Thursday, September 3, 2020

HIPAA - Parents and Their Children’s Medical Records

Parents and Their Children’s Medical Records

Situations when parents can and cannot see their children’s medical records

Does the HIPAA Privacy Rule allow parents the right to see their children’s medical records?

The answer is YES; the Privacy Rule generally allows a parent to have access to the medical records about his or her child, as his or her minor child’s personal representative when such access is not inconsistent with State or other law.

Exceptions when the parent would not be the minor’s personal representative under the Privacy Rule.

1. When the minor is the one who consents to care, and the consent of the parent is not required under State or other applicable law;

2. When the minor obtains care at the direction of a court or a person appointed by the court and

3. When and to the extent that, the parent agrees that the minor and the health care provider may have a confidential relationship.

Four exceptions to the exceptions

Even in these exceptional situations, there are additional rules to follow:

1. The parent may have access to the medical records of the minor related to this treatment when State or other applicable law requires or permits such parental access.
2. Parental access would be denied when State or other law prohibits such access.
3. If State or other applicable law is silent on a parent’s right of access in these cases, the licensed health care provider may exercise his or her professional judgment to the extent allowed by law to grant or deny parental access to the minor’s medical information.
4. Finally, as is the case with respect to all personal representatives under the Privacy Rule, a provider may choose not to treat a parent as a personal representative when the provider reasonably believes, in his or her professional judgment, that the child has been or may be subjected to domestic violence, abuse, neglect or that treating the parent as the child’s personal representative could endanger the child.

Can a minor child’s doctor talk to the child’s parent about the patient’s mental health status and needs?

Again the answer is generally yes. With respect to general treatment situations, a parent, guardian, or other person acting in loco parentis usually is the personal representative of the minor child and a health care provider is permitted to share patient information with a patient’s personal representative under the Privacy Rule.

Here come the exceptions

However, section 164.502(g) of the Privacy Rule contains several important exceptions to this general rule. A parent is not treated as a minor child’s personal representative when:

1. State or other law does not require the consent of a parent or other person before a minor can obtain a particular health care service, the minor consents to the health care service and the minor child has not requested the parent be treated as a personal representative;
2. Someone other than the parent is authorized by law to consent to the provision of a particular health service to a minor and provides such consent, or
3. A parent agrees to a confidential relationship between the minor and a health care provider with respect to the health care service. For example, if State law provides an adolescent the right to obtain mental health treatment without parental consent, and the adolescent consents to such treatment, the parent would not be the personal representative of the adolescent with respect to that mental health treatment information.

HIPAA defers to State Laws

Unlike some HIPAA Rules, the Privacy Rule concedes to State or other applicable laws in allowing or not allowing disclosure. Regardless of whether the parent is otherwise considered a personal representative, the Privacy Rule defers to State or other applicable laws that expressly address the ability of the parent to obtain health information about the minor child. In doing so, the Privacy Rule permits a covered entity to disclose to a parent, or provide the parent with access to, a minor child’s protected health information when and to the extent that it is permitted or required by State or other laws (including relevant case law). Likewise, the Privacy Rule prohibits a covered entity from disclosing a minor child’s protected health information to a parent when and to the extent it is prohibited under State or other laws (including relevant case law).

What if the State Laws are silent?

In cases in which State or other applicable law is silent concerning disclosing a minor’s protected health information to a parent, and the parent is not the personal representative of the minor child based on one of the exceptional circumstances described above, a covered entity has the discretion to provide or deny a parent access to the minor’s health information, if doing so is consistent with State or other applicable law, and the decision is made by a licensed health care professional in the exercise of professional judgment.

Mental Health and Substance Abuse laws may be stricter

In situations where a minor patient is being treated for a mental health disorder and a substance abuse disorder, additional laws may be applicable. The Federal confidentiality statute and regulations that apply to federally-funded drug and alcohol abuse treatment programs contain provisions that are more stringent than HIPAA. In these cases, it is wise to know your State laws and HIPAA rules, found here: https://www.hhs.gov/hipaa/for-professionals/special-topics/mental-health/index.html

Reminder: A parent also may not be a personal representative if there are safety concerns. A provider may decide not to treat the parent as the minor’s personal representative if the provider believes that the minor has been or may be subject to violence, abuse, or neglect by the parent or the minor may be endangered by treating the parent as the personal representative; and the provider determines, in the exercise of professional judgment, that it is not in the best interests of the patient to treat the parent as the personal representative.

