HIPAA Privacy

DPH Privacy and Data Security Policies
Annual Review

City and County of San Francisco
Department of Public Health and DPH Safety Net Providers
Updated October 7, 2008
Training Overview

   Sharing PHI
   Data Security
   Compliance
   Summary
   Resources
   Post Test

Health Insurance Portability and Accountability Act
(1996 Kennedy/Kassebaum Act)

3 Requirements of HIPAA

   Privacy Rule
    Affects how and which health information may be used or disclosed for an identified individual.

   Data Security Rule
    Affects electronic transmission, storage, processing and display of PHI, as well as access to and use of the equipment that does so.

   Transaction and Code Set Standards
    Affects how healthcare-related billing and eligibility transactions are conducted. (Not covered in this handout.)
The Language of the HIPAA Privacy Rule

   “PHI” (Protected Health Information)
   “Minimum Necessary”
   “TPO” (Treatment, Payment, and Health Care Operations)

Language of the HIPAA Privacy Rule:
PHI, Protected Health Information

   PHI is information relating to an individual’s health, care received, and/or payment for services (including demographics) that can be individually identified as belonging to a particular person.
   It applies to both paper documents and electronic data sets that include PHI.

Language of the HIPAA Privacy Rule:
“Minimum Necessary”

   Sharing of PHI shall be restricted to the minimum amount of PHI a health worker needs to know to complete his or her task.

Language of the HIPAA Privacy Rule:
TPO: “Treatment”

   “Treatment” means providing, coordinating or managing a patient’s care, including patient education and training, consultations between providers, and referrals.

   CAUTION! Unless you have administrative approval, you may only view or share PHI of clients/patients who are under your care.
Language of the HIPAA Privacy Rule:
TPO: “Payment”

   “Payment” means activities related to DPH being paid for services rendered, including eligibility determinations, billing, claims management, utilization review, and debt collection.

Language of the HIPAA Privacy Rule:
TPO: “Health Care Operations”

   “Health care operations” means activities such as quality assessment, student training, contracting for health care services, medical review, legal services, auditing, business planning and development, licensing and accreditation, business management, and general administrative
Client/Patient Rights under the
HIPAA Privacy Rule

   1. To refuse to authorize disclosures of PHI (for purposes other than TPO);
   2. To request confidential
   3. To access medical records;
   4. To request restrictions on the use and disclosure of PHI for TPO;
   5. To revoke authorization;
   6. To request an accounting of disclosures.
Client/Patient Rights under the
HIPAA Privacy Rule

   Every new DPH client must be provided with the “DPH Notice of HIPAA Privacy Practices.” This policy applies to individuals served by DPH, its contract providers, affiliates and providers covered under MOUs.
   The Notice describes how health information may be used and disclosed. It also describes the patient/client’s rights regarding the use of that information.
Summary DPH Notice of HIPAA Privacy Practices says…

Mental Health staff must review the
DPH Privacy Notice annually with their
clients. Staff are also asked to discuss
with their clients that PHI may be
shared (as allowed and necessary) in
verbal, electronic, and paper formats.

Sharing PHI

PHI Use and Disclosure Policy

   Generally, when you are using a client’s/patient’s PHI for TPO, you do not need to ask them for their approval (exceptions follow on the next page).
   Unless you have prior administrative approval, you may only view and share PHI of clients/patients who are under your care.
HIPAA: Accounting of Disclosures

Providers have 60 calendar days to provide an accounting of disclosures (made in the six years prior to the date on which the accounting is requested, or a shorter time period as requested) upon written request by the patient/client or family/guardian.

The DHHS privacy rule regarding accounting of disclosures may be found in section 164.528 of the following webpage:

The following disclosures do NOT need to be accounted for:
   1. Mandatory reports made to CPS and APS;
   2. Authorized by the client;
   3. Made to the client;
   4. To carry out treatment, payment, and health care operations;
   5. For national security or intelligence purposes.
HIPAA: Accounting of Disclosures

ALL OTHER DISCLOSURES DO* need to be accounted for; thus programs must document if and when any of the following disclosures of PHI occur:

   Law Enforcement - Disclosures to all law enforcement, unless otherwise exempted.
   Public Health Authorities - Reports of disease and injury, or to conduct public health studies or investigations.
   Health and Safety Purposes - Disclosures to protect the health or safety of a person, such as Tarasoff.
   Legal Proceedings - Pursuant to court order, subpoena, etc.
   Government Entity - Disclosures to any government entities, unless otherwise exempted.
   Wrongful disclosures of PHI, as disallowed by Federal and State laws and City and County of San Francisco policies.

