Legal aspects of information sharing and communication by poison centers in the United States

CLINICAL TOXICOLOGY 2020, VOL. 58, NO. 7, 669–675
https://doi.org/10.1080/15563650.2019.1705478

COMMENTARY

Amy McDonald (a), Leslie Francis (a), Barbara Insley Crouch (b) and Mollie Cummins (c)

(a) S.J. Quinney College of Law, University of Utah, Salt Lake City, UT, USA; (b) College of Pharmacy, University of Utah, Salt Lake City, UT, USA; (c) College of Nursing, University of Utah, Salt Lake City, UT, USA

ABSTRACT

To keep pace with changing technology and to provide better treatment to the public, U.S. poison control centers have increasingly implemented new ways of communicating with healthcare providers and with patients, including electronic transfer of patient information. Innovation in communication and information sharing raises concerns over patient privacy and compliance with applicable laws. This narrative review analyzes both typical activities and emerging innovations of PCCs in relation to U.S. law and regulation regarding privacy, specifically the Health Insurance Portability and Accountability Act, the Substance Abuse and Mental Health Treatment Act, and the Federal Trade Commission Act. PCCs that are “covered entities” under HIPAA may exchange patient health information with other providers by telephone for purposes of treatment, and certainly during the emergency management of poisonings. SAMHSA regulations, however, limit information that can be shared outside of emergencies without patient consent. The FTC Act prohibits unfair or deceptive trade practices which may in some circumstances involve privacy violations. Text message exchanges between PCCs and patients present particularly difficult privacy challenges under these laws.

ARTICLE HISTORY

Received 3 September 2019; Revised 3 December 2019; Accepted 5 December 2019

KEYWORDS

Poison control center; toxicology; privacy; Health Insurance Portability and Accountability Act; United States Substance Abuse and Mental Health Services Administration; electronic health records; health information exchange; text messaging; jurisprudence

CONTACT Mollie Cummins mollie.cummins@utah.edu College of Nursing, University of Utah, Salt Lake City, UT, USA

© 2020 The Author(s). Published by Informa UK Limited, trading as Taylor & Francis Group. This is an Open Access article distributed under the terms of the Creative Commons Attribution-NonCommercial-NoDerivatives License (http://creativecommons.org/licenses/by-nc-nd/4.0/), which permits non-commercial re-use, distribution, and reproduction in any medium, provided the original work is properly cited, and is not altered, transformed, or built upon in any way.

I. Introduction

Poison control centers (PCCs) share and receive patient information with healthcare providers, public health entities, and patients. Traditionally, PCCs have shared and received information via telephone, email and fax. However, new methods of communicating and sharing information are emerging that raise questions about information privacy. PCCs are participating in health information exchange, electronically sending and receiving patient information with other organizations such as health departments and hospitals. PCCs also are beginning to use SMS messaging, instant messaging, and similar forms of electronic communication with patients.

Several legal frameworks are applicable to these advances in PCC methods of communication and information sharing. Information exchanged by PCCs with health care providers likely is protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) [1]. The federal Substance Abuse and Mental Health Treatment Act (SAMHSA), and the Federal Trade Commission (FTC) Act may also apply to PCCs. This narrative review discusses these protections as they apply to traditional information sharing activities and explains how each might apply to novel use cases presented by emerging methods of communication and information sharing used by PCCs.

II. Background: PCC information management

PCC activities with the information it gathers typically include documentation, storage, transfer, and sharing. Documentation and storage occur in several ways. First, similar to 9-1-1 call centers, PCCs usually implement a telephone recording system that stores audio recordings of every telephone call. Audio recordings are stored differently by each PCC, raising potential questions about data security. PCCs use stored audio recordings for operational purposes such as quality control and training. More rarely, audio recordings are used in health services and communications research.

Second, PCC specialists input information gathered via telephone, or ascertained through direct access to electronic health records, into their poisoning information software system (e.g. toxiCALL, Computer Automation Systems, Inc., Aurora, CO or ToxSentry™, Grady Memorial Hospital System/University of Florida – Jacksonville, Jacksonville, Florida). The data are stored in the form of case records and contain identifiers such as name, birth date, address, telephone number, age, and dates and times associated with the toxic exposure or other medical events. Many poison centers store voice recordings of calls. Anecdotally, some poison control centers are also storing information obtained through instant messaging, SMS messaging, and health information exchange.

Traditional forms of information transfer and sharing include sharing of the data collected in poison control center information systems. All U.S. PCCs submit a subset of de-identified case data to the National Poisoning Data System (NPDS) for poisoning surveillance. Data may also be shared, in identifiable or de-identified form, with local or regional public health agencies for public health reporting and toxicology research. In addition, data are used for operational purposes including quality control and training. The information documented within the system also may be shared with health care providers via telephone to provide care during poisoning emergencies.

