COBB/DOUGLAS COMMUNITY SERVICES BOARD

LAWS and REGULATIONS GOVERNING PRIVACY
- Official Code of Georgia Annotated Chapters 37-3, 37-7 and 37-4
- Chapter 290-4-9 of the Rules of the Department of Human Resources
- Federal statutes (42 USCA 290dd-2) and regulations (42 CFR Part 2) related to substance abuse records
- Federal regulations 45 CFR Parts 160 and 164 - Standards for Privacy of Individually Identifiable Health Information under the Health Insurance Portability and Accountability Act (HIPAA)

TERMS AND DEFINITIONS
Individually Identifiable Health Information (IIHI)
Information about an individual that:
- relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
- identifies the individual or can be used to identify an individual

TERMS AND DEFINITIONS
Protected Health Information (PHI)
Individually identifiable health information including:
- name
- geographic subdivisions smaller than a state (street address, city, county, zip code, geocodes)
- all elements of a date except year for all dates related to the consumer (including birth date, admission date, discharge date, date of death)
- telephone number, fax number, email address
- social security number, account number, insurance number, license number, certificate number
- vehicle ID, device number
- URL, IP address
- biometric ID, facial photograph and comparable images
- any other unique identifier or code

TERMS AND DEFINITIONS
Preemption
- If a state or federal law or regulation grants the consumer greater access to their PHI, then it will preempt HIPAA.
- If a state or federal law or regulation gives consumer health information greater protections from disclosure, then it will preempt HIPAA.
TPO
- Treatment
- Payment
- Health Care Operations

ADMINISTRATIVE REQUIREMENTS
- Privacy Officer (PO): Lorraine Harris
- Business Associates: Must have a contract/agreement that holds them to the same HIPAA standards.
- Complaint Process: Consumers can file a complaint if they believe we have violated their rights under HIPAA.

HIPAA CONSUMER RIGHTS
- Receive Notice of Privacy Practices
- Access to Designated Record Set (DRS)
- Request Amendment to DRS
- Request Restriction on Communications
- Request Confidential Communications
- Accounting of Disclosures
- File a Complaint

NOTICE OF PRIVACY PRACTICES
What is the NPP?
The Notice of Privacy Practices describes how information about the consumer is used by the Cobb/Douglas CSB and when we will disclose it without their authorization.
- Must be posted at each service site
- Must be posted on web
- Must be given to each consumer after April 14, 2003

MINIMUM NECESSARY STANDARD
This refers to the practice of limiting the disclosure of information to that information reasonably necessary to accomplish the purpose for which disclosure is sought. This includes use internally by staff. Staff should have access to and use only the minimum necessary.
ALL STAFF ARE RESPONSIBLE FOR APPLYING THE MINIMUM NECESSARY STANDARD IN THE COURSE OF CARRYING OUT THEIR JOB DUTIES.

PRIVACY AND SECURITY BEST PRACTICES
- Protect your computer passwords - never share or give to anyone else
- Log off of CADIS and any other open files that contain PHI or IIHI
- Keep computer screens out of eyesight of others
- Keep medical record rooms locked/secured
- Only access consumer information you need to do your job - limit to minimum necessary

PRIVACY AND SECURITY BEST PRACTICES
- Keep consumer records and other documents containing PHI/IIHI out of sight - don't leave lying around
- Monitor faxes containing PHI/IIHI
- Documents with PHI/IIHI to be discarded should be shredded
- Don't talk about consumers in public areas
- If asked for consumer information - question why
- Report problems/violations

PENALTIES FOR VIOLATION
- Violation but not willful: $100 penalty for each violation – limited to $25,000 per calendar year
- Wrongful Disclosure: Up to $50,000 and/or imprisoned for not more than 1 year
- Obtained PHI under false pretenses: $100,000 and/or imprisoned for not more than 5 years
- Intent to sell, transfer or use for gain or malicious harm: $250,000 and/or imprisoned for not more than 10 years

SUBPOENAS and COURT ORDERS
- Notify your supervisor
- Supervisor notifies site/program director
- Notify Medical Record Director
- Privileged information can never be released with a subpoena
- SA information can never be released with a subpoena

QUESTIONS