Friday, August 21, 2020

HVAC Systems and COVID-19

Do we need to protect employees from our building’s air conditioners?

Cause for concern?

In one study, available online as a preprint and has not undergone scientific review, researchers in Oregon collected samples from various places inside a hospital’s HVAC system and found genetic material from the virus that causes COVID-19. This demonstrates that it may be possible for the virus to be transmitted through HVAC systems.

The research started late; the final evidence is not in yet

However, researchers did not assess if the genetic material they found was able to cause infection, and they noted there were no confirmed COVID-19 cases associated with the samples found in the ventilation systems.

There is currently no conclusive evidence documenting the possibility of COVID-19 transmission through an air conditioning unit.

The known risk is non-circulation indoors

The known risk is that hot weather outside makes people seek air-conditioned comfort indoors. And indoors, there is less ventilation and more opportunity to spread disease. The risk to healthcare workers is that we are indoors and, on occasion, not socially distancing and rebreathing the air that people have just exhaled.

When we shut the doors and windows to keep the hot air outside, we are essentially eliminating the flow of fresh air, so everyone in the room is breathing and rebreathing the same air. If someone in the room is infected with COVID-19, then they are breathing out the virus, which can linger in airborne droplets and be inhaled by another person, potentially causing infection.

By comparison, if you were outside and near an infected person who breathed out some viral particles, there is a much larger volume of air flowing to disperse and dilute those particles quickly, reducing the risk of spread to another person nearby. That is why infectious disease experts consider outdoor gatherings and activities less risky than indoor ones (though not completely risk-free).

Another suspected risk of air conditioning

The other significant risk is that air conditioning units, fans, or even an open window can create strong enough air currents to move virus-containing droplets around a room. This happened in January at a restaurant in Guangzhou, China, where a person with COVID-19 infected five other people sitting at neighboring tables from 3 to 6 feet away, according to a study by scientists from the Chinese Center for Disease Control and Prevention. After examining video footage of the diners who were infected and simulating the transmission of the virus, scientists concluded that the small outbreak was caused by strong air currents from the air conditioning unit above the diners, which was blowing virus-containing aerosols from an infected person to those nearby. The restaurant also had no windows — and thus no ventilation bringing in fresh air and diluting virus particles in the air.

A clue: Flu particles can travel 30 feet in the air

The fact that aerosolized viral droplets can move in air currents in this way means that if you are in a room with an infected person and fresh air is not circulating, even if you are socially distancing to keep 6 feet apart at a minimum, you may not be safe. Although there are currently no published studies that have examined precisely how far airborne COVID-19 particles can travel, previous research on influenza found that viral particles may travel upward of 30 feet in the air.

To be clear, this is only a concern in shared public places. At home, the risk of contracting COVID-19 through air currents or air conditioning units is no more likely than spreading the virus through close contact or touching contaminated surfaces.

CDC Engineering recommendations for protecting employees right now:

Modify or adjust seats, furniture, and workstations to maintain social distancing of 6 feet between employees, where possible.

o Install transparent shields or other physical barriers where possible to separate employees and visitors where social distancing is not an option.

o Arrange chairs in reception or other communal seating areas by turning, draping (covering the chair with tape or fabric so seats cannot be used), spacing, or removing chairs to maintain social distancing.

