
1 Minneapolis School Based Clinics
HIPAA Privacy Policy Training August 23, 2011

2 Training Overview
1. Introduction: Why is the SBC a “covered entity”?
   City resolution designating the city as a hybrid entity; HIPAA steering committee
   What are the HIPAA Privacy Rule, Security Rule and HITECH rules?
2. HIPAA impact on clinical practice
   What is PHI?
   Permitted uses and disclosures
3. Client Rights
   Notice of Privacy Practices
   Individual right to access
   Minor consent
   Accounting for disclosures
4. Operational Procedures for Protecting Privacy
   “Minimum Necessary” standard
   Everyday steps for protecting privacy
   Protecting paper records
   Security considerations
5. How does HIPAA impact SBC?
   SBC HIPAA policies
   FERPA
   Business associates
6. Compliance
   Enforcement
   Penalties

3 Why Now?
City Resolution: HIPAA Hybrid Entity passed by Council July 2011
2002 HIPAA Assessment: SBC was not conducting electronic transactions; compliance is now required with the EHR
Compliant practices put into place: NPI #, NPP, Authorization form for PHI, Business Associates formally designated
“Covered components”: SBC (health care component); HR (health plan)

4 City of Minneapolis HIPAA Hybrid Entity Structure
HIPAA Steering Committee members: HIPAA Privacy Officer (Casey Carl), HIPAA Security Officer, Privacy Coordinator City Plans, Privacy Officer SBC, Security Coordinator City Plans, Security Coordinator SBC, and a representative from MFD and the Office of City Attorney
Human Resources Health Plans: Human Resources Director, Privacy Officer
Health Care Component: MDHFS School Based Clinics; School Based Clinic Manager, HIPAA Privacy Coordinator
Add names of members.

5 Health Insurance Portability and Accountability Act of 1996 (HIPAA)
What is HIPAA?
Federal law passed by Congress; part of the Social Security Administration Act
Purpose: to protect the confidentiality and security of personally identifiable health information as it is used, disclosed and electronically transmitted by covered components
Creates a framework, using standardized formats, for transmitting electronic health information more cost effectively
Enacted to increase access to and the efficiency of the health care system in the US
Establishes a foundation of federal protections for the privacy of health information, but does not replace other federal or state law that provides individuals even greater privacy protections
An entity covered by the HIPAA Privacy Rule must train all members of its workforce so they understand the Privacy Rule and its impact on their job responsibilities

6 HIPAA Privacy Rule: First National Standard
Provides safeguards to protect the privacy of an individual’s health information
Identifies permitted uses and disclosures
Specifies the rights of the individual to control how their health information is used and disclosed
Requires sanctions to be applied to employees who violate HIPAA policies and procedures
Established 2002; compliance required for small practices by 2005

7 HIPAA Privacy Rule Coverage
Who: covered entities are health care providers, health plans and health care clearinghouses
What is required:
  Covered entity: name a privacy officer responsible for communicating policies and procedures; identify staff whose roles require access to PHI; train staff; ensure safeguards are in place to protect PHI; maintain documentation; monitor compliance and apply sanctions
  Staff: attend training; read and understand the SBC Notice of Privacy Practices; understand the impact of the HIPAA Rule on their jobs
When: Rule enforcement began in 2003. SBC becomes a covered entity in 2012 when we implement the Electronic Medical Record / Practice Management system

8 The HIPAA Privacy Rule
Applies to health care providers, health plans and health care clearinghouses. SBC will be required to comply with HIPAA and will constitute a Covered Entity
Establishes conditions under which PHI can be used and disclosed. Use of PHI refers to sharing the information within the SBC Covered Entity; disclosure refers to sharing PHI with individuals or organizations outside the SBC Covered Entity
Grants individuals certain rights regarding their PHI
Requires that we maintain the privacy and security of PHI
Requires sanctions to be applied to employees who violate HIPAA policies and procedures

