Foundations in Privacy Toolkit
As many health care providers know and experience, exchanging patient information can be challenging from both a legal and operational perspective. From the legal perspective, providers are forced to sort through the myriad of privacy laws, rules, and regulations and determine which rules apply to a particular use or disclosure of patient information. Given that Minnesota Law often conflicts with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), this is no easy feat. From an operational perspective, organizations are required by HIPAA to develop privacy policies and procedures and train their workforce on these complex rules.
The Foundations in Privacy Toolkit (the “Toolkit”) was developed to address these challenges. In 2013, the Minnesota Departments of Health and Human Services were awarded $45 million in grant funding by The Center for Medicare and Medicaid Innovation (CMMI) as part of a State Innovation Model (SIM) cooperative agreement. The Minnesota Department of Health (MDH) used part of this funding to develop the Privacy, Security and Consent Management for Electronic Health Information Exchange grant, in which MDH partnered with the firm to analyze legal barriers and develop tools to support the exchange of health information in Minnesota. The Toolkit was developed as part of this grant.
The Toolkit contains the following types of material, organized by subject area:
- Template policies and procedures
- Flow charts
- Template agreements
These documents can be used by providers in many ways. The policy and procedure documents can be customized and implemented as part of an organization’s HIPAA privacy compliance efforts. The flow charts and checklists can be used to analyze business relationships and unique disclosure situations, and the template agreements can be used to guide negotiations and simplify execution. All of the documents can be used to educate and train workforce.
It is important to note that the Toolkit is a foundation for HIPAA and Minnesota law compliance. It does not address every scenario, and providers will need to supplement these materials to include legal requirements and standards specific to their organization. Further, some areas of privacy law are subject to multiple interpretations; while we have described alternative views for some of these issues we have not attempted to address all of the areas where differing interpretations exist. Providers will also need to modify Toolkit documents as the law changes.
This Toolkit is not intended as legal advice, which may often turn on specific facts. Readers should seek specific legal advice before acting with regard to the subjects mentioned herein. Please feel free to contact Lathrop GPM’s Health Law Group for more information.
Table of Contents
- Flowchart: How to Identify a “Business Associate” (.pdf)
- Flowchart: Are the Notes “Psychotherapy Notes” Under HIPAA? (.pdf)
- Policy Overlay: Additional Requirements Under the Minnesota Government Data Practices Act (.pdf) (.docx)
- Flowchart: Confidentiality of Substance Use Disorder Patient Records - Am I Subject to 42 CFR Part 2? (.pdf)
Developed in partnership with