Presentation on theme: "Minneapolis School Based Clinics"— Presentation transcript:
2 Training Overview
* HIPAA Overview
* HIPAA impact on clinical practice
* Client Rights
* Operational Procedures for protecting Privacy
* How does HIPAA impact SBC
* Compliance
1. Introduction:
* Why is the SBC a “covered entity”?
* City resolution designating city as hybrid entity - HIPAA steering committee
* What are HIPAA Privacy Rule, Security Rule, HITECH rules?
2. HIPAA impact on clinical practice?
* What is PHI?
* Permitted Uses & Disclosures
3. Client Rights?
* Notice of Privacy Practices
* Individual Right to access
* Minor consent
* Accounting for disclosures
4. Operational Procedures for protecting Privacy
* “Minimal Necessary” standard
* Every day steps for protecting privacy
* Protecting paper records
* Security considerations
5. How does HIPAA impact SBC?
* SBC HIPAA Policies
* FERPA
* Business associates
6. Compliance
* Enforcement Penalties
3 Why Now??
* 2002 HIPAA Assessment
* Required compliance with EHR
* City Resolution - HIPAA Hybrid Entity passed Council July 2011
2002 HIPAA Assessment
* SBC not conducting electronic transaction
* Compliant practices put into place - NPI#, NPP, Authorization form for PHI, Business Associates
* formally designated as “covered components”
* SBC - Health component
* HR - Health plan –
4 City of Minneapolis HIPAA Hybrid Entity Structure
HIPAA Steering Committee
Members: HIPAA Privacy Officer – Casey Carl, HIPAA Security Officer, Privacy Coordinator City plans, Privacy Officer SBC, Security Coordinator City Plans, Security Coordinator SBC, representative from MFD and Office of City Attorney.
Human Resource Health Plans
* Human Resources Director - Privacy Officer
Health Care Component
* MDHFS - School Based Clinics
* School Based Clinic Manager - HIPAA Privacy Coordinator
Add names of members,
5 Health Insurance Portability and Accountability Act of 1996 (HIPAA)
What is HIPAA?
* Health Insurance Portability and Accountability Act of 1996 (HIPAA)
* Federal law passed by Congress
* Part of the Social Security Administration Act
* Purpose: To protect the confidentiality and security of personally identifiable health information as it is used, disclosed and electronically transmitted by covered components.
* Creates a framework, using standardized formats, for transmitting electronic health information more cost effectively.
HIPAA enacted to increase access to and the efficiency of the health care system in the US.
Establishes a foundation of federal protections for the privacy of health information but does not replace other federal, state or law that provides individuals even greater privacy protections.
An entity covered by the Privacy Rule of HIPAA must train all members of its workforce so they have an understanding & knowledge of the Privacy Rule and its impact on employees’ job responsibilities.
6 HIPAA Privacy Rule
* First national Standard
* Provides safeguards to protect privacy of individual’s health information
* Identifies permitted uses & disclosures
* Specifies rights of the individual to control how their health information is used & disclosed
* Requires sanctions to be applied to employees who violate HIPAA policies & procedures
* 2002 established – 2005 compliance required for small practices
7 HIPAA Privacy Rule Coverage
Who
* Covered Entities: healthcare providers, health care plans, health care clearinghouses
What is required
* Covered Entity: Name a privacy officer to be responsible for communicating policies & procedures, identify staff whose roles require access to PHI, staff training, ensure safeguards are in place to protect PHI, maintain documentation and monitor compliance & apply sanctions
* Staff: attend training, read and understand SBC Notice of Privacy Practice, understand HIPAA Rule impact on their jobs
When
* Rule enforcement began in 2003
* SBC to become a covered entity in 2012 when we implement Electronic Medical Record/Practice Management
8 The HIPAA Privacy Rule
* Applies to health care providers, health plans & healthcare clearinghouses. SBC will be required to comply with HIPAA and constitute a Covered Entity
* Establishes conditions under which PHI can be used and disclosed.
* Use of PHI refers to sharing the information within the SBC Covered Entity.
