THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) (known as THE PRIVACY RULE)

2 BACKGROUND  December 2000—HHS issued Standards for Privacy of Individually Identifiable Health Information (Privacy Rule), which became effective October 15, 2002  April 14, 2003—Entities covered by the Privacy Rule must be in compliance

3 PRIVACY RULE REQUIREMENTS  Students or parents/legal guardians sign an Authorization that describes, in writing, the uses and disclosures of their protected health information except for uses related to treatment, payment, and health care operations, and other uses permitted or required by law.

4 PRIVACY RULE REQUIREMENTS (continued)  Students must be provided with a written Notice about how their medical information may be used and disclosed without their written consent.  A Supplemental Authorization must be completed for disclosure of protected health information not covered in the Authorization.

5 PRIVACY RULE REQUIREMENTS (continued)  All disclosures (on the Supplemental Authorization) must be maintained for 6 years.  Students and former students may request, at any time, an accounting of disclosures during this 6 year time frame.

6 AUTHORIZATION  Must be specific and detailed, to reduce the chances that the health and wellness center will need to have students sign additional authorizations  Only the minimum amount of information needed can be released and only to those who have a need to know

7 THE AUTHORIZATION ALLOWS SHARING  Information about students’ physical and mental health, including any diagnosis and any recommended accommodations or modifications with the center director  Information about certain health conditions with the academic, vocational, and career counseling staff—conditions that may be aggravated by the activities being supervised or conducted

8 THE AUTHORIZATION ALLOWS SHARING (continued)  Information with career transition staff to meet health needs after Job Corps  Information with residential living staff (including counselors), TEAP specialist, and mental health staff for the purposes of meeting student’s health needs  Information with food service about dietary needs, including food allergies

9 THE AUTHORIZATION ALLOWS SHARING (continued)  Information with residential living staff about medications, allergies, medical (including mental) conditions that may warrant emergency or other immediate care  Information with safety and security staff, including federal safety officers, about illegal drug use or alcohol abuse  Information with recreational staff about allergies, asthma, or other health conditions

10 THE AUTHORIZATION ALLOWS SHARING (continued)  Information with student records and data management staff regarding leaves or medical separations  Information about illegal use of drugs to staff that “need to know”  Information at the student’s or parent/legal guardian’s request

11 THE AUTHORIZATION ALLOWS SHARING (continued)  Information with Job Corps center or DOL personnel or contractors for the purposes of resolving grievances  Information for other routine uses, such as with social services to provide Medicaid coverage

12 THE AUTHORIZATION ALLOWS  Transferring of separated student medical records and providing storage until forwarded to DOL archives

13 NOTICE  Describes how medical information may be used and disclosed without consent, and how to obtain access to this information  Is given to students on their first visit to the health and wellness center  Is sent to the parent or legal guardian of those students under the age of majority

14 NOTICE (continued)  Must be posted in the health and wellness areas and in off-center areas of center health providers, such as doctors, mental health consultants, and dentists

15 OTHER INFORMATION THAT MAY BE SHARED WITHOUT CONSENT  Required by law for certain public health activities  To government authorities about individuals that may be victims of abuse, neglect, or domestic violence  For health oversight activities, including audits  In certain court proceedings  For law enforcement purposes  With coroners, medical examiners

16 OTHER INFORMATION THAT MAY BE SHARED WITHOUT CONSENT (continued)  To allow authorized organ or tissue donations  For certain approved limited research  To avert serious threats to health and safety  For workers’ compensation purposes  For certain government functions including national security

17 AC RESPONSIBILITIES  Read the prepared script to the student or parent/guardian  Provide a copy of the Privacy Rule Information pamphlet to the student or parent/legal guardian  Explain the Authorization (available on OASIS)  Refer the applicant to the health and wellness manager of the receiving center if the applicant has questions; if a center has not been identified, refer to the national nurse consultant

18 AC RESPONSIBILITIES (continued)  Have the applicant or parent/legal guardian sign the Authorization  Provide the applicant a copy of the signed Authorization  Forward the Authorization to the receiving center prior to the applicant’s arrival (if the center does not have the Authorization, departure must be delayed)

19 HEALTH AND WELLNESS STAFF RESPONSIBILITIES  Post the Notice in the health and wellness center  Have the center physician, center mental health consultant, and center dentist post the Notice, if dental or other services are provided off-center  Develop center operating procedures (COPs) regarding the Privacy Rule

