dhs privacy trainingdhs.sd.gov/guardianship/docs/hipaa training handouts.pdf · 2013. 3. 11. · 1...

1

DHS Privacy Training

HIPAA: It’s the Right Thing to Do


HealthInsurancePortability &AccountabilityAct

Privacy Rules & Regulations



HIPAA Privacy Rules protect you & your clients/patients

2



HIPAA will change…How you workHow you use & share informationForms Work site



HIPAA will change…HIPAA will change…HIPAA will change…How you workHow you workHow you workHow you use & share informationForms Forms Forms Work siteWork siteWork site


Training will provide overview of…

HIPAA & new DHSprivacy requirementsDefinitions of terms

3


Definitions


Definitions

“Portability”

Making information easier to transfer

to health care providers

HIPAA applies to all formats:ElectronicWrittenSpoken


Definitions

“Accountability”

Responsibility for keeping

information private

4


Definitions

Includes information about:Physical & mental healthTreatmentPayments

Insurance claimsBilling

“PHI” Protected

Health Information


Definitions

HIPAA HIPAA protects “PHI” protects “PHI”

DHS protects DHS protects allallconfidential confidential client/patient client/patient informationinformation

“PHI” Protected

Health Information


Definitions

“Covered Entities”

People & organizations

that must comply with HIPAA

5


Summary

Use your best judgment

Remember that HIPAA is not about…Refusing to share information, orWhether to work together

…it’s about privacy protection


Summary

DHS Policies & Procedures


Summary

DHS Policies & Procedures1. General Privacy2. Client/Patient Privacy Rights3. Uses & Disclosures4. Minimum Necessary5. Administrative, Technical & Physical Safeguards6. Research & Waivers7. De-Identification8. Business Associates9. Enforcement, Sanctions & Compliance

6

General Privacy

General Privacy

As a DHS employee, you…Have access to information that must be safeguardedMust understand:

How to use informationWhen to use itWhen not to use it

Must sign a “Privacy Program Statement of Understanding,” DHS Form 2091.

General Privacy

HIPAA Privacy Rules cover PHI

7

General Privacy

HIPAA Privacy Rules cover PHISee DHS

“Notice of Privacy Practices”

DHS Privacy Rulescover all information

General Privacy

DHS keeps information about:

DHS Clients/Patients

Participants

Licensees & Providers

General Privacy

DHS Clients/PatientsDHS Clients/Patients

8

General Privacy

DHS ServicesGuardianshipsOutpatientCommunity Programs


General Privacy

All client and patient information

is confidential

When can you use & disclose information? With authorization of client/patient orpersonal/legal repIf permitted by DHS “Uses & Disclosures” policy


General Privacy

Provide, use & disclose… minimum necessaryProvide, use & disclose… minimum necessary


9

General Privacy

“DHS Notice of Privacy Practices”

Provide to all clients, patients & applicantsDescribes client/patient rights re: use & disclosure


General Privacy

Participants

General Privacy

Participants

Must take Must take “reasonable “reasonable

steps” to steps” to safeguard safeguard

informationinformation

Is information “individually identifiable”?

If yes, it’s subject to…

Federal & state restrictionsDHS policies

10

General Privacy

Need to safeguard…Confidential informationInformation on client/patient payment responsibilityClient/patient information obtained during oversight activities

Licensees & Providers

General Privacy

When DHS policies conflict with laws, regulations or court orders…

Follow the stricter standardConsult supervisor

Clients/Patients can access…Their own information

Information DHS used to make decisions

Such as:

Drug test results

Client/Patient Privacy Rights

11


Clients/Patients cannot access…Psychotherapy notes


Clients/Patients cannot access…Psychotherapy notes

Information used in civil, criminal or administrative proceedings


Denial of AccessDenial of Access

DHS can deny access if…DHS can deny access if…May result in risk or harm

12



Does DHS have to let client/patient review denial?Does DHS have to let client/patient review denial?




NO, if…Information obtained under confidentiality promiseMust be someone other than health care provider




YES, if…

Information may endanger life or safety

13


AlternativesAlternatives


AlternativesAlternativesCan request DHS to send information:Can request DHS to send information:

By alternative means

To alternative location


AlternativesAlternativesCan request DHS to send information:Can request DHS to send information:

By alternative means

To alternative location

So it won’t be seen by

Family members

Abuser

14


AlternativesAlternativesRequests for alternatives…Requests for alternatives…

Must specify how or where to receive information


Accounting of DisclosuresAccounting of Disclosures

Who received information & PHI from DHS?



