SBC HIPAA Privacy Training HIPAA Overview HIPAA impact on clinical practice Client Rights Operational Procedures for protecting Privacy How does HIPAA impact SBC Compliance Training Overview
SBC HIPAA Privacy Training Why Now?? 2002 HIPAA Assessment Required compliance with EHR City Resolution - HIPAA Hybrid Entity passed Council July 2011
SBC HIPAA Privacy Training City of Minneapolis HIPAA Hybrid Entity Structure HIPAA Steering Committee Members: HIPAA Privacy Officer – Casey Carl, HIPAA Security Officer, Privacy Coordinator City plans, Privacy Officer SBC, Security Coordinator City Plans, Security Coordinator SBC, representative from MFD and Office of City Attorney. Human Resource Health Plans Human Resources Director- Privacy Officer Health Care Component MDHFS -School Based Clinics School Based Clinic Manager- HIPAA Privacy Coordinator
SBC HIPAA Privacy Training What is HIPAA? Health Insurance Portability and Accountability Act of 1996 (HIPAA) Federal law passed by Congress Part of the Social Security Administration Act Purpose: To protect the confidentiality and security of personally identifiable health information as it is used, disclosed and electronically transmitted by covered components. Creates a framework, using standardized formats, for transmitting electronic health information more cost effectively.
SBC HIPAA Privacy Training HIPAA Privacy Rule First national Standard Provides safeguards to protect privacy of individuals health information Identifies permitted uses & disclosures Specifies rights of the individual to control how their health information is used & disclosed Requires sanctions to be applied to employees who violate HIPAA policies & procedures
SBC HIPAA Privacy Training HIPAA Privacy Rule Coverage Who Covered Entities: healthcare providers, health care plans, health care clearing houses What is required Covered Entity: Name a privacy officer to be responsible for communicating policies & procedures, identify staff whose roles require access to PHI, staff training, ensure safeguards are in place to protect PHI, maintain documentation and monitor compliance & apply sanctions Staff: attend training, read and understand SBC Notice of Privacy Practice, Understand HIPAA Rule impact on their jobs When Rule enforcement began in 2003 SBC to become a covered entity in 2012 when we implement Electronic Medical Record/ Practice Management
SBC HIPAA Privacy Training The HIPAA Privacy Rule Applies to health care providers, health plans &healthcare clearinghouses. SBC will be required to comply with HIPAA and constitute a Covered Entity Establishes conditions under which PHI can be used and disclosed. –Use of PHI refers to sharing the information within the SBC Covered Entity. –Disclosure refers to sharing PHI to individuals or organizations outside of the SBC Covered Entity ; Grants individuals certain rights regarding their PHI Requires that we maintain the privacy and security of PHI. Requires sanctions to be applied to employees who violate HIPAA policies & procedures.
SBC HIPAA Privacy Training The HIPAA Security Rule Establishes administrative, technical and physical standards for the security of electronic health information Implemented to protect confidentiality, integrity and availability of PHI that is maintained and transmitted electronically Requires a sanction policy to discipline employees who do not follow security policies
SBC HIPAA Privacy Training HITECH HIPAA The American Recovery and Reinvestment Act of 2009 Enhanced privacy & security rules Promotes the use of electronic health records (EHRs) by providing incentives to health care providers who convert their medical records from paper files to EHRs Breach Notification Rule: unauthorized acquisition, use, disclosure of PHI Enforcement & increased penalties to Covered Entities and their Business Associates
SBC HIPAA Privacy Training Protected Health Information Protected Health Information (PHI) under HIPAA means health information that identifies an individual and is: –Created or received by a health care provider. –Relates to an individuals past, present or future physical or mental health or the provision of or payment of health care. –Transmitted or maintained in any form or medium by a covered entity or business associate. PHI includes demographics Our general practice is to treat all client information as PHI
SBC HIPAA Privacy Training How is Protected Information Used? Client authorization is not required when providers use information to carry out essential health care functions –Treatment: provision, coordination, or management of health care & related services by one or more providers ( includes 3 rd party consultation & referrals) –Payment: to obtain payment or be reimbursed for services –Health Care Operations: administrative, financial, legal & quality improvement activities necessary to run clinic and support core functions of treatment and payment. A Covered Entity may not use or disclose PHI except as permitted or required by Privacy Rule
SBC HIPAA Privacy Training Permitted Disclosures without PHI Authorization SBC may disclose PHI without authorization for a variety of public interest related purposes including the following: –Legal Process –Public Health –Organ and Tissue Donation –Health Oversight Activities –Specialized Government Functions –Law Enforcement –Research –To advert a serious risk to health & safety (school) SBC policy to refer/consult with Privacy Coordinator prior to releasing PHI
SBC HIPAA Privacy Training Client Authorization for Use & Disclosure Clients can request release of their information by signing an authorization which includes all the statements required under the regulations. Use of the SBC Authorization for Request/Release of PHI form ( 8/11 #92) meets the regulatory requirements. If client is a minor at time of request and PHI includes non minor consent services parent of minor client must sign the request for authorization. When responding to an authorization from another organization for release of protected health information, the authorization must also meet the HIPAA requirements. If there is any doubt, the SBC Privacy Coordinator can provide assistance in reviewing the validity of the document. SBC provider must confirm identity of requester and note the date in the Medical record.
