Reflectiove Journal week 7 in

profileHeathersimf
AB241816_Ch16.pptx

Chapter 16: Required Reporting and Mandatory Disclosure Laws

Fundamentals of Law for Health Informatics and Information Management, Third Edition

© 2017 American Health Information Management Association

© 2017 American Health Information Management Association

Required Reporting

Federal and state laws require reporting certain protected health information to protect the health and safety of a community.

Information collected in this manner is not considered public information and patient privacy and confidentiality are protected.

© 2017 American Health Information Management Association

HIPAA and Required Reporting Considerations

Disclosure without patient authorization or agreement

HIPAA Privacy Rule: 12 public interest and benefits activities exceptions (see figure 16.1)

Individual not given opportunity to agree or object to disclosure, no authorization required

Amount disclosed defined by state law, public health, serious threat to health or safety

© 2017 American Health Information Management Association

HIPAA and Required Reporting Considerations (continued)

Preemption

Provides that federal law must be followed when federal and state laws conflict, unless the state law is more stringent on matter than federal law

State law will prevail if there are provisions of state law, including state procedures for reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention (45 CFR 160.203)

© 2017 American Health Information Management Association

HIPAA and Required Reporting Considerations

Notice of privacy practice

Under HIPAA, generally “. . . an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity. . .” (45 CFR 164.520).

Notice of Privacy Practices should include information regarding reporting without patient authorization under state and federal law

© 2017 American Health Information Management Association

HIPAA and Required Reporting Considerations

Accounting of disclosures

Privacy Rule requires the tracking of disclosures of PHI made in writing, electronically, by telephone, or orally

Organization must track disclosures in a central tracking system that enables departments to record disclosures

© 2017 American Health Information Management Association

Common State Reporting Requirements

Abuse and neglect of children

Reporting required by state law

Reportable to law enforcement

Types of neglect include

Neglect

Physical abuse

Sexual abuse

Emotional abuse

Child: Any person under of 18 or physically or mentally handicapped up to age of 21

© 2017 American Health Information Management Association

Common State Reporting Requirements (continued)

Abuse and neglect of children

State laws define who must report

Protection from liability for reporting in good faith

Privilege exemptions

Must be orally reported immediately with written reports in a prescribed timeframe

No conflict with HIPAA regarding authorization for disclosure due to public interest and benefit exceptions

© 2017 American Health Information Management Association

Common State Reporting Requirements (continued)

Abuse and neglect of the elderly and disabled

Includes individuals 60 years of age and older

Disability attributable to mental or physical impairment that results in functional limits

Types of abuse

Physical

Emotional

Financial

Sexual

Neglect

Abandonment

© 2017 American Health Information Management Association

Common State Reporting Requirements (continued)

Abuse and neglect of the elderly and disabled

Laws covering abuse in home setting (domestic abuse) versus abuse in institutional setting such as a nursing home

State laws also vary regarding required reporting of abuse of the elderly and disabled

No conflict with HIPAA regarding authorization for disclosure due to public interest and benefit exceptions

© 2017 American Health Information Management Association

Common State Reporting Requirements (continued)

Vital records

Required by state and federal law

National Center for Health Statistics (NCHS) responsible for working with state vital statistic laws

Birth certificates: Completed on every live birth

Two parts to certificate: Identifying information and information on mother’s pregnancy and any birth defects

Laws define how a father is acknowledged and what surname in entered for child

© 2017 American Health Information Management Association

Common State Reporting Requirements

Vital statistics

Death certificates: Usually completed by funeral director

Includes identifying information about the deceased as well as information about the cause of death

Physician must provide the cause of death and sign the death certificate

© 2017 American Health Information Management Association

Common State Reporting Requirements

Communicable diseases

Transmitted from infected person, animal, or inanimate reservoir to a susceptible person or host by either direct or indirect contact

State laws define what diseases are reportable, by whom, and how they should be reported, also have provisions to keep information confidential

Notifiable diseases classified according to their potential for endemic or epidemic spread and danger to public health, reportable within 24 hours usually

© 2017 American Health Information Management Association

Common State Reporting Requirements

Induced termination of pregnancy (abortion)

State law requires healthcare organization where induced termination or pregnancy to report termination

Information typically reported: Date of birth, race, marital status, and county and state of residence; the type of procedure performed; and resulting complications

Birth defects

Information may be obtained from birth certificates filed with the state used to determine trends in birth defects and to look for ways to prevent them

© 2017 American Health Information Management Association

Reportable Deaths

State law determines requirements for reporting certain deaths and what information can be disclosed in various cases (varies by circumstances and law enforcement involvement)