Emerging forms of information transfer and sharing include sending or receiving patient information electronically, using widely accepted protocols and processes. For PCCs, electronic health information exchange (HIE) is a new form of information sharing and transfer that has not yet been widely adopted. For example, at the Utah PCC, we developed and implemented software called SNOWHITE that enables PCC participation in standards-based HIE. Using SNOWHITE, we send case data to our regional health information exchange organization, the Utah Information Network (UHIN), and route the data to designated recipients. Currently, we also send the data to the Utah Department of Health for environmental exposure monitoring and to designated emergency departments to support the care of patients with poisoning emergencies. If the case record matches an individual person’s identity in UHIN’s Master Patient Index, the data are also stored with the patient’s record in the Utah cHIE, a statewide repository for patient information contributed by multiple health care organizations via HIE processes. Authorized health care providers can log in and view the information in the Utah cHIE for their patients.

Alternatives to Telephone Communication. Some PCCs are exploring methods of communication that result in a text record of communications instead of an audio record. Examples include the use of instant messaging (IM) or text messaging (SMS). This approach captures some of the communication that would normally be stored as audio recording as text data, and this text data may or may not be stored in the same information system as other patient data.

Direct EHR Access. In recent years, some PCCs have been able to arrange direct access to patients’ electronic health records (EHR) for the purpose of providing consultation on poison exposure cases. In a typical scenario, poison center specialists access the system, search for a specific patient, then search for relevant information. They may manually record some information, such as patient status or the results of diagnostic testing, into the PCC’s information system.

III. HIPAA and PCC information sharing

HIPAA was enacted to further the electronic exchange of health information for billing and to increase portability of health insurance coverage. To address privacy and security concerns raised by this exchange, the Department of Health and Human Services (DHHS) developed the HIPAA privacy and security rules. These rules set a minimum floor of protections nationwide for most individual information within the U.S. healthcare system.

HIPAA applies to “protected health information” (PHI) possessed by HIPAA-“covered entities” (CEs) and their “business associates” (BAs). Understanding whether a PCC and its activities are subject to HIPAA requires analyzing each of these concepts.

HIPAA defines PHI through linked definitions of health information, identifiable health information, and protected health information [2]. Health information is any information, whether oral or recorded in any form, that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or payment for the provision of health care to an individual; and that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse. If a PCC is an entity on this list, such as a health care provider or public health authority, information that it receives relating to the condition or the health care of the individual is health information. Health information is identifiable if it identifies the individual or if there is a reasonable basis to believe the information can be used to identify the individual. PHI is identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium.

Based on this definition, the information standardly collected by PCCs from callers most likely is PHI. PCCs may be providers or public health authorities, in which case the information they collect is health information. They may collect information such as name or address that can be used to directly identify individuals. They maintain records in electronic form or in some other medium, so it is PHI. The limit of HIPAA protection to identifiable information is significant, however. PCCs may receive some information that cannot be used to identify individuals. An example is an anonymous call to a PCC from a device that cannot be traced to an individual asking about what to do in case of a toxic exposure. This would not be PHI absent any further reason to think that the information retained by the PCC can be used to identify the individual. The audio recordings of calls to the PCC could possibly be used to identify an individual using voice recognition technology, so would potentially be PHI. If individuals access the PCC through the Internet from a public computer, such as a computer in a public library, and do not give any information that might be used to identify them, this access also is not PHI unless the access could in some way be used to identify individuals. Questions about groups also are not PHI unless they contain individually identifiable health information.

HIPAA defines CEs as health plans, health care clearinghouses, or health care providers who transmit any health information in electronic form [2]. Depending on their structure, PCCs may be part of the CE of a healthcare provider. For example, a PCC that is part of an academic medical center may be structured to be part of that medical center’s CE.

HIPAA uses the definition of health care provider in the Social Security Act, a definition constructed for purposes of Medicare reimbursement [2]. The Social Security Act definition includes hospitals, critical access hospitals, skilled nursing facilities, comprehensive outpatient rehabilitation facilities, home health agencies, hospices, and some funds [3]. The definition also includes physicians’ services, services and supplies furnished as incident to a physician’s professional services or in professional offices, hospital outpatient services, diagnostic services, outpatient physical therapy, rural health clinic services, dialysis services and supplies, antigens prepared by a physician, nurse-midwife services, psychology services, clinical social worker services, prescription drugs, nutritional services, preventive care services, rehabilitation services, and a variety of screening tests [4].

In promulgating the HIPAA regulations, DHHS explained that it considered PCCs to be providers and their activities therefore to be treatment:

“We note that poison control centers are health care providers for purposes of this rule. We consider the counseling and follow-up consultations provided by poison control centers with individual providers regarding patient outcomes to be treatment. Therefore, poison control centers and other health care providers can share protected health information about the treatment of an individual without a business associate contract” [1].

The providers with whom PCCs interact electronically almost certainly are CEs, because they are providers and maintain at least some information in electronic form. The Utah PCC also transmits and receives information from the cHIE maintained by UHIN. UHIN transforms non-standard data into standard data elements, so that records from various systems can communicate with each other; as thus a clearinghouse, it too is a CE.

BAs are entities that create, receive, maintain or transmit PHI on behalf of a CE for activities such as claims processing or data analysis [2]. This definition was constructed to extend HIPAA coverage to entities with access to PHI from CEs and to require these entities to have what are called BA agreements for protecting PHI. Importantly, the BA agreement does not create the BA relationship; the function the BA performs for the CE requiring PHI access determines BA status [5]. Thus if UHIN transmits data for a provider for billing purposes, the provider must have a BA agreement with UHIN. Similarly, if the PCC provides any quality or other data analyses for CEs that requires the PCC to access PHI, the PCC is a BA of that CE for performing this function. An example would be a PCC accessing PHI from a CE in order to prepare a report for the CE on whether its management of patients with poison exposures meets quality metrics. BA agreements must ensure appropriate protections for PHI and must specify the uses and disclosures of PHI permitted by the BA [6–8]. BAs also are responsible for meeting requirements specified as applying to them in the HIPAA rules [9–13].