9 The HIPAA Security Rule
Establishes administrative, technical and physical standards for the security of electronic health information
Implemented to protect the confidentiality, integrity and availability of PHI that is maintained and transmitted electronically
Requires a sanction policy to discipline employees who do not follow security policies
Scalable to the size of the practice: risk analysis, mitigation of risk, formalized policies and procedures, documentation
HIPAA requires that the privacy of PHI be maintained by limiting its uses and disclosures, and that reasonable steps be taken to ensure that PHI is secure. Most often, breaches of privacy can be traced to lax security, so the two issues are intimately related. In April 2005, the portion of HIPAA known as the Security Rule became effective. The Security Rule requires institutions and individuals to take appropriate steps to secure the integrity, availability and confidentiality of electronic PHI (ePHI). ePHI is defined as any PHI that is created, stored, accessed or transmitted electronically. The Security Rule requirements apply to all electronic computing and communication systems that create, store or transmit PHI.

10 The American Recovery and Reinvestment Act of 2009 (HITECH)
Enhanced privacy and security rules
Promotes the use of electronic health records (EHRs) by providing incentives to health care providers who convert their medical records from paper files to EHRs
Breach Notification Rule: covers unauthorized acquisition, use or disclosure of PHI
Enforcement and increased penalties for Covered Entities and their Business Associates
Breach means the acquisition, access, use or disclosure of PHI in a manner not permitted

11 Protected Health Information
Protected Health Information (PHI) under HIPAA means health information that identifies an individual and is:
  Created or received by a health care provider
  Related to an individual’s past, present or future physical or mental health, or the provision of or payment for health care
  Transmitted or maintained in any form or medium by a covered entity or business associate
PHI includes demographics. Our general practice is to treat all client information as PHI.
Information is deemed to identify an individual if it includes either the individual’s name or any other information that could enable someone to determine the individual’s identity (e.g., address, age, Social Security number).
Not covered: employment records of the covered entity, or FERPA records

12 How is Protected Information Used?
Client authorization is not required when providers use information to carry out essential health care functions:
  Treatment: provision, coordination or management of health care and related services by one or more providers (includes third-party consultation and referrals)
  Payment: to obtain payment or be reimbursed for services
  Health Care Operations: administrative, financial, legal and quality improvement activities necessary to run the clinic and support the core functions of treatment and payment
A Covered Entity may not use or disclose PHI except as permitted or required by the Privacy Rule

13 Permitted Disclosures without PHI Authorization
SBC may disclose PHI without authorization for a variety of public interest related purposes, including the following:
  Legal process
  Public health
  Organ and tissue donation
  Health oversight activities
  Specialized government functions
  Law enforcement
  Research
  To avert a serious risk to health and safety (school)
SBC policy is to refer to or consult with the Privacy Coordinator prior to releasing PHI.
Disclosure is also permitted without authorization in a number of other situations, such as where disclosures are required by law. The list below covers some common situations where PHI can be released without a patient’s authorization:
Required by Other Law. We may disclose health information when required by other federal, state or local laws. For example, other laws require us to report minor neglect, physical or sexual abuse, and health information necessary to follow laws relating to workers’ compensation or other similar programs established by law.
Legal Process. We may disclose health information in response to court orders, subpoenas or other legal documents.
Public Health. We may disclose your health information for public health purposes such as birth reporting; to prevent or control disease, injury or disability; to let a person know if they were exposed to a disease or may be at risk for getting or spreading a disease or condition; or to report problems with medicines or other products.
Organ and Tissue Donation. If you are an organ donor, we may release health information to organizations that handle organ procurement or transplantation, or to an organ donation bank. We may also release health information to a coroner, medical examiner or funeral director.
Health Oversight Activities. We may disclose health information to a health oversight agency for activities authorized by law such as audits, investigations, inspections and licensing. These activities are needed for the government to oversee the health care system.
Specialized Government Functions. If you are a member of the armed forces or a foreign military, or become an individual at a correctional institution, we may share health information as required by law. We may also disclose your health information to authorized federal officials for activities authorized by law related to national security.
Law Enforcement. If we believe you have been the victim of abuse, neglect or domestic violence, we must report it to law enforcement. If you are emancipated, we will get your permission first. Other situations are when a crime occurs at the clinic, or when it is necessary to prevent a serious health and safety threat to you, another person or the public.
Research. We may use or share your health information for research purposes as allowed by law or if you have given permission.
Threat. For “To avert a serious risk to health & safety (school)”: replace “risk” with “threat” and inform the audience that this disclosure must be necessary (1) to “prevent or lessen a serious and imminent threat to the health or safety of a person or the public,” where the disclosure is to a person or persons reasonably able to prevent or lessen the threat, or (2) for “law enforcement authorities to identify or apprehend an individual because the individual admitted participating in a violent crime that the covered entity believes may have caused serious physical harm to the victim,” or where it appears that the individual has escaped from a correctional institution or from lawful custody. See (j).