Lists disclosures for last 6 years

Will not include requests:

Made before April 14, 2003

Authorized by client/patient

Made for treatment, payment & health care operations

15



DHS can suspend right to receive accounting…

If it impedes work of health oversight agencies or law

enforcement

Clients/patients can request disclosure restrictions on information that is:

Required for treatment, payment, or health care operations

Disclosed to person involved in care

RestrictionsRestrictions




DHS can DHS can limit limit

or deny or deny restrictionrestriction

16



DHS cannot agree to restrict disclosure if it would:Adversely affect careLimit or prevent payment for services

Or if:Client/patient needs emergency treatment



Information is confidential under state law if it concerns:

Mental health treatment

STDs

Alcohol and Drug treatment



Must document:

All requests for restriction

Reasons for denying or granting requests

17

Client/Patient Privacy RightsAmendmentsAmendments

Clients/patients can requestamendment if information isnot:

Accurate

Timely

Relevant

Complete


Clients/patients must:Provide reason

DHS must:Honor valid requests


DHS can

deny requests

For example:

If information is accurate & complete

18


ComplaintsComplaintsClients/patients can file complaints about:

Improper use & disclosure

DHS privacy policies

DHS compliance with policies


ComplaintsComplaintsDHS must provide information

on how to file complaints


ComplaintsComplaintsCannot retaliate against complainantCannot retaliate against complainant

19


ComplaintsComplaintsCannot retaliate against complainant

Cannot require client/patient to relinquish rights as Cannot require client/patient to relinquish rights as condition for:condition for:Treatment

Payment

Enrollment

Eligibility


ComplaintsComplaints

All complaints & actions must be documented

Uses & Disclosures

Generally need signed authorization to release information

20

Uses & Disclosures

Treatment PaymentEnrollment inhealth planEligibility for benefits

Authorizations are generally voluntary

Cannot make authorization a condition of

Uses & Disclosures

Treatment PaymentEnrollment inhealth planEligibility for benefits

UnlessProviding research-related treatmentDetermining eligibilityPreparing PHI solely for disclosure

Authorizations are generally voluntary

Cannot make authorization a condition of

Authorization Form Must be completed jointlyCannot combine voluntary & required authorizations

How do you get client/patient authorization?

Uses & Disclosures

21

When is authorization…

Uses & Disclosures

Required?Disclosure from banks for financial qualificationIf not disclosed, client/patient is not eligible

Voluntary?Exchange of information with therapistIf not disclosed, client/patient is still eligible

Uses & Disclosures

A valid authorization form includes:Required elements

Uses & Disclosures

Once form is signed…Keep signed copy

Before disclosing information…Verify identityMake sure person has authority

22

Uses & Disclosures

Verbal AuthorizationVerbal AuthorizationUse for disclosure

to “previously named” person

Document oral communication in

client/patient’s case file

Inform client/patient in advanceClient/patient must agree, object, or restrict disclosure

Uses & Disclosures

Limited Disclosures without AuthorizationLimited Disclosures without Authorization

1. 1. Individual requests PHI

Uses & Disclosures


1. 1. Individual requests PHI

Cannot include:Psychotherapy notesInformation that could cause harmDocuments protected by attorney privilege

…among other information

23

Uses & Disclosures


2. 2. Information for payment, treatment & health care operations

Uses & Disclosures


3. 3. Psychotherapy notes for limited purposesTo provide treatmentTo train mental health practitionersFor health oversight activitiesTo defend DHS in legal action

Uses & Disclosures


4. 4. Adult abuse or neglect

24

Uses & Disclosures



Can disclose PHI if:Serious harm may result without itRequired by lawPerson agrees to disclosure

Uses & Disclosures



Can disclose PHI if:Serious harm may result without itRequired by lawPerson agrees to disclosure

What if victim is incapacitated?Can disclose to public official

if:Information won’t be used against victimWaiting would affect law enforcement

Uses & Disclosures


5. 5. Health oversight

25

Uses & Disclosures


5. 5. Health oversight

Can make disclosures to:Government agencies & benefit programsEntities seeking compliance information

