1. Confidentiality and HIPAA

2. Learning Objectives
Articulate the basic rules governing privacy of medical information and records.
Identify the client’s rights under HIPAA.
Demonstrate the ability to respond appropriately when faced with situations involving confidentiality.

3. The importance of confidentiality
Find a partner. Discuss your experiences with confidentiality.

4. The Health Insurance Portability and Accountability Act - HIPAA
This act is about privacy regulations – it requires that providers protect the privacy and security of their consumers health information in new ways.
Allows consumers additional rights to access, amend and protect their own health care information.

5. What is Protected Health Information?
PHI is information that contains identifiers.
PHI replaces the phrase “confidential medical information”
What are basic identifiers that we use?

6. Protected Health Information
PHI includes the following:
Treatment Plans
Medical Records
Incident Reports
Outcomes Databases
Data Collection Sheets
Treatment Team Meeting Notes

7. Protected Health Information
PHI also includes:
Treatment information
Health information (physical or mental)
Payment information
It includes past, present or future info
It includes information that is verbal, electronic or on paper

8. Informing Clients
A Privacy Notice is given to each client upon entry into mental health services
Each person must sign that he/she has received this Privacy Notice

9. Authorization of Disclosure
Releasing of PHI requires authorization from the consumer, except under very specific circumstances.
The request must state the type and amount of information the consumer is willing to disclose.
HIPAA authorization forms must be signed and updated annually.

10. Basic guidelines
Be conscientious about “need to know” in all situations
Outside the team, disclosure should be guided by
Authorization
Staying within the parameters of the specific information required
During emergencies, the safety and health of the consumer permits disclosure of necessary PHI
Let’s look at some examples:

11. Permitted Disclosures
To the consumer, subject to certain restrictions.
For treatment, payment or healthcare operations (I.e., Quality, Risk Management) within the agency.
Child abuse, elder abuse, Tarasoff warnings
Secret Service
To Guardians of adults
To parents/family member of minors

12. Permitted Disclosures, cont.
With a valid authorization:
for any reason to a third party
To family members or other persons involved with the individual’s care.

13. Disclosures Usually Permitted
To Public Health Authorities – reports of death or disease
In response to a court order or as permitted by law with regard to litigation
To avert a serious threat to health or safety to the individual or others.

14. Substance Abuse Records
Substance abuse records are highly protected – the client must make a specific authorization to disclose this information
There are three exceptions to the rule requiring client authorization of substance abuse records
Child Abuse Reporting
Crime committed at/or threatened at the treatment facility
Medical emergency

15. Confidentiality and Teams
HIPAA, California law and W&I Code permit sharing of healthcare and mental health information, without authorization, for treatment purposes.
If a new team is developing, including non-medical partners such as probation officers, law enforcement, teachers or social workers, it is easiest to get an authorization signed at the outset.

16. Sharing substance abuse information
HOWEVER, authorization is required when sharing substance abuse treatment program information with providers who are “outside of the program.”

17. The Designated Record Set
All of the client’s information is contained in the Designated Record Set
DRS replaces the term “medical record”
A DRS is a group or records maintained by a provider or for a provider that is the medical and billing records; case or medical management records; or information used in whole or in part to make healthcare decisions about the individual.

18. The DRS
The information within the DRS is what the HIPAA regulations protect.
Consumers have specific rights under HIPAA with regard to their DRS.

19. Consumer Rights Under HIPAA
Right to access DRS
Right to amend DRS
Right to restrict sharing of PHI
Right to accounting of uses and disclosures of PHI
Right to file complaints concerning a providers Privacy Practices

20. Accountability Under HIPAA
Civil penalties
$100/violation up to $25,000 per calendar year (Office of Civil Rights)

21. Accountability Under HIPAA
Criminal penalties (enforced by the Dept. of Justice)
Up to $50,000 and 1 year of imprisonment for knowingly obtaining and disclosing PHI
Up to $100,000 and 5 years imprisonment if committed under false pretenses.
Up to $250,000 and 10 years imprisonment if committed with intent to sell, transfer, or use for commercial advantage, personal gain or malicious harm.

22. Accountability Under HIPAA
The provider can be sued by consumers for improper disclosures of PHI
Disciplinary actions against employees for failure to follow policies and procedures regarding consumer privacy.

23. Protecting the Security of PHI
Each healthcare site must have appropriate administrative, technical and physical safeguards to protect the privacy of protected health information.

24. Protecting the Security of PHI
Agencies must put into place reasonable safeguards to prevent intentional or unintentional use or disclosure.

25. Exercise
Identifying Breaches of Confidentiality

26. The Bottom Line Think confidentiality and privacy.
Share only what you need to share.
Always have an authorization before sharing someone’s confidential information.

27. Exercise
Confidentiality Situations