SBC HIPAA Privacy Training Authorization for Request/Release of PHI
SBC HIPAA Privacy Training Psychotherapy Notes Psychotherapy notes receive stronger protection than other protected health information under the HIPAA privacy rule because of their potential sensitivity. Mental Health records need to be separate in EHR Psychotherapy notes are defined as the notes of a mental health professional which document or analyze the contents of a counseling session and which are stored separately from the rest of the medical record. Except in certain limited circumstances, use or disclosure of psychotherapy notes is permissible only if the patient signs a separate authorization that encompasses only psychotherapy notes and no other PHI. Psychotherapy notes exclude: –Medication prescription and monitoring –Counseling session start and stop times –Modalities and frequencies of treatment furnished –Results of clinical tests –Any summary of diagnosis, functional status, treatment plan, symptoms, prognosis, or progress to date
SBC HIPAA Privacy Training Client Rights Clients have the right to Request confidential communications Access their medical records Request restrictions on their use & disclosure of PHI Request Accounting of disclosures Authorize disclosure to persons or entities of their choice Revoke Authorizations
SBC HIPAA Privacy Training Client Rights The Notice of Privacy Practices (NPP): Explains privacy policies Explains how client information may be used, disclosed and how they can access this information. Informs clients about their rights – including make complaints Who receives the NPP? –First time a client at time of clinic visit –Anyone who requests a copy Clients must be asked to sign an acknowledgement of Notice, although they are not required to sign it. Replace former separate Tennessen Warning- it is combined with NPP The NPP must be posted prominently in clinic. Client Bill of Rights and Access to Health Records must be posted in clinical areas.
SBC HIPAA Privacy Training New Notice of Data Practices and Data Privacy Notice
SBC HIPAA Privacy Training Individual Right to Access and Amendment Clients have a right to inspect and copy their Medical Record The client is required to complete a request access form Clients can also request amendments to their medical records Exceptions to this rule: –Psychotherapy notes if could endanger civil or criminal hearings –Information compiled in reasonable anticipation of, or use in, a civil, criminal or administrative action or proceeding. –The PHI was obtained from someone other than a health care provider under a promise of confidentiality and access would be reasonably likely to reveal the source. –The access is reasonably likely, in the judgment of a licensed health care professional, to endanger the life or physical safety or the individual or another person. –If the PHI makes reference to another person and, in the judgment of a licensed health care professional, the access is reasonably likely to cause substantial harm to the individual or another person.
SBC HIPAA Privacy Training Accounting for Disclosures HIPAA requires SBC to log any disclosures including who accessed medical records. The logs must include who had access, for what reason and when access was provided. SBC Policy is to document all disclosures of PHI in client medical record and include a copy of signed authorization for release form. Inadvertent disclosure of PHI needs to be reported to supervisor & SBC Privacy coordinator immediately.