Uses & Disclosures


6. 6. Judicial & administrative proceedings

Uses & Disclosures



Provide only PHI specified in the Court OrderRequires subpoena, discovery request, other legal processRecipient must make reasonable attempts to notify individual or secure protective order

26

Uses & Disclosures



Exception:

Special court order required for PHI about:Alcohol or drug treatment client/patient

Uses & Disclosures

Limited Disclosures without AuthorizationLimited Disclosures without Authorization7. Law enforcement7. Law enforcement

Uses & Disclosures


Can report wounds & injuriesCan disclose PHI to comply with legal ordersCan disclose to help identify or locate someone

27

Uses & Disclosures


Cannot disclose PHIrelated to:

DNA or DNA analysisDental recordsBodily fluids or tissues

Uses & Disclosures


Crime victims must agree to disclosure orally or in writing

Uses & Disclosures


In cases of incapacitation or emergency, you can disclose PHI if:Someone other than victim broke the lawInformation will not be used against victimLaw enforcement cannot waitDHS determines it is in the person’s best interests

28

Uses & Disclosures


8. 8. Specialized government functions

Uses & Disclosures


8. 8. Specialized government functions

Can disclose to:Can disclose to:Military command authorities re: Armed Forces personnelFederal officials engaged in national security activities

Uses & Disclosures


9. 9. Correctional institution & law enforcement officials

29

Uses & Disclosures


9. 9. Correctional institution & law enforcement officials

To provide inmate health careTo protect health & safety of inmates

Uses & Disclosures


10. 10. For DHS internal communications

Disclose “minimum necessary”

only

Uses & Disclosures


11. 11. Coroners & medical examiners12. 12. Funeral directors13. 13. Organ procurement organizations14. 14. Research purposes15. 15. To avert serious threat to health or safety16. 16. In case of emergency

30

Uses & Disclosures

ReRe--DisclosureDisclosure

Uses & Disclosures

ReRe--DisclosureDisclosureRecipient may disclose PHI to third party

Once PHI leaves DHS, it’s no longer protected by DHS

policy

Uses & Disclosures

ReRe--DisclosureDisclosureRecipient may disclose PHI to third party

Laws prohibit re-disclosure about:HIV/AIDSGeneticsMental health or developmentally disabled clients/patientsAlcohol & drug treatmentVocational rehabilitation

31

Uses & Disclosures

RevocationRevocationWritten authorizations can be revoked

Must be in writingMust be signed

Uses & Disclosures

RevocationRevocationWritten authorizations can be revoked

Exception:Drug & alcohol treatment clients/patientscan give oral revocation unless court ordered to treatment Revocation cannot apply to information already released

Minimum Necessary

Disclose & use least amount of information needed to accomplish purpose

32

Minimum Necessary

Disclose & use least amount of information needed to accomplish purposeMake reasonable effort to limit disclosures & requests……while having enough information to do your job

Minimum Necessary

Disclosure is “minimum necessary” if:Disclosing InformationDisclosing Information

Minimum Necessary

Disclosing InformationDisclosing InformationDisclosure is “minimum necessary” if:

Authorized public official requests “minimum necessary” & has client/patient permissionRequester is “covered entity” under HIPAADHS employee or business associate uses information for DHS purposes & requests “minimum necessary”For qualified research purposes

33

Minimum Necessary

Disclosing InformationDisclosing Information

Cannot disclose entire record unless justifiedCannot disclose entire record unless justified

Minimum Necessary


Refer to “Uses & Disclosures” for disclosure guidelines

Minimum Necessary


Routine & Recurring

34

Minimum Necessary


Routine & Recurring

DHS will identify:What type of information to discloseWho can receive itConditions of access

Decisions apply to all subsequent disclosures

Minimum Necessary

Can access & use information to do

your job only while at work


Minimum Necessary

Not Routine

Not compatible with original

purpose.


35

Is disclosure routine or not?

Minimum Necessary


Is disclosure routine or not?Who is requesting information?Purpose of request?

Handle non-routine disclosures on case-by-case basis

Limit disclosures to “minimum necessary”

Minimum Necessary


Minimum Necessary

Non-routine disclosures are not common


36

If disclosure is routine:

Make sure DHS policies & rules permit requested useIdentify what kind of information is neededIdentify how much information is needed

Minimum Necessary


How do you know if it’s “minimum necessary”?

