Introduction to the CCS Program

• The CCS program is a voluntary, community-based program operated by the Dane County Department of Human Services (DCDHS) in compliance with Chapter 36 of the Wisconsin Administrative Code.
• The client designs his or her own recovery plan with the assistance of the Service Facilitator and mental health or substance abuse professional.
• The client then chooses services to meet his or her needs that are purchased by the department and made available to the client as part of the program.
• DCDHS will provide intake and approve clients for participation in the program.
• DCDHS will also maintain the records for, and manage and coordinate services in the CCS Program.
• DCDHS’ management duties include training service providers of the confidentiality laws relating to client records, which is the purpose of this course.
• Statutory and regulatory citations are provided in this presentation for reference purposes and for a greater understanding of legal mandates.
• This course covers basic confidentiality issues. However, situations will arise presenting more complicated confidentiality issues. Agencies with further questions should contact the CCS Program Administrator and/or their own legal counsel.

All client records of the CCS Program are strictly confidential.

This training (or refresher) course will cover the confidentiality laws applicable to the CCS Program and how they interrelate. The relevant rules of confidentiality are found in:

• Sections 51.30 and 51.45(14) of the Wisconsin Statutes
• Chapter DHSDHS 92 of the Wisconsin Administrative Code
• 45 CFR Parts 160, 162 and 164 (HIPAA Privacy, Security, Transaction and Breach Notification Rules)
• 42 CFR Part 2 (Federal Privacy Rules governing AODA treatment records)

Section 51.30, Wisconsin Statutes

This section provides that all treatment records are confidential and privileged to the person to whom the records pertain. Treatment records include all records generated by the CCS program created in the course of providing services to persons for mental illness, alcoholism, or drug dependence.

Chapter DHS 92 of the Wisconsin Administrative Code

are rules created to implement section 51.30 of the statutes. These rules are to be read hand-in-hand with section 51.30, Stats.

In addition, s. 51.45(14)(a) of the Wisconsin Statutes provides as follows regarding alcoholism treatment records:

CONFIDENTIALITY OF RECORDS OF PATIENTS. (a) “Except as otherwise provided in s. 51.30, the registration and treatment records of alcoholism treatment programs and facilities shall remain confidential and are privileged to the patient. The application of s. 51.30 is limited by any rule promulgated under s. 51.30 (4) (c) for the purpose of protecting the confidentiality of alcoholism treatment records in conformity with federal requirements.”

The HIPAA Privacy, Security, Transaction, and Breach Notification Rules apply to all information exchanged in the CCS Program.

HIPAA Privacy and Security Rules generally require that ‘covered entities’:

• Ensure the confidentiality, integrity, and availability of all Electronic Protected Health Information.
• Protect against all reasonably anticipated threats to the security of such information.
• Ensure that all Protected Health Information shared with Business Associates is protected through enforcement of a Business Associate Agreement, (and also ensuring that the Business Associate, if it subcontracts, requires the subcontractor to also comply with HIPAA Privacy and Security Rules.)

Here are some definitions you will need to know to understand the HIPAA privacy and security rules:

• A Covered Entity includes a Health Care Provider who transmits any health information in electronic form in connection with a covered transaction (generally billing). DCDHS and all Providers of CCS Program services are covered entities.
• A Health Care Provider is a direct provider of medical or health services and any entity that furnishes, bills, or is paid for health care in the normal course of business.
• Health Care includes treatment, assessment, diagnosis, or service related to a person’s physical or mental condition or function or the sale of a drug, device, or equipment in accordance with a prescription.
• Protected health information (or PHI) is any health or demographic information collected from an individual created by a health care provider that related to the past, present or future physical or mental health or condition of an individual, the provision of health care to the individual or the payment of health care for the individual and that identifies or could be used to identify the individual.

42 CFR Part 2 provides additional requirements for drug abuse and alcohol abuse patient records. It provides that records “of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any drug abuse prevention function conducted” or “relating to alcoholism or alcohol abuse education, training, treatment, rehabilitation, or research” shall be “confidential and disclosed only for the purposes and under the circumstances expressly authorized”.

Given the strict confidentiality protections of CCS records, one might question how client information may be shared between service providers and DCDHS within the CCS Program. Wisconsin and federal statutes provide the basis for sharing information within the program, regardless of which agencies are performing what services as part of the recovery plan. References are provided as follows.

