ebook img

Missouri Health Information Security and Privacy Collaborative PDF

2009·1.5 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Missouri Health Information Security and Privacy Collaborative

MISSOURI HEALTH INFORMATION SECURITY AND PRIVACY COLLABORATIVE NOTE: Below is a chart comparing Missouri law to HIPAA for preemption purposes. The chart includes a brief description of each Missouri statute or regulation, references the applicable HIPAA provisions, indicates whether there is a conflict between Missouri law and HIPAA as well as which law governs, and provides commentary regarding the analysis. The final column indicates the implications for electronic health information exchange (HIE). Generally, the majority of the Missouri statutes and regulations listed below do not specifically address electronic HIE. To the extent the laws create barriers to HIE (such as requiring a court or administrative order for the release of records), they generally will cause such barriers regardless of whether the HIE is electronic or otherwise. In a few instances, however, electronic records are addressed in the last column. Missouri Statute HIPAA Privacy Regulations Con- State Law Discussion and Implications for flict? or HIPAA? Conclusion Electronic HIE COUNTY, TOWNSHIP AND POLITICAL SUBDIVISION GOVERNMENT Circuit and Prosecuting Attorneys and County Counselors Investigative Subpoenas Law Enforcement Purposes Yes State ● Investigative ● None §56.085 §164.512(f) subpoenas have the ● In the course of a ● CEs may disclose PHI in same effect under criminal investigation, compliance with a court Missouri law as any the prosecuting or circuit order, court-ordered other similar attorney may request a warrant, subpoena or subpoena. judge to issue an summons issued by a ● Absent specific investigative subpoena judicial officer, grand jury statutory authority for oral examination or subpoena or, if certain under state law to production of documents. requirements are met, an disclose privileged administrative request. information in response to a subpoena, CEs may not disclose such information, even if requested by a subpoena, without a patient waiver or a court/administrative order. Ingram v. 1664508.6 *This document does not address electronic signatures or contracts under federal law. Under Missouri law, electronic records, contracts and signatures are legal and enforceable in accordance with the law per RSMo. §432.230. Missouri Statute HIPAA Privacy Regulations Con- State Law Discussion and Implications for flict? or HIPAA? Conclusion Electronic HIE Mutual of Omaha, 170 F.Supp.2d 907 (W.D.Mo. 2001). ● Some CEs may consider a subpoena signed by a judge to be a court order and others may not and some may consider a subpoena signed by an attorney to be a court order while others may not. Coroners and Inquests Reporting of Deaths and As Required by Law No State ● CEs may report ● None Inquiry about Cause of §164.512(a) deaths and provide Death ● CEs may use or disclose relevant information §§58.451, 58.452, 58.720 PHI without giving the as part of an inquiry and 58.722 individual the opportunity by the coroner or ● Specified individuals are to agree or object and medical examiner required to report certain without an authorization if without violating deaths, including deaths it is required by law and is HIPAA because of children under age limited to the disclosure of PHI eighteen to the coroner. requirements of such law. assists coroners or ● The coroner or medical medical examiners examiner is required to Coroners and Medical in fulfilling their make inquiry into the Examiners statutory duties of cause and manner of §164.512(g) identifying the cause death (by implication ● CEs may disclose PHI to of death and is includes examination of the coroner or medical required by law. 2 1664508.6 *This document does not address electronic signatures or contracts under federal law. Under Missouri law, electronic records, contracts and signatures are legal and enforceable in accordance with the law per RSMo. §432.230. Missouri Statute HIPAA Privacy Regulations Con- State Law Discussion and Implications for flict? or HIPAA? Conclusion Electronic HIE medical records). examiner for purposes of identifying the deceased and the cause of death. ● CEs may use PHI for the same purposes if they are acting as the coroner or medical examiner in a given situation. EDUCATION AND LIBRARIES Pupils and Special Services Immunizations Public Health Activities No State • CEs may disclose • None §§167.181 and 167.183 §164.512(b)(1)(i) immunization records • A record of immunization • CEs may disclose PHI to a to employees of must be prepared by public health authority public agencies, school superintendent for authorized to receive such departments and each student showing information for the political subdivisions; immunization status and purpose of preventing or health records staff of such records may be controlling disease, injury school districts; child disclosed and exchanged or disability. care facilities; health to the following to assure care professionals; compliance with state As Required by Law and those entrusted statutes: employees of §164.512(a) with regular care of public agencies, • CEs may use or disclose those under care and departments and political