FAQs - Vendors

Vendors

Q: An offender in services at my agency has requested that I disclose his/her treatment records to a third party. Can I do this? Do I have to get the permission of the probation office first?
Answer

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) allows federal vendors to provide individual federal clients access to their records or, alternatively, to request that a provider “mail a copy of the protected health information at the individual’s request” [Title 45 C.F.R. 164.524(c)(3)]. Vendors may release treatment information directly to requesting third parties in accordance with HIPAA regulations. Vendors should be aware, however, that pursuant to Page C-45(b)(1) through (7) of the Blanket Purchase Agreement, the vendor is still required to notify the U.S. Probation & Pretrial Services Office of any request for treatment information prior to making the disclosure. For complicated matters or specific questions, it is recommended that vendors seek legal advice from their own counsel, since HIPAA compliance is ultimately the vendor’s obligation. Vendors may also allow defendant/offender access to their treatment records in accordance with HIPAA regulations.

Q: Our state’s licensing agency wants to review our federal files as part of our licensing audit. I know the federal files must be maintained as confidential. Can I let the state auditors review the federal files?
Answer

Whether an entity seeking to conduct an audit or evaluation is permitted to do so is a matter that each vendor must resolve under the federal regulations discussed below.

I. The HIPAA Privacy Rule

Section 164.512 of the HIPAA privacy rule sets forth “[u]ses and disclosures for which an authorization or opportunity to agree or object [by the patient] is not required.” 45 C.F.R. § 164.512. Among such allowed disclosures are those for “health oversight activities”:

     (d) Standard: Uses and disclosures for health oversight activities.
     (1) Permitted disclosures. A covered entity may disclose protected health information to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for appropriate oversight of:
     (i) The health care system;
     (ii) Government benefit programs for which health information is relevant to beneficiary eligibility;
     (iii) Entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards; or
     (iv) Entities subject to civil rights laws for which health information is necessary for determining compliance.
     Id. § 164.512(d).

The privacy rule defines “health oversight agency” as follows:

     Health oversight agency means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.
     Id. at 164.512 (emphasis added).

Notwithstanding that it is a non-governmental entity, CARF would qualify as a “health oversight agency” if either the probation office grants it oversight authority or the probation office authorizes the vendor to grant CARF oversight authority. Of course, CARF would have to be otherwise “authorized by law to oversee the health care system.” Presumably, state laws in the districts where CARF has conducted audits authorize CARF to oversee treatment facilities.

Thus, the privacy rule allows health care providers (which are “covered entities”) to disclose protected health information to “health oversight agenc[ies] for oversight activities authorized by law.” This could potentially include state or federal agencies, or nonprofits such as CARF. Whether an entity qualifies as a health oversight agency, however, is an issue for each vendor to resolve under § 164.512 and state law.

II. The Drug Treatment Confidentiality Regulations

Section 2.53 of the drug treatment confidentiality regulations allows federal, state, and local governmental agencies to review treatment records if authorized by law to regulate the vendor's activities. 42 C.F.R. § 2.53(a)(1)(i). In addition, “a quality improvement organization performing a utilization or quality control review” or an entity “determined by the program director to be qualified to conduct [] audit or evaluation activities” may review treatment records. Id. § 2.53(a)(1)(ii) & (a)(2). If the vendor determines that any of the foregoing entities are authorized to have access to treatment records under § 2.53(a), the reviewing entity must “agree[] in writing to comply with the limitations on redisclosure and use in [§ 2.53(d)].” Section 2.53(d) essentially limits an auditor to disclosing and using treatment information that was disclosed during an audit to notify the treatment provider of the auditor's evaluation. Section 2.53(d) also provides for disclosure and use to investigate or prosecute a program, or a person holding the records, if the agency obtains a court order under 42 C.F.R. § 2.66.

In sum, the HIPAA privacy rule allows auditors to have access to records if they are employed by a “health oversight agency” and they are performing “oversight activities authorized by law.” The drug treatment confidentiality regulations also allow access so long as a § 2.53 compliant form is signed by the auditor who qualifies under § 2.53(a).

Attached is a draft form demonstrating what the drug treatment confidentiality regulations would require an auditor to sign before receiving access to drug treatment records. Vendors should currently be using a form similar to this. The regulations do not specify that such a form need be completed for each file reviewed. Rather, they state that when an auditor reviews “patient records,” she must sign a written agreement to comply with the § 2.53 limits on disclosure. [This is interpreted] as simply requiring one written agreement for each audit or review of multiple records. A sample release form for these purposes can be found on this website in the Vendor Information/Forms section.

Q: In order to comply with state substance abuse licensure requirements, I must complete an intake assessment on each individual referred for services. The USPO didn’t authorize an intake assessment on the program plan. Can I complete an assessment and charg
Answer

No and No. The Blanket Purchase Agreement (BPA) between the vendor and the U.S. Probation & Pretrial Services Office states on page C-1, “The vendor shall provide services strictly in accordance with the program plan for each defendant/offender. The government shall not be liable for any services provided by the vendor that have not been authorized for that defendant/offender in the program plan.”

Oftentimes, a U.S. Probation Officer has enough supporting documentation regarding an offender’s substance abuse history that it is not necessary for the U.S. Probation Officer to request an assessment to know that an offender/defendant is in need of treatment. U.S. Probation Officers have at their disposal a presentence investigation report and institutional treatment and adjustment reports, and they have also administered the Texas Christian University Drug Screen (TCUDS) prior to making the treatment referral.

If the vendor must complete an assessment for state licensure purposes, the vendor should still complete an assessment. The vendor may not, however, charge the government for this assessment. If the U.S. Probation Officer has authorized individual counseling sessions, it would be appropriate for the vendor to spend the initial counseling sessions completing the state-required assessment. If the U.S. Probation Officer has not authorized individual counseling sessions, the vendor must complete the state-required assessment on the vendor’s time. The vendor should factor this possible scenario into the price bid for services during the contract solicitation cycle.

Q: My BPA with the probation office says I have to keep all federal files separate from other client files. Does this mean that I also can’t put federal offenders/defendants in services with other clients?
Answer

No. You are correct that your BPA requires in section C that “The vendor shall segregate defendant/offender files from other vendor records.” This separation is required only for the actual treatment files, not the clients themselves. The vendor may place federal defendants/offenders in group counseling sessions with other non-federal clients. For example, a cognitive-behavioral treatment group of federal offenders and state offenders would be appropriate under this contract. The vendor should, however, check with other contracted agencies to ensure those agencies are in agreement with such a “mixed” group. The vendor would also be cautioned about placing federal offenders/defendants in a group with non-criminal justice clients.

Q: I have been subpoenaed by a defendant/offender’s attorney to testify in court. How do I proceed?
Answer

If you are requested or subpoenaed by an attorney to appear in court, you should immediately contact your assigned contract specialist. The BPA with the probation/pretrial services office does provide in section C for the event of vendor testimony. Your contract specialist will guide you through this process.

Q: Will officers inform our agency about defendants/offenders who are HIV positive or who have been diagnosed with AIDS?
Answer

The U.S. Probation Office policy regarding disclosure of HIV to third parties is governed by Guidelines for U.S. Probation and U.S. Pretrial Services Officers Supervising Persons Who Have Been Exposed to the Human Immunodeficiency Virus (HIV) or Who Have Acquired Immune Deficiency Syndrome (AIDS), as approved by the Judicial Conference Committee on Criminal Law. In short, we are not authorized to disclose HIV/AIDS information without written informed consent by the defendant/offender. (There are some exceptions for custodial situations.) In addition, we are bound by state law in this regard. Please remember that universal precautions should be used in all cases.