Under Wisconsin law the following statutes permit an exchange of information between service providers and the county department or multiple service providers within the same program:

• S. 51.42(1) (e) Exchange of information. “Notwithstanding ss. 46.2895 (9), 48.78 (2) (a), 49.45 (4), 49.83, 51.30, 51.45 (14) (a), 55.22 (3), 146.82, 252.11 (7), 253.07 (3) (c), and 938.78 (2) (a), any subunit of a county department of community programs or tribal agency acting under this section may exchange confidential information about a client, without the informed consent of the client, with any other subunit of the same county department of community programs or tribal agency, with a resource center, a care management organization, or a long-term care district, or with any person providing services to the client under a purchase of services contract with the county department of community programs or tribal agency or with a resource center, care management organization, or long-term care district, if necessary to enable an employee or service provider to perform his or her duties, or to enable the county department of community programs or tribal agency to coordinate the delivery of services to the client. Any agency releasing information under this paragraph shall document that a request was received and what information was provided.”
• S. 146.816(2), Wisconsin Statutes: “Sections 51.30 (4) (a) and (e) and 146.82 and rules promulgated under s. 51.30 (12) do not apply to a use, disclosure, or request for disclosure of protected health information by a covered entity or its business associate that meets all the following criteria:
  1. The covered entity or its business associate makes the use, disclosure, or request for disclosure in compliance with 45 CFR 164.500 to 164.534.
  2. The covered entity or its business associate makes the use, disclosure, or request for disclosure in any of the following circumstances:
     1. For purposes of treatment.
     2. For purposes of payment.
     3. For purposes of health care operations.”

Federal law (HIPAA) also permits the exchange of information necessary for the effective administration of the CCS Program.

45 CFR s. 164.502(a)(1)(ii) “A covered entity or business associate may not use or disclose protected health information except …

1. For treatment, payment, or health care operations, as permitted by and in compliance with § 164.506.”

Federal drug and alcohol treatment law also permits sharing of information within a program:

42 CFR s. 2.12(c)(3) “Communication within a program or between a program and an entity having direct administrative control over that program. The restrictions on disclosure in these regulations do not apply to communications of information between or among personnel having a need for the information in connection with their duties that arise out of the provision of diagnosis, treatment, or referral for treatment of alcohol or drug abuse if the communications are

1. Within a program or
2. Between a program and an entity that has direct administrative control over the program.”

Privacy Officer And Security Officer

• Each agency participating in the CCS Program must designate a privacy officer responsible for the development, implementation, and enforcement of privacy policies and procedures.
• Each agency participating in the CCS Program must also designate a security officer responsible for the development, implementation, and enforcement of security policies and procedures.

HIPAA Security Rules

• Under HIPAA Security Rules, DCDHS and contracted Providers and all involved workforce need to keep client information secure.
• Therefore CCS providers must have sound security practices regarding paper and electronic records.
• Agencies not able to comply with the following requirements must contact the Program Administrator to discuss if reasonable alternatives exist.

Risk Analysis

Conducting a risk analysis is the first step in identifying and implementing safeguards to comply with the HIPAA Security Rule. While there is no required format for risk analysis, one might start by considering the following questions:

• Has all electronic PHI been identified within the organization?
• What are the external sources of e-PHI? For example, do vendors or consultants create, receive, maintain, or transmit e-PHI?
• What are the human, natural, and environmental threats to information systems that contain e-PHI?

The outcome of the risk analysis should guide the implementation of policies to address the risks, addressing for example:

• Appropriate personnel screening processes.
• Electronic data backup procedures.
• Whether and how to use encryption technologies.
• What data must be authenticated in particular situations to protect data integrity.
• The appropriate manner of protecting health information transmissions.

The Use of Passwords

Provider agencies must secure all computer equipment and personal devices containing client information with the use of quality passwords. This includes cell phones, tablets, laptops, and flash drives.

 

Encryption

Likewise, all such portable devices and all electronic transmissions of client information must be encrypted. Encryption is a method of converting an original message of regular electronic text into encoded text.

The Security Officer must be aware of and keep an inventory of all electronic devices containing client information.

No Use Of Personal Devices For Storage Or Transmittal Of Client Information

• Agencies shall not permit the use of employees’ personally-owned devices to transact agency business containing any client information or any information that could identify a client.
• Agencies shall not permit its workforce to download any client information onto personally-owned devices such as home computers or cell phones.