* Disclosure refers to sharing PHI to individuals or organizations outside of the SBC Covered Entity;
* Grants individuals certain rights regarding their PHI
* Requires that we maintain the privacy and security of PHI.
* Requires sanctions to be applied to employees who violate HIPAA policies & procedures.
9 The HIPAA Security Rule
* Establishes administrative, technical and physical standards for the security of electronic health information
* Implemented to protect confidentiality, integrity and availability of PHI that is maintained and transmitted electronically
* Requires a sanction policy to discipline employees who do not follow security policies
HIPAA requires that the privacy of PHI be maintained by limiting its uses and disclosures and that reasonable steps are taken to ensure that PHI is secure. Most often, breaches of privacy can be traced to lax security, so the two issues are intimately related. In April 2005, a portion of HIPAA known as the Security Rule became effective. The Security Rule requires institutions and individuals to take appropriate steps to secure the integrity, availability, and confidentiality of electronic PHI (ePHI). ePHI is defined as any PHI that is created, stored, accessed, or transmitted electronically. The Security Rule requirements apply to all electronic computing and communication systems that create, store, or transmit PHI.
* Scalable to size of practice
* Risk analysis - Mitigation of risk
* Formalize policies & procedures, Documentation
10 The American Recovery and Reinvestment Act of 2009
HITECH HIPAA
* The American Recovery and Reinvestment Act of 2009
* Enhanced privacy & security rules
* Promotes the use of electronic health records (EHRs) by providing incentives to health care providers who convert their medical records from paper files to EHRs
* Breach Notification Rule: unauthorized acquisition, use, disclosure of PHI
* Enforcement & increased penalties to Covered Entities and their Business Associates
Breach means the acquisition, access, use or disclosure of PHI in a manner not permitted
11 Protected Health Information
Protected Health Information (PHI) under HIPAA means health information that identifies an individual and is:
* Created or received by a health care provider.
* Relates to an individual’s past, present or future physical or mental health or the provision of or payment of health care.
* Transmitted or maintained in any form or medium by a covered entity or business associate.
* PHI includes demographics
* Our general practice is to treat all client information as PHI
Information is deemed to identify an individual if it includes either the individual’s name or any other information that could enable someone to determine the individual’s identity (e.g., address, age, Social Security number, address).
Not covered: Employment records of covered entity or FERPA Records
12 How is Protected Information Used?
Client authorization is not required when providers use information to carry out essential health care functions
* Treatment: provision, coordination, or management of health care & related services by one or more providers (includes 3rd party consultation & referrals)
* Payment: to obtain payment or be reimbursed for services
* Health Care Operations: administrative, financial, legal & quality improvement activities necessary to run clinic and support core functions of treatment and payment.
A Covered Entity may not use or disclose PHI except as permitted or required by Privacy Rule
13 Permitted Disclosures without PHI Authorization
SBC may disclose PHI without authorization for a variety of public interest related purposes including the following:
* Legal Process
* Public Health
* Organ and Tissue Donation
* Health Oversight Activities
* Specialized Government Functions
* Law Enforcement
* Research
* To avert a serious risk to health & safety (school)
SBC policy to refer/consult with Privacy Coordinator prior to releasing PHI
Disclosure is also permitted without authorization in a number of other situations, such as where disclosures are required by law. The list is some common situations where PHI can be released without a patient’s authorization:
* Required by Other Law. We may disclose health information when required by other federal, state or local laws. For example, other laws require us to report minor neglect, physical or sexual abuse and health information necessary to follow laws relating to workers’ compensation or other similar programs established by law.
* Legal Process. We may disclose health information in response to court orders, subpoenas or other legal documents.
* Public Health. We may disclose your health information for public health purposes such as birth reporting, to prevent or control disease, injury or disability, to let a person know if they were exposed to a disease or may be at risk for getting or spreading a disease or condition, or to report problems with medicines or other products.
* Organ and Tissue Donation. If you are an organ donor, we may release health information to organizations that handle organ procurement, transplantation, or to an organ donation bank. We may also release health information to a coroner, medical examiner, or a funeral director.