Use methods to physically separate employees in all areas of the building, including work areas and other areas such as meeting rooms, break rooms, parking lots, entrance and exit areas, and locker rooms.

o Use signs, tape marks, or other visual cues such as decals or colored tape on the floor, placed 6 feet apart, to show where to stand when physical barriers are not possible.

o Replace high-touch communal items, such as coffee pots and bulk snacks, with alternatives such as pre-packaged, single-serving items. Encourage staff to bring their own water to minimize the use and touching of water fountains or consider installing no-touch activation methods for water fountains.

o Consider taking steps to improve ventilation in the building, in consultation with an HVAC professional, based on local environmental conditions (temperature/humidity) and ongoing community transmission in the area:

o Increase the percentage of outdoor air (e.g., using economizer modes of HVAC operations) potentially as high as 100% (first, verify compatibility with HVAC system capabilities for both temperature and humidity control as well as compatibility with outdoor/indoor air quality considerations).

o Increase total airflow supply to occupied spaces, if possible.

o Disable demand-control ventilation (DCV) controls that reduce air supply based on temperature or occupancy.

o Consider using natural ventilation (i.e., opening windows if possible and safe to do so) to increase outdoor air dilution of indoor air when environmental conditions and building requirements allow.

o Improve central air filtration:

Increase air filtration to as high as possible without significantly diminishing design airflow.
Inspect filter housing and racks to ensure appropriate filter fit and check for ways to minimize filter bypass.

o Consider running the HVAC system at maximum outside airflow for 2 hours before and after occupied times, in accordance with industry standards.

o Generate clean-to-less-clean air movements by re-evaluating the positioning of supply and exhaust air diffusers and/or dampers and adjusting zone supply and exhaust flow rates to establish measurable pressure differentials. Have staff work in “clean” ventilation zones that do not include higher-risk areas such as visitor reception or exercise facilities (if open).

Consider using portable high-efficiency particulate air (HEPA) fan/filtration systems to help enhance air cleaning (especially in higher-risk areas).
Ensure exhaust fans in restroom facilities are functional and operating at full capacity when the building is occupied.
Consider using ultraviolet germicidal irradiation (UVGI) as a supplemental technique to inactivate potential airborne virus in the upper-room air of common occupied spaces, in accordance with industry guidelines.

CDC References and links for these recommendations are found here: https://www.cdc.gov/coronavirus/2019-ncov/community/office-buildings.html

Thursday, August 13, 2020

Dangerous Hand Sanitizers

The FDA's list of dangerous hand sanitizers is now at 100+

On August 7, 2020, the FDA issued updated guidance to provide additional clarification on testing of alcohol used in hand sanitizers manufactured under FDA’s temporary policies to help ensure that harmful levels of methanol are not present in these products. This testing will help ensure widespread access to alcohol-based hand sanitizers that are free of contamination.

The FDA updated their guidance to provide clarification that companies must test each lot of the active ingredient (ethanol or isopropyl alcohol (IPA)) for methanol if the ethanol or IPA is obtained from another source. The FDA recommended using the test methods described in the USP monograph for alcohol (ethanol) and conducting the testing in a laboratory that has been previously inspected by the FDA and is compliant with current good manufacturing practices (CGMP).

Additionally, any alcohol (ethanol) or IPA found to contain more than 630 ppm methanol does not fall within the policies described in the temporary guidance and as a result, may be considered evidence of substitution or contamination, or both. Alcohol-based hand sanitizers that are contaminated with methanol are subject to adulteration charges under the FD&C Act. The alcohol (ethanol) or IPA should be destroyed following guidelines for hazardous waste, and the manufacturer or compounder should contact the FDA regarding the test results and the alcohol’s source.

Pharmacy list also updated

The temporary guidance has also been updated to provide adverse event reporting guidelines for state-licensed pharmacies and outsourcing facilities.

The agency also included an additional denaturant formula in the temporary guidance. Denaturing alcohol in hand sanitizers is critical to deterring children from unintentional ingestion. The FDA has said that consumer and health care professional safety is a top priority for FDA, and an important part of the FDA’s mission is to protect the public from harm, especially as they seek to help increase hand sanitizer supply.

For questions, email the FDA here: COVID-19-Hand-Sanitizers@fda.hhs.gov

The list of dangerous hand sanitizers

For the latest list of dangerous hand sanitizers as of August 10, 2020, and a list of products on their dangerous hand sanitizer list, go here (scroll down to see the list).

