Presentation transcript: CONFIDENTIALITY, PRIVACY AND DATA / INFORMATION SECURITY TRAINING

Slide 1: CONFIDENTIALITY, PRIVACY AND DATA / INFORMATION SECURITY TRAINING
Pasadena Villa
Copyright March 2003
Slide 2: Confidentiality / 42 CFR Part 2 / HIPAA

Pasadena Villa is bound to follow state and federal regulations governing the confidentiality and privacy of our clients. Federal Statute 397, Title 42 CFR, Part 2 and HIPAA (Health Information Portability and Accountability Act of 1996), 45 CFR Parts 160, 162 and 164, mandate the ways in which we can communicate, access, use or disclose our clients' health information.

These regulations were enacted to protect an individual's private health / clinical information, which will be referred to as PHI (Personal Health Information) throughout the remainder of this training, to reduce healthcare fraud and abuse, and to give individuals rights over how their PHI will be used and disclosed and how to access their information.

All employees, volunteers, business associates and interns have an obligation to maintain the confidentiality of all persons served by Pasadena Villa to the fullest extent outlined by law.
Slide 3

Here are some examples of how an individual's PHI was exposed:

- About 400 pages of detailed psychological records concerning visits and diagnoses of at least 62 children and teenagers were accidentally posted on the University of Montana's Web site for eight days. The information included names, dates of birth, home addresses and school attended, with the results of the psychological tests.
- A doctor's laptop was stolen at a medical conference. The computer contained the names and histories of his patients in North Carolina.
- Due to a software flaw, thousands of consumers who requested pamphlets and brochures about drug and alcohol addiction had their names, addresses and telephone numbers exposed on Health.org, a government health information Web site.
- A Washington D.C. jury ordered a local hospital to pay $25,000 for failing to keep a patient's medical records confidential. Coworkers learned of the victim's HIV status after an employee at the Washington hospital revealed information in his medical record.
Slide 5

We have taken steps to comply with the laws by developing internal policies and procedures, a training program, a complaint process and the appointment of a Privacy and Security Officer. However, it is your responsibility to curb human nature (curiosity, sharing of information), to be sensitive to the clients' information, to respect the client's right to privacy and to know our policies and procedures. When we provide our clients with quality services, that includes protecting their confidential information.

As we go through this training, there will be differences between the HIPAA regulations and the 42 CFR, Part 2 / Florida Statute 397 regulations. 42 CFR, Part 2, is the Code of Federal Regulations that governs the Confidentiality of Alcohol and Drug Abuse Patient Records. Florida Statute 397 prohibits disclosure or use of patient records (any information, whether written or not) unless permitted by the patient or regulation.

Note: 42 CFR preempts HIPAA in some respects because it is more stringent/restrictive.
Slide 6: PATIENT IDENTIFYING INFORMATION

What is Protected Health Information / Individually Identifiable Health Information? It is information created or received by a medical/clinical provider, health plan or health care clearinghouse:

- Information related to the past, present, or future physical or mental health or condition of the individual
- Information related to the provision of health care/clinical care to an individual
- Information related to the past, present, or future payment for the provision of health care/clinical care to an individual
- Information that identifies the individual, or where there is a reasonable basis to believe that the information can be used to identify the individual
- Information transmitted or maintained in any medium

PATIENT IDENTIFYING INFORMATION UNDER 42 CFR PART 2 = NAME, ADDRESS, SOCIAL SECURITY #, FINGERPRINTS
Slide 7: OTHER SIMILAR INFORMATION UNDER HIPAA = Same as 42 CFR Part 2 PLUS

- Photograph
- Address is defined more broadly
- Names of relatives/household
- Name of employer
- Variety of dates
- Telephone / fax number
- address / URL / IP
- Client medical/clinical record number (applicable to group notes)
- Account/health plan number
- Vehicle or other device serial #

To ensure that PHI / Individually Identifiable Information is not disclosed or used improperly, Renaissance Healthcare Group has written policies and procedures to govern these releases. The next section will discuss the client's rights regarding their PHI and the process by which an individual may request the use and disclosure of his or her PHI.

Note: See HIPAA & Confidentiality Plan!
Slide 8: Client Rights & Privacy Notice

First of all, it is important to recognize and acknowledge the rights of the client concerning their PHI. The following outlines their rights and your responsibilities for upholding those rights.

- Clients have the right to receive Pasadena Villa's "Notice of Privacy Practices".
- Clients have the right to inspect and copy their medical record.
- Clients have the right to request an amendment to their records.
- Clients have the right to request restrictions on uses and disclosures of their protected health information (clinical record).
- Clients have the right to confidential communications (request alternative channels of communication).
- Clients have the right to receive an accounting of disclosures of their protected health information.
- Clients have the right to file a complaint if the client feels the above rights have been violated.

Notes: See next page for the Privacy Notice. Confidential communications means communicating with the client in a different area, not by mail or telephone, etc.
Slide 9: HIPAA Notice of Privacy Practices

Pasadena Villa

This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.

This Notice of Privacy Practices describes how we may use and disclose your protected health information (PHI) to carry out treatment, payment or health care operations (TPO) and for other purposes that are permitted or required by law. It also describes your rights to access and control your protected health information. "Protected health information" is information about you, including demographic information, that may identify you and that relates to your past, present or future physical or mental health or condition and related health care services.

1. Uses and Disclosures of Protected Health Information

Your protected health information may be used and disclosed by your physician, our office staff and others outside of our office that are involved in your care and treatment for the purpose of providing health care services to you, to pay your health care bills, to support the operation of the physician's practice, and for any other use required by law.

Treatment: We will use and disclose your protected health information to provide, coordinate, or manage your health care and any related services. This includes the coordination or management of your health care with a third party. For example, we would disclose your protected health information, as necessary, to a home health agency that provides care to you. Likewise, your protected health information may be provided to a physician to whom you have been referred to ensure that the physician has the necessary information to diagnose or treat you.

Payment: Your protected health information will be used, as needed, to obtain payment for your health care services. For example, obtaining approval for a hospital stay may require that your relevant protected health information be disclosed to the health plan to obtain approval for the hospital admission.

Healthcare Operations: We may use or disclose, as needed, your protected health information in order to support the business activities of your physician's practice. These activities include, but are not limited to, quality assessment activities, employee review activities, training of medical students, licensing, and conducting or arranging for other business activities. For example, we may disclose your protected health information to medical school students that see patients at our office. In addition, we may use a sign-in sheet at the registration desk where you will be asked to sign your name and indicate your physician. We may also call you by name in the waiting room when your physician is ready to see you. We may use or disclose your protected health information, as necessary, to contact you to remind you of your appointment.

We may use or disclose your protected health information in the following situations without your authorization: as Required By Law; Public Health issues as required by law; Communicable Diseases; Health Oversight; Abuse or Neglect; Food and Drug Administration requirements; Legal Proceedings; Law Enforcement; Coroners, Funeral Directors, and Organ Donation; Research; Criminal Activity; Military Activity and National Security; Workers' Compensation; Inmates.

Required Uses and Disclosures: Under the law, we must make disclosures to you and, when required by the Secretary of the Department of Health and Human Services, to investigate or determine our compliance with the requirements of Section

Other Permitted and Required Uses and Disclosures Will Be Made Only With Your Consent, Authorization or Opportunity to Object, unless required by law.

You may revoke this authorization, at any time, in writing, except to the extent that your physician or the physician's practice has taken an action in reliance on the use or disclosure indicated in the authorization.
Slide 10: PAGE 2

Your Rights

Following is a statement of your rights with respect to your protected health information.

You have the right to inspect and copy your protected health information. Under federal law, however, you may not inspect or copy the following records: psychotherapy notes; information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; and protected health information that is subject to law that prohibits access to protected health information.

You have the right to request a restriction of your protected health information. This means you may ask us not to use or disclose any part of your protected health information for the purposes of treatment, payment or healthcare operations. You may also request that any part of your protected health information not be disclosed to family members or friends who may be involved in your care or for notification purposes as described in this Notice of Privacy Practices. Your request must state the specific restriction requested and to whom you want the restriction to apply.

Your physician is not required to agree to a restriction that you may request. If your physician believes it is in your best interest to permit use and disclosure of your protected health information, your protected health information will not be restricted. You then have the right to use another Healthcare Professional.

You have the right to request to receive confidential communications from us by alternative means or at an alternative location.

You have the right to obtain a paper copy of this notice from us, upon request, even if you have agreed to accept this notice alternatively, i.e. electronically.

You may have the right to have your physician amend your protected health information. If we deny your request for amendment, you have the right to file a statement of disagreement with us, and we may prepare a rebuttal to your statement and will provide you with a copy of any such rebuttal.

You have the right to receive an accounting of certain disclosures we have made, if any, of your protected health information.

We reserve the right to change the terms of this notice and will inform you by mail of any changes. You then have the right to object or withdraw as provided in this notice.

Complaints

You may complain to us or to the Secretary of Health and Human Services if you believe your privacy rights have been violated by us. You may file a complaint with us by notifying our privacy contact of your complaint. We will not retaliate against you for filing a complaint.

This notice was published and becomes effective on or before April 14, 2003.

We are required by law to maintain the privacy of, and provide individuals with, this notice of our legal duties and privacy practices with respect to protected health information. If you have any objections to this form, please ask to speak with our HIPAA Compliance Officer in person or by phone at our Main Phone Number.

Signature below is only acknowledgement that you have received this Notice of our Privacy Practices:

Print Name: ____________________  Signature: ____________________  Date: _______
Slide 11: Client Access to PHI

So far we have learned the client rights, violation penalties and the Privacy Notice. We now will review the breakdown of the client's rights and how you and Pasadena Villa will carry out these functions.

Clients have the right to inspect or have access to their records. The client shall complete a form, "Individual Request for Access to Personal Health Information". This form shall be completed by the client and given to the staff at admission.

Individuals DO NOT have the right to access the following types of information:

- Psychotherapy notes
- Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; and
- Protected health information that is subject to the Clinical Laboratory Improvements Amendments of 1988

The Records staff or designee will act upon the request by informing the individual of the acceptance of the request and providing access. If the request is denied due to the above circumstances, the Records staff will provide the individual with a written denial.

REQUEST TO INSPECT OR COPY PROTECTED HEALTH INFORMATION

This form is used by the patient to request an opportunity to examine or copy Protected Health Information in the possession of Pasadena Villa.

Information Requested
Please describe the information that you would like to examine or copy:

Review Procedures
Your request to inspect or copy your Protected Health Information will be reviewed by the Clinical Director, who will determine if the information requested can be made available to you. We may be legally prohibited from making certain information available to patients or patient representatives, including:

- Psychotherapy notes
- Information related to legal proceedings
- Information that federal or state laws prevent us from disclosing
- Information that is related to medical research in which you have agreed to participate
- Information whose disclosure may result in harm or injury to you or to another person
- Information that was obtained under a promise of confidentiality

Within the limitations of the law, we will make every effort to accommodate your request. We will complete our review of your request and either arrange for you to inspect your records within 30 days of your request, or provide you with a written explanation of any restriction on the information that we can provide you. If we deny your request, in whole or in part, you may request that we review that decision.
Slide 12: Obtaining Authorizations for Use and Disclosure

Renaissance Healthcare Group must obtain authorization from the client for us to be able to use and disclose their PHI. Renaissance Healthcare Group does not need to obtain authorization for treating / providing services, payment and organizational operations. The purpose of obtaining an authorization is to provide the individual with an opportunity to determine how his or her PHI may be used or disclosed, and to inform the individual of his or her rights under the Privacy Rule.

For all uses and disclosures of an individual's PHI, RHG will obtain a signed authorization from the individual, unless the use or disclosure is required, or otherwise permitted, without an authorization.

Prior to all marketing communications, we will obtain authorization from the individuals who would receive such communications, except if:

- the communication is made face-to-face by an employee; or
- the communication is a promotional gift of nominal value
Slide 13: Authorization continued

Prior to any use or disclosure of psychotherapy notes, including for treatment, payment or health care operations, RHG will obtain authorization from the individual, except if the use or disclosure is for:

- the service activities of the originator of the psychotherapy notes;
- our own training programs in which mental health students, interns or practitioners practice, under supervision, their skills in counseling; or
- Pasadena Villa's own defense in a legal action or other proceeding brought by the individual.

RHG is not required to obtain authorization for the following purposes:

- to carry out service, payment or health care operations;
- uses and disclosures required by law;
- uses and disclosures for public health activities;
- disclosures about victims of abuse, neglect or domestic violence;
- uses and disclosures for health oversight activities;
- disclosures for judicial and administrative proceedings.
Slide 15: Authorization continued

- if the authorization is for the disclosure of psychotherapy notes, the other document is also an authorization for the disclosure of psychotherapy notes; or
- the authorization is for the use or disclosure of protected health information created for a research study, and is to be combined with another written permission for the study.

Any authorization for the use or disclosure of protected health information requested by the individual subject of that information will contain the following:

- a description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;
- the name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure;
- the name or other specific identification of the person(s), or class of persons, to whom RHG may make the requested use or disclosure;

Notes: A specific authorization is required for the disclosure of psychotherapy notes. Psychotherapy notes are defined as notes primarily of use to the mental health professional who wrote them; they are not part of the medical record and are not involved in the documentation necessary to carry out treatment, payment, or health care operations. There are few reasons why other health care/clinical entities should need access to this information. This excludes diagnosis, medications, treatment, symptoms, prognosis, and progress to date.
Slide 16: Authorization continued

- an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure;
- a statement of the individual's right to revoke the authorization in writing and the exceptions to the right to revoke;
- a description of how the individual may revoke the authorization (individuals may revoke their authorizations at any time);
- a statement that the entity will not condition treatment, payment, enrollment in a health plan, or eligibility for benefits on the provision of an authorization, except as permitted by law;
- a statement that information used or disclosed pursuant to the authorization may be subject to redisclosure by the recipient and no longer be protected by 45 C.F.R. Part 164;
- the signature of the individual and date.

An expiration date, event or condition

In the event that the authorization is signed by a personal representative of the individual, the authorization will contain a description of the representative's authority to act for the individual.

RHG will provide the individual with a copy of the signed authorization.

Notes: 42 CFR prohibits redisclosure. A General Authorization for Mental Health and Substance Abuse Records is not acceptable to release information. To release these sensitive records Pasadena Villa must receive a subpoena accompanied by a court order that is issued by a Judge. This goes for law enforcement requests as well. Pasadena Villa may disclose this information if it is in relation to reporting a victim of abuse or neglect, or if in our professional judgment we believe the disclosure is necessary to prevent serious harm to an individual or other potential victim.
Slide 17: Authorization continued

RHG will invalidate the authorization if:

- any material information in the authorization is known to be false;
- the requirements of the authorization have not been filled out completely;
- the expiration date has passed or the expiration event is known to have occurred.

We will document and retain the signed authorization for a period of at least six years from the date of its creation or the date when it last was in effect, whichever is later.

It is important that each and every authorization form is completed accurately and in its entirety. It is imperative that all employees are knowledgeable of what an authorization must contain and how to identify a defective authorization. If you observe authorizations with blank spaces, or where signatures, dates, etc. are not present, you must report it to the Privacy Officer immediately!
Slide 18: Client Rights to Amend their Records

Clients have the right to request an amendment (clarification or challenge) to their medical/clinical file. *Remember: psychotherapy notes are not disclosed. However, the remaining parts of their file (group notes, daily progress notes, medication records, demographic information) are subject to their review. If the client does not agree with certain documentation in their records, they may request that the entry be amended. The client must put the request in writing. Pasadena Villa will review and determine whether it agrees or disagrees with the requested amendment. The Privacy Officer will appoint an individual not involved in the client's care to review the request. If the request is denied, the Privacy Officer shall notify the client in writing. These requests for amendment are to be placed in the client file and are considered a permanent form in the file. The amendment request form is outlined on the following page.
Slide 19: Human Services Associates, Inc.

MEDICAL/CLINICAL RECORD CORRECTION/AMENDMENT FORM
REQUEST TO AMEND PROTECTED HEALTH INFORMATION

This form is to be used by patients who wish to request that information kept in the records of Pasadena Villa be amended. The following summarizes our policies and procedures with respect to amending patient information:

- Requests to amend information must be submitted in writing.
- Your request will be reviewed by the Clinical Director and other staff members as appropriate.
- If the Clinical Director determines that the amendment you have requested should be made, the records will be updated as required by federal regulations.
- If the Clinical Director determines that the information in our records is complete and accurate, your request will be denied. A written notice of this decision will be sent to you as required by federal regulations. You will have an opportunity to send us a written statement explaining your disagreement with this decision. That statement will be included in your records, along with any response that we believe is necessary to help future users of the information understand that information. You will be given a copy of any response that we include in the record.

Information to be Amended
Please identify the information that you believe needs to be amended in the spaces provided below. Identify the source of the information (for example, your medical records or billing records), the specific information that you believe to be incorrect and the reason you believe the information to be incorrect. If no reason is given, your request will be denied.

If you need help with this form, please contact: Dr. George Kachmarik, Clinical Director (407)

Item to be changed: ____________________
Data Source: ____________________
Change: ____________________
Reason: ____________________
*Response: ____________________
*Response: ____________________
Attach additional copies of this page as needed.

Patient Signature
Please sign and date this form:
Name of Patient: ____________________
Signature of Patient: ____________________  Date: ___________
Signature of Patient Representative: ____________________
Relationship of Patient Representative to Patient: ____________________

Decision

Approved amendments
The following requests for amendment of information have been approved:
This information will be corrected and other organizations to which this information has been disclosed will be notified as required by federal regulations.

Requests for Amendment That Have Been Denied
The following requests for amendment of information have been denied for the reasons given in the section describing the information you have requested:
This information will not be amended in our records. If you disagree with this decision, you may submit a written statement of disagreement. Your statement must be limited to one standard letter-sized page (8 inches X 11 inches) per correction. Your disagreement will be included in our records and it, or an accurate summary of it that we will prepare, will be transmitted to any entity to whom the affected information is disclosed in the future. We also may include our own comments on your statements. If we do include such a statement, you will be sent a copy of the statement.

Title of Privacy Official: ____________________
Signature: ____________________  Date: ___________
20 Accounting of Disclosures

HIPAA provides that individuals have a right to receive an accounting of certain instances when protected health information about them is disclosed by a covered entity. This requirement is subject to exceptions for disclosures made to the individual; for treatment, payment and health care operations; or authorized by the individual; as well as certain time-limited exceptions for disclosures to law enforcement and oversight agencies. RHG has developed procedures to address instances when an accounting of disclosures of protected health information must be provided.

RHG will allow an individual to obtain an accounting of instances when their protected health information has been disclosed.
21 Accounting Continued

RHG will allow an individual to receive an accounting of disclosures of protected health information in the seven years prior to the date on which the accounting is requested, beginning April 14, 2003.

The accounting will be in writing and will include disclosures made to or by business associates.

Each accounting of a disclosure will include the following:

- the date of disclosure;
- the name of the entity or person who received the protected health information and, if known, the address of such entity or person;
- a brief description of the protected health information disclosed;
- a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure; or, in lieu of such statement, a copy of the individual's written authorization to use or disclose the protected health information, or
22 Accounting continued

We will act on the individual's request for an accounting not later than 60 days after receipt of the request by:

- providing the individual with the accounting requested, or
- extending the time to provide the accounting by no more than 30 days.

In the event that RHG extends the time to provide the accounting, within 60 days after receipt of the request it will provide the individual with a written statement of the reasons for the delay and the date by which the covered entity will provide the accounting.

We will not extend the time to provide the accounting more than once.

The first accounting to an individual in any 12-month period will be without charge.
23 Accounting continued

Upon imposing a fee, RHG will inform the individual in advance of the fee and provide the individual with an opportunity to withdraw or modify the request for a subsequent accounting in order to avoid or reduce the fee.

We will document and retain the following for a period of at least 7 years from the date of its creation or the date when it was last in effect, whichever is later:

- the information required to be included in an accounting;
- the written accounting that is provided to the individual;
- the title of the persons or offices responsible for receiving and processing requests for an accounting by individuals.

The Privacy Officer is responsible for responding to a request from an individual for an audit trail of instances when their protected health information has been disclosed for purposes other than treatment, payment, or health care operations.
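The accounting-of-disclosures procedure on slides 20 through 23 is, in engineering terms, an audit-trail requirement: every disclosure must be logged with date, recipient, description and purpose, and a request triggers a filtered report plus a response deadline. The script below is an added illustration, not RHG's or Pasadena Villa's own system; the disclosure log, the purpose codes, the seven-year window approximated as 2555 days, and the request dates are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Values taken from the training text.
PRIVACY_RULE_EFFECTIVE = date(2003, 4, 14)   # no accounting for disclosures before this date
ACCOUNTING_WINDOW_DAYS = 7 * 365             # "seven years prior" (day-count approximation, constructed)
INITIAL_RESPONSE_DAYS = 60                   # act within 60 days of receipt
EXTENSION_DAYS = 30                          # one extension of at most 30 days
FREE_PERIOD_DAYS = 365                       # first accounting in any 12-month period is free

# Purpose codes the text lists as exempt from accounting. The codes themselves
# are a constructed convention for this example, not a HIPAA vocabulary.
EXEMPT_PURPOSE_CODES = {"treatment", "payment", "operations", "to_individual", "authorized"}


@dataclass(frozen=True)
class Disclosure:
    """One audit-log record with the fields the accounting must contain."""
    disclosed_on: date
    recipient: str
    recipient_address: Optional[str]   # address only "if known"
    description: str                   # brief description of the PHI disclosed
    purpose: str                       # brief statement of purpose shown to the individual
    purpose_code: str                  # category used for the exemption check


def accounting_of_disclosures(log: List[Disclosure], request_date: date) -> List[Disclosure]:
    """Return the disclosures that must appear in the accounting for a request on request_date."""
    window_start = max(PRIVACY_RULE_EFFECTIVE, request_date - timedelta(days=ACCOUNTING_WINDOW_DAYS))
    entries = [
        d for d in log
        if d.purpose_code not in EXEMPT_PURPOSE_CODES
        and window_start <= d.disclosed_on <= request_date
    ]
    return sorted(entries, key=lambda d: d.disclosed_on)


def format_entry(d: Disclosure) -> str:
    """Render one accounting line: date, recipient (address if known), description, purpose."""
    address = d.recipient_address or "address not known"
    return f"{d.disclosed_on.isoformat()} | {d.recipient} ({address}) | {d.description} | {d.purpose}"


def response_deadline(received_on: date, extensions: int = 0) -> date:
    """60 days from receipt, plus at most one 30-day extension."""
    if extensions not in (0, 1):
        raise ValueError("the accounting deadline may be extended only once")
    return received_on + timedelta(days=INITIAL_RESPONSE_DAYS + extensions * EXTENSION_DAYS)


def fee_applies(prior_request_dates: List[date], request_date: date) -> bool:
    """A fee may apply only if the individual already received an accounting in the last 12 months."""
    cutoff = request_date - timedelta(days=FREE_PERIOD_DAYS)
    return any(cutoff < prior <= request_date for prior in prior_request_dates)


# Constructed sample log: one client's disclosure history as an audit system might hold it.
SAMPLE_LOG = [
    Disclosure(date(2003, 1, 15), "Regional lab", None, "lab results", "public health report", "public_health"),
    Disclosure(date(2004, 1, 15), "Regional lab", None, "lab results", "public health report", "public_health"),
    Disclosure(date(2010, 9, 9), "Employer clinic", "1 Example Rd", "summary", "per client authorization", "authorized"),
    Disclosure(date(2011, 3, 10), "State health department", None, "diagnosis codes", "public health report", "public_health"),
    Disclosure(date(2011, 5, 2), "Pharmacy", "2 Example St", "prescription", "treatment", "treatment"),
    Disclosure(date(2012, 2, 20), "County court", "3 Example Ave", "treatment record", "court order", "legal"),
]

if __name__ == "__main__":
    request = date(2012, 6, 1)
    for entry in accounting_of_disclosures(SAMPLE_LOG, request):
        print(format_entry(entry))
    print("respond by:", response_deadline(request))
    print("fee may apply:", fee_applies([date(2011, 9, 1)], request))
```

Treatment, payment and authorized disclosures are logged but filtered out of the report, which matches the text: the exemptions limit what is reported, not what the audit trail records. Keeping the log complete is what lets the Privacy Officer answer a later request without reconstructing history.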
24 REQUEST FOR ACCOUNTING OF PROTECTED HEALTH INFORMATION DISCLOSURES

Consistent with federal regulations, we will provide you with an accounting of certain disclosures of your protected health information. You will not receive an accounting for the following:

- Disclosures of your Protected Health Information for the purposes of treatment, payment, or the day-to-day operation of the medical practice
- Disclosures to law enforcement, correctional institutions, or for any other legally required or permitted disclosure listed on our Notice of Privacy Practices
- Disclosures that occurred prior to April 14, 2003, the effective date of the federal privacy rules
- Disclosures that occurred six or more years prior to the date of this request

We will contact you when the information you have requested is available, generally within 60 days of your request.

Name of Patient (Type or Print) ____________________
Signature of Patient ____________________ Date __________
Telephone Number ____________________
Street Address ____________________
City, State, Zip Code ____________________
25 Disclosures

Now that we've explained how the client has the right to see the types of disclosures and when those disclosures were made, we need to examine the general rules of disclosures. It is expected under HIPAA and 42 CFR Part 2 that we only disclose the minimum necessary information. This requires us to make "reasonable efforts" to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. This "minimum necessary" rule applies in three circumstances:

- when using PHI internally;
- when disclosing PHI to an external party in response to a request;
- when requesting PHI from another covered entity or organization.

Under 42 CFR Part 2, there is a "General Non-disclosure Rule": an alcohol and/or drug program may not disclose any information about any patient. However, this rule (42 CFR) has nine exceptions to the Non-disclosure Rule, where information can be disclosed without proper authorization:

1. No patient-identifying information
26 Disclosures continued

2. Disclosure permitted with proper consent
3. For internal communications
4. For a Qualified Service Agreement with another organization performing services for our agency
5. For a medical emergency
6. For reporting of suspected abuse and neglect
7. For when a crime is committed on facility premises or against program personnel
8. For research and auditing
9. With a court order (with a good cause hearing)

Internal communications are those that don't disclose client-identifying information beyond the program. You and your co-worker, in the normal operations of your work day, can discuss clients as long as it pertains to your job.

HIPAA does allow some room for allowances; if a physician has a discussion with a client in a semi-private room, this is permitted.
27 Disclosures and Security continued

However, the physician must use a low tone of voice and only discuss the minimum necessary for the client to possess his or her health information.

Our employees must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the Privacy Rule (HIPAA / 42 CFR).

We must have in place appropriate administrative, technical and physical safeguards to protect the privacy of PHI. Situations these safeguards must cover include:

- client sign-in sheets lying at the main desk;
- client records lying out on top of a table or desk while performing an individual session with another client (clean desk protocol);
- talking on a cell phone about a client (cell phones are not secure);
- releasing information without verifying the caller;
- faxing any document.

Faxing should only be performed when it is absolutely necessary. The information to be faxed should be very limited. Mailing information is preferred.
28 Disclosures and Security continued

When sending a fax, you will call the individual who is to receive the fax and let them know it is coming, and then call upon completion to verify receipt. All Pasadena Villa fax machines are on dedicated lines. All fax machines need to be located in an area not accessible to the public.

If you have a computer at your work station and the screen contains PHI, you must sign off once you leave your area.

Avoid making unnecessary copies of client information; think twice before making copies.

Use the clean desk protocol: staff need to clear their desk/area of all paperwork and files prior to leaving. This may prevent other persons who leave later or arrive earlier from viewing PHI they have no right to access.

During the workday, paper files and records with PHI should not be piled on desks or left unattended in the open. They should be kept in drawers or cabinets to reduce exposure.

When transporting documents or files from location to location, make sure they are in sleeves, bags or envelopes that make them inaccessible to those transporting them.
29 Disclosure and Security continued

Paper that contains PHI should be shredded when it is obsolete, not reused, recycled or discarded in the trash.

Incoming correspondence should be funneled through a distinct channel that involves the smallest number of viewers possible.

It is imperative to minimize telephone conversations when other clients or visitors are within earshot. While there is no foolproof way to identify clients over the phone, the goal should always be to increase the degree of certainty. This also applies to third parties who call to discuss clients or request PHI. You must verify the caller (call back, ask for a supervisor): ask the caller for their telephone number and business address, and then call back to confirm. This will be another cumbersome task compared to the past, but that is what it is, and the law is how we need to conduct business now.

Be cautious about leaving PHI in voice mail messages; these messages could easily be received by someone other than the person you intended. You should never make telephone announcements that reveal the nature of the client's condition or the type of provider he or she may be seeing: "Ms. Brown, the psychiatrist will see you now!"
30 Disclosures and Security continued

Our company utilizes an e-mail system to assist in the communication of daily operations. This tool has its positives and negatives. E-mail permits us to communicate effortlessly and at great speed, and to copy and distribute documents as never before. The flip side of these enormous opportunities for more effective communication is equally enormous risk that PHI will be distributed improperly. If you can, at all cost, conduct business without using the client's PHI in your e-mails, do it. Once an e-mail that contains PHI is sent, the information is in a format that can be reissued over and over again, equally effortlessly whether it is a harmless communication or a psychiatric assessment.

If a client asks you to e-mail them, don't do it. Using e-mail to communicate between the client and provider is burdened with incredible risk. The comfortable, informal nature of the medium, coupled with the liability issues accompanying the provision of care, makes for an unfortunate mix. You must have a client's written consent, and they must agree to accept the risks of this type of communication.
31 Security continued

Privacy versus Security

Privacy under HIPAA is the control of access to protected health information (PHI). Individuals are given the right (within limitations) to grant or deny the disclosure of information about themselves or minor children.

Security is the employment of mechanisms to control access and protect PHI from accidental or unauthorized disclosure, destruction, modification, or loss. Also, under HIPAA, security includes ensuring the availability of PHI as part of our business continuation plan through emergency operations and disaster recovery.

HIPAA requires the appointment of a Security Officer and a Privacy Officer. The Security Officer is responsible for ensuring the company maintains:

- administrative procedures to guard data integrity, confidentiality and availability;
- physical safeguards to guard data integrity, confidentiality and availability;
- technical security services to guard data integrity, confidentiality and availability;
- technical security mechanisms to guard against unauthorized access to data that is transmitted over a communications network.
32 Security continued

The Administrative section for data integrity involves:

- security management processes, i.e., data back-up, testing and revision, disaster recovery plan, emergency mode operations plan, risk analysis, security policy;
- security configurations, i.e., personnel clearance procedures, system users, personnel security procedures, virus checking, hardware and software installation and maintenance, inventory;
- security incident procedures and response procedures;
- termination procedures;
- training, user education, periodic security reminders, password management.

The Physical safeguards for data integrity involve:

- assigned security responsibility;
- access control, accountability, data storage, disposal;
- physical access controls;
- disaster recovery;
- equipment control;
- facility security plan;
- procedures for verifying access authorizations prior to physical access;
- policy/guidelines on work station use;
- security awareness training.
33 Security continued

The technical security mechanisms for data integrity, to guard against unauthorized access to data that is transmitted over a communications network, are:

- message authentication;
- access controls;
- encryption;
- event reporting;
- entity authentication;
- use of electronic signatures, multiple signatures, transportability, independent verifiability.

As you can see, the Security side of this law is a little more in-depth and may or may not involve you. However, it is important to know the main areas of data security. We talked about it a little earlier, with the fax machine, your work station and leaving your monitor on with PHI accessible.

Along with the above, the facility relies on you to do the right thing and report any instance of computer problems to your supervisor. Water damage, dust and dirt, and equipment temperature are all reportable incidents. Make sure doors are closed and that your computer does not face windows or areas where the public can see it in plain sight. Make sure nobody else is using your computer. These are just a few examples to give you a heads-up.
34 Doing your Part

Here we are, at the end of the training. There is a lot of information you are responsible for knowing and practicing beginning today. Pasadena Villa only asks you to do your part and we'll do ours. To wrap it up, a few last things to review:

- only access confidential information if you have a need to know to do your job;
- protect your computer passwords;
- understand the law and our policies and procedures that explain how to follow the law;
- attend training and education programs for updates;
- and last of all and most important, REPORT any problems to the Privacy Officer.

Treat your clients' information the way you would want your personal information treated. Quality of care is compromised when our clients don't trust us. We need to make sure we make them feel comfortable about these new privacy laws, and that we are here to abide by the laws and help them as well.

If you feel unsure of how to follow a request for information, please review the policies and procedures, ask your supervisor or call the Privacy Officer.