* Please refer to DHHS language for further clarification or contact your Privacy Officer with questions.
PHI and Authorizations

   Authorization to Release PHI forms must meet HIPAA requirements, be signed, and placed in the respective patient’s/client’s chart/file.
   Individuals have a right to revoke authorizations at any time if they do so in writing.
   Treatment shall not be denied based on the refusal of an individual to authorize the use or disclosure of his or her PHI.
Required Elements of an
“Authorization to Release PHI” Form

Authorization forms may not be combined with any other document (e.g., with consent for treatment forms) to create a “compound authorization.”
HIPAA and State regulations require that each authorization include the following elements:
   Client’s/Patient’s name and date of birth
   Name of the disclosing entity/facility
   Name and address of the facility/individual to receive the information
   Description of the information to be disclosed
   Description of the purpose of the disclosure
   Expiration date or condition upon which the authorization is terminated
   Signatures and dates (Patient/Client; if applicable, Parent/Guardian/Conservator if the patient/client is unable to sign, and Witness if the patient/client is unable to sign)
Required Elements of an
“Authorization to Release PHI” Form

Core elements of form continued:
   The client/patient must initial the types of PHI being released in a “protected classes” section for release of:
      mental health information,
      substance abuse information,
      HIV/AIDS information,
      developmental disabilities,
      sexually transmitted disease information.

Required Elements of an
“Authorization to Release PHI” Form

Core elements of form continued:
   The client/patient acknowledges “I UNDERSTAND THAT:”
      I am authorizing the disclosure of this health information voluntarily.
      I may not be denied treatment, payment, enrollment in a health plan or eligibility for benefits if I refuse to sign this authorization.
      I may receive a copy of this authorization if I request it.
      My consent for this release of information is effective for _______ (time frame) or until ______ condition is met.
      I may cancel my authorization at any earlier time by writing a note of cancellation and giving it to __________________. I also understand that when I give or cancel my consent, it is effective from that date forward, and not retroactively.
      Healthcare organizations are bound by rules that govern the use and disclosure of protected health information. I have been given the DPH Notice of Privacy Practices. I understand that the health care providers within the San Francisco DPH Safety Net (which includes DPH civil service treatment programs, DPH treatment contractors, and DPH treatment affiliates) may further disclose information among themselves to improve the care I receive without my prior authorization.
      Recipients of this health information will not further use or disclose this information to any non-DPH Safety Net entity, other than as authorized above, unless another authorization is obtained from me. (Exceptions mandated by law are outlined in the DPH Notice of Privacy Practices.)
Governing Entities on

   The Federal HIPAA Privacy Rule requires that individually identifiable health information be protected from unlawful access or disclosure;
   Much of the HIPAA Privacy Rule is preempted by existing State laws, meaning California laws are stricter than HIPAA in many cases;
   The SF DPH Privacy Policies encompass the above, and provide for further protections.

Use and Disclosure Policy

   When you are disclosing (sharing) a patient’s PHI outside of the DPH Safety Net, special rules may apply (as follows).

DPH Privacy Policy Matrix for
Sharing Patient Health Information Between Treatment Providers

Columns: (#) When | And the agency being asked for patient information is a: | And the patient’s health information being requested relates to: | Then a PRIOR signed client authorization form***:

I.  When: Both programs ARE members of the DPH Safety Net*
    Agency being asked is a: 1. Mental Health program or facility, 2. HIV Program or Facility, 3. Medical Program or Facility, and/or 4. A program where diagnostic information is known
    Information requested relates to: a. Medical Condition, b. Mental Health Condition*****, c. Substance Use/Abuse**, d. HIV/AIDS Condition, including HIV test results, e. STD Condition****, and/or f. Other Health Condition
    Prior signed authorization: IS NOT necessary before patient information may be shared.

I.  When: Both programs ARE members of the DPH Safety Net*
    Agency being asked is a: 5. Substance Abuse Program
    Information requested relates to: Any condition.
    Prior signed authorization: IS necessary before patient information may be shared.
    EXCEPTION: During an emergency situation when the patient’s life is threatened.

II. When: One program is NOT a member of the DPH Safety Net*
    Prior signed authorization: IS necessary before patient information may be shared.
    EXCEPTIONS:
      During an emergency situation when the patient’s life is threatened.
      When the course of treatment requires that an individual be referred to another provider outside the DPH Safety Net.
      For the City Clinic when information is necessary to complete treatment of an STD.
      To treatment providers of a correctional facility when the individual is currently incarcerated.

SEE NEXT SLIDE FOR FOOTNOTE EXPLANATIONS.                                                    Revised 01-03-07
DPH Privacy Policy Matrix for
Sharing Patient Health Information Between Treatment Providers

*      DPH Safety Net includes individuals, programs and agencies that furnish health services in the normal
       course of their business, and is comprised of DPH hospitals, DPH clinics, DPH civil service providers,
       EMS Treatment Providers, DPH affiliate and contract treatment providers and Human Service Agency
       case management and clinical providers as listed in the document located at
       http://dphnet/Privacy/default.htm for DPH staff and
       http://www.sfdph.org/dph/comupg/oservices/medSvs/HIPAA/default.asp from outside the DPH.

