ELECTRONIC HEALTH RECORD PRIVACY TRAINING


Purpose of this training
This training addresses the essential elements of maintaining the privacy and security of consumer protected health information (PHI). During this course you will learn/review:
- The basics of the privacy requirements;
- The minimum necessary standard for the job related and assigned responsibilities of employee access to the systems and the risk associated with this access;
- Enforcement actions relative to inappropriate, impermissible access and disclosures; and
- Expected behaviors related to access to information (for KCMHSAS consumers and others whose information is in the system but who are not consumers in your program).

HIPAA Privacy & Security Rules
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law designed to protect consumer PHI.
Mental Health Code Confidentiality 330.1748 – general requirements and considerations:
- Information in the record of a recipient shall be kept confidential.
- Information may be disclosed outside of the holder of the record only with customer authorization and/or under specific circumstances.

Privacy Rule
The Privacy Regulations went into effect April 14, 2003. Privacy refers to the protection of an individual’s health care data. The Privacy Rule:
- Defines how participant information is used and disclosed.
- Gives individuals privacy rights and greater control over their own health information.
- Outlines ways to safeguard Protected Health Information (PHI).

Protected Health Information
Protected Health Information (PHI): Any individually identifiable health or financial information, whether verbal, written, electronic, or otherwise recorded in any form or medium that is:
1. created or received by KCMHSAS or one of its participating providers or one of their employees, agents or contracted service providers.
2. related to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual or the past, present, or future payment for the provision of health care to an individual.
Protected Health and Billing Information (PHI) may not be released without a complete and valid written consent or authorization signed by the participant or legally authorized representative unless a release of the PHI is specifically allowed by State and Federal law without valid authorization.

The Federal Privacy Regulations specify the following 18 pieces of “Individually Identifiable Information” that, when linked with health or medical information, constitute PHI (45 CFR 164.514):
- Names of the individual, and relatives, employees or household members of the individual;
- Geographic identifiers of the individual, including subdivisions smaller than a street, street addresses, city, county and precinct;
- Zip code at any level less than the initial three digits; except if the initial three digits cover a geographical area of 20,000 or fewer people, then zip code is considered an identifier;
- All elements of dates, except year, or dates directly related to an individual including birth date, admission date, discharge date, date of death and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
- Telephone numbers;
- Fax numbers;
- Electronic mail addresses;
- Social security numbers;

The Federal Privacy Regulations specify the following 18 pieces of “Individually Identifiable Information” that, when linked with health or medical information, constitute PHI (45 CFR 164.514) (continued):
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers and serial numbers;
- Web Universal Resource Locators (URLs);
- Internet Protocol (IP) address numbers;
- Biometric identifiers, including finger and voice prints;
- Full-face photographic images and any comparable images; and
- Any other unique identifying number, characteristic, or code.

PHI In All Media
The HIPAA Regulations require we protect our consumers’ PHI in all media including, but not limited to, PHI created, stored or transmitted in/on the following media:
- Verbal discussions (e.g., in person, on the phone, etc.)
- Written on paper (e.g., referral form, explanation of benefits, prescreen assessments, etc.)
- In computer applications/systems (e.g., KCMHSAS Office, Streamline SmartCare, Provider Access, and Care Management, etc.)
- In/on computer hardware/equipment (e.g., PCs, laptops, PDAs, fax machines/servers, cell/multifunctional phones, etc.)

Minimum Necessary
What does releasing the “minimum necessary” PHI mean? To use or disclose/release only the information minimally necessary to accomplish the intended purposes of the use, disclosure, or request.
Requests from employees within KCMHSAS:
- Identify each workforce member who needs access to consumer PHI.
- Limit the PHI provided to a “need to know” basis.
Requests from individuals not employed at KCMHSAS:
- Limit the PHI provided to what is minimally necessary to accomplish the purpose for which the request was made.

Employee Access
Employee access to consumer PHI is permitted on an as-needed basis for the required performance of employee job related and assigned responsibilities and does not allow access to any information that is not part of the specific job duties and responsibilities. (That is, it is never acceptable for an employee to look at PHI “just out of curiosity,” even if no harm is intended.) Any information acquired or accessed during the performance of work assigned duties will be kept confidential.

Searching & Selecting Consumer Records
When your job related duty requires you to search for a consumer record in KCMHSAS Care Management, Provider Access or Smartcare systems, only open the record when you are reasonably assured that it is the correct consumer. Search with more than just the consumer’s name, e.g., search with the date of birth (DOB).

Accidental Violations
Mistakes happen. If you mistakenly view or disclose PHI or provide confidential information to an unauthorized person or if you breach the security of confidential data:
- Acknowledge the mistake and notify your supervisor and/or the Breach Response Team immediately. If the report is made to a supervisor, the supervisor is required to then report to the Breach Response Team immediately.
- Learn from the error and help revise procedures (when necessary) to prevent it from happening again.
- Assist in correcting the error only as requested by your manager or the Privacy Officer.
- Don’t cover up or try to make it “right” by yourself.
***Accidental disclosures are Privacy Incidents and must be reported to the Privacy Officer immediately. We are required to document this type of disclosure.***

Misuse of PHI and Impermissible Disclosures
Unauthorized
- Access to…
- Using…
- Taking…
- Possession of…
- Release of…
- Edit of…
- Destruction of…
Consumer PHI without authorization.

Breach
An acquisition, access, use, or disclosure of protected health information in a manner not permitted under the Privacy Rule is presumed to be a breach unless the Covered Entity demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment.
A breach may occur when information that must be protected is:
- Lost, stolen or improperly disposed of;
- Reviewed by individuals who are not authorized to have access; or
- Sent or communicated to others who are not authorized to receive it.

Disciplinary Action
We must be committed to protecting our consumers’ privacy. KCMHSAS is placing trust in you to follow the privacy policies. This is not an option; it is required. Unauthorized or improper release of PHI by an employee may result in disciplinary action up to and including termination of employment, civil fines and/or penalties, and/or criminal sanctions, lawsuits and judgments against the employee and/or KCMHSAS for civil and/or criminal damages (see 45 CFR 164.530 (e)(1)&(2)).

Employees Must Report
Employees who believe they have observed a violation of this policy should report it to their immediate supervisor and/or the Privacy Officer. An employee may also report a violation anonymously or confidentially to the KCMHSAS Compliance hotline. Calls received on this line will be investigated consistent with applicable KCMHSAS compliance policies. There will be no retaliation taken against any employee for making such a report in good faith.

Monitoring
Employee access and use of KCMHSAS Care Management, Provider Access and Smartcare systems will be monitored by the Privacy & Compliance Officers. Based on access monitoring activities, you may be asked questions regarding your apparent access to consumer records and information. You will be expected to provide an acceptable rationale for access to all consumer information based upon your job related responsibilities.

Questions
Any reports of suspected compliance violations, questions or possible concerns may be directed to the Privacy Officer via telephone, verbally or in writing to:

Karyn Bouma
KCMHSAS Health Information Officer
615 E Crosstown Parkway
Kalamazoo, MI 49001
Email: kbouma@kazoocmh.org
Phone: 269-553-7024

or to

Ellie DeLeon
KCMHSAS Compliance Officer
2030 Portage St
Kalamazoo, MI 49001
Email: edeleon@kazoocmh.org
Phone: 269-364-6986

Hotline: 1-888-939-4823

Please sign and keep the Electronic Health Record Training Attestation form as part of your agency training records.