As many health care providers know and experience, exchanging patient information can be challenging from both a legal and operational perspective. From the legal perspective, providers are forced to sort through the myriad of privacy laws, rules, and regulations and determine which rules apply to a particular use or disclosure of patient information. Given that Minnesota Law often conflicts with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), this is no easy feat. From an operational perspective, organizations are required by HIPAA to develop privacy policies and procedures and train their workforce on these complex rules.
The Foundations in Privacy Toolkit (the “Toolkit”) was developed to address these challenges. In 2013, the Minnesota Departments of Health and Human Services were awarded $45 million in grant funding by The Center for Medicare and Medicaid Innovation (CMMI) as part of a State Innovation Model (SIM) cooperative agreement. The Minnesota Department of Health (MDH) used part of this funding to develop the Privacy, Security and Consent Management for Electronic Health Information Exchange grant, in which MDH partnered with the firm to analyze legal barriers and develop tools to support the exchange of health information in Minnesota. The Toolkit was developed as part of this grant.
The Toolkit contains the following types of material, organized by subject area:
- Template policies and procedures
- Flow charts
- Template agreements
- Checklists
These documents can be used by providers in many ways. The policy and procedure documents can be customized and implemented as part of an organization’s HIPAA privacy compliance efforts. The flow charts and checklists can be used to analyze business relationships and unique disclosure situations, and the template agreements can be used to guide negotiations and simplify execution. All of the documents can be used to educate and train workforce.
It is important to note that the Toolkit is a foundation for HIPAA and Minnesota law compliance. It does not address every scenario, and providers will need to supplement these materials to include legal requirements and standards specific to their organization. Further, some areas of privacy law are subject to multiple interpretations; while we have described alternative views for some of these issues we have not attempted to address all of the areas where differing interpretations exist. Providers will also need to modify Toolkit documents as the law changes.
This Toolkit is not intended as legal advice, which may often turn on specific facts. Readers should seek specific legal advice before acting with regard to the subjects mentioned herein. Please feel free to contact Lathrop GPM’s Health Law Group for more information.
Click here to view the full toolkit (.pdf)
Table of Contents
- Introduction to the Foundations in Privacy Toolkit
- Definitions
- Breach
- Business Associates
- Data Use Agreements
- Emergency Situations
- Fundraising
- Health Care Operations
- HIPAA Authorization
- Judicial and Administrative Proceedings
- Marketing
- Mental Health Records
- Minimum Necessary Standard
- Minnesota Government Data Practices Act
- Minnesota Law
- Out-of-State Providers
- Payment
- Research
- Substance Use Disorder Records
Introduction to the Foundations in Privacy Toolkit
Definitions
Breach
Business Associates
- Policy: Disclosing Information to Business Associates (.pdf) (.docx)
- Flowchart: How to Identify a “Business Associate” (.pdf)
- Checklist: Business Associate Agreement Checklist – Required and Optional Terms (.pdf) (.docx)
- Template Agreement: Business Associate Agreement (.pdf) (.docx)
- Template Agreement: Subcontractor Business Associate Agreement (.pdf) (.docx)
Data Use Agreements
Emergency Situations
Fundraising
Health Care Operations
HIPAA Authorization
- Policy: Authorization for Use and Disclosure of PHI (.pdf) (.docx)
- Checklist: HIPAA Authorization Checklist (.pdf) (.docx)
Judicial and Administrative Proceedings
Marketing
Mental Health Records
- Policy: Using and Disclosing Mental Health Records (.pdf) (.docx)
- Flowchart: Are the Notes “Psychotherapy Notes” Under HIPAA? (.pdf)
Minimum Necessary Standard
Minnesota Government Data Practices Act
- Policy Overlay: Additional Requirements Under the Minnesota Government Data Practices Act (.pdf) (.docx)
Minnesota Law
Out-of-State Providers
Payment
Research
Substance Use Disorder Records
- Policy: Disclosures of Substance Use Disorder Patient Records (.pdf) (.docx)
- Flowchart: Confidentiality of Substance Use Disorder Patient Records – Am I Subject to 42 CFR Part 2? (.pdf)