1. Privacy Laws, Practices and YOU The Mental Health Association April 2009

2. The Health Insurance Portability and Accountability Act of 1996

3. “The Privacy Rule” Standards for Privacy of Individually Identifiable Health Information Implemented and enforced by the Office for Civil Rights HIPAA Helps Us Know What Information Should Be Kept Confidential.

4. What does the Privacy Rule do? It defines and limits the circumstances in which an individual’s protected health information may be used or disclosed.

5. What is “Protected Health Information”? All individually identifiable health information maintained in any form.

6. Types of Protected Health Information Past, present, or future physical or mental health. Conversations your provider has with others in their agency about your care or treatment. Information about you in your health insurer’s computer system. Billing information about you at your provider’s office.

7. Common Identifiers Name Address Birth Date Social Security Number

8. Protected Health Information must be kept confidential, and shared or accessed only as the law allows.

9. Who Has to Comply with The Privacy Rule? Providers who transmit health information electronically. All “providers of medical or health services” as defined by Medicare. Any person or organization that provides or is paid for health care.

10. What Information is Not Protected by HIPAA? Employment records of the agency. Family Educational Rights and Privacy Act (FERPA) records.

11. Keep in mind:

12. What do you think? Sally left the completed referral form of a person who wants to participate in the Peer-To-Peer program on her desk while she took a phone call in the library. Did this violate confidentiality standards for Protected Health Information?

13. Some of the Exceptions The provider who generated the notes may use them for treatment, training, or to defend itself in court. To determine compliance with the Privacy Rules. To avert a serious and imminent threat to public health or safety.

14. What are “Serious Threats to Health or Safety?” Telling someone they are, or someone else is, the target of a threat. It is also lawful to disclose PHI to law enforcement if it will help them to identify or apprehend an escapee or violent criminal.

15. When Can Protected Health Information be Shared? For treatment and care coordination. To pay providers for health care or help them run their businesses. With family, relatives, friends, and others you identify, unless you object. For health and safety compliance checks on providers. For public health protection. For required police reports.

16. Your Permission Must be Obtained to: Give health information to your employer. Share or use your information for marketing or advertising. Share private notes about your mental health counseling sessions.

17. Written Authorization is NOT Needed for Treatment Payment Health Care Operations (i.e., satisfaction surveys)

18. You Have the Right to: Get a copy of your own health record. Have corrections added to the health record. Have an accounting of how, when, and why health information has been used and shared. File a complaint with the provider and/or the U.S. Government.

19. Additional Confidentiality for Substance Abuse Treatment Substance abuse treatment providers must obtain written consent from a patient before disclosing any information about that person. Disclosure must meet the “minimum necessary” requirement. Consents must be retained in the patient’s treatment file and a copy given to the patient and to the requesting program, such as IFST.

20. What About Minors Receiving Substance Abuse Treatment? A minor must always sign a substance abuse treatment consent form for a program to release information even to parents or guardians.

21. The “Minimum Necessary” Providers must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose.

22. What Do You Think? Bob Smith called a person on his survey list to do a survey. When they began talking, he thought he recognized the person’s voice, and said, “Didn’t I meet you at the Doctor’s office last week? Do you see Dr. Jones?” Does this meet the “minimum necessary” principle?

23. Keeping Information Private Shred documents with protected health information before throwing them away. Use a locked filing cabinet for all files with protected health information. Use pass codes for computer access.

24. What do you think? Lynn had to go to a meeting. She turned over the call list she was working on so the names didn’t show, and left. No one was in the area. Did this violate confidentiality standards for Protected Health Information?

25. Yes! She should have put the information in the filing cabinet. She should have locked the cabinet before leaving the room.

26. Computer Safety While checking her email at work, Josie notices she keeps getting obvious “spam” from a particular company and decides to respond to the company’s offer to “unsubscribe” so that she won’t receive anymore emails from them. She clicks on the link and completes the process outlined there. What did she do wrong? How could this affect confidentiality?

27. More Computer Safety NEVER email an MHA client’s name, date of birth, address, phone number, social security number, MA number, etc. Why not?

28. Computer Safety Andrew was online at work and an ad popped up offering him a free program. Since it was free, he figured the agency wouldn’t mind, and downloaded it to his computer. What did he do wrong? How could this affect confidentiality?

29. More Computer Safety Do not respond to “spam.” Discard and delete it. Do not unsubscribe to spam. It confirms your address. Do not open email attachments if the message looks even a little bit suspicious. Make sure every person has a password protected account to ensure that only those who are supposed to have access to records gain access. Make sure you password protect your PDA in case it is stolen.

30. Your Responsibilities Access information only in support of your job duties. Report lost information promptly to your supervisor. Comply with all security and privacy policies. Remember, YOU will be held accountable for the security of protected information.

31. MHA Employees Follow HIPAA Privacy Laws MHA policies and procedures concerning confidentiality Program contractual obligations

32. Practice Time at MHA! Janice answered the phone at MHA, and the caller asked if she could confirm that Lynn Davis was an employee of MHA. Janice said, “Oh sure! She works with IFST.” Did she follow MHA policies and procedures in releasing that information?

33. No! She should have answered only that “It is not our policy to give out that information.”

34. More Practice Mary Jones is a Peer Specialist. One of her peers is in the hospital. When she goes to the clubhouse, a member there says, “Is your peer ok? I’m really worried about her and I haven’t seen her.” What could Mary say? How does this pertain to HIPAA?

35. About Disclosure... During a survey, the individual discloses that they are in recovery from drug addiction. The surveyor says, “I am too.” Was the surveyor’s disclosure appropriate? What do MHA policies and procedures say about this?

36. More Disclosure... During a survey, the individual discloses that he is struggling with thoughts of self- harm. The surveyor says, “Me too. It’s a struggle just to keep going. I have OCD as well.” Was the surveyor’s disclosure appropriate?

37. More Disclosure... The IFST supervisor stops in to visit with Helpline staff over the weekend. She says, “Did Fred Smith call tonight?” What should the Helpline staff say? Does HIPAA pertain to this?

38. The Need to Know MHA’s policy is that information about program participants is shared only with the supervisor of the program, the mental health professional, or the Executive Director. No one else really needs to know.

39. More Disclosure... Jenny and Pam are Peer Specialists. Jenny says to Pam, “How is your peer coming along with his anxiety issues?” What should Pam say?

40. The Need to Know MHA’s policy is that information about peers is shared only with the supervisor of the program, the mental health professional, or the Executive Director. No one else really needs to know.

41. Disclosure In a Public Area Cassie sees the case manager of a peer at the hospital. They are in the waiting room, and the case manager begins talking to Cassie about the peer. What should Cassie do?

42. Disposal of Information Jonathan has finished his shift on the helpline and is cleaning up his workspace. He tears off the papers from his notepad where he has written notes about callers and throws them away. What should Jonathan have done with the notes?

43. Penalties for Non-Compliance with HIPAA $100 per failure to comply up to $25,000/year for the agency. $50,000 and up to one year imprisonment for a person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA law.

44. Privacy and confidentiality is a priority at our agency. When in doubt, ask your supervisor.

45. For More Information http://hhs.gov/ocr/hipaa http://www.hipaa.samhsa.gov