Physical Accessibility to PHI and Work Station Concerns

• Each service provider with the CCS Program must have policies and practices in place to protect client information from being disclosed to those who are not entitled to or do not have a need for the information.
• Such practices include setting up work stations, media centers, and reception areas to avoid inadvertent disclosure of client information.

IT Systems

The Dane County Department of Human Services will maintain client records for the CCS Program. If the CCS Provider Agency keeps its own client records of the CCS Program, it must have electronic security as least as secure as is provided by DCDHS.

HIPAA Privacy Rules

The Minimum Necessary Rule

Even within the agency or program, disclosures are limited to the information necessary to fulfill the purpose of the authorized disclosure.

The Minimum Necessary Rules do not apply to the following situations:

• Health care providers for the purposes of providing treatment.
• Disclosures made to the client about information relating to the client.
• Disclosures made pursuant to a valid authorization.
• Disclosures required by law or made to comply with the requirements of law.

Verification Requirements

• Verification of the identity of an authorized recipient of client information is required.
• This includes proof of the identity and authority of the requesting person to receive client information.

What are some of the ways one can verify the identity and authority of an authorized recipient of the client information?

You may recognize the voice of the person on the phone in routine transactions.

You can require the person to fax the request to you on agency letterhead.

You may request information not known to people outside the situation.

You can require in-person meetings.

Client Access

Individuals Have Right of Access to His/Her Protected Health Information:

• Except for psychotherapy notes, a person has the right of access to his or her own records within 20 days of a written request in a convenient, accessible, and confidential place.
• The individual may also request amendments to inaccurate information in his or her records.

Disclosure Accounting

• An individual also has the right to know who has received his or her records without his or her authorization.
• The retention period for this requirement for paper records is six years.
• This does not apply to disclosures for treatment, payment or health care operation purposes, or disclosures pursuant to a valid authorization.
• The accounting must include the date of each disclosure, the entity and address of the entity receiving the disclosure, and the purpose and basis for each disclosure.

Disclosure of Electronic Protected Health Information

• The retention period for disclosure accounting of electronically protected health information is three years.
• Disclosure accounting of electronic PHI must also include disclosures for treatment, payment, and health care operations.

Disclosure Accounting Under State Law

S. 51.30(4)(e), Wis. Stats. Notation of release of information.

Each time written information is released from a treatment record, a notation shall be made in the record by the custodian thereof that includes the following: the name of the person to whom the information was released; the identification of the information released; the purpose of the release; and the date of the release.

Breach Notification

When Protected Health Information (all CCS Client Information) in unsecured or unencrypted form is disclosed to unauthorized persons, a notice of the disclosure must be made:

• to the Dane County Department of Human Services;
• to the person whose information was breached;
• to the Secretary of the U.S. Department of Health and Human Services;
• And possibly to the media.

Breach Notification to Dane County Department of Human Services:

• The report must occur within one business day of the breach and the report shall include the circumstances of the breach, actions already taken, and proposed to mitigate the breach and corrective actions taken and proposed to prevent a repeat of the breach in the future.
• The CCS provider agency will report any such breach to the Program Administrator, Program Manager, or DCDHS Privacy Officer, whoever is most readily available. The Dane County Department of Human Services Privacy Officer for the CCS Program is the Division Manager for Adult Community Services.

Breach Team

Because of the serious legal implications of a data breach, the CCS provider agency and the Department of Human Services will jointly establish a team of appropriate personnel to investigate, assess, and respond to the reported breach to ensure all legal obligations are met.

Breach Notification to those affected:

• Within 60 days, the provider agency must provide written notice by first-class mail to the last known address of every affected individual, or next of kin.
• The notice must include: a description of what happened, the type of information breached, the steps individuals should take to protect themselves, contact procedures for obtaining further information, and a description of actions taken to investigate the breach, mitigate losses, and protect against further breaches.
• If the contact information is insufficient, substitute notice must be provided, such as on the entity’s web site. A toll-free number a contact who can provide information must also be included.

Breach Notification Through the Media:

If a breach involves the Protected Health Information of more than 500 individual residents of a state, the entity must notify prominent media outlets. The CCS provider agency must consult with the CCS Program Administrator or Manager before doing so.

Breach Notification to Secretary of Federal Health & Human Services:

• If there are 10 or more Individuals with insufficient contact information, the entity must post on the agency’s web site.
• The entity must also maintain a log of any breach and annually submit the log to the Secretary of the U.S. Department of Health and Human Services.
• A breach of the information of 500 or more individuals must be reported to the Secretary immediately.

