1. Training Module: Understanding SCCCC Confidentiality and Privacy Policies and Procedures

2. Training Objectives Basic understanding of how HIPAA and other State and Federal regulations are implemented at SCCCC Learn where to find SCCCC privacy and confidentiality policies, procedures, and forms Learn how these policies affect your day-to- day work at SCCCC

3. HIPAA Health Insurance Portability and Accountability Act HIPAA is a federal law passed in 1996, which created new national standards to protect the privacy of personal health information. This information is known as “protected health information” or PHI.

4. Protected Health Information PHI is individually identifiable information related to the past, present or future health condition of the individual PHI applies to electronic, paper, or oral communications PHI has been interpreted to include mental health and substance abuse disorders

5. SCCCC Policies and Procedures are based on the following State and Federal laws or regulations: Health Insurance Portability and Accountability Act of 1966 (HIPAA) 42 CFR Confidentiality of Alcohol and Drug Abuse Patient Records Lanterman-Petris-Short Act of the State Welfare and Institutions Code Title 22, California Code of Regulations *In our work at SCCCC, we must comply with HIPAA as well as the other applicable laws and regulations. When there is a conflict between HIPAA and State law, HIPAA takes precedence as a Federal law.

6. Policy 315 SCCCC Policies and Procedures Manual Confidentiality Agreed-upon rules and regulations that pertain to information about staff or clients being given to outside sources. Although the SCCCC policy covers staff and client confidentiality, this training covers only client confidentiality.

7. No information, including acknowledgment that an individual is or has been a client, will be released without prior written consent of the client or authorized person. There are legal exceptions such as: Child and elder abuse reports Subpoenas or court orders Risk of harm to self or to warn potential victims of intended harm (refer to component director, manager or State-licensed therapist)

8. Component Confidentiality Agreement All employees sign a Confidentiality Agreement upon hire

9. For more information about confidentiality policies and procedures, consult the Confidentiality Training Guide located on SCCCC’s web page at www.scccc.org In the following slides, you will answer questions about the topics below. Business Associate Agreement Handling of Confidential Information Confidential Conversations Sending Emails Sending Faxes Mailing Use of Client Photos, Audio, Video Client Access to Records

10. Business Associate Agreement Agreements are required with businesses that would have access to protected client health information as part of their job. 1.Your component plans to hire Confidential Shredding Services to shred personnel records. The files contain physical exams. Do you need to have a business associate agreement with Confidential Shredding Services? 2.You are going to hire a temporary employee from a Temp Agency. This individual will be filing client health information. Do you need a Business Associate Agreement with the Temp Agency? Answers: 1. no 2. yes (we also ask the temp agency employee to sign a Confidentiality Agreement).

11. Confidential Documents Which of the scenarios below is good HIPAA practice? 1.Joe leaves a client record on his desk face down since he plans to be gone only a minute or two. 2. Monica has been doing on-line data entry to client records. Before going to lunch, she turns her computer screen off. 3. Mary is sending a confidential client record by courier from Admin Services to a program site. She stamps the record “confidential” and places it in an envelope with the recipients name and location. She uses a ”CONFIDENTIAL” sticker to seal the opening. Answers: 1. No 2. No 3. Yes

12. Client Lists and Photographs 1.Margaret is working in a preschool classroom. She posts a list of children (using their first and last name) who need to take medication during classroom hours. Is this good HIPAA practice? 2.Ray works in a residential program. He hangs a list of residents who are on kitchen duty. He uses their first name and initial of their last name. Is this good HIPAA practice? 3. Jamie receives permission from the Program Director to videotape the client graduation ceremony at a residential treatment program for the purpose of showing it to graduates and staff the next day. Is this good HIPAA practice? Answers: 1.No 2.Yes 3.Yes, however, it should be destroyed after viewing.

13. Confidential Conversations Which of these examples represents good practice in regards to confidentiality? 1.Gina works at SCCCC. A friend, Ralph, whom she hasn’t seen in years comes to repair the office copy machine. Gina tells Ralph that a mutual friend of theirs, Bryanna, will be coming in for a group session in about an hour. 2.A client comes in to fill out an application. Gina reserves a room where she and the client can complete the forms without interruption. 3.After meeting with a client, Gina goes to the mail room to check her mail box and runs into another employee. Gina begins to tell the employee what she thinks of the client. Answers: 1. No 2. Yes 3. No

14. E-Mail 1.Margaret, a counselor, is going on vacation. A co- worker has agreed to see the client while Margaret is gone. Margaret emails her co-worker to confirm the appointment. She uses the client’s first and last initial. Is this good HIPAA practice? 2.True or false? When sending client information, all staff must use the signature block at the end of each email which contains wording regarding the confidentiality of the contents of the email. Answers:1. Yes 2. True Notice to recipient: This communication is intended for the person(s) to whom it is addressed and may contain information that is protected by Federal and/or State law. If you receive this in error, any review, use, dissemination, distribution, or reproduction is strictly prohibited. Please notify us immediately by telephone or email and delete the email and any attachment from your system. Thank you for your cooperation.

15. Fax Which of the examples below represent good HIPAA practice? 1.The office fax machine is located at the front reception desk. 2.Jennie uses speed dial for frequently faxed numbers when sending client information because it eliminates the possibility of a transmission error. 3.Faxing highly sensitive client information such as assessments, service plans, medical information is not recommended. True or false? Answers: 1. No 2. True 3. True, if absolutely necessary, call ahead.

16. Mailing True or False? 1.When sending documents to clients, use return address only…do not include program name. 2.Mail stamped CONFIDENTIAL may be opened only by the addressee. 3.Use a CONFIDENTIAL stamp or sticker on the outside of an envelope. Answers: 1. True 2. True 3. True

17. Forms Forms (CRS, CSS, YS) are available on the agency web site: “Notice of Health Information Practices and Privacy Policies” (Signed by the client; form describes how information will be used and disclosed and how to access it) “Request to Review Client File Information” (completed by the client or guardian) “Release of Confidential Information” (client signs to approve release of confidential information) “Audio/Video/Observation Release” (client and or parent signs to release use of a session which is audio recorded, video recorded or observed through a one-way mirror to be used as a training tool or other stated reason; release expires in one year) “Photograph/Video Release” (client or guardian signs to reproduce a photograph or video of the client)

18. What Happens If You Violate the Confidentiality Agreement? True or False? You may be fined up to $250,000 and/or receive disciplinary action up to and including termination Answer: True

19. Congratulations! You have successfully completed the SCCCC HIPAA Training Module