Accidental death

Homicide

Suicide

Sudden death

Suspicious death

Death from abortion

Induced termination of pregnancy

© 2017 American Health Information Management Association

Reportable Deaths

Deaths reportable to medical examiner vs. coroner

ME is typically a physician with pathology training

Coroner appointed or elected official, who may or may not be a physician

Both responsibility for investigating suspicious deaths

MEs and coroners have right to receive medical information needed to investigate the case without authorization and may have subpoena powers to collect such information

© 2017 American Health Information Management Association

Reportable Deaths

Name and address of the deceased

Age of the deceased, if known

Marital status of the deceased

Ethnicity of the deceased

Time of accident or onset of cause of death

Place, mode, and manner of injury

Place of death

Time of death

Location of body

Other pertinent data

Name of person reporting the case, including date and time

Name of physician who pronounced person dead

Information commonly reportable to ME or coroner

© 2017 American Health Information Management Association

Reporting of Wounds: Knife, Gunshot, Burns

Wounds, such as knife wounds, gunshot wounds, and burns indicative of crimes, must also be reported to legal authorities.

States also require reporting of unusual events and other instances that might assist with public health prevention and control programs.

© 2017 American Health Information Management Association

Reporting Fetal Deaths

Refers to death of fetus of particular weight, frequently 500 grams or more, or 22 or more completed weeks of gestation

Depending on state law, responsibility for completing the fetal death certificate may lie with

Designated person in the institution where the fetal death occurred

Funeral director

Other person responsible for internment or cremation of remains

Physician in attendance if fetal death occurred outside an institution

If no one in attendance, must notify ME who completes death certificate

© 2017 American Health Information Management Association

Unusual Events and Other State Reporting Requirements

Some states require reporting of unusual or adverse events

Medication errors

Transfusion reactions

Falls resulting in fractures

Wrong patient/wrong site surgical procedures

Operative complications

© 2017 American Health Information Management Association

Unusual Events and Other State Reporting Requirements (continued)

Some states have implemented prescription drug monitoring programs (PDMPs)

Require pharmacies to report to state data bank on state identified controlled drugs

Nuclear Regulatory Commission (NRC)

Oversight for medical use of ionizing radiation

Medical centers must report to state agency and NRC information on use of radioactive materials and any misadministration of the material

© 2017 American Health Information Management Association

Worker’s Compensation for Occupational Illnesses, Injury, Death

Purpose of legislation

Ensures employees injured on job or become ill as result of job are provided with some means of support while recovering from illness or injury

Process

Employee or employee representative files a worker’s compensation claim

Must sign an authorization to release medical information to the workers’ compensation entity

Information may be disclosed to other state or federal agency without patient authorization

© 2017 American Health Information Management Association

National Reporting Requirements

Serious occurrences or deaths related to restraint or seclusion

Conditions of Participation patients rights rule, accredited hospitals deemed to meet Medicare requirements must report deaths from restraints or seclusion to CMS by phone within one business day

Must document in patient’s health record date and time that the death was reported

Must record in internal log/system with 7 days of death, key patient information

© 2017 American Health Information Management Association

Serious Occurrences or Deaths Related to Restraint or Seclusion

Children’s Health Act of 2000

Restrict the use of restraints and seclusion in all psychiatric facilities that receive federal funds and in non-medical community-based facilities for children and youth

Use of restraints and seclusion restricted to emergency safety situations only

Parent or legal guardian must be notified no later than 24 hours after the occurrence

© 2017 American Health Information Management Association

National Reporting Requirements of Quality Measures

CMS, Joint Commission and other entities require

Quality measures for hospitals, physician’s offices, nursing homes, and other provider entities for purpose of improving the quality and safety of patient care

PHI collected is used for retrospective analysis and real-time reporting to comprehensively evaluate and manage quality improvement efforts

Data submitted to federally supported Quality Improvement Organizations (QIOs), Clinical Data Abstraction Centers (CDACs), CDC, and others

© 2017 American Health Information Management Association

Quality Measures

2010 Affordable Care Act established mandatory quality reporting requirements for long-term care hospitals, inpatient rehabilitation facilities, and hospice programs, went into effect in 2014; may change as new administration works on new healthcare legislation

Mandatory reporting by hospitals already required

Medicare providers that fail to comply with data reporting requirements are subject to 2 percent reduction of reimbursement

© 2017 American Health Information Management Association

National Reporting Requirements

Programs designed to prevent fraud and abuse

Healthcare organizations must provide copies of health records

Recovery Audit Contractors (RACs)

Medicare Administrative Contractors (MACs)

Medicaid Integrity Contractors (MICs)

Purpose of these programs: To measure, prevent, identify, and correct incorrect payments under the Tax Relief and Health Care Act of 2006 and other federal healthcare reform legislations

© 2017 American Health Information Management Association

National Reporting Requirements (continued)

National Practitioner Data Banks (NPDB)

Created by Health Care Quality Improvement Act of 1986, information expanded by Medicare and Medicaid Patient and Program Protection Act of 1987

Purpose: Identify and discipline those who engage in unprofessional behavior and restrict ability of incompetent healthcare practitioners to move from State to State without disclosure or discovery of previous medical malpractice payment and adverse action

© 2017 American Health Information Management Association

National Reporting Requirements

National Practitioner Data Banks (NPDB) (cont.)