**     Physical patient records/documents received previously from substance abuse programs may not be
       re-released without client authorization; however the knowledge gained or clinical impressions provided
       may be released to another treatment provider without prior client authorization.

***    Authorization to Release Protected Health Information forms must meet the requirements of the
       Federal Privacy Rule (HIPAA), be signed, and placed in the respective patient’s/client’s chart/file.

****   The City Clinic, which screens and treats STDs, will release information without authorization only if
       necessary to complete treatment of the patient’s STD. All other requests for information require a
       signed client authorization form before patient information may be shared.

***** The following types of client/patient information are to be included and integrated into the
      patient/client’s medical record/chart and are to be shared verbally and/or in writing with other Safety Net
      treatment providers when requested (prior authorizations are not required): medication prescription and
      monitoring, counseling session start and stop times, the modalities and frequencies of treatment
      furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status,
      the treatment plan, symptoms, prognosis, and progress to date.
PHI and the Media

   All: No information may be released about mental health and substance abuse clients (including their presence in the facility or program). HIV test results may not be released.
   DPH Workforce: You must consult the DPH Public Information Officer before speaking to the press (554-2507). Due to the sensitive and legal implications surrounding patients’ rights and their confidentiality, you must also confer with your Privacy Officer before speaking to the press about any client or patient.
“Privacy and the Conduct of Research” Policy

   Research conducted using PHI of DPH:
      must have DPH administrative approval;
      must be approved by a duly-constituted IRB;
      must have the patient’s authorization to use his or her PHI, or an IRB/DPH Waiver.
Data Security

Data Security Policies

Guiding Principle: Each of us is responsible for protecting data/information and workstations/PDAs that are entrusted to us for use in our jobs
    From LOSS (theft, erasure, copying)
    From DAMAGE (inaccuracy, error, deception)
    From MISUSE (unauthorized access, non-mission activities)

Level of Access to Data

   Users are granted information system privileges on the basis of job assignment;
   You may only give PHI to someone who is authorized to receive it;
   Each must sign a compliance agreement prior to
   Privileges may be restricted, changed, or revoked if job duties change.

User ID / Password Rules

   No one is allowed to log onto a client/patient information system anonymously;
   When systems allow it, each user who is assigned a User ID and a Password should change them
   Always create and use “complex” passwords containing letters, numbers, and symbols;
   Do NOT tell anyone else your User ID or Password, not even your supervisor or IS staff;
   Do NOT write them down.
System Access Considerations

   Each attempt to log on or read files is monitored and recorded;
   Do NOT attempt to access DPH systems or data to which you are not authorized;
   Do NOT search, open, or view patient PHI unless you are authorized to do so (Is that client/patient verifiably under your care?);
   Do NOT remove PHI via portable media or devices without administrative approval.

   Devices must be set to “time-out”;
   Do NOT leave workstations or portable devices
   DO log out / disable your device before you leave the area;
   Do NOT place your monitor so it can be read by unauthorized persons;
   Store portable devices in secure locations;
   Store PHI in encrypted form, or password protected when encryption is not available;
   Be present at the fax and printer when documents
   Immediately report theft or loss of PDAs to management and, as appropriate, site security staff and/or local law enforcement authorities.
Storage of PHI

   PHI and confidential information must be stored such that it cannot be accessed by

PHI Disposal / Destruction

   Disposal of equipment must be in accordance with HIPAA security
   Documents and discs may be put in confidential shredding
   Data storage devices that may contain PHI must be rendered unreadable before being recycled or

PHI Transmission

   PHI may be sent as regular text only within e-mails sent between Protected Network users (email addresses ending in /DPH/SFGOV or @sfdph.org) or the UCSF directory.
   E-mails sent outside the Protected Network must have all PHI encrypted or password-protected.
   Unprotected PHI should not be sent to, or transmitted from, personal email accounts (aol, yahoo, earthlink, etc).
   A confidentiality statement should be appended to emails, faxes, or paper documents that include PHI or personal/confidential information.
   Prior to transmission, e-mail addresses, fax numbers, phone numbers, URLs, etc. are to be confirmed as correct and valid.
Communicating with Clients

   Be sure clients have not restricted communication before telephoning or attempting to contact.
   Do not leave results on
   Speak only with clients about results or appointments.

DPH Privacy Policy Compliance

Effective July 1, 2004, all DPH Safety Net providers (contract and civil service) became subject to audits to determine their compliance with the DPH Privacy Policy using the six compliance standards as outlined on the next slide.