Minimum NecessaryAccessing & Using InformationAccessing & Using Information


How do you know if it’s “minimum necessary”? Depends on jobIs information needed to answer questions?

If uncertain, check with:Supervisor or HIPAA Privacy contact

37


Do not request entire record without justification



For routine & recurring requests:Limit information requested to “minimum necessary”



For non-routine requests:Limit information requested to “minimum necessary”Handle on case-by-case basisDocument request & disclosure

38

To health care providers involved in client/patient’s treatmentTo Secretary of Health & Human ServicesTo client/patientAuthorized by client/patientRequired by lawRequired by HIPAA for electronic transactions

Minimum Necessary

Does not apply to requests & disclosures:Does not apply to requests & disclosures:

Administrative, Technical & Physical Safeguards

Must take reasonable steps to safeguard information against privacy

violations


Whether violation is…Intentional or unintentionalOn paper, electronic, oral or visual

Must take reasonable steps to safeguard information against privacy violations

39


“Reasonable safeguards”

Cannot guarantee privacy from “any & all potential risks”


Must take workplace circumstances into account, including:Effects on careExpenseAdministrative burden

“Reasonable safeguards”

Cannot guarantee privacy from

“any & all potential risks”


“Safeguards Assessment Tool” will help you:Assess security of PHIImprove privacy protection

“Safeguards Assessment Tool”

40


“Safeguards Assessment Tool” will help you:Assess security of PHIImprove privacy protection

“Safeguards Assessment Tool”

Administrators or Directors will determineAdministrators or Directors will determine“reasonable safeguards” “reasonable safeguards” for each office or facilityfor each office or facility


Help each other by:

Pointing out potential problems

Employees can help each other


Confidential information

Workplace PracticesWorkplace Practices

41


Confidential informationPaper

Must be in locked storage……or otherwise safeguarded by “reasonable efforts”




Must be in locked Must be in locked Must be in locked storage…storage…storage……or otherwise …or otherwise …or otherwise safeguarded by safeguarded by safeguarded by “reasonable“reasonable“reasonableefforts”efforts”efforts”

Workplace PracticesWorkplace PracticesBefore disposal…

Retain records for required timeStore in containers labeled “confidential”Secure after business hours




If no lockable storage If no lockable storage is available,is available,

use reasonable use reasonable procedures to procedures to

minimize accessminimize access

42



Shred on regular basis



Confidential informationOral

Make sure you’re not overheardUse designated rooms

OR…Use “reasonable safeguards”



Confidential informationOral


What are What are “reasonable “reasonable

safeguards”?safeguards”?

43



What are What are “reasonable “reasonable

safeguards”?safeguards”?In part…In part…

Depends on location Depends on location of conversationof conversation

Confidential informationOral– Low-risk locations

(enclosed rooms)– Medium-risk locations

(individual cubicles)– High-risk locations

(public areas)


Confidential informationVisual




Confidential informationVisual– Computer screens– Paper documents on faxes,

copiers & printers– Paper documents left in

common areas

44


Confidential informationVisual

Computer screensPaper documents on faxes, copiers & printersPaper documents left in common areas

Safeguard Safeguard paper paper

documentsdocuments

Use “minimum Use “minimum necessary”necessary”


Research & Waivers

What is research?

Research & Waivers

What is research?Contributes to knowledge of population as a wholeBased on sampleIncludes development, testing & evaluation

45

Research & Waivers

When can you disclose information?With client/patient’s written authorizationWithout client/patient’s written authorization

Requires waiver approved by:• Institutional Review Board (IRB)• DHS Privacy Board

Research & Waivers

Does research fall under HIPAA exceptions?

OR

Do other laws permit disclosure?

Disclosure Without Authorization or Waiver

Requests for PHI before research beginsRequests for PHI before research begins

Research & WaiversDisclosure Without Authorization or Waiver

Requests for PHI before research beginsRequests for PHI before research begins

Researcher must agree to certain conditions

in writing

In case of doubt,request review & waiver

46


Requests for PHI about deceasedRequests for PHI about deceased

Does research fall under HIPAA exceptions?

OR

Do other laws permit disclosure?



Check policies or

askHIPAA

PrivacyContact



Disclosure may be Disclosure may be inappropriateinappropriate

47



In case of doubt,request

review & waiver

De-Identification

Does not specifically identify peopleDoesn’t need privacy protectionCan be used by anybody for any purpose

DeDe--identified information…identified information…

De-Identification

How do you know if information is How do you know if information is properly deproperly de--identified?identified?