Duty to Mitigate:

The entity has an obligation to take all reasonable measures to mitigate any damage caused by unauthorized disclosure and to ensure that that type of disclosure does not reoccur.

 

Mitigation may include employee discipline and/or training.

Breach Notification Is Only Required for Unencrypted Information and Devices!

Disclosures Under HIPAA

Under the HIPAA Privacy Rules, disclosures of PHI may be made for one of the following reasons:

• To the individual or authorized representative.
• Pursuant to a valid release or authorization.
• For treatment, payment or health care operations.
• Pursuant to an exception specifically authorized by law.

Section 146.816(2) adopts this HIPAA Privacy Rule standard for disclosure of records otherwise protected from disclosure under section 51.30, Stats.

Business Associates

A Business Associate is an entity that assists a covered entity by performing a function or activity involving the use or disclosure of PHI such as billing, claims processing, data analysis, data processing, data management, consulting or other administrative functions, for example:

• Electronic keying for Medical Assistance billing claims.
• Consulting to assure program compliance.
• Data aggregation and data reporting required to make required reports to the state and to maintain financial eligibility for state and federal funds.
• Accounting services.
• Outside legal services.

What must a Business Associate do?

• Keep Protected Health Information confidential; follow state statutes and the HIPAA Privacy and Security rules.
• Have in place and enforce work rules and policies to protect the privacy and security of Protected Health Information, including the use of appropriate technical and physical safeguards.
• Report any breaches of confidential information.
• Assist the Covered Entity to comply with access to the individual and disclosure accounting and be prepared to provide disclosure accounting directly to the requesting individual if so directed by the covered entity.
• Return or destroy Protected Health Information at the conclusion of the contractual relationship.

Business Associate Agreements

If the CCS Agency has business associates that have access to PHI in the course of their work, the CCS Agency must maintain a Business Associate Agreement with the entity ensuring that the business associate maintains PHI in accordance with the previously stated requirements.

Notice of Privacy Practices

A covered entity must provide notice in plain language describing the uses and disclosures that may be made by the covered entity.

DCDHS provides the Notice of Privacy Practices to clients in the CCS Program. For this program, CCS Agencies may not provide clients with a Notice of Privacy Practices that is different from that provided by DCDHS.

Disclosures Under 42 CFR Part 2

Regulations for disclosures of substance abuse patient records are more stringent than required by HIPAA. Under 42 CFR Part 2 disclosure of substance abuse patient records may be made only for one of the following reasons:

1. To the individual or authorized representative.
2. Pursuant to valid release or authorization.
3. To medical personnel for treatment “only to the extent necessary to meet a bona fide medical emergency.”
4. For the purpose of diagnosis, treatment or referral if the communications are within a program or between a program and an entity that has direct administrative control over the program.
5. Pursuant to an exception specifically authorized under 42 CFR Part 2.

Disclosures Pursuant To Valid Authorization

A person may delegate his or her authority to disclose PHI to a third party pursuant to a Valid Authorization.

Core Requirements of a Valid Authorization:

• A specific meaningful description of the information to be disclosed.
• Name of the entity permitted to make the disclosure.
• Name of the person subject of the protected health information.
• A description of the purpose of the disclosure.
• An expiration date or event.
• A signature of the person and date of signature.
• The authorization contains required notice statements: the right to revoke in writing, the ability or inability to condition treatment on the authorization, and that the individual received a copy of the signed authorization.
• The authorization must be in plain language.

Disclosures to Parents of Minors

• A parent may access and authorize the release of a minor child’s mental health treatment information, except that a minor aged 14 or older may also consent to the release of mental health treatment information.
• A parent may access and authorize the release of a minor child’s drug and/or alcohol treatment, except that a minor 12 or older may also consent to treatment and release of AODA treatment information.
• A parent having been denied periods of physical placement may not access his or her minor child’s treatment information.

Disclosures to Guardians and POA Agents

Unless for some reason detrimental to the client’s well-being, the client’s guardian or agent under a Power of Attorney for Health Care document has the same right of access as the client.

CCS Program Disclosure Policy

Information may be released by CCS Program Agencies to others as necessary within the operation of the CCS Program using secure methods or communication, to the client, to the client’s authorized representative, or to persons who have valid written authorizations for release of client information. CCS Program Agencies may also release information in accordance with legal requirements in response to emergency situations. Other requests for information must be made in consultation with the CCS Program Manager or Director.