PHI without giving the custody of state subdivisions; health individual the opportunity agency without records staff of school to agree or object and violating HIPAA districts; child care without an authorization if because it is a facilities; health care it is required by law and is permissible public professionals; and those limited to the health activity. entrusted with regular requirements of such law. 3 1664508.6 *This document does not address electronic signatures or contracts under federal law. Under Missouri law, electronic records, contracts and signatures are legal and enforceable in accordance with the law per RSMo. §432.230. Missouri Statute HIPAA Privacy Regulations Con- State Law Discussion and Implications for flict? or HIPAA? Conclusion Electronic HIE care of those under care Health Oversight Activities No State • CEs may disclose and custody of state §164.512(d) PHI to the above agency. • CEs may disclose PHI to listed individuals public health oversight and entities to agencies for oversight comply with state activities authorized by statutes. law. PUBLIC HEALTH AND WELFARE Regulation of Abortions Reporting of Abortions §§188.052 and 188.055 ● §188.052 Abortion Preemption Exception No State ● CEs may report reports and abortion §160.203(c) abortions and their complication reports, ● Generally, HIPAA complications which contain health preempts contrary state pursuant to state law information, must be laws. without violating submitted to DHSS. ● One exception to that rule HIPAA because is when the state law such reports are provides for the reporting exempted from of disease or injury, child preemption and their abuse, birth or death, or disclosure is for the conduct of public required by law and health surveillance, is a permissible investigation or public health intervention. activity. As Required by Law §164.512(a) ● CEs may use or disclose 4 1664508.6 *This document does not address electronic signatures or contracts under federal law. Under Missouri law, electronic records, contracts and signatures are legal and enforceable in accordance with the law per RSMo. §432.230. Missouri Statute HIPAA Privacy Regulations Con- State Law Discussion and Implications for flict? or HIPAA? Conclusion Electronic HIE PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law. §188.055 TPO Yes HIPAA ● Because the ● Information obtained by §164.506 disclosure of PHI by a physician, hospital or ● CEs may use and disclose CEs that are direct abortion facility from a PHI for treatment, treatment providers patient for the purpose of payment and health care for TPO under preparing reports to operations. HIPAA requires DHSS and the compliance with the information included in Notice of Privacy Practices requirements for the the reports received by §164.520(c) HIPAA NPP DHSS is confidential. ● CEs that are direct acknowledgment, treatment providers must HIPAA is more ● Such information may provide the NPP to their stringent than state generally be used only patients and attempt to law. for statistical purposes. obtain a written ● Thus, CEs that are acknowledgment of direct treatment receipt of the NPP. providers may use abortion information for statistical purposes (health care operations) only if they comply with the more stringent 5 1664508.6 *This document does not address electronic signatures or contracts under federal law. Under Missouri law, electronic records, contracts and signatures are legal and enforceable in accordance with the law per RSMo. §432.230. Missouri Statute HIPAA Privacy Regulations Con- State Law Discussion and Implications for flict? or HIPAA? Conclusion Electronic HIE requirements for the HIPAA NPP acknowledgment. ● Such information may be Public Health Activities No State ● CEs may disclose disclosed as part of an §164.512(b)(1)(i) abortion information inspection for public ● CEs may disclose PHI to a to public health health purposes. public health authority authorities for public authorized to receive such health purposes information for the pursuant to state law purpose of preventing or without violating controlling disease, injury HIPAA because it is or disability. a permissible public health activity. Emergency Services Licensure: Emergency Health Oversight Activities No State ● CEs may disclose Services §164.512(d) PHI to DHSS under §190.175.4 ● CEs may disclose PHI to a state licensing ● An ambulance service public health oversight inspection without licensee or emergency agencies for oversight violating HIPAA medical response agency activities authorized by because it is a licensee must make law, including audits, permissible health records available for investigations, oversight activity. inspection by DHSS. inspections, licensure etc. As Required by Law §164.512(a) ● CEs may use or disclose 6 1664508.6 *This document does not address electronic signatures or contracts under federal law. Under Missouri law, electronic records, contracts and signatures are legal and enforceable in accordance with the law per RSMo. §432.230. Missouri Statute HIPAA Privacy Regulations Con- State Law Discussion and Implications for flict? or HIPAA? Conclusion Electronic HIE PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law. Data Collection Law Preemption Exception No State ● CEs may report data §190.176 §160.203(c) to