14 Client Authorization for Use & Disclosure
Clients can request release of their information by signing an authorization which includes all the statements required under the regulations. Use of the SBC Authorization for Request/Release of PHI form (8/11 #92) meets the regulatory requirements.
If the client is a minor at the time of the request and the PHI includes non-minor-consent services, the parent of the minor client must sign the request for authorization.
When responding to an authorization from another organization for release of protected health information, the authorization must also meet the HIPAA requirements. If there is any doubt, the SBC Privacy Coordinator can provide assistance in reviewing the validity of the document.
The SBC provider must confirm the identity of the requester and note the date in the medical record.

15 Authorization for Request/Release of PHI

16 Psychotherapy Notes
Psychotherapy notes receive stronger protection than other protected health information under the HIPAA Privacy Rule because of their potential sensitivity. Mental health records need to be separate in the EHR.
Psychotherapy notes are defined as the notes of a mental health professional which document or analyze the contents of a counseling session and which are stored separately from the rest of the medical record.
Except in certain limited circumstances, use or disclosure of psychotherapy notes is permissible only if the patient signs a separate authorization that encompasses only psychotherapy notes and no other PHI.
Psychotherapy notes exclude:
  Medication prescription and monitoring
  Counseling session start and stop times
  Modalities and frequencies of treatment furnished
  Results of clinical tests
  Any summary of diagnosis, functional status, treatment plan, symptoms, prognosis or progress to date
We will work with Legal to clarify the definition and write it into the SBC procedure.

17 Client Rights
Clients have the right to:
  Request confidential communications
  Access their medical records
  Request restrictions on the use and disclosure of their PHI
  Request an accounting of disclosures
  Authorize disclosure to persons or entities of their choice
  Revoke authorizations
From our NPP, “Your Rights Regarding Your Health Information”: Although your health record belongs to the Clinics, the information in it belongs to you. You have the right to:
* Look at and/or ask for a copy of your health record. An appointment is required to view the record with your health care provider. We may deny your request to inspect and copy in certain very limited circumstances. You may request that the denial be reviewed in most circumstances.
* Ask to restrict certain uses and disclosures of your record. If we deny your request, we will tell you in writing why we do not agree.
* Ask for a correction or change to your health record. We do not have to make the change you request. If we deny your request, you can write a statement of disagreement with the denial that we will keep with your medical record.
* Get a list of when and to whom your health information has been sent for reasons other than treatment, payment or health operations as of April 14, 2003.
* Ask us to communicate your health information to you by other means or to another location. For example, you can ask that we only contact you through a certain telephone number.