SBC HIPAA Privacy Training HIPAA Privacy Rule: Rights of Parents Parents are generally authorized ( under MN state law) to make medical decisions for non emancipated minor children. HIPAA treats parents as Personal Representatives of minor children if they are authorized to make decisions for them. As Personal Representatives parents exercise rights re: PHI for their minor children – Access to information & Control over disclosure.
SBC HIPAA Privacy Training HIPAA Privacy Rule: Rights of Minors Minor is treated as the Individual & parent is not necessarily the Personal Representative –When minor has right to consent & has consented; –When the minor or services fall under the MN Minor Consent Law the minor may authorize disclosure. Minor acting as the Individual can exercise rights regarding PHI –Access to information –Control over disclosure –Request privacy protection If minor client holds the right to consent, the minor client holds the right to disclose
SBC HIPAA Privacy Training SBC Consent Requirements Clinic Consent: a parent signed consent form is required for any clinic service except those under minor consent. Minor Consent: minor client can consent for confidential medical services including: emergency related care, pregnancy related care, STI Care, Contraceptive care, inpatient mental health care and treatment of drug and alcohol abuse. Mental Health Consent: minor clients can receive mental health services if their parent has signed clinic consent. MN DHS rules requires parent MH consent to bill for MH diagnosis or treatment. SBC policy is to get Parent MH consent for minor clients requiring ongoing care. A Minor can request nondisclosure of their private data to parents by written request and if provider determines in minors best interest.
SBC HIPAA Privacy Training Minor Consent Form A minor who is emancipated ( age 18, legally married, has a child, declared emancipated by court order or is living separate & managing own financial affairs) may give effective consent for personal medical and mental health services. In case of a mother of child, she may also give consent for her child. Minor client can consent for confidential medical services including: emergency related care, pregnancy related care, STI Care, Contraceptive care, inpatient mental health care and treatment of drug and alcohol abuse. SBC provider will review consent and have minor client sign consent form.
SBC HIPAA Privacy Training HIPAA Privacy Rule: Domestic Violence or Abuse Provider may elect NOT to treat parent as the personal representative if Provider has reasonable belief minor has been or may be subject to domestic violence or abuse or neglect by the parent OR Treating parent as personal representative could endanger the minor AND Provider believes that it is not in the best interest of minor to give parent access and control.
SBC HIPAA Privacy Training Operational Procedures for Protecting Privacy The Minimum Necessary Standard – Need to know SBC staff must make a reasonable effort to disclose or use only the minimum necessary amount of protected health information in order to accomplish the intended purpose. They can disclose information requested by other health care providers if the information is necessary for treatment. SBC providers who are directly involved in the care of the client can see PHI. Providers can disclose to consulting physicians or for referrals, but not to people who dont have clinical responsibilities. Making minimum necessary determinations is a balancing act. Providers must weigh the need to protect clients privacy against their reasonable ability to limit the information that is disclosed while delivering quality care.
SBC HIPAA Privacy Training Everyday Steps for Protecting Privacy Safeguards Communications: avoid unnecessary disclosures of PHI by monitoring voice levels on phone or talking with clients or others in clinic. Do not have discussions about clients in other parts of the building. Sign-in Sheets: avoid using last names Phone or Text Messages: Do not leave messages on answering machines regarding client conditions or test results. can leave message about appointment if client has given permission. Faxes: Use on machine in clinic, use coversheet that includes confidentiality notice. Mail: PHI mailed will be concealed. Copies: Only copy PHI on SBC machine. Desk: Never leave a clients medical record on your desk or computer screen open when you leave your desk. It is required to log-off when leaving a workstation. In public areas, point computer monitors so that visitors or people walking by cannot view information.
SBC HIPAA Privacy Training Security Safeguards SBC practices to secure data include: Always lock-up paper files in locking cabinets Keep clinic locked when not occupied by SBC staff Lock-up all documents containing PHI (Lab book, appointment schedule, lab reports, medical records, referrals) Transport clinic records containing PHI in locked bins via courier Monitor visitors/clients in clinic All SBC providers must use their assigned unique MPS network password– do not share login passwords PHI can not be transmitted using email Computing devices must be physically secured via use of locking cables for laptops. All electronic computing and communication devices must be stripped of all PHI prior to disposal or re-use.