NPDB merged with Healthcare Integrity and Protection Data Bank (HIPDB) established under Section 1128E of the Social Security Act; operational in 2000 to establish national healthcare fraud and abuse data collection program for reporting of final adverse actions (not including settlements in which no findings of liability have been made) against healthcare providers, suppliers, or practitioners

© 2017 American Health Information Management Association

NPDB Formal Clearing House

Information reported to the data bank is considered confidential and is not disclosed except as specified by regulation

Requirements include:

Who reports

What information is available

Who can query database

© 2017 American Health Information Management Association

Medical Device Reporting

Safe Medical Devices Act of 1990   

Requires reporting to the FDA and the product manufacturer of medical device occurrences that have or may have contributed to serious illness, serious injury, or death, including occurrences attributed to user error

Medical Device Amendments of 1992 clarified terms and established a single reporting standard for device users, manufacturers, importers, and distributors

© 2017 American Health Information Management Association

Medical Device Reporting (continued)

Medical device: Anything that is used in treatment or diagnosis that is not a drug

X-ray machines, sutures, defibrillators, grafts, syringes, lasers, heating pads, bone screws, pumps, etc.

FDA requires specific information to be reported within 10 days

User facility report number

Name and address of the device manufacturer

Device brand name and common name

Product model, catalog, serial, and lot numbers

Brief description of event reported to manufacturer and the FDA

Where report was submitted (FDA, manufacturer, or distributor)

© 2017 American Health Information Management Association

Medical Device Reporting (continued)

Reporting done through Safety Information and Adverse Event Reporting Program—MedWatch

FDA also encourages voluntary reporting of adverse events related to products or technologies to MedWatch

FDA does not regulate EHRs working with ONC and FCC representatives to improve the safe use of EHR technology, encourages voluntary reporting of problems with EHRs

© 2017 American Health Information Management Association

Medical Device Reporting and HIPAA

HIPAA allows medical device reporting without patient authorization

To collect or report adverse events (or similar activities with respect to food or dietary supplements), product defects or problems (including problems with the use or labeling of a product), or biological product deviations

To track FDA-regulated products

To enable product recalls, repairs, replacements, or look back

To conduct post-marketing surveillance

© 2017 American Health Information Management Association

Medical Device Reporting

Under Freedom of Information and Privacy Act, FDA information may be accessed but FDA is required to delete

Any personal, medical, and similar information that would constitute a clear, unwarranted invasion of personal privacy

Trade secrets and confidential commercial or financial information related to the manufacturer

Identifying information of the reporter of the event

© 2017 American Health Information Management Association

Organ Procurement Organization

Federal law requires that hospitals notify designated organ procurement organization (OPO) in a timely manner regarding specified organ donors who die in the hospital or for whom death is imminent

Hospital and OPO must do annual death record reviews

Hospital is not violating confidentiality by calling the OPO and providing information about an individual who has died

No requirement in statute or regulations that family be informed about hospital’s notification to OPO before OPO can be contacted

© 2017 American Health Information Management Association

Occupational Fatalities, Injuries, and Illnesses

Federal occupational safety and health regulation requires employers to report work-related fatalities, injuries, and illnesses

Healthcare facilities may be required to release medical information relevant to fatality, injury, or illness to appropriate authorities per state law as well

© 2017 American Health Information Management Association

Clinical, Disease, and Outcome-Based Registries

Database containing information about a disease or condition

Used for a broad range of purposes in public health and medicine, from evaluating patient care to monitoring defective devices

May be required by federal or state laws

Common requirement is that data submitted to the registry be maintained in a confidential manner and identity of the patient be protected from disclosure

© 2017 American Health Information Management Association

Federal Registry on Implantable Cardiac Defibrillators (ICDs)

2005: Medicare expanded its coverage ICDs to eligible Medicare beneficiaries

Every hospital that seeks reimbursement for ICDs must participate in ICD registry

© 2017 American Health Information Management Association

Variety of Registries

Type of registry determines what patient information is reported

Cancer registry

Trauma registry

Immunization

Birth defects

Diabetes

Implant

Transplant

Qualified Clinical Data Registries

© 2017 American Health Information Management Association

Disclosures to Public Health Authorities Not Required by Law

Covered entities may disclose PHI to public health entities even if law does not specifically require the disclosure, if the disclosure is for the purpose of

Preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority (45 CFR 164.512(b))

© 2017 American Health Information Management Association