18 Client Rights: The Notice of Privacy Practices (NPP)
The NPP:
  Explains privacy policies
  Explains how client information may be used and disclosed, and how clients can access this information
  Informs clients about their rights, including the right to make complaints
Who receives the NPP?
  Every client, at the time of their first clinic visit
  Anyone who requests a copy
Clients must be asked to sign an acknowledgement of the Notice, although they are not required to sign it.
The NPP replaces the former separate Tennessen Warning, which is now combined with the NPP.
The NPP must be posted prominently in the clinic. The Client Bill of Rights and Access to Health Records must be posted in clinical areas.
NPP required at 1st visit: offer a copy of the NPP and have the client sign the acknowledgment. Also must post in clinical areas and on the web site: Client Bill of Rights and Access to Medical Records.
The Tennessen Warning (orally or in writing) must include the following elements:
  The purpose of the data collection and the intended use of the data
  Whether the client can refuse or is required by law to provide the data
  The consequences of either providing or refusing to disclose the data
  The identities of all persons or entities that are authorized by law to access the data

19 New Notice of Data Practices and Data Privacy Notice

20 Individual Right to Access and Amendment
Clients have a right to inspect and copy their medical record. The client is required to complete a request access form. Clients can also request amendments to their medical records.
Exceptions to this rule:
  Psychotherapy notes, if access could endanger civil or criminal hearings
  Information compiled in reasonable anticipation of, or for use in, a civil, criminal or administrative action or proceeding
  The PHI was obtained from someone other than a health care provider under a promise of confidentiality, and access would be reasonably likely to reveal the source
  The access is reasonably likely, in the judgment of a licensed health care professional, to endanger the life or physical safety of the individual or another person
  The PHI makes reference to another person and, in the judgment of a licensed health care professional, the access is reasonably likely to cause substantial harm to the individual or another person
As stated in the rule, the exceptions are:
  Psychotherapy notes
  Information compiled in reasonable anticipation of, or use in, a civil, criminal or administrative action or proceeding
  PHI that the individual is prohibited from accessing pursuant to certain laws
  The PHI was obtained from someone other than a health care provider under a promise of confidentiality and access would be reasonably likely to reveal the source
  The access is reasonably likely, in the judgment of a licensed health care professional, to endanger the life or physical safety of the individual or another person
  The PHI makes reference to another person and, in the judgment of a licensed health care professional, the access is reasonably likely to cause substantial harm to the individual or another person
See

21 Accounting for Disclosures
HIPAA requires SBC to log all disclosures, including who accessed medical records. The logs must include who had access, for what reason, and when access was provided.
SBC policy is to document all disclosures of PHI in the client medical record and include a copy of the signed authorization for release form.
Inadvertent disclosure of PHI must be reported to the supervisor and the SBC Privacy Coordinator immediately.
New rule being proposed? Logs will be incorporated in the EMR.

22 HIPAA Privacy Rule: Rights of Parents
Parents are generally authorized (under MN state law) to make medical decisions for non-emancipated minor children.
HIPAA treats parents as “Personal Representatives” of minor children if they are authorized to make decisions for them.
As “Personal Representatives,” parents exercise rights regarding PHI for their minor children: access to information and control over disclosure.

23 HIPAA Privacy Rule: Rights of Minors
The minor is treated as “the Individual,” and the parent is not necessarily the “Personal Representative,” when the minor has the right to consent and has consented. When the minor or the services fall under the MN Minor Consent Law, the minor may authorize disclosure.
A minor acting as “the Individual” can exercise rights regarding PHI: access to information, control over disclosure, and requests for privacy protection.
If the minor client holds the right to consent, the minor client holds the right to disclose.

24 SBC Consent Requirements
Clinic Consent: a parent-signed consent form is required for any clinic service except those under minor consent.
Minor Consent: a minor client can consent for confidential medical services including emergency related care, pregnancy related care, STI care, contraceptive care, inpatient mental health care, and treatment of drug and alcohol abuse.
Mental Health Consent: minor clients can receive mental health services if their parent has signed clinic consent. MN DHS rules require parent MH consent to bill for MH diagnosis or treatment. SBC policy is to get parent MH consent for minor clients requiring ongoing care.
A minor can request nondisclosure of their private data to parents by written request, if the provider determines it is in the minor’s best interest. Per MN law, the SBC will develop a written procedure to allow a minor to request that their record be kept from a parent. The procedure will ensure that:
  Notification about the right to request withholding data from a parent is in writing
  The request is in writing and includes the reason
  A statement is included that SBC can withhold information if in the “best interests of the minor”
Upon receipt of such a request, the SBC provider shall determine if honoring the request to deny parental access would be in the best interest of the minor data subject. In making the determination, the responsible authority shall be guided by at least the following:
  (1) whether the minor is of sufficient age and maturity to be able to explain the reasons for and to understand the consequences of the request to deny access;
  (2) whether the personal situation of the minor is such that denying parental access may protect the minor data subject from physical or emotional harm;
  (3) whether there is ground for believing that the minor data subject's reasons for precluding parental access are reasonably accurate;
  (4) whether the data in question is of such a nature that disclosure of it to the parent could lead to physical or emotional harm to the minor data subject; and
  (5) whether the data concerns medical, dental, or other health services provided pursuant to Minnesota Statutes, sections to . If so, the data may be released only if failure to inform the parent would seriously jeopardize the health of the minor.