48

De-Identification

1. Statistician (or other professional) de-identifies information


De-Identification


2. DHS removes identifiers for individual, relatives, employers & household members:

A. NamesB. Geographic information (smaller than state)C. All specific dates except yearD. Telephone numbers

De-Identification


2. DHS removes identifiers for individual, relatives, employers & household members:

E. Social Security numbersF. Medical record numbersG. Health plan beneficiary numbersH. Unique characteristic, number or code

49

De-Identification

If individual cannot be identified based on information:Provided, orCombined with other information


De-Identification

Limited Data SetsLimited Data Sets

De-Identification

Do not contain direct identifiersCan contain “potentially identifying”information


50

De-Identification


Can be used…Can be used…

De-Identification

1. By DHS (for its own work)2. For research &

non-governmental public health purposes– Requires data use agreement


Can be used…Can be used…

De-Identification

DHS is not obligated to disclose informationOther disclosure policies may apply

51

De-Identification

Enables you to check original recordsRe-identification process done at DHSProcess cannot be disclosed

ReRe--Identifying InformationIdentifying Information

Business Associates

New category of business relationship

Business Associates are…

Not DHS employeesContractors or business partnersWork on behalf of DHSRequire disclosure of PHI

52

DHS Business Associates

Examples:Food managementPsychiatric servicesComputer servicesLegal servicesMedical servicesFinancial services

Summary

A Business AssociateProvides specific services…on behalf of DHS…that require use or disclosure of PHI.

Business Associates

Must haveLegal contract, orMemorandum of Understanding

Must requireSafeguards

53

Business Associates

Provides specific services…on behalf of DHS…that require use or disclosure of PHI.

Government Agency?Government Agency?

Can You Disclose PHI to Government Agencies?

Can You Disclose PHI to Government Agencies?

Only if they are involved in:

Paying for health care servicesProviding health care servicesProcessing claims

54

Business Associates

Government Agency?Government Agency?

DHS should have

Memorandum of Understanding

with government

agencies

A Business Associate requiresContract orMemorandum of Understanding

...to establish good-faith assurance of privacy

Summary

Business Associates

Client/patient authorizes PHI releaseDHS does not need to release PHIClient/patient cannot be identified

NO Business Associate relationship neededwhen:

55

Summary

Before you execute a Business Associate contract...Is entity doing business on behalf of DHS?Will PHI be exchanged?Is entity an “exception”?

Summary

If you don’t need it, don’t do it !If you don’t need it, don’t do it !

Enforcement, Sanctions & Penalties

Employees have to:Safeguard PHIKnow responsibilities under DHS policies


What happens if you violate policies?What happens if you violate policies?

Subject to penalties & disciplinary action?Subject to penalties & disciplinary action?

56



Subject to penalties & disciplinary action?Subject to penalties & disciplinary action?You can lose your jobDid you knowingly & willfully violate law?If so, subject to:

Criminal investigation & prosecutionCivil penalties



Subject to penalties & disciplinary action?Subject to penalties & disciplinary action?You can lose your jobDid you knowingly & willfully violate law?If so, subject to:

Criminal investigation & prosecutionCivil penalties

DHS can be held

responsible


Retaliation is prohibitedRetaliation is prohibited

57


Cannot retaliate in any way against someone who:Files a complaintTestifies or participates in an investigationOpposes practice they believe is unlawful



Cannot retaliate in any way against someone who:Files a complaintTestifies or participates in an investigationOpposes practice they believe is unlawful


Penalties include disciplinary & legal actions


Whistle Blowers & Workforce Crime VictimsWhistle Blowers & Workforce Crime Victims

58


A Whistle Blower discloses:Evidence of DHS violations of lawOn behalf of public interest

Whistle BlowersWhistle Blowers


Workforce Crime VictimsWorkforce Crime Victims

A Workforce Crime Victim:Victim of criminal act while on the jobCan disclose suspect’s information to law enforcement officer


Workforce Crime VictimsWorkforce Crime Victims

Must limit information to:Suspect’s name & addressDate & place of birthSocial Security numberABO blood type & RH factorType of injury receivedDate & time of treatmentDate & time of suspect’s death