Thursday, July 30, 2020

Medical Records Retention Time-frames

If you Google “Medical Records Retention,” it says to keep records 4, 6, 7, up to 10 years or forever. That is why our call center at HCSI receives many questions about how long medical records need to be retained. Medical Records Retention (MRR) is a challenging issue. There are many variables. This entire newsletter is dedicated to helping explain a few of these variables.

The idea that records, either in paper or electronic form, should be saved for around ten years to comply with all requirements is an oft-touted rule of thumb. And it is often a good one. But, of course, there are exceptions. It is confusing! Unfortunately, there is no single "exact line" that describes federal, state, and other statutory laws that establish how long medical records must be maintained in every case. But we have assembled Ten MRR Rules to help you understand how long to keep your patient records. This list is not exhaustive, but it covers the majority of situations.

Why is it so important to properly maintain medical records?

Beyond the laws and regulations, at its core, your medical records retention policy should be based primarily on two principles:

1. Medical Considerations
2. Continuity of Care for your practice and with other providers who care for your patients

Additional reasons for retaining medical records

1. Providing Patients with Information should they wish to access their records
2. Protecting the Provider in case a legal claim is made in the future

a. Relying on the practitioner’s testimony of general habit and practice to show that the standard of care was met—without supporting documentation to establish the treatment that was rendered—often fails to convince a jury that the treatment the patient received was consistent with community standards.

3. Complying with Federal and State Laws for such things as billing audits
4. MRR establishes the quality of care rendered in the event of a medical board or peer review inquiry.

a. Patient complaints are often based on an individual’s mistaken recollection of events or on a failure to understand the course of treatment or adverse consequences involved in the dispute. With complete charting, frivolous allegations are readily resolved, frequently well before a formal administrative process is even initiate

MMR Rule #1: Is it practical to keep all your records?

Should we begin thinking about keeping all records for 30 years or more?

With the advent of inexpensive high-speed storage, HCSI would like to suggest the idea that if all your medical records are electronic, they may be kept permanently. This would be helpful should access to patient information becomes necessary, as has been evidenced by litigation cases involving exposure to chemicals, drugs, or substances such as asbestos.

We realize that the storage of hard copy records makes permanent retention impractical; however,

Sound too expensive. It used to be. One estimate states that 2000 patient over 30 years could take up 4000 gigabytes of computer storage, or about 30 Terabytes. At today’s prices, a 30 TB hard drive can be purchased for under $1,000.

Another side of the coin

There’s another side of this that is sometimes suggested by law firms. Here’s the argument:

Destroying records, digital or otherwise, once their retention deadlines arrive lessens the volume of Protected Health Information (PHI) theft that is possible. Even if your backroom is locked and your health IT system offers top-notch encryption, security breaches and HIPAA violations can still occur.

There’s no reason to leave any patient information – especially data that’s unnecessary to retain – vulnerable to being compromised. As long as you keep documented records of all destructions, proper disposal of old data is the best way to ensure patient confidentiality is upheld. If you’ve got plenty of space at your practice for stowing old paper records, you may be tempted to hang on to them forever, if only to avoid the hassle of electronic archiving or digging through them to determine what you can pitch.

So comb through your old charts, dig through your electronic data and destroy what no longer needs to be retained.

MRR Rule #2: Coordinate State and Federal laws

Whichever law instructs you to keep medical records the longest prevails

Know your State Laws:

Providers must comply with individual state regulations on Medical Record Retention (which often differ from the national standards) and their states’ statutes of limitations on malpractice lawsuits.
If Federal laws require individual medical records to be kept 10 years and your state law says 12 years, keep them 12 years – and vice versa. This rule applies to all other retention laws.
You can find the state laws on retention periods for your state and practice type at: (PDF)

MRR Rule #3: Maintain a policy for retaining your medical records

Share it with your staff and patients

Share your medical record retention rules with your entire staff and new employees

Even a simple practice such as holding a meeting (and making a record of it) to go through the rules in this newsletter will help your staff understand the importance of medical records. You can customize your policies based on your specialty and needs.

Some practices provide a summary MMR policy to new patients as part of their "introduction to the practice" materials.