Health care providers exchanging information for treatment are not, however, BAs of one another by virtue of this exchange [2]. Thus if the PCC is a provider exchanging information with the patient’s other health care providers for patient care, these providers are not BAs of one another merely because of the exchange. Information sharing between PCCs and providers for patient care takes place as a treatment relationship among CEs. The DHHS statement that PCCs are “providers” under the HIPAA regulations thus means that PCCs may exchange PHI with other providers without having BA agreements for each exchange.

For privacy, HIPAA divides uses and disclosures of PHI into three levels of protection: uses and disclosures for which patient authorization is required, uses and disclosures for which patients must be given an opportunity to agree or object, and uses and disclosures for which neither authorization nor an opportunity to object are required.

Uses or disclosures requiring patient authorization include research, but there are many exceptions. Information that has been appropriately de-identified to HIPAA standards is no longer considered PHI [14–15]. “Limited data sets” of information that include location and date of service may also be created for use in research or for public health without authorization if a data use agreement is in place [16]. In addition, the authorization requirement for use of PHI in research may be waived by an IRB or privacy board if the research could not practicably occur if authorization were required, the research is no more than minimal risk with protections in place, and privacy will be appropriately protected [17–18].

Uses or disclosures requiring an opportunity to object include information relevant to an episode of care that is disclosed to family members, other relatives, close personal friends, or others identified by the person as individuals involved in the person’s health care. The information disclosed must only be what is directly relevant to the person’s care [19]. Under this provision, PCCs could disclose information relevant to care of someone experiencing a toxic exposure if the person has an opportunity to object and does not. In emergency circumstances in which the opportunity to agree or object is not practicable, HIPAA permits providers to use their professional judgment to determine whether disclosure is in the best interests of the individual. Such emergency disclosures must be limited to information directly relevant to the individual’s care [20]. Thus if a PCC receives an apparent emergency call about an individual, the PCC may exercise its best professional judgment in disclosing information about the individual to those providing help.

Uses or disclosures not requiring authorization or an opportunity to object include treatment, payment, or health care operations [21]. Thus the PCC access to patient records, or the PCC’s addition of information to patient records, do not require HIPAA authorization. Interchanges between the PCC and health care providers via a regional health information exchange organization are treatment and do not require HIPAA authorization or an opportunity to object from the patient.

Disclosures not requiring authorization also include uses or disclosures as required by law, including disclosures to state public health authorities [21]. Thus PCCs may disclose the content of calls they receive, including identifying patient information, to state public health as legally required. Disclosures required by law also include information about adverse drug events for post-marketing surveillance [21]. They also include disclosures for health oversight, such as licensing or investigations, and thus might include information needed to determine activities of pill mills or drug diversion [22]. Importantly, however, these disclosures are limited to the information and manner of disclosure required by law.

Uses and disclosures of PHI without authorization or agreement also include certain disclosures for law enforcement. An example is a disclosure about an individual who may be a crime victim but who is unable to agree or object to a use or disclosure due to incapacity, if a law enforcement official represents that the information is needed to determine whether a violation of law by someone other than the victim has occurred, the information is not intended to be used against the victim, the immediate law enforcement activity depending on the disclosure would be materially affected adversely by waiting until the individual can agree, and the CE’s professional judgment is that disclosure is in the best interests of the individual [23]. The law enforcement exception also includes information from a CE providing emergency medical care, if the information is needed to alert law enforcement about the commission of a crime [24]. CEs may also disclose information in response to express authorizations in court orders, judicial subpoenas, legal requirements for reporting wounds or injuries, and other subpoenas, with satisfactory assurances that the individual was given notice and an opportunity to respond [25]. Beyond these permitted disclosures, PHI may not be disclosed to law enforcement without patient authorization.

One final HIPAA protection relevant to PCCs is that individuals are permitted to request restrictions of the uses and disclosures of their PHI. So, an individual telephoning a PCC that is a CE may request that the information provided not be further disclosed for their treatment, payment, or health care operations, or to individuals involved in their care [26]. CEs are not, however, required to agree to this request [27]. Even if the CE does agree to the request, the CE may use or disclose information needed to provide emergency treatment for the individual [28]. Thus if a caller to a PCC provides information and the PCC agrees to a restriction on disclosure, the PCC may still use or disclose the information as needed for emergency toxic exposure treatment. The PCC must, however, request that the information not be further used or disclosed beyond the emergency [29].

IV. SAMHSA and PCC information sharing

SAMHSA (Substance Abuse and Mental Health Services Administration) protections are designed to encourage people to receive treatment. These regulations (called the “Part 2” regulations for short because of their location in the federal regulations) provide stringent consent requirements for the records they cover.