Beginning in FY0506, findings of compliance or non-compliance and corrective actions (if any) were integrated into the provider’s monitoring report under the “Compliance” category.

Privacy Policy Compliance

   Item #1: DPH Privacy Policy is integrated in the program's governing policies and procedures regarding patient privacy and confidentiality.
   Item #2: All staff who handle patient health information are oriented (new hires) and trained in the program's privacy/confidentiality policies and
   Item #3: A Privacy Notice that meets the requirements of the Federal Privacy Rule (HIPAA) is written and provided to all patients/clients served in their threshold and other languages. If the document is not available in the patient’s/client’s relevant language, verbal translation is provided.
   Item #4: A Summary of the above Privacy Notice is posted and visible in registration and common areas of the treatment facility.
   Item #5: Each disclosure of a patient's/client’s health information for purposes other than treatment, payment, or operations is documented.
   Item #6: Authorization for disclosure of a patient's/client’s health information is obtained prior to release (1) to providers outside the DPH Safety Net or (2) from a substance abuse program.
   Workforce members who violate the DPH Privacy
   Policies may be faced with disciplinary action up
   to, and including, termination;

   Findings of non-compliance with DPH Privacy
   policies will result in corrective action plans and
   may jeopardize contracts and MOUs with the DPH;

   For all, violation of Federal and State laws
   regarding patient privacy may subject you to
   substantial monetary penalties and/or make you
   the subject of a civil or criminal action pursuant to
   HIPAA, the California Medical Information Act,
   the Welfare and Institutions Code, and other
   federal and state privacy laws.

Complaints about Privacy

   All violations must be reported to your Privacy Officer (see next to last
   Complaints regarding privacy may be referred to your DPH Privacy Officer.
   Individuals may also anonymously call the DPH Privacy Hotline at 415-
   Or call the Secretary of the US Department of Health and Human Services at 415-437-8310
Please take time to read and review the policy documents located
at your worksite or at the following websites:

DPH staff (intranet):

Outside the DPH (public site):

Review DHHS Privacy Rule Language:

Or contact your Privacy Officer (see next slide).
DPH Privacy Board
Name, Representing                                                              Phone

Chair, Deborah Sherwood, Community Programs (Research)
Cheryl Austin, Laguna Honda Hospital                                            759-2349
Frank Kuziel, SFGHMC Campus                                                     206-6210
Dan Kelly, Human Services Agency                                                557-5871
Dave Counter, Information Systems Department                                    255-3575
Doug Eckman / Sue Carlisle, SFGH/UCSF Dean's Office
Joe Goldenson, Jail Medical Services                                            995-1701
Kathy Murphy, City Attorney’s Office                                            206-2380
Maria X Martinez, Community Programs, EMS, and all DPH affiliate/contractor
  programs not covered above                                                    255-3706
Post Test

Certificate of Completion – DPH Privacy and Data Security Policies-Annual Review [v.Sept08]
After completing the course, print this page, answer the questions below, and submit it to your immediate supervisor.

Name (please print): ____________________________________________________________
Section/Division: ______________________________________ Phone: ___________________
Signature: _________________________________________ Date: _________Year:________
Supervisor’s Name: _____________________________________________________________

Please circle the correct answer (reference slide #):
1  True or False:  (12) Every new client/patient must be provided with (and be given the opportunity to sign that they received) the document “Summary DPH Notice of HIPAA Privacy Practices.”
2  True or False:  (25) The DPH Safety Net includes clinicians and treatment providers employed by the DPH as well as with programs and agencies that are covered under contracts, affiliations, or MOUs by the DPH.
3  True or False:  (24) Client/Patient authorizations are not necessary for mental health and primary care providers to share PHI for treatment purposes, if both providers are in the DPH Safety Net.
4  True or False:  (24) Client/Patient authorizations are always necessary for substance abuse programs to share PHI with anyone outside their program, except as allowed or required by law.
5  True or False:  (12) Mental Health staff must review privacy rights annually with their clients and review that PHI may be shared (as allowed and necessary) in verbal, electronic, and paper formats.
6  True or False:  (26) No information about mental health or substance abuse clients, including their presence in the facility or program, may be released to the media.
7  True or False:  (8) I may only view/share PHI of clients/patients who are under my care (unless otherwise authorized by
8  True or False:  (35) Data storage devices that may contain PHI must be rendered unreadable before being recycled or
9  True or False:  (37) Be sure clients have not restricted communication before telephoning or attempting to contact.
10 True or False:  (34) PHI and personal/confidential information may be sent as regular text only within E-mails sent between Protected Network users (email addresses ending in /DPH/SFGOV or @sfdph.org) or the UCSF directory. Unprotected PHI should not be sent to, or transmitted from, personal email accounts (aol, yahoo, earthlink, etc).