* Health Oversight Activities. We may disclose health information to a health oversight agency for activities authorized by law such as audits, investigations, inspections and licensing. These activities are needed for the government to oversee the health care system.
* Specialized Government Functions. If you are a member of the armed forces or a foreign military, or become an individual at a correctional institution, we may share health information as required by law. We may also disclose your health information to authorized federal officials for activities authorized by law related to national security.
* Law Enforcement. If we believe you have been the victim of abuse, neglect or domestic violence, we must report it to law enforcement. If you are emancipated, we will get your permission first. Other situations are when a crime occurs at the clinic, or when it is necessary to prevent a serious health and safety threat to you, another person or the public.
* Research. We may use or share your health information for research purposes as allowed by law or if you have given permission.
Threat - “To avert a serious risk to health & safety (school)” Replace risk with threat and inform audience that this disclosure must be necessary 1) to “prevent or lessen a serious and imminent threat to the health or safety of a person or the public and that the disclosure is to a person or persons reasonably able to prevent or lessen the threat or 2) for “law enforcement authorities to identify or apprehend an individual because the individual admitted participating in a violent crime that the covered entity believes may have caused serious physical harm to the victim or it appears that the individual has escaped from a correctional institution or from lawful custody. See (j)
14 Client Authorization for Use & Disclosure
* Clients can request release of their information by signing an authorization which includes all the statements required under the regulations. Use of the SBC Authorization for Request/Release of PHI form (8/11 #92) meets the regulatory requirements.
* If client is a minor at time of request and PHI includes non minor consent services, parent of minor client must sign the request for authorization.
* When responding to an authorization from another organization for release of protected health information, the authorization must also meet the HIPAA requirements.
* If there is any doubt, the SBC Privacy Coordinator can provide assistance in reviewing the validity of the document.
* SBC provider must confirm identity of requester and note the date in the medical record.
16 Psychotherapy Notes
* Psychotherapy notes receive stronger protection than other protected health information under the HIPAA privacy rule because of their potential sensitivity.
* Mental Health records need to be separate in EHR
Psychotherapy notes are defined as the notes of a mental health professional which document or analyze the contents of a counseling session and which are stored separately from the rest of the medical record. Except in certain limited circumstances, use or disclosure of psychotherapy notes is permissible only if the patient signs a separate authorization that encompasses only psychotherapy notes and no other PHI.
Psychotherapy notes exclude:
* Medication prescription and monitoring
* Counseling session start and stop times
* Modalities and frequencies of treatment furnished
* Results of clinical tests
* Any summary of diagnosis, functional status, treatment plan, symptoms, prognosis, or progress to date
definition
We will work with Legal to clarify & write in SBC Procedure
17 Client Rights
Clients have the right to
* Request confidential communications
* Access their medical records
* Request restrictions on their use & disclosure of PHI
* Request Accounting of disclosures
* Authorize disclosure to persons or entities of their choice
* Revoke Authorizations
From our NPP - Your Rights Regarding Your Health Information
Although your health record belongs to the Clinics, the information in it belongs to you. You have the right to:
* look at and/or ask for a copy of your health record. An appointment is required to view the record with your health care provider. We may deny your request to inspect and copy in certain very limited circumstances. You may request that the denial be reviewed in most circumstances.
* ask to restrict certain uses and disclosures of your record. If we deny your request, we will tell you in writing why we do not agree.
* ask for a correction or change to your health record. We do not have to make the change you request. If we deny your request you can write a statement of disagreement with the denial that we will keep with your medical record.
* get a list of when and to whom your health information has been sent for reasons other than treatment, payment, or health operations as of April 14, 2003
* ask us to communicate your health information to you by other means or to another location. For example, you can ask that we only contact you through use of a certain telephone number
18 Client Rights
The Notice of Privacy Practices (NPP):
* Explains privacy policies
* Explains how client information may be used, disclosed and how they can access this information.
* Informs clients about their rights – including making complaints
Who receives the NPP?