SAMHSA Part 2 regulations apply to records generated about patients who have been treated, diagnosed, or referred for treatment for substance use disorders at federally assisted programs for substance abuse treatment or diagnosis. Coverage includes all information that would identify an individual as having a substance use disorder, even acknowledging the presence of a person in a Part 2 facility [30]. Programs receiving funding from Medicare or Medicaid are included as receiving federal assistance [31]. To qualify as a Part 2 program, a facility must hold itself out as providing and provide substance abuse treatment, diagnosis, or referral; identified units within a medical facility may also qualify, as may medical personnel whose primary function is identified as providing such treatment [31]. Facilities that do not hold themselves out as providing substance abuse disorder treatment are not covered by Part 2, such as EDs that diagnose and treat overdoses [32]. This exclusion is because the presence of a patient in an ED does not reveal the type of treatment that the patient is receiving.

PCCs that provide information about overdoses are not Part 2 providers, unless they also hold themselves out as providing substance abuse treatment or diagnosis. Also, diagnoses are not covered unless they provide evidence of substance use disorders; thus, accidental overdoses do not come within the purview of Part 2 unless they might reveal a connection to an underlying substance use disorder [33]. Individuals calling PCCs about opioid overdoses may have been, or currently be, receiving treatment that comes under the Part 2 protections. PCC access to information about treatment coming under Part 2 will therefore be limited by the Part 2 protections.

In general, any disclosure of records protected by Part 2 requires specific written consent identifying explicitly what information may be disclosed, and to which individuals [34]. This includes disclosures of information for treatment. Thus, the information PCCs may receive about patients for treatment will not include Part 2 protected information unless patients have given specific consent for the disclosure. And, if the PCC is a Part 2 provider, any further disclosures of protected information also require consent. As the consent must be written, agreement in a telephone conversation for the information to be shared will not suffice.

Recent adjustments in the Part 2 regulations account for HIEs and for entities with which a patient has a treatment relationship. A patient may consent to disclosure to a medical group with whom she has a treatment relationship [35], including not only her primary care physician but also mental health professionals associated with the medical group. Patients may consent to disclosures to HIEs, but only with specific names of the individuals, entities with which the patient has a treatment relationship, or general designation of the type of entity with which the patient has a treating provider relationship [36], who may receive the protected information. Thus if a patient has received substance abuse treatment from a Part 2 provider and consented to inclusion of this information in the HIE, the PCC will not get the information unless the patient consent named the PCC, the PCC is part of an entity with which the patient has a treatment relationship, or the PCC falls under a designation of a type of entity with which the patient has a treatment relationship.

Any disclosure made with consent must include a statement that the information is Part 2 protected and may not be re-disclosed without explicit written consent [37]. PCCs receiving SAMHSA protected information thus must not re-disclose information without explicit written consent.

Given these restrictions and especially the requirement that the consent be explicit and written, PCC access to information from the regional health information exchange organization is likely not to include patient information protected by the Part 2 regulations. There is an exception for information needed to meet bona fide medical emergencies—as information about prescriptions in an overdose emergency might be—when the patient’s prior informed consent cannot be obtained [38]. There is also an exception for research as permitted under the HIPAA requirements [39]. Certain court orders may also authorize disclosure of protected records. Beyond these exceptions, SAMHSA protection applies strictly.

V. FTC act and PCC information sharing

The FTC (Federal Trade Commission) Act applies to entities engaged in interstate commerce. State agencies and, for the most part, charities, are not covered by the FTC Act. The FTC Act is included in this discussion, however, as some of the entities with which PCCs deal may be covered, such as any for-profit health care provider. These providers are likely also to be covered by HIPAA, as described above. In today’s healthcare world, however, many non-HIPAA covered entities also have important information about individual health. For example, an individual’s Facebook account that contains health information is not covered by HIPAA but is covered by the FTC Act.

For the many non-HIPAA covered entities engaged in interstate commerce, the FTC Act is the only significant federal protection for health information. These non-HIPAA-covered entities include social media firms such as Facebook, personal health record vendors, patient registries maintained by pharmaceutical companies, genetic testing companies such as 23andme or Ancestry, and wellness programs. The FTC prohibits unfair or deceptive trade practices on the part of these entities [40]. It is deceptive for an entity to mislead or lie about its privacy practices. Thus if an entity’s privacy policy available on its website states that it is “HIPAA-compliant” but the entity discloses information in a manner that would not be permitted by HIPAA, it has violated the FTC Act. The FTC has taken a number of enforcement actions against social media firms for failure to adhere to their announced privacy policies. Privacy violations that are considered “unfair” by the FTC are very few, but do include disclosures of information that could significantly harm an individual and that the individual could not reasonably protect against. An example would be security violations that exposed consumers to identity theft by revealing information about them.

VI. Application to emerging forms of information sharing

Several newer use cases of information by PCCs present challenging privacy questions: exchanges with callers who are members of the general public; electronic exchanges with health care providers; and uses of mobile communication methods such as text messaging and other non-telephone communication.

Use Case #1: Exchanges with callers who are members of the general public. The HIPAA rules apply to PCCs if they are CEs (or their BAs) who possess PHI. When callers to PCCs seek information for care, DHHS considers PCCs to be entering into a treatment relationship with callers. PCCs in this context are therefore CEs and may exchange PHI with other providers for purposes of treatment.