When new patients are informed in advance about how their medical records will be handled, there is substantially less likelihood of a complaint to the Medical Board if/when a practice is closed. Be sure current and future patients at some point receive assurance about their medical records. This may be as simple as a paragraph at the top or bottom of an intake form that says something like. “At ABC Medical, we carefully maintain and protect your private medical records according to all federal and state laws. Should you at any time desire access to these records, please consult with your physician or our staff.”

Have your MMR policy reviewed

It is a wise idea to check with your medical liability insurance carrier and legal representative before finalizing your policy. They have experience defending other practice policies.

MRR Rule #4: MINORS: Typically 3 Years after they reach majority

Consult State/Federal/Hospital/etc. laws and retaining them for whichever is longest

Typically Age of Majority is 18-20.
A typical exception for minors is hospitals usually require age of majority plus 6 years.
Once a minor reaches majority, the adult retention recommendation applies, e.g., 10 years from the last medical service for which a medical entry is required.
If a lawsuit is filed, it is essential to note that the statute of limitations may not begin to run until the plaintiff (patient) learns of the causal relationship between an injury and the care received.
The American Academy of Pediatrics recommends that, at a minimum, pediatric records should be retained for 10 years or the age of majority plus the applicable state statute of limitations (time to file a lawsuit), whichever is longer.

MRR Rule #5: Adults: 7-10 years

Measured from the date of the last medical service for which a medical entry is required.

In some instances Federal law mandates that a provider keep and retain each record for a minimum of 7-10 years from the date of last service to the patient, we recommend keeping them for a minimum of 10 years.
For Medicare Advantage patients, 10 years.
Deceased adult patients: 10 years from the time of death. State exceptions may apply.

MRR Rule #6: Legal matters: Keep accruing’ ‘till they’re all done suin’

In other words, maintain medical records as long as they might be used to defend against a malpractice allegation.

Should you ever discover or suspect that legal action is pending from a patient, be sure to save his relevant records, even if you’ve already kept them past their other retention deadlines.
No destruction is allowed once you have knowledge of the litigation.

MRR Rule #7: OSHA: 30 years

For workplace injuries, if OSHA was involved, keep them for 30 years after the last date of service.

MRR Rule #8: Veterans: 70 years - Indefinitely

Be prepared to store vet charts for a long time – 75 years.
If a patient was not mentally competent at the time of treatment, retain the records indefinitely.

MRR Rule #9: HIPAA: 6 Years

Six years from when the document was created, or – for policies – from when it was last in effect

According to the Department of Health and Human Services, the HIPAA Privacy Rule has no requirements for medical record retention at a doctor's office. Only HIPAA Related documents. How long a doctor is required to keep a chart is based on what each state's legislation decides. So, Tennessee's medical record retention rules may completely differ from Georgia's and so forth.
Although there are no HIPAA retention requirements for medical records, there is a requirement covering how long HIPAA-related documents should be retained. This is covered in
CFR §164.316(b)
While the HIPAA Privacy Rule does not determine how long a chart must be kept at a doctor's office, it does; however, require that any covered entities apply all safety guidelines necessary to protect the privacy of all patients,
As with all these rules, states requiring less than six years, health organizations must still retain HIPAA information for six years – the longer of the two rules.

The list of documents subject to the HIPAA retention requirements, and depends on the nature of business conducted by the Covered Entity or Business Associate. The following list is an example of the most common types of HIPAA documents beyond patient files.

Notices of Privacy Practices.
Authorizations for the Disclosure of PHI.
Risk Assessments and Risk Analyses.
Business Associate Agreements.
Employee Sanction Policies.
Incident and Breach Notification Documentation.
Complaint and Resolution Documentation.
IT Security System Reviews (including new procedures or technologies implemented).

MRR Rule #10: Rule of Thumb Rule: 10 years and 28 years

When all else fails

Where no statutory requirement exists, and no legal threat is imminent, HCSI makes the following

Adult patients, 10 years from the date the patient was last seen.
Minor patients, 28 years from the date of birth.

http://www.hcsiinc.com