 |
 |
  
|
||
|
|
Special Report MIEC Claims Alert Number 26A July 2001 California Confidentiality of Medical Information Act: Rules for privacy and release of medical information
|
|||
The California Confidentiality of Medical Information Act (CMIA) defines who may release confidential information, and prohibits the sharing, selling, or otherwise unlawful use of medical information. With some exceptions, a patient or his/her representative must authorize the release of medical information. Medical information is "any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care or health care service plan regarding a patient's medical history, mental or physical condition or treatment." Highlights of the Act: Disclosure limitations"No provider of health care, or healthcare service plan, or contractor shall disclose material information regarding a patient of the provider of health care or an enrollee or subscriber of a health care service plan without first obtaining an authorization, except as provided...." [Civil Code §56.10(a)] "...except to the extent expressly authorized by the patient...or as provided by subdivisions (b) and (c), no provider of health care, health care service plan, or contractor shall intentionally share, sell, or otherwise use any medical information for any purpose not necessary to provide health care services to the patient." [Civil Code §56.10(d)] A "health care service plan" is defined as any entity regulated by the Knox-Keene Health Care Service Plan Act of 1975. A "contractor" is "any person or entity that is a medical group, independent practice association, pharmaceutical benefits manager, or a medical service organization and not a health care service plan or provider of health care." [Civil Code §56.05(c) and (d)] The CMIA requires the authorization for the release of medical information to be handwritten by the signer or printed in at least 8-point type, clearly separate from any other wording on the same page. The form can be signed by the patient, the patient's legal representative, the beneficiary or personal representative of a deceased patient, and, for the purpose of processing an application for dependant health care coverage, the patient's spouse may sign the authorization. The form must include: the specific uses and limitations on the types of medical information to be disclosed; the name or functions of the health care provider, health care service plan or contractor that may disclose the information; the names or functions of those authorized to receive the information; the specific uses and limitations on use of the information by the recipients; the expiration date of the authorization; and a notice that the signer is entitled to a copy of the form (Figure 1). Health care service plans must assure confidentiality California's amended Health & Safety Code §1364.5 mandates that health care service plans must protect the security of patient medical information. Among the requirements, effective July 1, 2001, health care plans must have available to all enrollees a written statement to describe how the plan maintains the confidentiality of enrollees' medical information. Mandatory and discretionary disclosure of information There are numerous exceptions to the confidentiality laws. Civil Code §56.10, paragraph (b) says that medical information must be released, absent a patient's authorization, when requested by: court order, administrative directive, civil or criminal subpoena, investigative subpoena, arbitration panel, lawful search warrant and a patient or the patient's representative. Civil Code §56.10 (b)(8) "compels" physicians to provide confidential medical information to the coroner's office, "...when requested in the course of an investigation by the coroner's office for the purpose of identifying the decedent or locating next of kin, or when investigating deaths that may involve public health concerns, organ or tissue donation, child abuse, elder abuse, suicides, poisonings, accidents, sudden infant death, suspicious deaths, unknown deaths, or criminal deaths, or when otherwise authorized by the decedent's representative. Medical information requested by the coroner under this paragraph shall be limited to information regarding the patient who is the decedent and who is the subject of the investigation and shall be disclosed to the coroner without delay upon request." Civil Code §56.10 (c) says that a health care provider or health care service plan may disclose medical information without patient authorization to: 1) Other health care providers, health care service plans, or other health care professionals/ facilities for purpose of diagnosis and treatment of the patient. 2) Entities responsible for the payment of health care services, such as: an insurer, employer, health care service plan, hospital service plan, employee benefit plan, and governmental authority. Information released is limited to the extent necessary to determine payment. 3) Any person or entity that provides billing, claims management, medical data processing or other administrative services for health care providers, health care service plans, or entities listed in (2) above. 4) Organized committees and agents of professional societies, medical staffs of licensed hospitals, licensed health care service plans review organizations, utilization and quality control peer review organizations, or persons or organizations insuring, responsible for, or defending professional liability that a provider may incur, if the committees, agents, plans, organizations, or persons are engaged in reviewing the competence or qualifications of health care professionals or reviewing health care services. 5) Accreditation or licensing bodies of health care providers and service plans. 6) County coroner in course of an investigation related to "all purposes not included in paragraph (8) of subdivision (b)." 7) Public agencies, clinical investigators, including investigators conducting epidemiologic studies or bona fide research projects. However, this information may not be further disclosed by the recipient in any way that would disclose the patient's identity. 8) Providers of health care or health care service plan in conjunction with an employer-employee dispute (e.g., law suit, arbitration, grievance or other claim). 9) Sponsor, insurer or administrator of a group or individual insured or uninsured plan or policy from which the patient seeks coverage or benefits, absent written notification of contrary agreement. 