25 Minor Consent Form
A minor who is emancipated (age 18, legally married, has a child, declared emancipated by court order, or living separately and managing their own financial affairs) may give effective consent for personal medical and mental health services. A minor who is the mother of a child may also give consent for her child.
A minor client can consent for confidential medical services including emergency related care, pregnancy related care, STI care, contraceptive care, inpatient mental health care, and treatment of drug and alcohol abuse.
The SBC provider will review the consent and have the minor client sign the consent form.

26 HIPAA Privacy Rule: Domestic Violence or Abuse
A provider may elect NOT to treat a parent as the personal representative if:
  the provider has a reasonable belief that the minor has been or may be subject to domestic violence, abuse or neglect by the parent, OR treating the parent as personal representative could endanger the minor;
  AND the provider believes that it is not in the best interest of the minor to give the parent access and control.
(g)(5)

27 Operational Procedures for Protecting Privacy
The “Minimum Necessary” Standard (need to know)
SBC staff must make a reasonable effort to disclose or use only the minimum necessary amount of protected health information in order to accomplish the intended purpose. They can disclose information requested by other health care providers if the information is necessary for treatment.
SBC providers who are directly involved in the care of the client can see PHI. Providers can disclose to consulting physicians or for referrals, but not to people who do not have clinical responsibilities.
Making “minimum necessary” determinations is a balancing act. Providers must weigh the need to protect clients’ privacy against their reasonable ability to limit the information that is disclosed while delivering quality care. Providers must be careful about what they disclose to other staff members, such as billing department workers or providers not involved in the care of their client.

28 Everyday Steps for Protecting Privacy: Safeguards
Communications: avoid unnecessary disclosures of PHI by monitoring voice levels on the phone or when talking with clients or others in the clinic. Do not have discussions about clients in other parts of the building.
Sign-in sheets: avoid using last names.
Phone or text messages: do not leave messages on answering machines regarding client conditions or test results. You can leave a message about an appointment if the client has given permission.
Faxes: use the machine in the clinic, with a cover sheet that includes a confidentiality notice.
Mail: PHI that is mailed will be concealed.
Copies: only copy PHI on the SBC machine.
Desk: never leave a client’s medical record on your desk or open on your computer screen when you leave your desk. You are required to log off when leaving a workstation. In public areas, position computer monitors so that visitors or people walking by cannot view information.

29 Security Safeguards
SBC practices to secure data include:
  Always lock up paper files in locking cabinets
  Keep the clinic locked when not occupied by SBC staff
  Lock up all documents containing PHI (lab book, appointment schedule, lab reports, medical records, referrals)
  Transport clinic records containing PHI in locked bins via courier
  Monitor visitors/clients in the clinic
  All SBC providers must use their assigned unique MPS network password; do not share login passwords
  PHI can not be transmitted using
  Computing devices must be physically secured, using locking cables for laptops
  All electronic computing and communication devices must be stripped of all PHI prior to disposal or re-use

30 Record Retention
HIPAA-related documentation must be maintained for 6 years. This requirement applies to accounting for disclosures records, authorizations, data use agreements and any other.
SBC follows City record retention schedules as required by MN law. Inactive client files are transported annually to department archive files for 3 years and are then located in the City archive. Refer to the SBC record archive policy.