* First time a client at time of clinic visit
* Anyone who requests a copy
Clients must be asked to sign an acknowledgement of Notice, although they are not required to sign it.
Replace former separate Tennessen Warning - it is combined with NPP
The NPP must be posted prominently in clinic.
Client Bill of Rights and Access to Health Records must be posted in clinical areas.
NPP – Required at 1st visit – Offer copy of NPP, have them sign acknowledgment
Also must post in clinical areas & on Web site: client bill of rights & Access to medical records
Tennessen Warning (orally or in writing) must include the following elements:
* Purpose for the data collection & the intended use of the data
* Whether the client can refuse or is required by law
* The consequences of either providing or refusing to disclose the data
* Identities of all persons or entities that are authorized by law to access the data
19 New Notice of Data Practices and Data Privacy Notice
20 Individual Right to Access and Amendment
* Clients have a right to inspect and copy their Medical Record
* The client is required to complete a request access form
* Clients can also request amendments to their medical records
Exceptions to this rule:
* Psychotherapy notes if could endanger civil or criminal hearings
* Information compiled in reasonable anticipation of, or use in, a civil, criminal or administrative action or proceeding.
* The PHI was obtained from someone other than a health care provider under a promise of confidentiality and access would be reasonably likely to reveal the source.
* The access is reasonably likely, in the judgment of a licensed health care professional, to endanger the life or physical safety of the individual or another person.
* If the PHI makes reference to another person and, in the judgment of a licensed health care professional, the access is reasonably likely to cause substantial harm to the individual or another person.
“Exceptions to this rule:
* Psychotherapy notes
* Information compiled in reasonable anticipation of, or use in, a civil, criminal or administrative action or proceeding”
* PHI that the individual is prohibited from accessing pursuant to certain laws
* The PHI was obtained from someone other than a health care provider under a promise of confidentiality and access would be reasonably likely to reveal the source
* The access is reasonably likely, in the judgment of a licensed health care professional, to endanger the life or physical safety of the individual or another person.
* The PHI makes reference to another person and, in the judgment of a licensed health care professional, the access is reasonably likely to cause substantial harm to the individual or another person
See
21 Accounting for Disclosures
* HIPAA requires SBC to log any disclosures including who accessed medical records. The logs must include who had access, for what reason and when access was provided.
* SBC Policy is to document all disclosures of PHI in client medical record and include a copy of signed authorization for release form.
* Inadvertent disclosure of PHI needs to be reported to supervisor & SBC Privacy coordinator immediately.
New Rule being proposed?
Logs will be incorporated in EMR
22 HIPAA Privacy Rule: Rights of Parents
* Parents are generally authorized (under MN state law) to make medical decisions for non emancipated minor children.
* HIPAA treats parents as “Personal Representatives” of minor children if they are authorized to make decisions for them.
* As “Personal Representatives” parents exercise rights re: PHI for their minor children – Access to information & Control over disclosure.
23 HIPAA Privacy Rule: Rights of Minors
Minor is treated as “the Individual” & parent is not necessarily the “Personal Representative”
* When minor has right to consent & has consented;
* When the minor or services fall under the MN Minor Consent Law the minor may authorize disclosure.
Minor acting as “the Individual” can exercise rights regarding PHI
* Access to information
* Control over disclosure
* Request privacy protection
If minor client holds the right to consent, the minor client holds the right to disclose
24 SBC Consent Requirements
* Clinic Consent: a parent signed consent form is required for any clinic service except those under minor consent.
* Minor Consent: minor client can consent for confidential medical services including: emergency related care, pregnancy related care, STI Care, Contraceptive care, inpatient mental health care and treatment of drug and alcohol abuse.
* Mental Health Consent: minor clients can receive mental health services if their parent has signed clinic consent. MN DHS rules require parent MH consent to bill for MH diagnosis or treatment. SBC policy is to get Parent MH consent for minor clients requiring ongoing care.
* A Minor can request nondisclosure of their private data to parents by written request and if provider determines in minor’s best interest.
Per MN law – The SBC will develop written procedure to allow Minor to request to keep their record from parent.
