Michigan Health Law Link : Michigan Health Care Lawyer & Attorney : Smith Haughey Rice & Roegge Law Firm : Ann Arbor, Grand Rapids, Traverse City

Two probable cases of swine flu have now been identified in Michigan.  The first suspected case was identified in Livingston County.  The second is an Ottawa County resident who was released from a Kent County hospital last week.

More suspected cases in Michigan are likely.  Both the Michigan Department of Community Health and the Centers for Disease Control and Prevention have set up informational websites to assist health care providers with identifying and treating suspected cases of swine flu and to disseminate the latest information on the disease in the U.S.

MDCH:  www.michigan.gov/swineflu

CDC:  www.cdc.gov/swineflu

• Email This
• Print
• Comments
• Trackbacks

In case you missed it, on December 15, 2008, the Office of Civil Rights published information that suggests it is thinking about how HIPAA applies to the electronic exchange of health information in a networked environment. If you want to review the materials for yourself, they are located here.

In summary, so long as the primary purpose for and function of an electronic network is treatment oriented, HIPAA should not be a barrier to the development of an effective network.   OCR's focus in its comments was on setting up electronic exchange networks so as to create a level of trust between patients and the covered entities participating in these networks.  OCR recommends that patients be advised, either in the Notice of Privacy Practices or in some other document, that their health information will be used and disclosed for treatment purposes through an electronic network.

Some of the other points made by OCR in this guidance includes the following:

• While covered entities are not required to agree to allow patients to restrict otherwise permissible uses and disclosures of their information, a covered entity must have policies in place to deal with the issue and if a covered entity does agree to allow certain restrictions, the covered entity must abide by that agreement, except in an emergency situation;
• OCR acknowledges that HIPAA does not require a covered entity to allow patients to "opt-in" or "opt-out" of an electronic network but suggests that the ability to afford patients that kind of choice will help build trust between patients and providers who use electronic networks;
• Minimum necessary concepts apply to the electronic networks and the access of health information for payment and health care operations purposes through such networks;
• Regardless of the scope or purpose of an electronic health information exchange network, any disclosures of health information by a covered entity through the network must comply with the Privacy Rule and, in addition must also be in compliance with any more stringent State law requirements;
• Even in an electronic exchange environment, the HIPAA Privacy Rule requirements that patients consent to the disclosure of psychotherapy notes still applies;
• Covered entities who set up electronic health information exchange networks must implement appropriate administrative, technical and physical safeguards to protect the privacy of the protected health information; and
• Covered entities that participate in an electronic network need to be aware that whatever information they import into their electronic records via a network become a part of their legal medical record. However, network participation alone does not make all of the information about a patient that is accessible through the network a part of their legal medical record.

Overall, given the clients that I have worked with who are setting up, trying to set up, or thinking about setting up these kinds of electronic exchange networks, the OCR guidance is not overly enlightening but still helpful in that it confirms that there is a right way and a wrong way to set up such a network and that if you have the right goal -- facilitating better access to information for treatment purposes -- you should be able to get where you are trying to go.

• Email This
• Print
• Comments
• Trackbacks

The Departments of Education and Health and Human Services have issued joint guidance on how the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) apply to student health records. The guidance also addresses certain disclosures that are allowed without consent or authorization under both laws, especially those related to health and safety emergency situations.

FERPA is a federal law that generally prohibits an institution from disclosing the education records or personally identifiable information from education records, without a parent or eligible student’s written consent. An eligible student is one who is over 18 years of age or who attends a post-secondary institution at any age. FERPA applies to institutions that receive funds pursuant to any program administered by the U.S. Department of Education, including medical and other professional schools. Please note that if an institution receives funds in this manner, FERPA applies to the recipient as a whole, including all its components, such as a department within a university.

“Education records” are broadly defined to include records that are directly related to a student and that are maintained by an educational institution or by a party acting for the institution. At the elementary and secondary levels, this can include student health records. In post-secondary institutions, medical and psychological treatment records of eligible students are excluded from the definition of “education records” if they are made, maintained, and used only in connection with treatment of the student and disclosed only to individuals providing the treatment. If the disclose is for purposes other than treatment, the records are then subject to FERPA’s requirements and can only be disclosed with the student’s written consent or under one of several enumerated exceptions to written consent.

HIPAA requires covered entities (health plans, health care clearinghouses and health care providers) to implement appropriate safeguards to protect the privacy of patients’ identifiable health information and to set limits and conditions on the uses and disclosures that may be made of such information without patient authorization. HIPAA also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

• Email This
• Print
• Comments
• Trackbacks