31 Federal Family Education Rights & Privacy Act (FERPA)
“Education records” covered by FERPA include health information contained in education records
Intended to protect the privacy of educational records and assure parental access to records
Education records are excluded from the definition of “protected health information” in the HIPAA Privacy Rule
Educational records do not include oral communications

32 Who Are Business Associates?
HIPAA defines business associates as entities outside of the SBC that perform or assist SBC in performing activities that require the use or disclosure of PHI. The information includes claims processing, data analysis, billing, or practice management.
Business associates can include lawyers, actuarial professionals, accountants, health care consultants, transcription agencies, computer support, and billing companies.
Business associates are covered entities under HIPAA and are directly accountable for compliance with regulations.
SBC business associates are Pat Neska, Fairview Lab, Gateway clearinghouse, and (pending) NexGen.
Disclosure of PHI to a business associate requires an executed Business Associate Agreement.

33 HIPAA Compliance
Compliance is no longer voluntary
State Attorneys General are authorized to conduct independent investigations
The Office of Civil Rights is named the enforcement agency for both privacy and security breaches
The Breach Notification Rule covers both covered entities and Business Associates
Covered Entities must report all unsecured security breaches to HHS

34 Complaints and Breaches
All violations and breaches, including lost or stolen PHI, must be reported immediately to the SBC Privacy Coordinator
Complaints regarding privacy may be referred to the City Privacy Officer
Staff are prohibited from intimidating clients who wish to make a complaint
You may also anonymously report violations to the US Department of Health and Human Services

35 Sanctions
Violations of SBC privacy or security policies may result in:
  Disciplinary action, including termination
  Revocation by licensing boards
  Fines and/or criminal prosecution

36 Penalties for Noncompliance: Civil
HIPAA's enforcement provisions authorize the Secretary of Health and Human Services to impose penalties on non-complying entities.

Violation Category             Each Violation     All Such Violations of an Identical Provision in a Calendar Year
Did Not Know                   $11-$50,000        $1,500,000
Reasonable Cause               $1,000-$50,000
Willful Neglect, Corrected     $10,000-$50,000
Willful Neglect, Not Corrected $50,000

Definitions
Reasonable cause: circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated.
Reasonable diligence: the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.
Willful neglect: conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.
6/2009, HITECH Act

37 Penalties for Noncompliance: Criminal
Covered entities and specified individuals, as explained below, who "knowingly" obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment of up to one year. Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison. Finally, offenses committed with the intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000 and imprisonment for up to ten years.
Covered Entity and Specified Individuals: The DOJ concluded that the criminal penalties for a violation of HIPAA are directly applicable to covered entities, including health plans, health care clearinghouses, health care providers who transmit claims in electronic form, and Medicare prescription drug card sponsors. Individuals such as directors, employees or officers of the covered entity may also be directly criminally liable under HIPAA in accordance with principles of "corporate criminal liability." Where an individual of a covered entity is not directly liable under HIPAA, they can still be charged with conspiracy or aiding and abetting.
Knowingly: The DOJ interpreted the "knowingly" element of the HIPAA statute for criminal liability as requiring only knowledge of the actions that constitute an offense. Specific knowledge of an action being in violation of the HIPAA statute is not required.
Recent HIPAA violation case (2/2011): Mass General Hospital. A provider left client records (192 infectious disease outpatient cases with PHI: names, DOB, insurance, SSI, Dx, providers) on the subway. Fined $1,000,000 as part of a corrective action plan: develop P&P to ensure PHI is protected, train the workforce on P&P, and set up an internal audit.

38 HIPAA Contacts and Links
U.S. Department of Health & Human Services, Office of Civil Rights (OCR)
Approved HIPAA policies and forms will be on the new SBC web page
Federal Regulations: paper copy available for each site; manual online

39 SBC HIPAA Compliance Policy: Privacy
Draft --SBC Privacy Policy