Procedure to ensure:
* Notification is in writing about the right to request withholding data from parent
* Require request in writing including the reason
* Include statement that SBC can withhold information if in “best interests of minor”
Upon receipt of such a request, the SBC Provider shall determine if honoring the request to deny parental access would be in the best interest of the minor data subject. In making the determination, the responsible authority shall be guided by at least the following:
(1) whether the minor is of sufficient age and maturity to be able to explain the reasons for and to understand the consequences of the request to deny access;
(2) whether the personal situation of the minor is such that denying parental access may protect the minor data subject from physical or emotional harm;
(3) whether there is ground for believing that the minor data subject's reasons for precluding parental access are reasonably accurate;
(4) whether the data in question is of such a nature that disclosure of it to the parent could lead to physical or emotional harm to the minor data subject; and
(5) whether the data concerns medical, dental, or other health services provided pursuant to Minnesota Statutes, sections to If so, the data may be released only if failure to inform the parent would seriously jeopardize the health of the minor.
25 Minor Consent Form
* A minor who is emancipated (age 18, legally married, has a child, declared emancipated by court order or is living separate & managing own financial affairs) may give effective consent for personal medical and mental health services. In case of a mother of child, she may also give consent for her child.
* Minor client can consent for confidential medical services including: emergency related care, pregnancy related care, STI Care, Contraceptive care, inpatient mental health care and treatment of drug and alcohol abuse.
* SBC provider will review consent and have minor client sign consent form.
26 HIPAA Privacy Rule: Domestic Violence or Abuse
Provider may elect NOT to treat parent as the personal representative if
* Provider has reasonable belief minor has been or may be subject to domestic violence or abuse or neglect by the parent OR
* Treating parent as personal representative could endanger the minor AND
* Provider believes that it is not in the best interest of minor to give parent access and control.
(g)(5)
27 Operational Procedures for Protecting Privacy
The “Minimum Necessary” Standard – Need to know
* SBC staff must make a reasonable effort to disclose or use only the minimum necessary amount of protected health information in order to accomplish the intended purpose. They can disclose information requested by other health care providers if the information is necessary for treatment.
* SBC providers who are directly involved in the care of the client can see PHI. Providers can disclose to consulting physicians or for referrals, but not to people who don’t have clinical responsibilities.
* Making “minimum necessary” determinations is a balancing act. Providers must weigh the need to protect clients’ privacy against their reasonable ability to limit the information that is disclosed while delivering quality care.
* Providers must be careful about what they disclose to other staff members, such as billing department workers or providers not involved in the care of their client.
28 Everyday Steps for Protecting Privacy
Safeguards
* Communications: avoid unnecessary disclosures of PHI by monitoring voice levels on phone or talking with clients or others in clinic. Do not have discussions about clients in other parts of the building.
* Sign-in Sheets: avoid using last names
* Phone or Text Messages: Do not leave messages on answering machines regarding client conditions or test results. Can leave message about appointment if client has given permission.
* Faxes: Use on machine in clinic, use coversheet that includes confidentiality notice.
* Mail: PHI mailed will be concealed.
* Copies: Only copy PHI on SBC machine.
* Desk: Never leave a client’s medical record on your desk or computer screen open when you leave your desk. It is required to log-off when leaving a workstation. In public areas, point computer monitors so that visitors or people walking by cannot view information.
29 Security Safeguards
SBC practices to secure data include:
* Always lock-up paper files in locking cabinets
* Keep clinic locked when not occupied by SBC staff
* Lock-up all documents containing PHI (Lab book, appointment schedule, lab reports, medical records, referrals)
* Transport clinic records containing PHI in locked bins via courier
* Monitor visitors/clients in clinic
* All SBC providers must use their assigned unique MPS network password – do not share login passwords
* PHI can not be transmitted using
* Computing devices must be physically secured via use of locking cables for laptops.
* All electronic computing and communication devices must be stripped of all PHI prior to disposal or re-use.
30 Record Retention
* HIPAA related documentation must be maintained for 6 years. This requirement applies to accounting for disclosures records, authorizations, data use agreements and any other.
