Privacy and Security Training Session!


Privacy and Security Training Session (Draft v. 11, 03-31-09). Welcome to the Privacy and Security Training Session! © Copyright 2009 HIPAA COW

Disclaimers. This HIPAA Privacy & Security Training Session is Copyright © 2009 by the HIPAA Collaborative of Wisconsin (“HIPAA COW”). It may be freely redistributed in its entirety provided that this copyright notice is not removed. It may not be sold for profit or used in commercial documents without the written permission of the copyright holder. This HIPAA Privacy & Security Training Session is provided “as is” without any express or implied warranty. It is for educational purposes only and does not constitute legal advice. If you require legal advice, you should consult with an attorney. HIPAA COW has not yet addressed all state pre-emption issues related to this HIPAA Privacy & Security Training Session. Therefore, this document may need to be modified in order to comply with Wisconsin law.

Disclaimers continued… This is an example training session containing only some of the Privacy & Security topics on which organizations are required to train. It is not legal advice and is not intended to cover all privacy & security laws’ training requirements. It may contain items not required by your organization and/or that need to be tailored to your organization’s policies and procedures (P&Ps). It may also be too lengthy to present in just one session. Slides are provided for informational purposes only.

HIPAA Topics Covered: What is HIPAA? Why Follow HIPAA? HIPAA Definitions. Who Protects PHI? Patient Rights. Security. Audit Trails. Violations. Release of Information. Identity Verification. Documenting Disclosures. Safeguarding Information. BAAs & Other Agreements. Your Role. Reporting Violations. HIPAA Privacy & Security Contacts.

Privacy and Security and/or Compliance Committee Members. Privacy Officer: Jackie Maurer. Security Officer: Jeff Raschke. Name, title, extension and email address: Jackie Maurer, Billing Office Supervisor, 715-327-4322, ext 126, jackiem@nwcgc.com. Jeff Raschke, Director IT & Security Officer, 715-327-4322, ext 125, jeffr@nwcgc.com.

What is HIPAA? HIPAA is an acronym for the Health Insurance Portability & Accountability Act of 1996. Its Administrative Simplification rules are implemented in 45 C.F.R. parts 160, 162 and 164. It provides a framework for nationwide protection of patient confidentiality, security of electronic systems, and standards and requirements for the electronic transmission of health information.

What is HIPAA? For our purposes HIPAA consists of three separate parts: 1) Privacy, 2) Security, and 3) Electronic Data Interchange (EDI). Each part has its own regulations to comply with, and HIPAA mandates accountability for all three.

Parts of HIPAA: 1. The Privacy Rule. The Privacy Rule compliance date was April 14, 2003. Privacy refers to the protection of an individual’s health care data. The rule defines how patient information may be used and disclosed, gives patients privacy rights and greater control over their own health information, and outlines ways to safeguard Protected Health Information (PHI). We also need to keep in mind Wisconsin privacy laws, such as WI Chapters 51, 146, 252 and DHS 92, which in some situations protect patients’ rights more strictly than the HIPAA Regulations; where state law is more protective, the stricter rule applies.

Parts of HIPAA: 2. The Security Rule. The Security Rule compliance date was April 20, 2005 (April 20, 2006 for small health plans). Security means protecting the confidentiality, integrity and availability of electronic protected health information (ePHI): how patient data is electronically stored, how it is electronically accessed, and how it is electronically transmitted.

Parts of HIPAA: 3. EDI. Electronic Data Interchange (EDI) defines the standard formats for electronic transfers of information between providers and payers to carry out financial or administrative activities related to health care. The information includes coding, billing and insurance verification. The goal of using the same formats is to make the billing process more efficient.

Why Should Our Organization Comply with HIPAA? We must be committed to protecting our patients’ privacy. Northwest Counseling and Guidance Clinic is placing trust in you to follow the policies. This is not an option; it is required. Choosing not to follow these rules could put you at risk and could put Northwest Counseling and Guidance Clinic at risk.

Why Should Our Organization Comply with HIPAA? The right thing to do is to protect patient records, protect business data, and protect patient data so as to reduce the risk of litigation against the organization. There are significant penalties associated with non-compliance, both for organizations and for the employees of those organizations.

HIPAA Regulations. The HIPAA Regulations require that we protect our patients’ PHI in all media, including but not limited to PHI created, stored or transmitted: in verbal discussions (e.g. in person, on the phone, etc.); on paper (e.g. chart, progress note, encounter form, prescription, x-ray order, referral form, explanation of benefits (EOBs), scratch paper, etc.); in all of our computer applications/systems (e.g. electronic health record (EHR), practice management, lab, x-ray, Microsoft Office, etc.); and on all of our computer hardware/equipment (PCs, laptops, PDAs, pagers, fax machines/servers, cell/multifunction phones, patient care devices, servers, etc.).

This training session provides reminders of Northwest Counseling & Guidance Clinic’s policies and of how you, an employee or provider, are required to protect PHI.

Why is Privacy and Security Training Important? It outlines ways to prevent accidental and intentional misuse of PHI. It helps make PHI secure with minimal impact on staff and business processes. It’s not just about HIPAA; it’s about doing the right thing. “We should treat personal electronic data with the same care and respect as weapons-grade plutonium: it is dangerous, long-lasting and once it has leaked, there’s no getting it back.” (Cory Doctorow)

This training is designed to educate you on the importance of Privacy and Security. It is everyone’s responsibility to take the confidentiality of patient information seriously. Any time you come in contact with patient information or any PHI that is written, spoken or electronically stored, YOU become involved with some facet of the privacy and security regulations. The law requires us to train you.

HIPAA Definitions. What is Protected Health Information (PHI)? PHI is Individually Identifiable Health Information (IIHI): information about the past, present or future physical or mental health or condition of an individual, the provision of health care to the individual, or payment for that health care, which identifies the individual or could reasonably be used to identify the individual (patient identifiers/demographics).

HIPAA Definitions. PHI includes items in the record, such as: encounter/visit documentation, lab results, appointment dates/times, invoices, radiology films and reports, histories and physicals (H&Ps), etc.

HIPAA Definitions. PHI includes patient identifiers: information by which the identity of a patient can be determined with reasonable accuracy and speed, either directly or by reference to other publicly available information.

HIPAA Definitions. PHI includes patient identifiers. The identifiers listed in 45 C.F.R. 164.514(b)(2) are: names; geographic subdivisions smaller than a state (street address, city, county, ZIP code); all elements of dates (other than year) directly related to an individual, such as date of birth, admission or discharge date and date of death; telephone numbers; fax numbers; email addresses; Social Security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers and serial numbers, including license plate numbers; device identifiers and serial numbers; Web Uniform Resource Locators (URLs); Internet Protocol (IP) addresses; biometric identifiers, including finger and voice prints; full-face photographic images and any comparable images; and any other unique identifying number, characteristic or code.
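Several of the identifiers above (SSNs, phone and fax numbers, email addresses, IP addresses, URLs and dates) have a recognisable shape, so a quick pre-send check for them is easy to automate. The following is an added example, not code from the slides or from HIPAA COW: a small stdlib-only Python scanner that finds and redacts those identifier types in free text. The patterns, the `find_identifiers`/`redact` functions and the sample note are all constructed for illustration; names, street addresses and medical record numbers have no reliable regex and would need a lookup against your own patient index or a dedicated DLP tool.

```python
import re
from typing import Dict, List

# Regexes for the identifier types with a fixed shape. Lookarounds stop a match
# from splitting a longer digit string (so an SSN is not also read as a phone).
# (Constructed patterns for this example; tune them to your own data formats.)
PATTERNS = {
    "ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "phone_or_fax": re.compile(
        r"(?<!\d)(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ipv4": re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)"),
    "url": re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE),
    # Any date element other than a bare year is an identifier: mm/dd/yyyy and ISO forms.
    "date": re.compile(r"(?<!\d)(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})(?!\d)"),
}


def find_identifiers(text: str) -> Dict[str, List[str]]:
    """Return every match found in `text`, keyed by identifier type (empty dict if none)."""
    hits: Dict[str, List[str]] = {}
    for kind, pattern in PATTERNS.items():
        matches = pattern.findall(text)
        if matches:
            hits[kind] = matches
    return hits


def redact(text: str) -> str:
    """Replace each identifier with a [KIND] token so the text can be shared safely."""
    for kind, pattern in PATTERNS.items():
        text = pattern.sub(f"[{kind.upper()}]", text)
    return text


# Constructed sample note (fictional patient and contact details).
SAMPLE_NOTE = (
    "Pt Jane Doe, DOB 03/14/1968, SSN 123-45-6789, phone (715) 555-0134, "
    "email jane.doe@example.org; portal https://portal.example.org/visit/42 "
    "accessed 2009-03-31 from 10.20.30.40"
)

if __name__ == "__main__":
    for kind, values in find_identifiers(SAMPLE_NOTE).items():
        print(f"{kind:13s} {values}")
    print(redact(SAMPLE_NOTE))
```

A scanner like this only catches the structured identifiers; it is a safety net for outbound email and exports, not a substitute for the minimum-necessary judgement described on the following slides.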

HIPAA Definitions. Use: when we review or use PHI internally (audits, training, customer service, quality improvement). Disclose: when we release or provide PHI to someone outside our organization (e.g. an attorney, a patient, faxing records to another provider, etc.).

HIPAA Definitions. What does releasing the “minimum necessary” PHI mean? To use or disclose/release only the minimum PHI necessary to accomplish the intended purpose of the use, disclosure or request. Requests from employees at NWCGC: identify each workforce member who needs to access PHI, and limit the PHI provided on a “need-to-know” basis. Requests from individuals not employed at NWCGC: limit the PHI provided to what is needed to accomplish the purpose for which the request was made.

HIPAA Definitions. What is TPO? HIPAA allows us to use and/or disclose PHI for the purposes of: Treatment (providing care to patients); Payment (activities to obtain premiums, determine coverage and provide benefits, and to bill and obtain reimbursement for care); and Operations (normal business activities such as reporting, quality improvement, training, auditing, customer service and resolution of grievances, data collection and eligibility checks, accreditation, etc.). These terms are collectively referred to as TPO. Uses and disclosures outside TPO generally require the patient’s signed authorization, unless the Privacy Rule specifically permits or requires them (for example, disclosures required by law; see the Accounting of Disclosures slides). Even within TPO, your access must be the minimum necessary to perform your job!

Why Do We Need to Protect PHI? It’s the law. To protect our reputation. To avoid potential withholding of federal Medicaid and Medicare funds. To build trust between providers and patients: if patients feel that their PHI will be kept confidential, they will be more likely to share the information needed for their care.

Who or What Protects PHI? The Federal Government, through HIPAA. Civil penalties as originally enacted: $100 per violation, up to $25,000 per calendar year for violations of the same requirement. Criminal penalties: up to a $50,000 fine and 1 year in prison for knowingly obtaining or disclosing PHI; up to $100,000 and 5 years for doing so under false pretenses; up to $250,000 and 10 years for doing so with intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm. Note: the HITECH Act (February 2009) replaced the civil cap with tiered penalties that reach $1,500,000 per calendar year for all violations of an identical provision. Our organization, through the Notice of Privacy Practices (NOPP). You, by following our policies and procedures.

Enforcement. The public: the public is being educated about their privacy rights and will not tolerate violations of their privacy; they will take action. Office for Civil Rights (OCR): the agency that enforces the privacy regulations; it provides guidance and monitors compliance. Department of Justice (DOJ): the agency involved in criminal privacy violations; it seeks fines, penalties and imprisonment for offenders.

HIPAA Regulations. The regulations brought individual privacy rights to patients and require that we provide these rights to them. The following slides explain patient rights…

Patient Rights: Access. Right to inspect and copy their PHI. Situations where access may be denied or delayed: psychotherapy notes; PHI compiled for civil, criminal or administrative actions or proceedings; PHI subject to the Clinical Laboratory Improvement Amendments of 1988 (CLIA) where CLIA would prohibit access; access would endanger a person’s life or safety in a licensed professional’s judgment; a correctional inmate’s request that may jeopardize the health and safety of the inmate, other inmates or others at the correctional institution; a research study in which the individual has previously agreed to a temporary denial of access; access protected by the Federal Privacy Act; PHI obtained under a promise of confidentiality where access would reveal the source of the PHI.

Patient Rights: Alternative Communications. Right to request to receive communications by alternative means or at an alternative location. Examples: the patient may request that a bill be sent directly to him instead of to his insurance company; the patient may request that we contact her on her cell phone instead of at her home telephone number.

Patient Rights: Special PHI Requests. What should I do if a patient requests that we always call a family member instead of her? Ask patients with permanent and special/unique calling and/or mailing instructions to go to their primary mental health provider or onsite administrator to complete and sign a release of information. These are handled as alternative communication requests.

Patient Rights: Amendment Requests. Right to request an amendment or correction of PHI. Situations where a request may be denied: Northwest Counseling & Guidance Clinic did not create the information; the record is accurate according to the health care professional who wrote it; the information is not part of the Northwest Counseling & Guidance Clinic record. A patient states there is an error in his electronic record and wants it corrected. What should I do? Ask the patient to contact the onsite administrator to request that the record be amended.

Patient Rights: Restrictions and AOD. Right to request a restriction on uses and disclosures of their PHI (e.g. a request not to give PHI to certain providers, or not to provide it for research purposes). Revoking a previously signed authorization is a separate right; a revocation must be honored except to the extent we have already acted on the authorization. We are not required to agree to a restriction request, but our policy is to make reasonable efforts to accommodate it when possible; once we agree to a restriction, we must abide by it. Right to an Accounting of Disclosures (AOD): we must account for disclosures of PHI except those made to the individual, for TPO, or, while an accounting is suspended, to law enforcement officials, correctional institutions or for national security. The following slides give the full lists.

Patient Rights: Right to Receive an Accounting of Disclosures of PHI. A. An individual may request an accounting of disclosures made as far back as six years before the time of the request, but starting no earlier than April 14, 2003. B. A covered entity must temporarily suspend the accounting of disclosures to a patient if an agency or law enforcement official indicates that the accounting is likely to impede the agency’s activities.

Patient Rights: Right to Receive an Accounting of Disclosures of PHI. C. Disclosures NOT requiring accounting include disclosures made: for Treatment, Payment or Operations (including to persons involved in the individual’s care); to the individual who is the subject of the PHI; incident to an otherwise permitted disclosure; based on the individual’s signed authorization; for a facility directory; for national security or intelligence purposes; to correctional facilities or law enforcement on behalf of inmates; as part of a limited data set (see 45 C.F.R. 164.514); and those that occurred prior to the compliance date of April 14, 2003.

Patient Rights: Right to Receive an Accounting of Disclosures of PHI. D. Disclosures requiring accounting include those made: as required by law; for public health activities; about victims of abuse, neglect or domestic violence; for health oversight activities; for judicial/administrative proceedings; for law enforcement purposes; for organ/eye/tissue donation; for research purposes; to avert a serious threat to health and safety; for specialized government functions; about decedents; for workers’ compensation; and releases made in error to an incorrect person/entity (e.g. a breach).
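Slides A through D above describe a filter: take the disclosure log, keep one patient’s entries inside a six-year window floored at April 14, 2003, drop the exempt categories, and hold back entries from an agency that has asked for a suspension. The following is an added example, not code from the slides or from HIPAA COW, that implements that filter in Python. The `Disclosure` record, the purpose codes in `EXEMPT_PURPOSES`, the `suspended` parameter and the sample log are all constructed for illustration; the purpose codes are our own labels for the categories the slides list, not the regulation’s wording.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Iterable, List

# Privacy Rule compliance date: nothing before it goes into an accounting (slide A).
PRIVACY_RULE_COMPLIANCE_DATE = date(2003, 4, 14)

# Purpose codes (constructed labels) for the disclosures slide C says need no accounting.
EXEMPT_PURPOSES = frozenset({
    "treatment", "payment", "operations", "to_individual", "incidental",
    "authorized", "facility_directory", "national_security", "correctional",
    "limited_data_set",
})


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    when: date
    recipient: str
    purpose: str      # e.g. "public_health", "law_enforcement", "error" (slide D)
    description: str  # what was disclosed; the accounting must describe it


def requires_accounting(d: Disclosure) -> bool:
    """True if this disclosure belongs in an accounting at all."""
    return d.purpose not in EXEMPT_PURPOSES and d.when >= PRIVACY_RULE_COMPLIANCE_DATE


def accounting_start(request_date: date, years: int = 6) -> date:
    """Six years back from the request date, floored at the compliance date."""
    try:
        earliest = request_date.replace(year=request_date.year - years)
    except ValueError:  # request dated 29 February; the earlier year has no such day
        earliest = request_date.replace(year=request_date.year - years, day=28)
    return max(earliest, PRIVACY_RULE_COMPLIANCE_DATE)


def build_accounting(log: Iterable[Disclosure], patient_id: str, request_date: date,
                     suspended: FrozenSet[str] = frozenset()) -> List[Disclosure]:
    """Disclosures to report to one patient, in log order.

    `suspended` names recipients (an agency or law enforcement) that have told us
    an accounting would impede their activity (slide B); their entries are held
    back for as long as the suspension lasts.
    """
    start = accounting_start(request_date)
    return [
        d for d in log
        if d.patient_id == patient_id
        and start <= d.when <= request_date
        and requires_accounting(d)
        and d.recipient not in suspended
    ]


# Constructed sample log (fictional entries) and a request dated the day of this draft.
REQUEST_DATE = date(2009, 3, 31)
SAMPLE_LOG = [
    Disclosure("P1", date(2009, 1, 15), "Referral psychiatrist", "treatment", "progress notes"),
    Disclosure("P1", date(2008, 11, 2), "WI Dept. of Health Services", "public_health", "communicable disease report"),
    Disclosure("P1", date(2003, 4, 1), "Research IRB", "research", "record review (pre-compliance date)"),
    Disclosure("P1", date(2007, 6, 20), "Clinic B (misdirected fax)", "error", "one-page summary sent to wrong fax"),
    Disclosure("P2", date(2008, 5, 5), "WI Dept. of Health Services", "public_health", "immunization record"),
    Disclosure("P1", date(2008, 9, 9), "County sheriff", "law_enforcement", "admission date only"),
]

if __name__ == "__main__":
    for d in build_accounting(SAMPLE_LOG, "P1", REQUEST_DATE):
        print(d.when.isoformat(), d.recipient, "-", d.description)
```

Run as written, the treatment disclosure is dropped as TPO, the 2003-04-01 research entry falls before the compliance date, and the other patient’s entry is never considered; the public-health report, the misdirected fax and the sheriff’s request are what the patient receives, unless the sheriff has requested a suspension.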

Patient Rights: NOPP. Are we still required to request that patients sign the Notice of Privacy Practices (NOPP) acknowledgment prior to their first visit? Yes. Please continue to request that they sign the acknowledgment before they see a provider for their first appointment at Northwest Counseling & Guidance Clinic (except in the case of emergency services, where staff will attempt to provide notification based on the needs of the client). The patient signs the Acknowledgment of Receipt to confirm that they have been offered and/or received the Notice. What is the purpose of the NOPP? It summarizes how Northwest Counseling & Guidance Clinic uses and discloses patients’ PHI, and details patients’ rights with respect to their PHI.

Patient Rights: NOPP Reminders. If a patient or legal guardian refuses to take a NOPP, this is their right; do not force them to take one. If a patient or legal guardian refuses to sign the acknowledgment form, document this on the form and in the system (HIPAA requires a good-faith effort to obtain the acknowledgment, not the signature itself). Once the patient turns 18, he/she must sign an acknowledgment form. Host parents of a foreign exchange student may act on behalf of the student’s biological parent(s) and sign the NOPP acknowledgment form.

Patient Rights: Privacy Complaints. Right to file a privacy complaint. Direct all requests or complaints regarding these rights to the Privacy Officer at 715-327-4322, extension 126.

Security. One key element of protecting our patients’ PHI lies in maintaining the security of the systems that house and transmit ePHI (electronic protected health information). The HIPAA Security Rule outlines how we are to do this. How do we protect our computer systems and our patients’ information in them? Read on to explore this…

Applying the Security Rule. Administrative Safeguards: policies and procedures of the organization are REQUIRED and must be followed by employees to maintain security (e.g. disaster recovery and data backup of computer systems, use of the internet, use of email, faxing, use of voicemail, computer hardware and software standards). Technical Safeguards: the technology and related processes that protect, control and monitor access to ePHI. Examples include unique user IDs and different levels of computer passwords, password-protected screen savers and automatic logoff, encryption, and audit trails. (Badge readers on doors and secure disposal of media protect ePHI too, but the Security Rule counts them as physical safeguards, covered next.)

Applying the Security Rule. Physical Safeguards: many physical barriers and devices are needed to maintain security. Examples include installing locks and badge readers on doors, securing buildings and rooms, identifying visitors, locking file cabinets, and controlling and properly disposing of the media and devices that hold ePHI, to protect the organization’s property and the health information. Personnel (Workforce) Security: organizational policies and procedures manage the assignment of access authority to employees and other workforce members. Procedures should address employee transfers, role changes and terminations so that access is removed promptly when it is no longer needed. Effective security and privacy training must be conducted.

Access to ePHI: UNs and PWs. How do we control access to electronic protected health information (ePHI) in our computer systems? By requiring all users to use individually unique Usernames (UNs) and Passwords (PWs), we control access to the information in each of our computer systems and applications. UNs and PWs control what users are able to access and let us identify what information each user accessed in our applications; a shared login makes the audit trail worthless because it cannot tell users apart.

Access to ePHI: UNs and PWs Cont. For these reasons, you may not share your UNs and PWs with anyone else (the only exception is sharing a UN and PW with IS, if necessary, for troubleshooting a computer problem; even then, prefer to have IS reset your password rather than learn it, and change it as soon as the troubleshooting is done). When leaving a computer, ALWAYS: log off, OR lock the computer screen (Ctrl-Alt-Del and select Lock, or press the Windows key + L). This prevents other users from using your applications under your name.

Access to ePHI: UNs and PWs Cont. Creating strong passwords. Use at least 6-8 characters (treat 8 as the floor, not the target; a longer passphrase is stronger). Use a minimum of 2 letters and 1 number, and both capital and lower case letters. Do not use passwords that may be easily guessed, such as names (spouse’s, pet’s, child’s, etc.), significant dates, dictionary words, favorite team names, etc. Note: unique user identification and password management controls are required by the Security Rule. TIP: Use a “pass-phrase” to help you remember your password, such as MbcFi2yo (My brown cat, Fluffy, is two years old).
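The password rules on the slide above are easy to get wrong when applied by hand, so here is an added example (not code from the slides or from HIPAA COW) that encodes them as a Python check and also builds the slide’s mnemonic. The `MIN_LENGTH` of 8 takes the top of the slide’s “6-8 characters” range as the floor, `GUESSABLE` is a constructed stand-in for a real denylist of common words and team names, and `personal_words` is an assumed hook for names an attacker could look up about the user (spouse, children, pets).

```python
import re
from typing import List, Sequence

# Thresholds from the slide: 6-8 characters (8 taken as the floor here),
# at least 2 letters and 1 digit, mixed case. GUESSABLE is a constructed denylist.
MIN_LENGTH = 8
MIN_LETTERS = 2
MIN_DIGITS = 1
GUESSABLE = {"password", "welcome", "fluffy", "packers", "badgers", "summer", "winter"}
YEAR = re.compile(r"(?:19|20)\d{2}")  # a four-digit year is a "significant date"


def check_password(pw: str, personal_words: Sequence[str] = ()) -> List[str]:
    """Return the policy rules `pw` breaks; an empty list means it passes.

    `personal_words` holds things an attacker could learn about the user
    (spouse, child or pet names, favourite team). Matching is case-insensitive.
    """
    problems: List[str] = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(c.isalpha() for c in pw) < MIN_LETTERS:
        problems.append(f"fewer than {MIN_LETTERS} letters")
    if sum(c.isdigit() for c in pw) < MIN_DIGITS:
        problems.append("no digit")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("not mixed case")
    lowered = pw.lower()
    for word in sorted(GUESSABLE | {w.lower() for w in personal_words}):
        if len(word) >= 3 and word in lowered:
            problems.append(f"contains guessable word '{word}'")
    if YEAR.search(pw):
        problems.append("contains a year (significant date)")
    return problems


def passphrase_to_password(phrase: str) -> str:
    """The slide's mnemonic: first character of each word, keeping case and digits.

    'My brown cat, Fluffy, is 2 years old' -> 'MbcFi2yo'
    """
    return "".join(word[0] for word in phrase.replace(",", " ").split())


if __name__ == "__main__":
    for candidate in ("MbcFi2yo", "Fluffy1", "mbcfi2yo", "Packers2009"):
        print(f"{candidate:12s} {check_password(candidate) or 'OK'}")
```

Note that the mnemonic password passes the slide’s rules but is only eight characters; if your systems allow it, keep the whole phrase (spaces included) as the password instead of its initials.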

Protect Your UNs and PWs Memorize your PW. Don’t post UNs and PWs on your computer, notebook, tablet, under your keyboard, etc. Lock up your UNs and PWs so they may not be accessed by anyone else. If you believe one of your PWs has been compromised, request the IT Department to change it. If you think PHI may have been inappropriately accessed, discuss it with the Privacy Officer. © Copyright 2009 HIPAA COW

Help Protect Our Systems/Equipment It is your responsibility to protect Northwest Counseling & Guidance Clinic’s systems/ equipment/computers at all times. Do not disable anti-virus software, malware protection, or any other security items unless directed by the IS Department. If you have access from offsite (remote Citrix, Outlook web access, VPN, SSL, URL, etc.) and/or a PC, pager, phone, or PDA, this is for your use only. Family and friends may not utilize it. © Copyright 2009 HIPAA COW

Email Security It is against Northwest Counseling & Guidance Clinic policy to forward “joke emails”. “Joke” emails frequently have viruses attached to them and they take up a lot of space on our servers. Refer to the Release of Information slides for emailing ePHI requirements. Please report it to IT if you receive a suspicious and/or threatening email. © Copyright 2009 HIPAA COW

Audit Trails of What I Access The Security regulations require this. Northwest Counseling & Guidance Clinic conducts random audits of employee and provider access to determine: Appropriateness of access, and If access is in compliance with Northwest Counseling & Guidance Clinic policies. Audit trails show what patients have been accessed, the date and time of the access, what was accessed, etc. If access appears to be inappropriate, the Privacy Officer works with leaders, Human Resources and the employee/provider to determine whether or not it was appropriate. © Copyright 2009 HIPAA COW

Audit Trails and HIPAA Violations What are some common types of HIPAA privacy and security violations found in these audit trails and/or reported? Following are a few examples from which to learn… © Copyright 2009 HIPAA COW

Audit Trails: Access to Own ePHI An employee viewed his own appointment list. Another employee accessed her own lab results from her own workstation (using her own password). Is this against Northwest Counseling & Guidance Clinic policies? © Copyright 2009 HIPAA COW

Audit Trails: Access to Own ePHI Yes, it is Northwest Counseling & Guidance Clinic policy that you may not directly access your own medical record, using your own password in any system/application. PHI in the electronic medical record, scheduling/billing system, etc. are considered a part of your medical record. In fact, PHI in all Northwest Counseling & Guidance Clinic systems make up your medical record. To view your medical record, contact the NWCGC Privacy Officer at 715-327-4322. To view your appointment list, contact a receptionist in the department in which you schedule appointments. To view your billing information, contact the billing office at 715-327-4322. © Copyright 2009 HIPAA COW

Audit Trails: Access to a Family Member’s PHI and Unassigned Tasks A receptionist scheduled an appointment for her child in a different department/site than she works. Is this against Northwest Counseling & Guidance Clinic policies? © Copyright 2009 HIPAA COW

Audit Trails: Access to a Family Member’s PHI and Unassigned Tasks Yes. Only schedule appointments as assigned in the departments in which you work. If you don’t work in that department, call the receptionist in that department and request him/her to schedule the appointment. Note: while scheduling this appointment, the employee may have viewed appointment information which she did not have the right to see. Don’t schedule appointments for or otherwise view, access, edit, etc. family members’ PHI, unless it is a part of your assigned duties, it is an urgent matter, AND nobody else is available to do the job at that time. © Copyright 2009 HIPAA COW

Audit Trails: Access to PHI by a Coworker An employee requested a coworker to view his/her appointment list to find the last time the employee had a physical in Internal Medicine. Her coworker does not work in the Internal Medicine department. Is this against Northwest Counseling & Guidance Clinic policies? © Copyright 2009 HIPAA COW

Audit Trails: Access to PHI by a Coworker Yes. It is inappropriate to ask your coworkers to do this if it is not part of their regular assigned job responsibilities. If you need to know when you had your last physical, call the department in which you had this appointment (or will be scheduling your next appointment). © Copyright 2009 HIPAA COW

Audit Trails: Securing Systems When leaving his/her computer, an employee didn’t log off the electronic medical record; another employee then utilized it to look up her own and her family members’ transcriptions, appointment lists, medications, etc. Important Note: in this situation, both employees did not follow Northwest Counseling & Guidance Clinic P&Ps which require: Logging off/securing all applications when unattended. Using the password protected screensaver when leaving it unattended. Not using another person’s login, unless they are training you and directly observing what you do. © Copyright 2009 HIPAA COW

Audit Trails: Accessing More Than the Minimum Necessary A clinical staff employee is assigned to routinely view and update medications, blood pressure, pulse, and weight for each patient seen by the provider with whom she works. She was curious and concerned about a particular patient’s health, and therefore viewed several other parts of the record, such as lab results and specialist transcriptions. Note: this was determined to be a breach of confidentiality, because neither her provider nor her supervisor had asked her to access this patient’s additional records.

Audit Trails: Accessing More Than the Minimum Necessary We may only access the minimum necessary to complete our assigned job responsibilities. This means we may not access information out of curiosity or concern about a patient’s health.
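One way an audit-trail review can surface the four situations above (scheduling in another department, a coworker looking up someone else’s appointments, a clinical staffer opening labs and transcriptions she was not asked to review, and a user opening her own or a family member’s record), as an added example that is not part of the HIPAA COW deck: a Python script over constructed EHR access events. The workforce directory, the role allow list, the audit log field names and the user names are all assumptions made for the illustration, not fields from any particular EHR.

```python
"""Audit-trail review for EHR access events.

Constructed example: the WORKFORCE directory, the role allow list and the
AUDIT_LOG lines are made up to mirror the scenarios in the slides
(cross-department scheduling, a coworker looking up someone else's
appointments, a clinical staffer opening labs and transcriptions she was
not asked to review, and a user opening her own record).
"""
import csv
from collections import Counter
from io import StringIO

# Hypothetical workforce directory (in practice this comes from HR / IAM).
WORKFORCE = {
    "rjones": {"dept": "Pediatrics", "role": "receptionist",
               "last_name": "Jones", "patient_id": "P-2001"},
    "mlee":   {"dept": "Family Medicine", "role": "receptionist",
               "last_name": "Lee", "patient_id": None},
    "kwhite": {"dept": "Internal Medicine", "role": "clinical_staff",
               "last_name": "White", "patient_id": "P-3010"},
}

# Minimum-necessary allow list: the record types each role may open.
ROLE_RECORD_TYPES = {
    "receptionist":   {"appointments", "demographics"},
    "clinical_staff": {"appointments", "vitals", "medications"},
    "provider":       {"appointments", "vitals", "medications",
                       "labs", "transcriptions"},
}

# Constructed audit events: login used, action, record touched, owning dept.
AUDIT_LOG = """\
timestamp,user,action,patient_id,patient_last_name,record_type,record_dept
2009-03-02T08:05:00,rjones,create,P-2002,Jones,appointments,Internal Medicine
2009-03-02T08:06:10,rjones,view,P-2002,Jones,appointments,Internal Medicine
2009-03-02T08:30:00,mlee,view,P-3010,White,appointments,Internal Medicine
2009-03-02T09:12:00,kwhite,view,P-4100,Garcia,vitals,Internal Medicine
2009-03-02T09:12:40,kwhite,view,P-4100,Garcia,labs,Internal Medicine
2009-03-02T09:13:05,kwhite,view,P-4100,Garcia,transcriptions,Internal Medicine
2009-03-02T09:20:00,kwhite,view,P-3010,White,medications,Internal Medicine
2009-03-02T10:00:00,mlee,view,P-5555,Nguyen,appointments,Family Medicine
"""


def review_access(log_text=AUDIT_LOG, workforce=WORKFORCE,
                  role_types=ROLE_RECORD_TYPES):
    """Return (timestamp, user, patient_id, finding) tuples for every event
    that falls outside the user's assigned duties. One event can yield
    more than one finding."""
    findings = []
    for ev in csv.DictReader(StringIO(log_text)):
        key = (ev["timestamp"], ev["user"], ev["patient_id"])
        who = workforce.get(ev["user"])
        if who is None:
            # A login the directory does not know about is itself a finding.
            findings.append(key + ("UNKNOWN_USER",))
            continue
        # Unassigned task: touching a record owned by another department.
        if ev["record_dept"] != who["dept"]:
            findings.append(key + ("OUTSIDE_DEPARTMENT",))
        # More than the minimum necessary for the role.
        if ev["record_type"] not in role_types.get(who["role"], set()):
            findings.append(key + ("BEYOND_MIN_NECESSARY",))
        # Own record, or a likely family member (same last name is only a
        # heuristic; it needs a human reviewer, not automatic discipline).
        if who["patient_id"] and ev["patient_id"] == who["patient_id"]:
            findings.append(key + ("SELF_ACCESS",))
        elif ev["patient_last_name"].lower() == who["last_name"].lower():
            findings.append(key + ("POSSIBLE_FAMILY",))
    return findings


def findings_per_user(findings):
    """Count findings per login so the Privacy Officer knows whom to ask."""
    return dict(Counter(f[1] for f in findings))


if __name__ == "__main__":
    for ts, user, pid, finding in review_access():
        print(f"{ts} {user:<8} {pid:<7} {finding}")
    print(findings_per_user(review_access()))
```

Two caveats worth keeping in mind when running something like this. The log records the login that was used, not the person at the keyboard, so the unlocked-session case from the previous slide is attributed to the wrong employee; that is exactly why the P&Ps insist on logging off and never using another person’s login. And the same-last-name rule is a triage heuristic that will produce false positives (unrelated patients with common surnames), so its hits belong in front of a reviewer rather than in a disciplinary file.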

The following slides provide examples of Privacy and Security violations to help you better understand how they occur, so that you may help prevent them.

Security Violations: Downloading Onto PCs Users have downloaded software onto Northwest Counseling & Guidance Clinic computers, laptops, or tablets. Is this ok?

Security Violations: Downloading Onto PCs No. We may not download or install anything onto our computers, laptops, notebooks, PDAs, etc. without permission from the IT Administrator or Security Officer. This includes anything from the Internet or from a CD, DVD, flash drive, or other disc or media. Why not? The IT Department or Security Officer verifies that we have the appropriate licenses and virus protection in place. Did you know that downloads may slow down our systems? Some downloads have interfered with the proper functioning of web-based EHRs!

Security Violations: Downloading From PCs If it is absolutely necessary to copy or save files onto removable media, obtain approval from your Supervisor and encrypt the file so that it can only be opened with the password (ask the IT Department how to encrypt a file). This applies to copying anything off our computers onto media such as a USB flash drive, CD, DVD, or other disc. Safeguard the removable media, and the password that unlocks it, at all times so that the information cannot be inappropriately accessed; keep the password separate from the media, since an encrypted file travelling with its own password is not protected. Immediately contact the IT Department and Security Officer if a device is lost or stolen.

Other Types of Security Issues and Incidents Theft (or loss) of a computer, laptop, or PDA. Inappropriate use of Northwest Counseling & Guidance Clinic computers. A technology-related situation which results in a significant adverse effect on people, processes, technology, facilities, etc., such as: A system “glitch” which results in ePHI being accessed by, or sent to, an inappropriate recipient. A virus that prevents users from being able to access PHI.

What is Misuse of PHI? Unauthorized access to, use of, taking of, possession of, release of, editing of, or destruction of patient PHI, without the patient’s authorization.

Privacy Violations: How Do They Happen? What are some common ways breaches of confidentiality occur? Many incident reports arise from common human errors, such as the following:

Privacy Violations: How Do They Happen? Faxing to the wrong individual or location. When searching for a patient’s address, her name is typed, her date of birth is not validated, and a patient with the same name is selected instead. These can be prevented by double-checking that you have the right patient’s records prior to releasing PHI.

Privacy Violations: Incorrect Patient on a Form Jane Doe’s name, medical record number, and date of birth were placed on a prescription that was handed to Molly Sue. Is this considered a breach of confidentiality? Yes. If Molly Sue reads Jane Doe’s name on this form, or on any other document, it is a breach of confidentiality. Ask Molly Sue to return the incorrect prescription and contact the Privacy Officer to walk through the reporting process.

Privacy Violations: Incorrect Records Released A patient requested that we send her 2006 mental health diagnosis to her non-Northwest Counseling & Guidance Clinic provider. In addition to the 2006 mental health diagnosis, we also released her 2004 and 2005 mental health diagnoses. Is this a breach of confidentiality?

Privacy Violations: Incorrect Records Released Yes. This is a breach of confidentiality because more information than the patient requested was released (the 2004 and 2005 diagnoses). Always keep in mind that we may only release the minimum necessary PHI to accomplish the purpose of the request, even when releasing to another treating provider, insurance company, etc. Ask the provider to return the 2004 and 2005 records, and contact the Privacy Officer.

Privacy Violations: Incorrect Patient’s Results Mailed The treatment plan of one patient was mailed to a different patient. Is this a breach of confidentiality? Yes. It is a breach of confidentiality if the treatment plan includes the other patient’s name. Ask the patient to return the incorrect treatment plan, document the disclosure, and contact the Privacy Officer.

Privacy Violations: Patient’s Records Sent to Wrong Company Patient records were sent to the wrong insurance company. Is this a breach of confidentiality? Yes. Because this insurance company does not provide coverage for this patient, it had no need to know anything about him or her. Ask the company to return the incorrect records, document the disclosure, and contact the Privacy Officer.

Release of Information (ROI) What PHI may I release? What WI laws and federal regulations apply? What information can be released without an authorization? What are the steps in releasing information? When is an authorization required? How do I verify the authority and identity of the requestor? Are there any restrictions which do not allow this release? Do I need to document the release? Why do I need to be doing all this? What are some practical release of information examples? Please proceed to learn more about how to correctly release PHI.

ROI: Applying the Steps I received a request to release a patient’s PHI. What now? Whether releasing verbally or in writing, determine the following: Is the requestor legally authorized to receive the PHI? Important Note: when uncertain, ask the onsite administrator or Privacy Officer, or obtain a signed authorization from the patient. Is a signed Authorization required? If yes, determine whether the Authorization is HIPAA and WI compliant (refer to the next slide).

ROI: Valid Authorizations Elements of a valid authorization:
Client/Patient name and date of birth.
Name of the individual or agency authorized to make the requested disclosure.
Name of the person or organization to whom the disclosure is to be made.
Purpose of the disclosure.
Specific description of the type and amount of information to be released. If the release includes mental health, alcohol or drug abuse records or test results, or developmental disability records, these must be specified. If the release includes HIV test results, AIDS, or AIDS-related disease, the statement “HIV test results” is required.
Statement on the possibility of re-disclosure by the recipient, and that the information is then no longer protected by Northwest Counseling & Guidance Clinic.
Right to inspect a copy of the records released (required only for WI DHS 92 records).

ROI: Valid Authorizations Refer to the HIPAA COW Authorization Form located at http://hipaacow.org/home/PrivacyDocs.aspx Elements of a valid authorization, cont.:
Statement of the ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the authorization.
If the release involves marketing and direct or indirect remuneration to Northwest Counseling & Guidance Clinic by a third party, a statement reflecting this.
A statement of the right to revoke the authorization in writing, exceptions to the right to revoke, and how to request a revocation.
Expiration date or event, i.e. the time period during which the authorization is effective.
Signature of the client/patient or legal personal representative, and the date signed. If signed by a legal personal representative, a description of his or her authority to sign.
A copy of the form must be given to the client/patient.

ROI: Authorization Not Required There are times when an authorization is not needed. Read on to find out when authorizations are not required…

ROI: Permitted Uses and Disclosures of PHI Without an Authorization Uses and disclosures of PHI for treatment, payment, and health care operations (TPO), and disclosures mandated by law. If a use or disclosure does not fall under one of these categories, you must have the patient’s signed authorization (written permission) before sharing that information with anyone.

ROI: When is an Authorization Required?

ROI: General Wisconsin “Confidentiality” Laws WI laws may require authorizations even where HIPAA does not. The next few slides summarize a few of the more commonly used WI laws…

ROI: General Wisconsin “Confidentiality” Laws
146.82, Wis. Stat.: Covers general medical health care PHI and authorization requirements.
51.30, Wis. Stat.: Covers PHI relating to mental health, AODA, and developmental disability treatment, authorization requirements, and penalties.
DHS 92, Adm. Code: Further covers confidentiality of mental health treatment records (with 51.30).
DHS 144, Adm. Code: Covers release of immunization records between vaccine providers, and to schools, specifically for minors.

ROI: General Wisconsin “Confidentiality” Laws
102.13 & 102.33, Wis. Stat.: Cover records reasonably related to a worker’s compensation claim and their release to the employee (patient), employer, worker’s compensation insurer, or Department upon written request.
610.70, Wis. Stat.: Covers disclosure of personal medical information by insurers.
252.15, Wis. Stat.: Covers health care information relating to HIV testing and authorization requirements.

ROI: Other Regulations to Consider
42 CFR Part 2: Federal alcohol and drug regulations covering the use and release of a patient’s drug and alcohol abuse records in a federally assisted program.

ROI: Identity Verification Prior to releasing PHI, ask the individual to provide you with enough information to identify the patient, such as: Name. Date of birth. Address. Other identifiers: Social Security number, mother’s maiden name. Identify someone other than the patient by requesting that he or she provide you with all of the above information, as well as his or her relationship to the patient. Check a physical signature against a known one on file. Make a call-back to a known number. Ask for a photo ID. Ask for a business card (on its own a business card proves little; pair it with a call-back to a number you already have on file). Provide only the minimum necessary to safeguard PHI. Refer to the HIPAA COW Identity Verification Policy located at http://hipaacow.org/home/PrivacyDocs.aspx

ROI: Authority Verification Once you know who the requestor is, be sure he or she has the right to access this information. Routine requests from employees you know in our organization, who have a need to know the information for business reasons, are ok. Unusual requests from individuals you don’t know can be risky, so before sharing PHI: Ask your supervisor. And/or check your procedure. Who are you?

ROI: Individual Needs to Find Patient In Any Setting An individual would like to find out whether a patient is in our facility. Do not confirm or deny that the patient is here, and politely end the phone call. After ending the call, notify the client (and/or the parent/guardian in the case of a minor client) that the individual inquired about them, and ask how they would like to proceed for future contacts with this person.

ROI: Minimum Necessary Release only the requested PHI, and include sensitive PHI (mental health, HIV/AIDS, STDs, etc.) only if it is specifically authorized. Release the minimum necessary (note: this may be less than what was requested). Limit access to what is needed to accomplish the purpose for which the request was made (or that which was authorized). Do not disclose an entire medical record unless it is specifically justified as the amount of PHI reasonably needed to accomplish the purpose of the use or disclosure.

ROI: Documentation Document the release when required by law and by our organization’s policies. See the “Accounting of Disclosures” policy in the HIPAA policy manual. Effective April 1, 2008, Wisconsin Statute 146 no longer requires documentation of disclosures for purposes relating to treatment (providing and coordinating care), payment (billing for services rendered), and health care operations (internal business).

ROI: Documentation (Continued) Document the release per WI Statute, HIPAA, and our organization’s policies. See the “Accounting of Disclosures” policy in the HIPAA policy manual. For example, HIPAA requires documentation of breaches, public health reporting, etc. This documentation is made directly in the client’s file.

ROI: Documentation (Continued) What are we required to document? Date of the disclosure. The name of the person the PHI was released to (and address, if known). A brief description of the PHI disclosed. The purpose of the release. Other suggested items, not required: Received date. Who released the information. How the information was disclosed (this item is also required if the information is from a 51.30 treatment record).

ROI: Documentation Why do we have to document when we release PHI (when required by law)? Patients have the right to request from us a record of what PHI was released and to whom (an Accounting of Disclosures).

ROI: Note: these steps must be followed each time you release information, verbally or in writing. Wow! That’s a lot to know! Were you aware that you can ask the onsite administrator and/or the Privacy Officer if you have questions or concerns related to the release of information? That’s right! If you aren’t absolutely 100% certain whether (or how) you can release information, STOP and ask for help by calling 715-327-4322, extension 126. Following are some examples of release situations…

ROI: Family and Friends Patient present and alert: the patient decides. Patient incapable of making wishes known: permission to discuss current care is inferred. Care or payment: the information must be needed for the patient’s care, or the person must clearly be involved in payment for care (the involvement is obvious, or the patient has said so). Notify family or friend(s), when they are involved in the patient’s care, of the patient’s general condition, of the patient’s location, when the patient is ready for discharge, and of the patient’s death. Note: paper copies may not be released under these examples.

ROI: Divorced Parents A parent calls to get information on their child. Can you release it? If the parents are divorced, either parent may get access to the records with a proper release. Assume that they can get records unless told otherwise. Where the parental rights of one parent have been terminated, the parent with sole rights is responsible for providing that information. When in doubt, call the parent who has physical placement and ask whether the other parent is allowed to obtain records. If they say no, they will be required to present the corresponding court documents. If they say yes, obtain permission and document what was provided.

ROI: Legal Guardians An individual calls to discuss a patient’s appointment information with you and states that he is the patient’s Legal Guardian. May you discuss this with him? Yes, after verifying that the individual is the patient’s Legal Guardian and has access rights to the type of records being requested. Here’s how to verify: prior to releasing PHI, ask the individual to provide you with enough information to identify the patient, such as: Name. Date of birth. Address. Other identifiers: ask him to verify other identifying information that we would have in the client file (Social Security number, etc.). Then check the guardianship against the court papers on file.

ROI: Step-Parents A step-parent calls to discuss her stepchild’s care. May you discuss this with her? No, unless the step-parent is a legal guardian and we have the guardianship papers on file, or a legal guardian has provided authorization. Step-parents may call to schedule appointments, but they do not have access to their stepchildren’s PHI without authorization from a legal guardian.

ROI: Foster Parents Can foster parents get information on the child they are caring for? Yes, if they have guardianship papers, other court papers, or an authorization from the birth parent giving them the right of access. If they don’t have any legal papers and a health care provider needs the information, you may release it directly to that care provider.

ROI: Workers’ Compensation PHI to an Employer When releasing workers’ compensation records to an employer and/or work comp carrier, may I release the rest of the patient’s medical history (not related to the work comp claim with that employer)? No. Without an authorization, the patient’s employer and work comp insurance carrier have the right to only those records reasonably related to the workers’ compensation claim/condition. Ask the patient to sign an authorization form to release additional types of records.

ROI: Leaving Messages A spouse answers the phone, or the voice mail picks up. What information may I provide? Unless the client has requested that we not call their home or leave messages: State your first name and that you are calling from Northwest. Ask the patient to return your call, and provide your direct phone number. Do not provide detailed information, other than an appointment reminder. Example: “This is Sally from Northwest calling for Johnny Doe. Please call me back at your earliest convenience at (the phone number where you can be reached). Thank you.” Double-check that you ended the call.

ROI: Faxing PHI May we fax PHI? Yes, we may fax PHI, but only when it is in the best interest of patient care or payment of claims. We may not fax sensitive PHI (HIV, mental health, AODA, STDs, etc.) unless approval is given on the ROI. It is best practice to test a fax number prior to faxing PHI to it. If this is not done, then complete the following: Restate the fax number to the individual providing it to you. Obtain a telephone number to contact the recipient with any questions. Do not include PHI on the cover sheet. Verify that you are including only the correct patient’s information (i.e. check the top and bottom pages). Double-check the fax number before pressing “send”.

ROI: Email When sending ePHI to anyone for treatment, payment, or health care operations, encrypt the email and verify that the organization’s confidentiality email disclaimer is included. The disclaimer is a notice to the recipient, not a safeguard; the encryption is what protects the ePHI in transit.

And now, for some general safeguarding tips… How else can I protect our patients’ PHI?

Safeguarding: Discussing PHI You never know who may overhear you discussing a patient. The person next to you, patient or coworker, could be the patient’s neighbor, best friend, cousin, etc. Remember to talk quietly. When possible, discuss PHI privately, such as behind a closed door. Avoid having discussions in patient waiting rooms, elevators, the cafeteria, etc.

Safeguarding PHI: Approaching a Co-worker You need to talk with a co-worker, but she is talking with a patient to schedule his appointment. What should you do? Give your co-worker the privacy to finish working with that patient, and approach her when she is done.

Safeguarding: Seeing a Patient Outside Northwest Counseling & Guidance Clinic You’re walking through the grocery store one day and see a Northwest Counseling & Guidance Clinic patient. What should you do? It’s ok to say hello, but don’t ask the patient “how she’s doing” or questions about her health. It’s ok to listen if she offers to update you on her health. Let the patient approach you first, but don’t make it seem like you are trying to avoid her.

Safeguarding: Talking with Friends About Work You had a negative encounter with a patient and really need to vent to a friend after work. What can you discuss? Working in health care isn’t easy, and patient confidentiality MUST be maintained at all times: at work, during non-work hours, and after your employment with the organization ends. Here are some helpful tips…

Safeguarding: Talking with Friends About Work Do not share with family, friends, or anyone else a patient’s name, or any other information that may identify him or her. For instance, it would not be a good idea to tell your friend that a patient came in to be seen after a severe domestic dispute. Why? Your friend may hear about the domestic dispute on the news and know the person involved. Do not tell anyone that you know a famous person, or their family members, were seen at this organization.

Safeguarding PHI: Media If I am contacted by the media, may I release PHI to them? If I am contacted by an individual offering to pay me for PHI, may I release it? No! You may not release PHI under either of these circumstances. Both are grounds for disciplinary action. Refer the requestor to the Privacy Officer.

Safeguarding PHI: Delivery I need to transport paper records/PHI to another department. Is it ok for me to do this? Yes, you may transport documents to another department. Secure them so you don’t drop them: Carry them close to your person. Carry them in a facility-designated bag, box, or container. Ensure that no names are visible. Ensure that no records are left unattended.

Safeguarding PHI: Transporting Offsite When it is necessary to transport PHI externally: Place it in a locked briefcase, closed container, or sealed self-addressed interoffice envelope. Place the PHI in the trunk of your vehicle, if available, or on the floor behind the front seat. Lock vehicles when PHI is left unattended. You may not transport patient charts between departments or offsite unless authorized by the onsite administrator.

Safeguarding PHI: Interoffice Mail Send all PHI in sealed interoffice envelopes. Verify that all PHI was removed from a reused envelope before stuffing it. Address envelopes to the correct individual and department. Mark the envelope “confidential”. Confirm that you are sending the correct PHI.

Safeguarding PHI: Paper Turn over or cover PHI when you leave your desk/cubicle so that others cannot read it. If you have an office, you have the option of closing your door instead. Turn over or cover PHI when a coworker approaches you to discuss something other than that PHI.

Safeguarding PHI: Paper Continued Don’t leave documents containing PHI unattended in fax machines, printers, or copiers. Check your fax machine frequently so that documents are not left on the machine.

Safeguarding PHI: Disposal How should I dispose of confidential paper? Shred it, or place all confidential paper in the designated confidential paper bins. Does this include Post-it notes, scratch paper, envelopes, and old non-confidential documents we no longer need? No. As long as they contain no PHI, please put these in the recycling paper bins! Does this include tissue, paper plates, cardboard, and pizza boxes? No. Please put these items in the regular trash or other appropriate recycling container! How should I dispose of electronic media (floppy disk, CD, USB drive, etc.)? Give electronic media to the IT Department to dispose of it; deleting the files yourself does not remove the data from the media.

Facility Security How can I help protect our facilities? Wear your ID badge at all times, if provided (it identifies you as a Northwest Counseling & Guidance Clinic employee/provider). Only let employees enter through employee entrances with you. Keep hallway doors that lead to patient care areas closed. Ask vendors and contracted individuals to sign in.

What are Restricted Areas? Restricted areas are those areas within our facilities where PHI and/or organizationally sensitive information is stored or used: Receptionist stations. Business office windows. Records Department. Patient care hallways/treatment areas. Offices. Storage closets and cabinets. Accounting, Human Resources, Administration offices, IT Department, etc. Employee meeting rooms/kitchens in the departments. Areas containing potential safety hazards (e.g. medical imaging, lab, nuclear medicine, etc.).

Facility Security Continued… If you see someone in a restricted area and you do not recognize them, kindly ask “May I help you?” Escort the individual out of the restricted area and to the individual/area he or she is visiting.

Business Associate Agreements If you initiate negotiations to contract with a company to perform, or assist in the performance of, a function or activity involving the use or disclosure of PHI, please contact the Northwest Counseling & Guidance Clinic Privacy Officer to obtain a Business Associate Agreement (BAA). Examples of when to obtain a BAA with a company include: Claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and re-pricing; and Legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.

Other Confidentiality Agreements When initiating a contract with a company to perform work for Northwest Counseling & Guidance Clinic that will not involve direct access to PHI, request that the company sign a Confidentiality Agreement.

HIPAA and Your Role Remember, it is your responsibility, as a Northwest Counseling & Guidance Clinic employee or provider, to comply with all privacy and security laws and regulations, and with the Northwest Counseling & Guidance Clinic policies pertaining to them. Employees and providers suspected of violating a privacy or security law, regulation, or Northwest Counseling & Guidance Clinic policy are given a reasonable opportunity to explain their actions. Violations of any law, regulation, and/or Northwest Counseling & Guidance Clinic policy will result in disciplinary action, up to and including termination.

HIPAA Violations: How Much is Enough? How Much is too Much? There are three types of violations: Incidental, Accidental, and Intentional.

Incidental Violations If reasonable steps are taken to safeguard a patient’s information and a visitor happens to overhear or see PHI that you are using, you will not be liable for that disclosure. Incidental disclosures are going to happen, even in the best of circumstances. An incidental disclosure is not a privacy incident, and this type of disclosure is not required to be documented.

Accidental Violations Mistakes happen. If you mistakenly disclose PHI or provide confidential information to an unauthorized person, or if you breach the security of confidential data: Acknowledge the mistake and notify your supervisor and the Privacy Officer immediately. Learn from the error and help revise procedures (when necessary) to prevent it from happening again. Assist in correcting the error only as requested by your leader or the Privacy Officer. Don’t cover up or try to make it “right” by yourself. Accidental disclosures are Privacy Incidents and must be reported to your Privacy Officer immediately! This disclosure must be documented.

Intentional Violations If you ignore the rules and carelessly or deliberately use or disclose protected health or confidential information, you can expect: Disciplinary action, up to and including termination. Civil and/or criminal charges. Examples include: Accessing PHI for purposes other than assigned job responsibilities. Attempting to learn or use another person’s access information. If you’re not sure about a use or disclosure, check with your Supervisor or the Privacy Officer.

Reporting HIPAA Violations If you are aware of, or suspect, an accidental or intentional HIPAA violation, it is your responsibility to report it. Northwest Counseling & Guidance Clinic may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against anyone who in good faith reports a violation (whistle-blowing). Refer to the Office for Civil Rights web page http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html for more examples of what and how to report.

It’s Important to Report HIPAA Violations… So they can be investigated, managed, and documented. So they can be prevented from happening again in the future. So damages can be kept to a minimum. To minimize your personal risk. In some instances, management may have to notify affected parties of lost, stolen, or compromised data. Incidental disclosures need not be reported, but if you’re not sure, report them anyway.

Patient Complaints Report all patient complaints. We are required by law to respond to privacy and security complaints.

How May I Report a HIPAA Privacy Violation? Directly to your Supervisor, who in turn reports it to the Privacy Officer. Call or email the Privacy Officer.

How May I Report a HIPAA Security Violation? If it involves a breach of patient confidentiality, report it through the same methods listed for Privacy Violations. If it does not involve a breach of confidentiality, report it through one of the following methods: the same methods listed for Privacy Violations, or call or email the Security Officer.

Questions, Comments, Concerns… Not sure which way to go? Please contact your Privacy Officer at 715-327-4322, Extension 126, jackiem@nwcgc.com. Please contact your Security Officer at 715-327-4322, Extension 126, jeffr@nwcgc.com.

Remember to complete your training documentation and turn it in to your supervisor.

Thank you, from the Privacy and Security Committees. Hand In - hand Protecting All Accounts! Refer to the HIPAA COW website for privacy, security, and EDI reference materials: http://hipaacow.org/home/home.aspx

HIPAA COW Authors
Primary author: Holly Schlenvogt, MSH, ProHealth Care Medical Associates, Privacy Officer
Contributing authors:
Cami Beaulieu, Red Cedar Medical Center, ROI Supervisor and Privacy Assistant
Jane Duerst Reid, RHIA, Clear Medical Solutions, HIM Consultant
Linda Huenink, MS, RHIA, Wk Co. Dept. of Health & Human Services, Records Supervisor
Carla Jones, Senior Staff Attorney/Privacy Officer, Marshfield Clinic Legal Service
Kathy Johnson, Privacy & Compliance Officer, Wisconsin Dept. of Health Services
Melissa Meier, ProHealth Care Medical Associates, Corporate Compliance Coordinator
Kim Pemble, Executive Director, WI Health Information Exchange (WHIE)
LaVonne Smith, Information Services Director, Tomah Memorial Hospital
Reviewed by: HIPAA COW Privacy & Security Networking Groups