HIPAA Privacy Rules Permit Disclosures ‘Required by State Law’

These include:

• Disclosures to public health authorities.
• Disclosures as required under state law regarding child abuse and neglect.
• Disclosures as required under state law regarding adults-at-risk or elder adults-at-risk if the disclosure is necessary to prevent serious harm and the person is without the capacity to agree and is informed of the report or informing the person would put him or her at risk.
• To a health oversight agency.

You must consult with the CCS Program Administrator when receiving requests for information ‘required by law’.

Disclosures Required By Law Do Not Apply to Drug and Alcohol Treatment Records

The only disclosure permitted by state law requirements under 42 CFR Part 2 is the reporting of suspected child abuse or neglect.

You must consult with the CCS Program Manager or Director prior to releasing drug and alcohol treatment which is claimed to be required by law.

Disclosures to Law Enforcement Under HIPAA Privacy Rules are Permitted as Follows:

• To make reports required by law such as the reporting of gunshot wounds or other physical injuries.
• In compliance with the legal process limited to information relevant to the inquiry.
• As required by law to identify or locate a suspect, fugitive, material witness, missing person or deceased person.
• To report a crime that has occurred on the CCS Agency’s premises.
• To obtain help in medical emergencies and alert police officers of the possible commission of a crime and the identity of the perpetrator of the crime.

Disclosures to Law Enforcement under section 51.30, Wis. Stats. Is More Restrictive Than In HIPAA Privacy Rules.

Under section 51.30(4)(b)19., Stats., treatment records can be released to law enforcement:

“for the purpose of reporting an apparent crime committed on the premises of an inpatient treatment facility or nursing home, if the facility or home has treatment records subject to this section, or observed by staff or agents of any such facility or nursing home. Information released under this subdivision is limited to identifying information that may be released under sub. 16. (name and other identifying information, including photographs and fingerprints) and information related to the apparent crime.”

Disclosures to Law Enforcement Under Section 42 CFR Part 2 Is Even More Restrictive Than Under Wisconsin Law.

• The section makes no provision for disclosure to law enforcement, except that the disclosure of incidents of suspected child abuse or neglect is permitted.
• The section permits disclosure to medical personnel to the extent necessary to meet a bona fide medical emergency. While this does not permit disclosure to police, police presence at the emergency should not prohibit needed disclosure.
• The section permits disclosure by an appropriate order of the court but does not permit any record disclosed to be used to initiate or substantiate any criminal charges against the patient.

Summary: Disclosure to Law Enforcement

Depending upon the type of record, the information to be disclosed, and the legal process used by law enforcement to obtain client records, a CCS Agency may or may not be able to release information to law enforcement. CCS Agency staff must consult with the CCS Program Manager or Director prior to releasing any CCS Program record to law enforcement.

Disclosures to the Courts

Under HIPAA Privacy Rules, PHI (CCS client information) may only be released to a court with client authorization or with a qualified protective order. Without client authorization, CCS client information may not be released to courts prior to consultation with the CCS Program Manager or Director.

De-identification of PHI

CCS Agencies may find the need to use de-identified PHI. De-identified PHI is health information that does not identify an individual and which provides no reasonable basis to believe that the information can be used to identify an individual subject of the information. To de-identify PHI the following identifiers of the individual or of relatives, employers, or household members of the individual, are removed:

• Names.
• All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of the ZIP code.
• All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date.
• Telephone numbers
• Fax numbers
• E-mail addresses
• Social Security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) addresses
• Biometric identifiers, including finger and voiceprints
• Full-face photographs and any comparable images
• Any other unique identifying number, characteristic, or code that could be used to identify the person.

Knowing the elements of identity required for de-identification is also important for knowing the elements of identity that must be protected under HIPAA Privacy and Security Rules.

Good sources for information about HIPAA compliance are the U.S. Department of Health and Human Services website and Wisconsin’s HIPAA Collaborative website.

 

 

We have neared the end of this presentation. Thank you for your attention to the issues presented in this course. Disclosure requests of PHI often pose difficult and complex legal questions. Do not hesitate to share your questions with the CCS Program Manager or Director. Together we will create a culture of respect and protection for our clients’ private and confidential information.

View the presentation slide-show