The SAMHSA regulations also may affect information exchange when calls come from the general public. As described above, the PCC itself will not be a Part 2 provider unless it is federally funded and holds itself out as providing substance abuse treatment. However, callers may have seen Part 2 providers as part of their care. Absent specific written consent by the caller for these records to be shared, the PCC will not have access to them unless SAMHSA exceptions occur. The most likely exception would be for bona fide emergency care when the patient’s consent cannot be obtained. Other, less likely possibilities are that the patient may have already given consent for their Part 2-protected records to be exchanged with providers who are part of the same medical group and the PCC is a part of that group, or that the patient may have named the PCC as an entity that may receive the Part 2-protected records through the regional health information exchange organization. These SAMHSA restrictions may significantly limit the information about callers’ other care that is available to the PCC.

Calls also may be made to PCCs by persons other than patients. These callers may be seeking help for family, friends, or even acquaintances or strangers in situations of apparent toxic exposure. Any identifiable information given by the caller to the PCC about the patient for treatment is PHI. As part of the treatment relationship, HIPAA would permit the PCC to access other records of the patient, although as discussed above the access would be subject to any applicable SAMHSA restrictions. Whether disclosures of additional information about the patient to the caller would be permitted under HIPAA is complex, however. If the patient has an opportunity to object and does not do so, information directly relevant to the episode of care may be disclosed to persons identified as involved in that care. If the opportunity to object is not possible, in emergency situations further disclosures are permissible within the reasonable medical judgment of the PCC. Even if the patient has requested that the information not be disclosed and the provider has agreed to the non-disclosure, it may be shared in reasonable professional judgment in an emergency. So, for example, PCCs may disclose information about other medications prescribed to the patient in order to address needs for emergency care.

Some callers, however, may not share identifiable information with PCCs or otherwise give information that reasonably could enable them to be identified. In such situations, the PCC does not have PHI and the information given by the caller would not be HIPAA-protected. It could then be used without HIPAA authorization for purposes such as research, although it might be subject to other legal rules governing the protection of information used in research.

Use Case #2: Electronic exchanges with providers. As explained above, PCCs are considered to be CEs providing treatment to patients. They thus may exchange information electronically with other providers for purposes of treatment without patient authorization. Information may also be exchanged without authorization for purposes of health care operations such as quality improvement.

SAMHSA Part 2 regulations, however, may continue to erect substantial barriers to electronic exchanges among providers for treatment. Few patients are likely to have specified the PCC as a provider that can receive Part 2-protected records through the regional health information exchange organization. Also, the PCC is unlikely to be part of the medical group treating the patient for SAMHSA purposes. Only in emergencies, therefore, will the PCC be likely to be able to breach the SAMHSA protective wall.

Use Case #3: Mobile technologies such as text messaging. Some PCCs are exploring new methods for communicating with callers using mobile devices. For example, when a PCC receives a call from a mobile device, it will have a record of the telephone number. After the call has ended, the PCC may wish to text back to see how the patient is doing or to give further advice. From a HIPAA perspective, this communication may be problematic unless it is very carefully made. Text messages to patients that reveal PHI violate HIPAA unless they are a use or disclosure that is otherwise permitted. The safest method for the PCC is therefore to craft a message in such a way that it does not reveal PHI, although this may be difficult if the PCC wishes to inquire by name about a particular individual. An example might be a text that reads: “This is a general alert. Poison control centers may have useful information in cases of overdose. For information, call xxx-xxx-xxxx.” Like information about weather alerts, this does not convey specific information about a patient, even the information that a call may have been made from that mobile device to the PCC.

Messages to the patient for treatment are permitted without authorization; however, a text to a mobile device may be read by someone other than the patient. PCCs cannot assume that the call was made from the patient’s mobile device, either, so encrypting the message in a way that enables it to be read only by the owner of the mobile device will not necessarily protect PHI. Messages to those involved in the patient’s care, containing only information directly

VII. Conclusion

This paper summarizes the legal framework for information sharing practices for PCCs with traditional information sharing practices as well as emerging methods of communication. Under HIPAA, PCCs may exchange information electronically for treatment without patient authorization, but may not otherwise inadvertently reveal PHI through mobile and other non-telephone communications. SAMHSA may limit the ability of PCCs to access records of treatment provided under federally funded substance abuse treatment programs. For commercial entities not covered by HIPAA, the FTC Act prohibits unfair or deceptive trade practices, including practices dealing with important information about individual health.

Disclosure statement

No potential conflict of interest was reported by the authors.

Funding

This review was supported by the US Department of Health and Human Services, Agency for Healthcare Research and Quality Grant 5R01HS021472, and by the University of Utah.