20 HEALTH AND WELLNESS STAFF RESPONSIBILITIES (continued)  Ensure that ALL students on center have a signed Authorization and Notice in their medical folders or an explanation why the notice was not signed  Ensure that there is a signed Authorization for each applicant BEFORE the student arrives  Notify the center director and AC if an Authorization is not available; request delay of departure if the Authorization cannot be forwarded to the center prior to the student’s arrival

21 HEALTH AND WELLNESS STAFF RESPONSIBILITIES (continued)  Give and explain the Notice to the student during the student’s first visit to the health and wellness center; make additional copies of the Notice available for student requests  Send a copy to the parent/legal guardian for students under the age of majority and request that the Notice be returned signed. However, a signature is not mandatory. If a signed Notice is not received, document in the medical record that the Notice was sent to the parent or legal guardian

22 HEALTH AND WELLNESS STAFF RESPONSIBILITIES (continued)  If 18 or older, have the student sign the Notice; signing is not mandatory, but document that the Notice was given and the student declined to sign  File both the signed Authorization and Notice (all pages) in the student’s medical record  Conduct training on the Privacy Rule with all new health and wellness staff within 90 days of hiring and annually to all health and wellness staff

23 STUDENTS MAY  Revoke the Authorization at anytime by submitting a request, in writing, to the center director; however, revocation will be grounds for dismissal  Review information in their medical records  Request that information be changed if it is incorrect or incomplete  Can submit complaints to the privacy officer or to the Office of Civil Rights, Department of Health and Human Services

24 PARENTS/LEGAL GUARDIANS MAY  Submit a written request to revoke the Authorization; however, a revocation may result in dismissal  Have access to records unless prohibited by state laws

25 CENTER DIRECTOR RESPONSIBILITIES  Ensure that the Privacy Rule policy and procedures are enforced (legal counsel is advised)  Ensure that ALL students on center have a Notice and signed Authorization in the medical record  Designate a privacy officer to develop and implement Privacy Rule and review policies and procedures

26 CENTER DIRECTOR RESPONSIBILITIES (continued)  Designate a contact person (can be the same person as the privacy officer) responsible for receiving complaints and providing further information to students  Review and grant written requests to revoke the Authorization

27 CONTRACTOR AND SUBCONTRACTOR RESPONSIBILITIES  Ensure that the centers are compliant with the Privacy Rule; legal counsel is advised  Implement employee disciplinary policies for violations  Keep an accounting of disclosures

28 CONTRACTOR AND SUBCONTRACTOR RESPONSIBILITIES (continued)  Determine whether the Authorization and Notice are sufficient coverage for the center’s actual information practices  Modify the Authorization and Notice or change center practices, if needed

29 SUPPLEMENTAL AUTHORIZATION  If additional health information is required regarding an applicant, ACs MUST use a supplemental authorization that contains the elements of 45 CFR (example available at  The Supplemental Authorization must be written in plain language and a copy of the signed authorization must be given to the student

30 SUPPLEMENTAL AUTHORIZATION (continued)  Elements required in 45 CFR § including:  Description of the information to be shared  Identification of the person(s) authorized to make the requested use or disclosure  Identification of the person(s) with whom the information may be shared  Description of each purpose for sharing the information  Expiration date

31 SUPPLEMENTAL AUTHORIZATION (continued)  Must be signed by student or parent/legal guardian  Must describe how an individual can revoke the supplemental authorization  Must state that the health and wellness center may not condition treatment on whether the student signs the authorization  Must identify potential for redisclosure of shared information

32 DISCLOSURE DOCUMENTATION  All disclosures other than outlined in the Authorization must be documented and maintained for 6 years  Disclosure documentation should include:  Date of disclosure  Name and address of the person or entity receiving the disclosure  Brief description of the information disclosed  Students and former students may request an accounting of disclosures for a period covering 6 years

33 DISCLOSURE DOCUMENTATION (continued)  Centers must respond to requests for an accounting within 60 days  One 30-day extension can be obtained if it is stated, in writing, to the requester, including the reasons for the delay and the date the information will be sent  The first disclosure accounting in any given 12- month period is free; the center may impose a reasonable cost-based fee for additional disclosure information within the 12-month period

34 EXCLUDED FROM AN ACCOUNTING  Treatment, payment, and health care operations  Made to an individual about themselves  Incident to another disclosure permitted by the Privacy Rule (as when someone accidentally overhears a permitted conversation)

35 EXCLUDED FROM AN ACCOUNTING (continued)  For national security or intelligence purposes  To correctional institutions or other law enforcement in custodial situations  Occurred prior to April 14, 2003  Covered in the Authorization signed at the AC’s office or covered by another situation

36 RESOURCES  Health and Human Services HIPAA website  Job Corps Health website  Barbara Grove, National Nurse Consultant, (202)