10) A health care service plan by providers of health care that contract with the plan for the purpose of administering the health care plan. 11) "Nothing in this part shall prevent the disclosure by a provider of health care or a health care service plan to an insurance institution, agent or support organization, subject to Article 6.6 (commencing with Section 791) of Part 2 of Division 1 of the Insurance Code, of medical information if the insurance institution, agent or support organization has complied with all requirements of obtaining the information..." under the Insurance Code section. 12) A probate court investigator to determine the need for a new or continued conservator-ship, and to determine the need for a guardianship. 13) An organ procurement organization or tissue bank for the purpose of transplantation. 14) The Food and Drug Administration to report adverse events related to drug pro-ducts or medical devices. 15) "Basic information" to a state or federally recognized disaster relief organization for responding to disaster welfare inquiries. (Basic information includes the patient's name, city of residence, age, sex, and general condition.) 16) A third party for the purposes of "encoding, encrypting, or otherwise anonymizing data." 17) An entity contracting with a health care service plan to monitor or administer a chronic disease management program, if these services and care are authorized by a treating physician. Before releasing medical information without a patient's authorization, physicians and their staff must know why the information is being requested. The entities listed above are entitled to medical information only for the specific purposes outlined in the Civil Code section. Health & Safety Code §123111 allows any adult patient to inspect his/her record (or review a physician's summary of the patient's care and treatment) and "to provide to the health care provider a written addendum with respect to any item or statement in his or her records that the patient believes to be incomplete or incorrect." The addendum is limited to 250 words per alleged incomplete or incorrect item in the patient's record, and it must clearly indicate in writing that the patient wants the addendum to be part of the medical chart. The physician must attach the addendum to the patient's chart and include it whenever the health care provider "makes a disclosure of the allegedly incomplete or incorrect portion of the patient's records to any third party." Physicians are protected from liability under this code section for any "defamatory or otherwise unlawful language" written in the addendum and subsequently included in the medical record. Negligent or intentional disclosure penalties Anyone who negligently discloses medical information may be penalized. Violation of the Act that results in economic loss or personal injury to the patient is punishable as a misdemeanor, and the patient may recover unlimited compensatory damages, punitive damages up to $3000, attorney's fees up to $1000, and costs of litigation. Even patients who have not suffered injury because of the disclosure may recover nominal damages of $1000. Any person or entity that negligently discloses medical information also will be liable for an administrative fine or civil penalty not to exceed $2,500. Further, any licensed health care professional (physician, nurse, pharmacist, dentist) "who knowingly and willing" obtains, discloses or uses medical information in violation of the Act is liable for an administrative fine or civil penalty of up to $2,500 for the first violation, $10,000 for the second, and $25,000 for the third and subsequent infractions of the law. If done for financial gain, the fines are $5,000 for the first violation, $25,000 for the second, and $250,000 for the third and subsequent violations, plus "disgorgement of any proceeds or other consideration" obtained because of the infraction. [Civil Code §56.36(a) thru (c)] Outpatient psychotherapy treatment records Civil Code §56.104 (part of the Confidentiality of Medical Information Act) prevents a provider of health care, health care services plan, or contractor from making discretionary release of records regarding the patient's participation in outpatient psycho-therapy treatment to persons or entities to whom disclosure could formerly be made without patient authorization (including co-treating physicians). When asked to release a copy of outpatient psychotherapy records, a provider of health care, a health care services plan, or contractor must have either: (1) a patient's written authorization for release of the information; or (2) a written request from the inquiring party, that must include the elements itemized below.* MIEC legal counsel suggests that physicians who wish to obtain outpatient psychotherapy records ask the patient to sign an authorization (Figure 1). The signed authorization nullifies the requirement to send a written request to the patient's psycho-therapist, as mentioned in item (2) above. If the physician cannot obtain authorization from the patient, but wants/needs to obtain a copy of the patient's outpatient psycho-therapy records, the physician's written request must state:* (1) The specific information requested and its intended use; (2) the length of time the information will be retained; (3) a statement that the information will not be used for any purpose other than its intended use; and (4) a statement that the information will not be retained beyond the length of time specified, and that it will be destroyed or returned to the health care provider (Figure 2). A physician must then send a copy of the written request to the patient unless the patient has signed a "Waiver of Notice." [Civil Code §56.104(b)] Penalties for violation of the new law include: $1,000 damages, even in the absence of economic loss; any actual damages; possible punitive damages; a civil fine up to $2,500; additional civil penal-ties when disclosure is repeated or for financial gain, and potential Medical Board discipline. The Confidentiality of Medical Information Act requires that health care providers, health care service plans and contractors, who "create, maintain, preserve, store, 'abandon' or destroy" medical records do so in a manner that preserves the information's confidentiality.
|
|||||
|