ORCID

Leslie Francis http://orcid.org/0000-0002-7356-3459
Barbara Insley Crouch http://orcid.org/0000-0002-2752-5072
Mollie Cummins http://orcid.org/0000-0001-7078-8479

References

[1] Treatment, 65 Fed. Reg. 82,625, 82,626 (Dec. 28, 2000).
[2] Public Welfare, Security and Privacy 2013 45 C.F.R. § 160.103.
[3] Health Insurance Portability and Accountability Act 1996 42 U.S.C. § 1385x(u).
[4] Health Insurance Portability and Accountability Act 1996 42 U.S.C. § 1385x(s).
[5] Public Welfare, Uses and Disclosures of Protected Health Information: General Rules 2013 45 C.F.R. § 164.502(e).
[6] Public Welfare, Compliance reviews 2013 45 C.F.R. § 164.308(b).
[7] Public Welfare, Investigational subpoenas and inquiries 2006 45 C.F.R. § 164.314(a).
[8] Public Welfare, Uses and disclosures: Organizational requirements 2013 164.504(e) (2019).
[9] Public Welfare, General Administrative Requirements, Applicability 2013 45 C.F.R. § 160.102(b).
[10] Public Welfare, Security and Privacy, Applicability 2013 45 C.F.R. § 164.104(b).
[11] Public Welfare, Relationship to other parts 2013 45 C.F.R.
§ relevant to that care, also are permissible if the patient has 164.106. an opportunity to object and does not do so. However, there [12] Public Welfare, Security and Privacy, Definitions 2013 45 C.F.R § are no guarantees that a mobile device will be picked up 164.302. only by the patient or persons involved in the patient’s care, [13] Public Welfare, Privacy of Individually Identifiable Health Information, Applicability 2013, 45 C.F.R. § 164.500(b). or that the patient can be given an opportunity to object [14] Public Welfare, Uses and Disclosures for Which an Authorization is and not do so. Only if the PCC believes in reasonable med- Required 2013 45 C.F.R. § 164.508. ical judgment that the situation is a continuing emergency [15] Public Welfare, Other requirements relating to uses and disclosures necessitating disclosure of the PHI is it likely to be permis- of protected health information 2013 45 C.F.R. § 164.514(a). sible under HIPAA for the PCC to text back in a way that [16] Public Welfare, Other requirements relating to uses and disclosures might reveal PHI to anyone picking up the device. of protected health information 2013 45 C.F.R. § 164.514(e). CLINICAL TOXICOLOGY 675 [17] Public Welfare, Uses and disclosures for which an authorization or [26] Public Welfare, Rights to request privacy protection for protected opportunity to agree or object is not required 2016 45 C.F.R. § health information 2013 45 C.F.R. § 164.522(a)(1)(i). 164.512(i). [27] Public Welfare, Rights to request privacy protection for protected [18] Public Welfare, Uses and disclosures for which an authorization or health information 2013 45 C.F.R. § 164.522(a)(1)(ii). opportunity to agree or object is not required 2016 45 C.F.R. § [28] Public Welfare, Rights to request privacy protection for protected 164.512(i)(2)(ii). health information 2013 45 C.F.R. § 164.522(a)(1)(iii). 
[19] Public Welfare, Uses and disclosures requiring an opportunity for [29] Public Welfare, Rights to request privacy protection for protected the individual to agree or to object 2013 45 C.F.R. § 164.510(b). health information 2013 45 C.F.R. § 164.522(a)(1)(iv). [20] Public Welfare, Uses and disclosures requiring an opportunity for [30] Public Health, Confidentiality restrictions and safeguards 2017 42 the individual to agree or to object 2013 45 C.F.R. § 164.510(b)(3). C.F.R. § 2.13(c). [21] Public Welfare, Uses and disclosures of protected health informa- [31] Public Health, Definitions 2017 42 C.F.R. § 2.11. tion: General rules 2013 45 C.F.R. § 164.502(a)(1)(ii). [32] Public Health, Applicability 2017 42 C.F.R. § 2.12(e)(1). [22] Public Welfare, Uses and disclosures for which an authorization or [33] Public Health, Applicability 2017 42 C.F.R. § 2.12(e)(4). opportunity to agree or object is not required 2016 45 C.F.R. § [34] Public Health, Consent Requirements 2017 42 C.F.R. § 2.31(a). 164.512(d). [35] Public Health, Consent Requirements 2017 42 C.F.R. § 2.31(a)(4)(ii). [23] Public Welfare, Uses and disclosures for which an authorization or [36] Public Health, Consent Requirements 2017 42 C.F.R. § 2.31(a)(4)(iii). opportunity to agree or object is not required 2016 45 C.F.R. § [37] Public Health, Prohibition on re-disclosure 2018 42 C.F.R. § 2.32. 164.512(f)(3)(ii). [38] Public Health, Medical emergencies 2017 42 C.F.R. § 2.51(a). [24] Public Welfare, Uses and disclosures for which an authorization or [39] Public Health, Research 2017 42 C.F.R. § 2.52. opportunity to agree or object is not required 2016 45 C.F.R. § [40] Commerce and Trade, Unfair methods of competition unlawful; pre- 164.512(f)(6). vention by Commission 2006 15 U.S.C. § 45. [25] Public Welfare, Uses and disclosures for which an authorization or opportunity to agree or object is not required 2016 45 C.F.R. § 164.512(e). 

