HIPAA Privacy
Shared by: jolinmilioncherie
Posted: 5/21/2012
Pages: 47
DPH Privacy and
Data Security Policies
Annual Review
City and County of San Francisco
Department of Public Health and
DPH Safety Net Providers
Updated October 7, 2008
Training Overview
HIPAA
Sharing PHI
Data Security
Compliance
Summary
Resources
Post Test
2
Health Insurance
Portability and Accountability Act
(HIPAA)
(1996 Kennedy/Kassebaum Act)
3
3 Requirements of HIPAA
Privacy Rule
Affects how and which health information may be used or
disclosed for an identified individual.
Data Security Rule
Affects electronic transmission, storage, processing and
display of PHI, as well as access to and use of the equipment
that does so.
Transaction and Code Set Standards
Affects how healthcare related billing and eligibility
transactions are conducted. (Not covered in this handout)
4
The Language of the HIPAA
Privacy Rule
“PHI” (Protected
Health Information)
“Minimum Necessary”
“TPO” (Treatment,
Payment, and Health
Care Operations)
5
Language of the HIPAA Privacy Rule:
PHI, Protected Health Information
PHI is information
relating to an individual’s
health, care received, and/or
payment for services
(including demographics)
that can be individually-
identified as belonging to a
particular person.
It applies to both paper
documents and electronic
data sets that include PHI.
6
Language of the HIPAA Privacy Rule:
“Minimum Necessary”
Sharing of PHI shall
be restricted to the
minimum amount of
PHI a health worker
needs to know about
to complete his or
her task.
7
Language of the HIPAA Privacy Rule:
TPO: “Treatment”
“Treatment” means providing,
coordinating or managing a patient’s
care, including patient education and
training, consultations between
providers and referrals.
CAUTION! Unless you have
administrative approval, you
may only view or share PHI
of clients/patients who are
under your care.
8
Language of the HIPAA Privacy Rule:
TPO: “Payment”
“Payment” means
activities related to
DPH being paid for
services rendered,
including eligibility
determinations, billing,
claims management,
utilization review, and
debt collection.
9
Language of the HIPAA Privacy Rule:
TPO: “Health Care Operations”
“Health care operations”
means activities such as
quality assessment, student
training, contracting for
health care services,
medical review, legal
services, auditing, business
planning and development,
licensing and accreditation,
business management, and
general administrative
activities.
10
Client/Patient Rights under the
HIPAA Privacy Rule
1. To refuse to authorize
disclosures of PHI (for
purposes other than TPO);
2. To request confidential
communications;
3. To access medical records;
4. To request restrictions on
the use and disclosure of
PHI for TPO;
5. To revoke authorization;
6. To request an accounting of
disclosures.
11
Client/Patient Rights under the
HIPAA Privacy Rule
Every new DPH client must be
provided with the “DPH Notice of
HIPAA Privacy Practices.” This
policy applies to individuals served
by DPH, its contract providers,
affiliates and providers covered
under MOUs.
The Notice describes how health
information may be used and
disclosed. It also describes the
patient/client’s rights regarding
the use of that information.
12
Summary DPH Notice of HIPAA Privacy
Practices says…
Mental Health staff must review the
DPH Privacy Notice annually with their
clients. Staff are also asked to discuss
with their clients that PHI may be
shared (as allowed and necessary) in
verbal, electronic, and paper formats.
13
Sharing PHI
14
PHI Use and Disclosure Policy
Generally, when you are
using a client’s/patient’s
PHI for TPO, you do not
need to ask them for their
approval (exceptions
follow on next page).
Unless you have prior
administrative approval,
you may only view & share
PHI of clients/ patients
who are under your care.
15
HIPAA: Accounting of Disclosures
Providers have 60 calendar days to provide an accounting of disclosures
(made in the six years prior to the date on which the accounting is
requested, or shorter time period as requested) upon written request
by patient/client or family/guardian.
The DHHS privacy rule regarding accounting of disclosures may be
found at 164.528 section of the following webpage:
http://www.access.gpo.gov/nara/cfr/waisidx_02/45cfr164_02.html
DISCLOSURES THAT DO NOT* NEED TO BE ACCOUNTED FOR:
1. Mandatory reports made to CPS and APS;
2. Authorized by client;
3. Made to the client;
4. To carry out treatment, payment, and health care ops;
5. For national security or intelligence purposes.
16
HIPAA: Accounting of Disclosures
continued
ALL OTHER DISCLOSURES DO* need to be accounted for, thus
programs must document if and when any of the following
disclosures of PHI occur:
Law Enforcement - Disclosures to all law enforcement, unless
otherwise exempted.
Public Health Authorities - Reports of disease and injury, or for the
conduct of public health studies or investigations.
Health and Safety Purposes - Disclosures to protect health or
safety of a person, such as Tarasoff.
Legal Proceedings - Pursuant to court order, subpoena, etc.
Government Entity - Disclosures to any government entities, unless
otherwise exempted.
Wrongful disclosures of PHI, as disallowed by Federal and State
laws and City and County of San Francisco policies.
* Please refer to DHHS language for further clarification or contact
your Privacy Officer with questions.
17
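The accounting rule on the two slides above (exempt purposes, six-year lookback, 60-calendar-day response) as a small disclosure log. This is an added example written for this review, not DPH code; the purpose category names and the sample log entries are constructed.

```python
# Added example (not from the DPH deck): a disclosure log that separates
# accountable disclosures from the exempt categories, builds the accounting
# for a written request, and computes the 60-calendar-day response deadline.
# Category names are assumptions chosen for this illustration.
from dataclasses import dataclass
from datetime import date, timedelta

# Purposes the slide lists as NOT needing to be accounted for.
EXEMPT_PURPOSES = frozenset({
    "mandatory_cps_aps_report",
    "authorized_by_client",
    "to_client",
    "tpo",                    # treatment, payment, health care operations
    "national_security",
})

# Purposes the slide lists as needing documentation ("all other disclosures").
ACCOUNTABLE_PURPOSES = frozenset({
    "law_enforcement",
    "public_health_authority",
    "health_and_safety",      # e.g. Tarasoff
    "legal_proceedings",
    "government_entity",
    "wrongful_disclosure",
})


@dataclass(frozen=True)
class Disclosure:
    when: date
    recipient: str
    purpose: str
    description: str


def must_be_accounted_for(d: Disclosure) -> bool:
    """Exempt purposes are skipped; listed accountable purposes and any
    unknown purpose are kept, since the safer default is to document."""
    return d.purpose not in EXEMPT_PURPOSES


def years_before(day: date, years: int) -> date:
    """Same calendar date `years` earlier; Feb 29 falls back to Feb 28."""
    try:
        return day.replace(year=day.year - years)
    except ValueError:
        return day.replace(year=day.year - years, day=28)


def accounting(log, requested_on: date, lookback_years: int = 6):
    """Accountable disclosures in the window ending on the request date."""
    start = years_before(requested_on, lookback_years)
    return sorted(
        (d for d in log
         if start <= d.when <= requested_on and must_be_accounted_for(d)),
        key=lambda d: d.when,
    )


def response_deadline(requested_on: date) -> date:
    """Providers have 60 calendar days to produce the accounting."""
    return requested_on + timedelta(days=60)


# Constructed sample log for the demonstration.
SAMPLE_LOG = [
    Disclosure(date(2001, 3, 1), "County court", "legal_proceedings", "subpoena"),  # outside window
    Disclosure(date(2004, 6, 15), "Patient", "to_client", "copy of record"),        # exempt
    Disclosure(date(2005, 9, 20), "SFPD", "law_enforcement", "records request"),
    Disclosure(date(2007, 1, 10), "State DPH", "public_health_authority", "disease report"),
    Disclosure(date(2008, 2, 2), "Billing vendor", "tpo", "claims"),                 # exempt
]

if __name__ == "__main__":
    req = date(2008, 10, 7)
    for entry in accounting(SAMPLE_LOG, req):
        print(entry.when, entry.recipient, entry.purpose)
    print("deadline:", response_deadline(req))
```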
PHI and Authorizations
Authorization to Release
PHI forms must meet
HIPAA requirements, be
signed, and placed in the
respective patient’s/client’s
chart/file.
Individuals have a right to
revoke authorizations at any
time if they do so in writing.
Treatment shall not be
denied based on the refusal
of an individual to authorize
the use or disclosure of his
or her PHI.
18
Required Elements of an
“Authorization to Release PHI” Form
Authorization forms may not be combined with any
other document (e.g., with consent for treatment
forms) to create a “compound authorization.”
HIPAA and State regulations require that each
authorization include the following elements:
Client’s/Patient’s name and date of birth
Name of the disclosing entity/facility
Name and address of the facility/individual to receive the information
Description of the information to be disclosed
Description of the purpose of the disclosure
Expiration date or condition upon which the authorization is terminated
Signatures and dates: Patient/Client (or Parent/Guardian/Conservator if the
patient/client is unable to sign, and Witness if the patient/client is unable to sign)
19
Required Elements of an
“Authorization to Release PHI” Form
continued
Core elements of form continued:
The client/patient must initial the types of PHI
being released in a “protected classes” section for
release of:
mental health information,
substance abuse information,
HIV/AIDS information,
developmental disabilities,
sexually transmitted disease information.
Continued…
20
Required Elements of an
“Authorization to Release PHI” Form
continued
Core elements of form continued:
Client/pt acknowledges “I UNDERSTAND THAT:”
I am authorizing the disclosure of this health information voluntarily.
I may not be denied treatment, payment, enrollment in a health plan or
eligibility for benefits if I refuse to sign this authorization.
I may receive a copy of this authorization if I request it.
My consent for this release of information is effective for
_______(time frame) or until ______ condition is met.
I may cancel my authorization at any earlier time by writing a note of
cancellation and giving it to __________________. I also understand
that when I give or cancel my consent, it is effective from that date
forward, and not retroactively.
Healthcare organizations are bound by rules that govern the use and
disclosure of protected health information. I have been given the DPH
Notice of Privacy Practices. I understand that the health care providers
within the San Francisco DPH Safety Net (which includes DPH civil
service treatment programs, DPH treatment contractors, and DPH
treatment affiliates) may further disclose information among themselves
to improve the care I receive without my prior authorization.
Recipients of this health information will not further use or disclose this
information to any non-DPH Safety Net entity, other than authorized
above, unless another authorization is obtained from me. (Exceptions
mandated by law are outlined in the DPH Notice of Privacy Practices.)
21
Governing Entities on
Confidentiality
The Federal HIPAA Privacy Rule requires
that individually-identifiable health
information be protected from unlawful
access or disclosure;
Much of the HIPAA Privacy Rule is
preempted by existing State laws, meaning that
California laws are stricter than HIPAA in
many cases;
The SF DPH Privacy Policies encompass the
above, and provide for further protections.
22
Use and Disclosure Policy
When you are
disclosing (sharing) a
patient’s PHI outside
of DPH Safety Net,
special rules may apply
(as follows).
23
DPH Privacy Policy Matrix for
Sharing Patient Health Information Between Treatment Providers

Columns: # | When | And the agency being asked for patient information is a: | And the patient’s health information being requested relates to: | Then a PRIOR signed client authorization form***:

Row I: When both programs ARE members of the DPH Safety Net*
  Agency being asked is a: 1. Mental Health program or facility, 2. HIV Program or Facility, 3. Medical Program or Facility, and/or 4. A program where diagnostic information is known
  Information requested relates to: a. Medical Condition, b. Mental Health Condition*****, c. Substance Use/Abuse**, d. HIV/AIDS Condition, including HIV test results, e. STD Condition****, and/or f. Other Health Condition
  Then a prior signed client authorization form*** IS NOT necessary before patient information may be shared.

  Agency being asked is a: 5. Substance Abuse Program
  Information requested relates to: Any condition.
  Then a prior signed client authorization form*** IS necessary before patient information may be shared.
  EXCEPTION: During an emergency situation when the patient’s life is threatened.

Row II: When one program is NOT a member of the DPH Safety Net*
  Then a prior signed client authorization form*** IS necessary before patient information may be shared.
  EXCEPTIONS:
  - During an emergency situation when the patient’s life is threatened.
  - When the course of treatment requires that an individual be referred to another provider outside the DPH Safety Net.
  - For the City Clinic when information is necessary to complete treatment of STD****.
  - To treatment providers of a correctional facility when the individual is currently incarcerated.
24
SEE NEXT SLIDE FOR FOOTNOTE EXPLANATIONS. Revised 01-03-07
DPH Privacy Policy Matrix for
Sharing Patient Health Information Between Treatment Providers
* DPH Safety Net includes individuals, programs and agencies that furnish health services in the normal
course of their business, and is comprised of DPH hospitals, DPH clinics, DPH civil service providers,
EMS Treatment Providers, DPH affiliate and contract treatment providers and Human Service Agency
case management and clinical providers as listed in the document located at
http://dphnet/Privacy/default.htm for DPH staff and
http://www.sfdph.org/dph/comupg/oservices/medSvs/HIPAA/default.asp from outside the DPH.
** Physical patient records/documents received previously from substance abuse programs may not be
re-released without client authorization; however the knowledge gained or clinical impressions provided
may be released to another treatment provider without prior client authorization.
*** Authorization to Release Protected Health Information forms must meet the requirements of the
Federal Privacy Rule (HIPAA), be signed, and placed in the respective patient’s/client’s chart/file.
**** The City Clinic, which screens and treats STDs, will release information without authorization only if
necessary to complete treatment of the patient’s STD. All other requests for information require a
signed client authorization form before patient information may be shared.
***** The following types of client/patient information are to be included and integrated into the
patient/client’s medical record/chart and are to be shared verbally and/or in writing with other Safety Net
treatment providers when requested (prior authorizations are not required): medication prescription and
monitoring, counseling session start and stop times, the modalities and frequencies of treatment
furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status,
the treatment plan, symptoms, prognosis, and progress to date.
25
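The sharing matrix and its footnotes, encoded as a policy decision function so that a proposed disclosure can be checked the same way every time. This is an added example for this review, not DPH code; the field names are assumptions, and the handling of footnote ** (physical substance abuse records may not be re-released without authorization) is this example's reading of that footnote.

```python
# Added example (not part of the DPH training deck): the sharing matrix as a
# policy decision function. Field names are assumptions for this illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class SharingRequest:
    """Facts about a proposed disclosure between two treatment providers."""
    both_in_safety_net: bool                              # matrix "When" column
    source_is_substance_abuse_program: bool               # row I, agency type 5
    rereleasing_substance_abuse_records: bool = False     # footnote **
    life_threatening_emergency: bool = False              # rows I and II exception
    referral_outside_safety_net: bool = False             # row II exception
    city_clinic_completing_std_treatment: bool = False    # row II / footnote ****
    correctional_provider_for_incarcerated_patient: bool = False  # row II exception


@dataclass(frozen=True)
class Decision:
    authorization_required: bool
    basis: str


def evaluate_sharing(req: SharingRequest) -> Decision:
    """Return whether a PRIOR signed client authorization form is needed."""
    if not req.both_in_safety_net:
        # Row II: authorization is required unless a listed exception applies.
        if req.life_threatening_emergency:
            return Decision(False, "row II exception: life-threatening emergency")
        if req.referral_outside_safety_net:
            return Decision(False, "row II exception: referral outside the Safety Net")
        if req.city_clinic_completing_std_treatment:
            return Decision(False, "row II exception: City Clinic completing STD treatment")
        if req.correctional_provider_for_incarcerated_patient:
            return Decision(False, "row II exception: correctional facility provider")
        return Decision(True, "row II: one program is not a DPH Safety Net member")

    # Row I: both programs are Safety Net members.
    if req.source_is_substance_abuse_program:
        # Agency type 5: any condition needs authorization, except in an emergency.
        if req.life_threatening_emergency:
            return Decision(False, "row I.5 exception: life-threatening emergency")
        return Decision(True, "row I.5: disclosing program is a substance abuse program")
    if req.rereleasing_substance_abuse_records:
        # Footnote **: physical records received earlier from a substance abuse
        # program may not be re-released without client authorization.
        return Decision(True, "footnote **: re-release of substance abuse program records")
    return Decision(False, "row I.1-4: both programs are Safety Net members")


if __name__ == "__main__":
    for request in (
        SharingRequest(True, False),
        SharingRequest(True, True),
        SharingRequest(False, False, referral_outside_safety_net=True),
    ):
        print(evaluate_sharing(request))
```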
PHI and the Media
All: No information may be released
about mental health and substance
abuse clients (including their presence
in the facility or program). HIV test
results may not be released.
DPH Workforce: You must consult
the DPH Public Information Officer
before speaking to the press (554-2507).
Due to the sensitive and legal
implications surrounding patient’s
rights and their confidentiality, you
must also confer with your Privacy
Officer before speaking to the press
about any client or patient.
26
“Privacy and the
Conduct of Research” Policy
Research conducted
using PHI of DPH
patients:
must have DPH
administrative approval
must be approved by a
duly-constituted IRB
must have the patient’s
authorization to use his
or her PHI, or an
IRB/DPH Waiver
27
Data Security
28
Data Security Policies
Guiding Principle: Each of us is responsible for
protecting data/information and workstations/PDAs
that are entrusted to us for use in our jobs:
From LOSS (theft, erasure, copying);
From DAMAGE (inaccuracy, error, deception);
From MISUSE (unauthorized access, non-mission activities).
29
Level of Access to Data
Users are granted information system privileges
on the basis of job assignment;
You may only give PHI to someone who is
authorized to receive it;
Each user must sign a compliance agreement prior to
access;
Privileges may be restricted, changed, or revoked
if job duties change.
30
User ID / Password Rules
No one is allowed to log onto a client/patient
information system anonymously;
When systems allow it, each user who is assigned a
User ID and a Password should change them
periodically;
Always create and use “complex” passwords
containing letters, numbers, symbols;
Do NOT tell anyone else your User ID or
Password, not even your supervisor or IS staff;
Do NOT write them down.
31
System Access Considerations
Each attempt to log-on or read
files is monitored and recorded;
Do NOT attempt to access DPH
systems or data to which you
are not authorized;
Do NOT search, open, or view
patient PHI unless you are
authorized to do so (Is that
client/patient verifiably under
your care?);
Do NOT remove PHI via
portable media or devices
without administrative approval.
32
Workstations/PDAs
Devices must be set to “time-out”;
Do NOT leave workstations or portable devices
unattended;
DO log out / disable your device before you leave area;
Do NOT place your monitor so it can be read by
unauthorized persons;
Store portable devices in secure locations;
Store PHI in encrypted form, or password-protected
when encryption is not available;
Be present at the fax and printer when documents
print-out;
Immediately report theft or loss of PDAs to
management and, as appropriate, site security staff
and/or local law enforcement authorities.
33
Storage of PHI
PHI & confidential
information must
be stored such
that it cannot be
accessed by
unauthorized
personnel.
34
PHI Disposal / Destruction
Disposal of equipment
must be in accordance
with HIPAA security
policies.
Documents and discs
may be put in
confidential shredding
bins.
Data storage devices
that may contain PHI
must be rendered
unreadable before
being recycled or
discarded.
35
PHI Transmission
PHI may be sent as regular text
only within e-mails sent between
Protected Network users (addresses ending
in /DPH/SFGOV or @sfdph.org)
or the UCSF directory.
E-mails sent outside the
Protected Network must have all
PHI encrypted or password-
protected.
Unprotected PHI should not be
sent to, or transmitted from,
personal email accounts (aol,
yahoo, earthlink, etc).
A confidentiality statement should
be appended to emails, faxes, or
paper documents that include PHI
or personal/confidential
information.
Prior to transmission, E-mail
addresses, fax numbers, phone
numbers, URLs, etc. are to be
confirmed as correct and valid.
36
Communicating with Clients
Be sure clients have not
restricted
communication before
telephoning or
attempting to contact.
Do not leave results on
voicemail.
Speak only with clients
about results or
appointments.
37
Compliance
38
DPH Privacy Policy Compliance
Effective July 1, 2004, all DPH Safety Net
providers (contract and civil service) became subject to
audits to determine their compliance with the DPH Privacy
Policy using the six compliance standards as outlined on the
next slide.
Beginning in FY0506, findings of compliance or non-
compliance and corrective actions (if any) were integrated
into the provider’s monitoring report under the
“Compliance” category.
39
Privacy Policy Compliance
Standards
Item #1: DPH Privacy Policy is integrated in the program's governing
policies and procedures regarding patient privacy and confidentiality.
Item #2: All staff who handle patient health information are oriented (new
hires) and trained in the program's privacy/confidentiality policies and
procedures.
Item #3: A Privacy Notice that meets the requirements of the Federal
Privacy Rule (HIPAA) is written and provided to all patients/clients served
in their threshold and other languages. If the document is not available in the
patient’s/client’s relevant language, verbal translation is provided.
Item #4: A Summary of the above Privacy Notice is posted and visible in
registration and common areas of treatment facility.
Item #5: Each disclosure of a patient's/client’s health information for
purposes other than treatment, payment, or operations is documented.
Item #6: Authorization for disclosure of a patient's/client’s health
information is obtained prior to release (1) to providers outside the DPH
Safety Net or (2) from a substance abuse program.
40
Non-Adherence…
Workforce members who violate the DPH Privacy
Policies may be faced with disciplinary action up
to, and including, termination;
Findings of non-compliance with DPH Privacy
policies will result in corrective action plans and
may jeopardize contracts and MOUs with the DPH;
For all, violation of Federal and State laws
regarding patient privacy may subject you to
substantial monetary penalties and/or make you
the subject of a civil or criminal action pursuant to
HIPAA, the California Medical Information Act,
the Welfare and Institutions Code, and other
federal and state privacy laws.
41
Resources
42
Complaints about Privacy
All violations must be
reported to your Privacy
Officer (see next to last
slide).
Complaints regarding
privacy may be referred to
your DPH Privacy Officer.
Individuals may also
anonymously call the DPH
Privacy Hotline at 415-206-2354
Or call the Secretary of
the US Department of
Health and Human Services
at 415-437-8310
43
Questions?
Please take time to read and review the policy documents located
at your worksite or at the following websites:
DPH staff (intranet):
http://dphnet/Privacy/default.htm
Outside the DPH (public site):
http://www.sfdph.org/dph/comupg/oservices/medSvs/HIPAA/default.asp
Review DHHS Privacy Rule Language:
http://www.access.gpo.gov/nara/cfr/waisidx_02/45cfr164_02.html
Or contact your Privacy Officer (see next slide).
44
DPH Privacy Board
Name, Representing, Phone
Deborah Sherwood (Chair), Community Programs (Research), 255-3435
Cheryl Austin, Laguna Honda Hospital, 759-2349
Frank Kuziel, SFGHMC Campus, 206-6210
Dan Kelly, Human Services Agency, 557-5871
Dave Counter, Information Systems Department, 255-3575
Doug Eckman / Sue Carlisle, SFGH/UCSF Dean's Office, 206-3195
Joe Goldenson, Jail Medical Services, 995-1701
Kathy Murphy, City Attorney’s Office, 206-2380
Maria X Martinez, Community Programs, EMS, and all DPH affiliate/contractor programs not covered above, 255-3706
45
Post Test
46
Certificate of Completion – DPH Privacy and Data Security Policies-Annual Review [v.Sept08]
After completing the course, print this page, answer the questions below, and submit it to your immediate supervisor.
Name (please print): ____________________________________________________________
Section/Division: ______________________________________ Phone: ___________________
Signature: _________________________________________ Date: _________Year:________
Supervisor’s Name: _____________________________________________________________
Please circle the correct answer (reference slide #):
1 True or False: (12) Every new client/patient must be provided with (and be given the opportunity to sign that they
received) the document “Summary DPH Notice of HIPAA Privacy Practices.”
2 True or False: (25) The DPH Safety Net includes clinicians and treatment providers employed by the DPH as well as with
programs and agencies that are covered under contracts, affiliations, or MOUs by the DPH.
3 True or False: (24) Client/Patient authorizations are not necessary for mental health and primary care providers to
share PHI for treatment purposes, if both providers are in the DPH Safety Net.
4 True or False: (24) Client/Patient authorizations are always necessary for substance abuse programs to share PHI with
anyone outside their program, except as allowed or required by law.
5 True or False: (12) Mental Health staff must review privacy rights annually with their clients and review that PHI may
be shared (as allowed and necessary) in verbal, electronic, and paper formats.
6 True or False: (26) No information about mental health or substance abuse clients, including their presence in the
facility or program, may be released to the media.
7 True or False: (8) I may only view/share PHI of clients/patients who are under my care (unless otherwise authorized by
administration).
8 True or False: (35) Data storage devices that may contain PHI must be rendered unreadable before being recycled or
discarded.
9 True or False: (37) Be sure clients have not restricted communication before telephoning or attempting to contact.
10 True or False: (34) PHI and personal/confidential information may be sent as regular text only within E-mails sent
between Protected Network users (email addresses ending in /DPH/SFGOV or @sfdph.org) or the UCSF
directory. Unprotected PHI should not be sent to, or transmitted from, personal email accounts (aol,
47