* SBC follows City record retention schedules as required by MN Law.
* Inactive client files annually are transported to department archive files for 3 years then are located in City archive. Refer to SBC record archive policy
31 Federal Family Education Rights & Privacy Act (FERPA)
* “Education Records” covered by FERPA includes health information included in education records
* Intended to protect the privacy of educational records & assure parental access to records
* Education Records are excluded from definition of “protected health information” in HIPAA privacy rule
* Educational Records do not include oral communications
32 Who Are Business Associates?
* HIPAA defines business associates as entities outside of the SBC that perform or assist SBC in performing activities that require the use or disclosure of PHI. The information includes claims processing, data analysis, billing, or practice management.
* Business associates can include lawyers, actuarial professionals, accountants, health care consultants, transcription agencies, computer support, and billing companies.
* Business associates are covered entities under HIPAA and are directly accountable for compliance with regulations.
* SBC business associates are Pat Neska, Fairview Lab, pending for NexGen, Gateway clearinghouse
* Disclosure of PHI to a business associate requires an executed Business Associate Agreement.
33 HIPAA Compliance
* Compliance is no longer voluntary
* State Attorneys General are authorized to conduct independent investigations
* Office of Civil Rights is named the enforcement agency for both privacy & security breaches
* Breach Notification Rule covers both covered entities and Business Associates
* Covered Entities must report all unsecured security breaches to HHS
34 Complaints and Breaches
* All violations and breaches, including lost or stolen PHI, must be reported immediately to SBC Privacy Coordinator
* Complaints regarding privacy may be referred to City Privacy Officer
* Staff are prohibited from intimidating clients who wish to make a complaint
* You may also anonymously report violations to the US Department of Health and Human Services.
35 Sanctions
Violations of SBC privacy or security policies may result in
* Disciplinary action including termination
* Revocation by licensing boards
* Fines and/or criminal prosecution
36 Penalties for Noncompliance: Civil
HIPAA's enforcement provisions authorize the Secretary of Health and Human Services to impose penalties to non-complying entities.
Violation Category | Each Violation | All Such Violations of an Identical Provision in a Calendar Year
Did Not Know | $11-$50,000 | $1,500,000
Reasonable Cause | $1,000-50,000 |
Willful Neglect-Corrected | $10,000-50,000 |
Willful Neglect-Not Corrected | $50,000 |
Definitions
* Reasonable cause: circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated.
* Reasonable diligence: the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances
* Willful neglect: conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.
6/2009 – HITECH Act
37 Penalties for Noncompliance: Criminal
* Covered entities and specified individuals, as explained below, who "knowingly" obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment up to one year.
* Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison.
* Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000, and imprisonment for up to ten years.
Covered Entity and Specified Individuals: The DOJ concluded that the criminal penalties for a violation of HIPAA are directly applicable to covered entities, including health plans, health care clearinghouses, health care providers who transmit claims in electronic form, and Medicare prescription drug card sponsors. Individuals such as directors, employees, or officers of the covered entity may also be directly criminally liable under HIPAA in accordance with principles of "corporate criminal liability." Where an individual of a covered entity is not directly liable under HIPAA, they can still be charged with conspiracy or aiding and abetting.
Knowingly: The DOJ interpreted the "knowingly" element of the HIPAA statute for criminal liability as requiring only knowledge of the actions that constitute an offense. Specific knowledge of an action being in violation of the HIPAA statute is not required.
Recent 2/2011 HIPAA violation case – Mass Gen Hospital - provider left client records (192 – infectious disease outpt cases with PHI – names, DOB, insurance, SSI, Dx, providers) on subway. Fined 1,000,000; part of corrective action plan – to develop P&P to ensure PHI is protected, training of workforce on P&P, set up internal audit.
38 HIPAA Contacts and Links
* U.S. Department of Health & Human Services Office of Civil Rights (OCR)
* Approved HIPAA policies and forms will be on the new SBC web page
* Federal Regulations - paper copy avail for each site. Manual online