Publisher
Taylor & Francis
Copyright
© 2020 The Author(s). Published by Informa UK Limited, trading as Taylor & Francis Group.
ISSN
1556-9519
eISSN
1556-3650
DOI
10.1080/15563650.2019.1705478
These non-HIPAA- friends, or even acquaintances or strangers in situations of covered entities include social media firms such as Facebook, apparent toxic exposure. Any identifiable information given personal health record vendors, patient registries maintained by the caller to the PCC about the patient for treatment is by pharmaceutical companies, genetic testing companies PHI. As part of the treatment relationship, HIPAA would per- such as 23andme or Ancestry, and wellness programs. The mit the PCC to access other records of the patient, although FTC prohibits unfair or deceptive trade practices on the part as discussed above the access would be subject to any of these entities [40]. It is deceptive for an entity to mislead applicable SAMHSA restrictions. Whether disclosures of add- or lie about its privacy practices. Thus if an entity’s privacy itional information about the patient to the caller would be policy available on its website states that it is “HIPAA- permitted under HIPAA is complex, however. If the patient compliant” but the entity discloses information in a manner has an opportunity to object and does not do so, informa- that would not be permitted by HIPAA, it has violated the tion directly relevant to the episode of care may be disclosed FTC Act. The FTC has taken a number of enforcement actions to persons identified as involved in that care. If the oppor- against social media firms for failure to adhere to their tunity to object is not possible, in emergency situations fur- announced privacy policies. Privacy violations that are con- ther disclosures are permissible within the reasonable sidered “unfair” by the FTC are very few, but do include dis- medical judgment of the PCC. 
Even if the patient has closures of information that could significantly harm an requested that the information not be disclosed and the pro- individual and that the individual could not reasonably pro- vider has agreed to the non-disclosure, it may be shared in tect against. An example would be security violations that reasonable professional judgment in an emergency. So, for exposed consumers to identity theft by revealing information example, PCCs may disclose information about other medica- about them. tions prescribed to the patient in order to address needs for emergency care. Some callers, however, may not share identifiable informa- VI. Application to emerging forms of tion with PCCs or otherwise give information that reasonably information sharing could enable them to be identified. In such situations, the Several newer use cases of information by PCCs present chal- PCC does not have PHI and the information given by the lenging privacy questions: exchanges with callers who are caller would not be HIPAA-protected. It could then be used 674 A. MCDONALD ET AL. without HIPAA authorization for purposes such as research, VII. Conclusion although it might be subject to other legal rules governing This paper summarizes the legal framework for information the protection of information used in research. sharing practices for PCCs with traditional information shar- Use Case #2: Electronic exchanges with providers. As ing practices as well as emerging methods of communica- explained above, PCCs are considered to be CEs providing tion. Under HIPAA, PCCs may exchange information treatment to patients. They thus may exchange information electronically for treatment without patient authorization, electronically with other providers for purposes of treatment but may not otherwise inadvertently reveal PHI through without patient authorization. Information may also be mobile and other non-telephone communications. 
SAMHSA exchanged without authorization for purposes of health care may limit the ability of PCCs to access records of treatment operations such as quality improvement. provided under federally funded substance abuse treatment SAMHSA Part 2 regulations, however, may continue to programs. For commercial entities not covered by HIPAA, the erect substantial barriers to electronic exchanges among pro- FTC Act prohibits unfair or deceptive trade practices, includ- viders for treatment. Few patients are likely to have specified ing practices dealing with important information about indi- the PCC as a provider that can receive Part 2-protected vidual health. records through the regional health information exchange organization. Also, the PCC is unlikely to be part of the med- ical group treating the patient for SAMHSA purposes. Only in Disclosure statement emergencies, therefore, will the PCC be likely to be able to No potential conflict of interest was reported by the authors. breach the SAMHSA protective wall. Use Case # 3: Mobile technologies such as text messaging. Some PCCs are exploring new methods for communicating Funding with callers using mobile devices. For example, when a PCC This review was supported by the US Department of Health and Human receives a call from a mobile device, it will have a record of Services, Agency for Healthcare Research and Quality Grant the telephone number. After the call has ended, the PCC 5R01HS021472, and by the University of Utah. may wish to text back to see how the patient is doing or to give further advice. From a HIPAA perspective, this communi- ORCID cation may be problematic unless it is very carefully made. Text messages to patients that reveal PHI violate HIPAA Leslie Francis http://orcid.org/0000-0002-7356-3459 Barbara Insley Crouch http://orcid.org/0000-0002-2752-5072 unless they are a use or disclosure that is otherwise permit- Mollie Cummins http://orcid.org/0000-0001-7078-8479 ted. 