DHSS pursuant to ● DHSS shall develop and ● Generally, HIPAA the data collection administer a uniform data preempts contrary state law without collection system on all laws. violating HIPAA ambulance runs and ● One exception to that rule because such reports injured patients. is when the state law are exempted from ● Hospitals are not provides for the reporting preemption and their required to disclose of disease or injury, child disclosure is certain data. abuse, birth or death, or required by law and for the conduct of public is a permissible health surveillance, public health investigation or activity. intervention. As Required by Law §164.512(a) ● CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is 7 1664508.6 *This document does not address electronic signatures or contracts under federal law. Under Missouri law, electronic records, contracts and signatures are legal and enforceable in accordance with the law per RSMo. §432.230. Missouri Statute HIPAA Privacy Regulations Con- State Law Discussion and Implications for flict? or HIPAA? Conclusion Electronic HIE limited to the requirements of such law. Public Health Activities §164.512(b)(1)(i) ● CEs may disclose PHI to a public health authority authorized to receive such information for the purpose of preventing or controlling disease, injury or disability. Licensure: Peer Review Health Oversight Activities No State ● CEs such as trauma Systems of Trauma §164.512(d) centers may disclose Centers ● CEs may disclose PHI to PHI to DHSS as part §190.245 public health oversight of the licensing ● Hospitals designated as agencies for oversight authority of DHSS trauma centers are activities authorized by without violating required to implement a law, including audits, HIPAA because it is peer review system for investigations, a permissible health trauma patients and inspections, licensure etc. oversight activity. DHSS has licensing ● DHSS is a CE to the authority necessary to As Required by Law extent it is a health ensure compliance. §164.512(a) care provider but it ● DHSS may only use the ● CEs may use or disclose is a hybrid entity records to implement PHI without giving the because it also has such statutes and may not individual the opportunity non-covered re-disclose the PHI. to agree or object and functions. without an authorization if ● Because the state 8 1664508.6 *This document does not address electronic signatures or contracts under federal law. Under Missouri law, electronic records, contracts and signatures are legal and enforceable in accordance with the law per RSMo. §432.230. Missouri Statute HIPAA Privacy Regulations Con- State Law Discussion and Implications for flict? or HIPAA? Conclusion Electronic HIE it is required by law and is law limitations on limited to the further disclosure by requirements of such law. DHSS relate to its function as a public health authority and Covered Entity not as a covered §160.103 health care provider, ● A covered entity includes HIPAA does not health care providers that regulate such transmit health disclosure. information in electronic ● Thus, further form in connection with a disclosure by DHSS transaction covered by is governed by state HIPAA. law. Hybrid Entity §164.504(a) ● A hybrid entity is a type of covered entity that has covered and non-covered functions. Such entities have the obligation to designate their health care components. Health Care Component §164.504(b) ● HIPAA only applies to the health care component of a hybrid entity. 9 1664508.6 *This document does not address electronic signatures or contracts under federal law. Under Missouri law, electronic records, contracts and signatures are legal and enforceable in accordance with the law per RSMo. §432.230. Missouri Statute HIPAA Privacy Regulations Con- State Law Discussion and Implications for flict? or HIPAA? Conclusion Electronic HIE Health and Welfare Patients’ Access to Medical Access of Individuals to PHI Records §164.524 §191.227 Access Access No State Access ● Requires a licensed ● CEs must allow, with ● Because both health care provider to certain limitations, an Missouri law and furnish copies of individual to inspect and HIPAA allow patient’s medical records obtain a copy of his or her individuals to have to patients or their legal PHI contained in a access to their PHI, representatives upon designated record set. CEs may follow request. state law regarding such access, except as limited below. Limitations on Access Limitations on Access Yes State Limitations on Access ● Allows denial of access ● Individuals have no access ● CEs must disclose based on therapeutic to psychotherapy notes psychotherapy notes privilege (limits access if that are maintained that are part of the consistent with the separately from the rest of patient’s medical patient’s condition and their medical record. record pursuant to sound therapeutic Missouri law, even treatment). though it is prohibited under HIPAA because Missouri law provides greater rights of access by patients and is 10 1664508.6 *This document does not address electronic signatures or contracts under federal law. Under Missouri law, electronic records, contracts and signatures are legal and enforceable in accordance with the law per RSMo. §432.230.

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.