Board of Directors – March 24, 2016 Denise Mannon, AHFI, CHPC Corporate Compliance Officer

HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT OF 1996 Enacted at 42 U.S.C. § 201 et seq. (42 U.S.C. 1320d-2) to create a national framework for privacy, security and transmission standards. HIPAA requires appropriate safeguards to protect the privacy of personal health information, sets limits & conditions on the uses & disclosures that may be made of such information, and gives patients rights over their health information, including the right to request corrections U.S.C. § 201 2

Security The HIPAA Security Rule concentrates on the physical safeguards related to information. CenterPoint has in place administrative, technical and physical safeguards to protect the confidentiality, integrity, and security of consumer information. Examples of those safeguards are: Servers and mainframes in a separate locked room encryption Keypunch access to areas Locked file cabinets Passwords (changed frequently) Antivirus and anti-spy software Policies against maintaining consumer data on portable hard drives or flash drives Debbie Lanning is the Security Officer who receives reports of a physical breach The Security Rule is located at 45 C.F.R. Part 160, & 45 C.F.R. Part 164, Subparts A & C 3

Privacy The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information. The Privacy Rule is located at 45 C.F.R. Part 160, and 45 C.F.R Part 164, Subparts A & E 4

What is Protected by the Privacy Rule? The Privacy Rule protects all “individually identifiable health information” (IIHI) held or transmitted by a covered entity or its business associate in any form. Under HIPAA, IIHI is information that: Relates to an individual’s physical or mental health, the provision of health care to the individual, or the payment for the individual’s health care; Identifies, or could reasonably be used to identify, the individual; and Is created or received by a covered entity. The information can be in Electronic, Paper, or Oral Form 5

So What All Do I Need To Worry About? IIHI is more than just a name or address, it is any health information that can be used to identify a consumer, whether living or deceased, and relates to the consumer’s past, present, or future physical or mental health. Any of the following are considered IIHI: Patient names Patient Addresses Dates of Services/Appointments Telephone Numbers Social Security Numbers Photographs Addresses 6

Disclosure without Authorization (see NPP) §45 C.F.R. 160, Subpart B & N.C.G.S. §122C ‑ 55(a) To establish financial benefits for the consumer N.C.G.S. § 122C-55(a2) (a3) & (g) Within a Facility N.C.G.S. § 122C-55(h) To the Dept of Corrections; N.C.G.S. § 122C-55(c) Regarding referral to/from a physician or psychiatrist N.C.G.S. § 122C-55(i) For evaluation and management for commitment N.C.G.S. § 122C-55(b) Abuse or danger to self or others N.C.G.S. § 122C-55(d) Regarding suspected abuse or neglect Care coordination; N.C.G.S. § 122C-55(a) Department of Health and Human Services/Division/DMA § 122C-55 Pursuant to Court Orders, but NOT Subpoena’s or Search Warrants § 122C-54(a) 7

Disclosures pursuant to Court Orders The HIPAA Privacy Rule permits programs to release information in response to a subpoena if the patient signs a consent permitting release of the information requested in the subpoena or search warrant. When the patient does not consent, a program is prohibited from releasing information in response to a subpoena, unless a court has issued an order that complies with the rule. 8

Be a HIPAA Hero ANYONE can file a complaint. It doesn’t have to be the person violated. The US Dept. of Health and Human Services, Office for Civil Rights (OCR) is responsible for administering & enforcing HIPAA Your complaint must: Be in writing, either hard copy or electronic, by mail, fax, or e- mail; Name the covered entity involved & describe the acts or omissions you believe violated the requirements of the Privacy or Security Rule; and Be filed within 180 days of when you knew that the act or omission occurred. If you need help filing a complaint or have a question about the complaint or consent forms CenterPoint can help, or OCR at 9

Where to Go for More Information : US Dept of Health Human Services Substance Abuse Privacy Regulations are found at 42 C.F.R Part 2 idx?c=ecfr&rgn=div5&view=text&node=42: &idno=42http://ecfr.gpoaccess.gov/cgi/t/text/text- idx?c=ecfr&rgn=div5&view=text&node=42: &idno=42 North Carolina State Confidentiality Rules, APSM-45-1 HIPAA Privacy Rules 45C.F.R. Part 160 and 164 Records Management & Documentation Manual, APSM-45-2 North Carolina General Statutes, 122C Federal Substance Abuse Rule, 42C.F.R. Part 2 CenterPoint Policies and Procedures 10