The safest method for the PCC is therefore to craft a message in such a way that it does not reveal PHI, although this may be difficult if the PCC wishes to inquire by name References about a particular individual. An example might be a text [1] Treatment, 65 Fed. Reg. 82,625, 82,626 (Dec. 28, 2000). that reads: “This is a general alert. Poison control centers [2] Public Welfare, Security and Privacy 2013 45 C.F.R. § 160.103. may have useful information in cases of overdose. For infor- [3] Health Insurance Portability and Accountability Act 1996 42 U.S.C. § mation, call xxx-xxx-xxxx.” Like information about weather 1385x(u). [4] Health Insurance Portability and Accountability Act 1996 42 U.S.C. § alerts, this does not convey specific information about a 1385x(s). patient, even the information that a call may have been [5] Public Welfare, Uses and Disclosures of Protected Health made from that mobile device to the PCC. Information: General Rules 2013 45 C.F.R. § 164.502(e). Messages to the patient for treatment are permitted with- [6] Public Welfare, Compliance reviews 2013 45 C.F.R. § 164.308(b). out authorization; however, a text to a mobile device may [7] Public Welfare, Investigational subpoenas and inquiries 2006 45 C.F.R. § 164.314(a). be read by someone other than the patient. PCCs cannot [8] Public Welfare, Uses and disclosures: Organizational requirements assume that the call was made from the patient’s mobile 2013 164.504(e) (2019). device, either, so encrypting the message in a way that ena- [9] Public Welfare, General Administrative Requirements, Applicability bles it to be read only by the owner of the mobile device 2013 45 C.F.R. § 160.102(b). will not necessarily protect PHI. Messages to those involved [10] Public Welfare, Security and Privacy, Applicability 2013 45 C.F.R. § 164.104(b). in the patient’s care, containing only information directly [11] Public Welfare, Relationship to other parts 2013 45 C.F.R. 
§ relevant to that care, also are permissible if the patient has 164.106. an opportunity to object and does not do so. However, there [12] Public Welfare, Security and Privacy, Definitions 2013 45 C.F.R § are no guarantees that a mobile device will be picked up 164.302. only by the patient or persons involved in the patient’s care, [13] Public Welfare, Privacy of Individually Identifiable Health Information, Applicability 2013, 45 C.F.R. § 164.500(b). or that the patient can be given an opportunity to object [14] Public Welfare, Uses and Disclosures for Which an Authorization is and not do so. Only if the PCC believes in reasonable med- Required 2013 45 C.F.R. § 164.508. ical judgment that the situation is a continuing emergency [15] Public Welfare, Other requirements relating to uses and disclosures necessitating disclosure of the PHI is it likely to be permis- of protected health information 2013 45 C.F.R. § 164.514(a). sible under HIPAA for the PCC to text back in a way that [16] Public Welfare, Other requirements relating to uses and disclosures might reveal PHI to anyone picking up the device. of protected health information 2013 45 C.F.R. § 164.514(e). CLINICAL TOXICOLOGY 675 [17] Public Welfare, Uses and disclosures for which an authorization or [26] Public Welfare, Rights to request privacy protection for protected opportunity to agree or object is not required 2016 45 C.F.R. § health information 2013 45 C.F.R. § 164.522(a)(1)(i). 164.512(i). [27] Public Welfare, Rights to request privacy protection for protected [18] Public Welfare, Uses and disclosures for which an authorization or health information 2013 45 C.F.R. § 164.522(a)(1)(ii). opportunity to agree or object is not required 2016 45 C.F.R. § [28] Public Welfare, Rights to request privacy protection for protected 164.512(i)(2)(ii). health information 2013 45 C.F.R. § 164.522(a)(1)(iii). 
[19] Public Welfare, Uses and disclosures requiring an opportunity for [29] Public Welfare, Rights to request privacy protection for protected the individual to agree or to object 2013 45 C.F.R. § 164.510(b). health information 2013 45 C.F.R. § 164.522(a)(1)(iv). [20] Public Welfare, Uses and disclosures requiring an opportunity for [30] Public Health, Confidentiality restrictions and safeguards 2017 42 the individual to agree or to object 2013 45 C.F.R. § 164.510(b)(3). C.F.R. § 2.13(c). [21] Public Welfare, Uses and disclosures of protected health informa- [31] Public Health, Definitions 2017 42 C.F.R. § 2.11. tion: General rules 2013 45 C.F.R. § 164.502(a)(1)(ii). [32] Public Health, Applicability 2017 42 C.F.R. § 2.12(e)(1). [22] Public Welfare, Uses and disclosures for which an authorization or [33] Public Health, Applicability 2017 42 C.F.R. § 2.12(e)(4). opportunity to agree or object is not required 2016 45 C.F.R. § [34] Public Health, Consent Requirements 2017 42 C.F.R. § 2.31(a). 164.512(d). [35] Public Health, Consent Requirements 2017 42 C.F.R. § 2.31(a)(4)(ii). [23] Public Welfare, Uses and disclosures for which an authorization or [36] Public Health, Consent Requirements 2017 42 C.F.R. § 2.31(a)(4)(iii). opportunity to agree or object is not required 2016 45 C.F.R. § [37] Public Health, Prohibition on re-disclosure 2018 42 C.F.R. § 2.32. 164.512(f)(3)(ii). [38] Public Health, Medical emergencies 2017 42 C.F.R. § 2.51(a). [24] Public Welfare, Uses and disclosures for which an authorization or [39] Public Health, Research 2017 42 C.F.R. § 2.52. opportunity to agree or object is not required 2016 45 C.F.R. § [40] Commerce and Trade, Unfair methods of competition unlawful; pre- 164.512(f)(6). vention by Commission 2006 15 U.S.C. § 45. [25] Public Welfare, Uses and disclosures for which an authorization or opportunity to agree or object is not required 2016 45 C.F.R. § 164.512(e).

Journal

Clinical Toxicology, Taylor & Francis

Published: Jul 2, 2020

Keywords: Poison control center; toxicology; privacy; Health Insurance Portability and Accountability Act; United States Substance Abuse and Mental Health Services Administration; electronic health records; health information exchange; text messaging; jurisprudence