SBC HIPAA Privacy Training Record Retention HIPAA related documentation must be maintained for 6 years. This requirement applies to accounting for disclosures records, authorizations, data use agreements and any other. SBC follows City record retention schedules as required by MN Law. Inactive client files annually are transported to department archive files for 3 years then are located in City archive. refer to SBC record archive policy
SBC HIPAA Privacy Training Federal Family Education Rights & Privacy ACT (FERPA) Education Records covered by FERPA includes health information included in education records Intended to protect the privacy of educational records & assure parental access to records Education Records are Excluded from definition of protected health information in HIPAA privacy rule Educational Records do not include oral communications
SBC HIPAA Privacy Training Who Are Business Associates? HIPAA defines business associates as entities outside of The SBC that perform or assist SBC in performing activities that require the use or disclosure of PHI. The information includes claims processing, data analysis, billing, or practice management Business associates can include lawyers, actuarial professionals, accountants, health care consultants, transcription agencies, computer support, and billing companies. Business associates are covered entities under HIPAA and are directly accountable for compliance with regulations. SBC business associates are Pat Neska, Fairview Lab, pending for NexGen, Gateway clearinghouse Disclosure of PHI to a business associate requires an executed Business Associate Agreement.
SBC HIPAA Privacy Training HIPAA Compliance Compliance is no longer voluntary State Attorneys General are authorized to conduct independent investigations Office of Civil Rights is named the enforcement agency for both privacy & security breaches Breach Notification Rule covers both covered entities and Business Associates Covered Entities must report all unsecured security breaches to HHS
SBC HIPAA Privacy Training Complaints and Breaches All violations and breaches, including lost or stolen PHI must be reported immediately to SBC Privacy Coordinator Complaints regarding privacy may be referred to City Privacy Officer Staff are prohibited from intimidating clients who wish to make a compliant You may also anonymously report violations to the US Department of Health and Human Services.
SBC HIPAA Privacy Training Sanctions Violations of SBC privacy or security policies may result in Disciplinary action including termination Revocation by licensing boards Fines and/or criminal prosecution
SBC HIPAA Privacy Training Penalties for Noncompliance: Civil HIPAA's enforcement provisions authorize the Secretary of Health and Human Services to impose penalties to non-complying entities. Definitions Reasonable cause: circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated. Reasonable diligence: the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances Willful neglect: conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated. Violation CategoryEach ViolationAll Such Violations of an Identical Provision in a Calendar Year Did Not Know$11-$50,000$1,500,000 Reasonable Cause$1,000-50,000$1,500,000 Willful Neglect-Corrected$10,000-50,000$1,500,000 Willful Neglect-Not Corrected$50,000$1,500,000
SBC HIPAA Privacy Training Penalties for Noncompliance: Criminal Covered entities and specified individuals, as explained below, whom "knowingly" obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment up to one year. Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000, and imprisonment for up to ten years. Covered Entity and Specified Individuals The DOJ concluded that the criminal penalties for a violation of HIPAA are directly applicable to covered entitiesincluding health plans, health care clearinghouses, health care providers who transmit claims in electronic form, and Medicare prescription drug card sponsors. Individuals such as directors, employees, or officers of the covered entity, may also be directly criminally liable under HIPAA in accordance with principles of "corporate criminal liability." Where an individual of a covered entity is not directly liable under HIPAA, they can still be charged with conspiracy or aiding and abetting. Knowingly The DOJ interpreted the "knowingly" element of the HIPAA statute for criminal liability as requiring only knowledge of the actions that offense action being in constitute an offense. Specific knowledge of an Violation of the HIPAA statute is not required.
SBC HIPAA Privacy Training HIPAA Contacts and Links U.S. Department of Health & Human Services Office of Civil Rights (OCR) www.hhs.gov/ocr/hipaa/privacy.html www.hhs.gov/ocr/hipaa/privacy.html Approved HIPAA policies and forms will be on the new SBC web page www.minneapolismn.gov/dhfs/sbc_clinicsource www.minneapolismn.gov/dhfs/sbc_clinicsource
SBC HIPAA Privacy Training SBC HIPAA Compliance Policy: Privacy