Pasadena Villa CONFIDENTIALITY, PRIVACY AND DATA / INFORMATION SECURITY TRAINING Copyright March 2003

Upload: galilea-summerlin

Post on 14-Dec-2015


Pasadena Villa

CONFIDENTIALITY, PRIVACY AND DATA / INFORMATION

SECURITY TRAINING

Copyright March 2003


Confidentiality / 42 CFR Part 2 / HIPAA

Pasadena Villa is bound to follow state and federal regulations governing the confidentiality and privacy of our clients. Federal Statute 397, Title 42 CFR, Part 2 and HIPAA (Health Information Portability and Accountability Act of 1996) 45 CFR Parts 160, 162, 164 mandate the ways in which we can communicate, access, use or disclose our clients’ health information.

These regulations were enacted to protect an individual’s private health / clinical information, which will be referred to as PHI (Personal Health Information) throughout the remainder of this training; to reduce healthcare fraud and abuse; and to give individuals rights over how their PHI will be used and disclosed and how they can access their information.

All employees, volunteers, business associates and interns have an obligation to maintain the confidentiality of all persons served by Pasadena Villa to the fullest extent outlined by law.


Page Two

Here are some examples of how an individual’s PHI was exposed:

About 400 pages of detailed psychological records concerning visits and diagnoses of at least 62 children and teenagers were accidentally posted on the University of Montana’s Web site for eight days. The information included names, dates of birth, home addresses and school attended, along with the results of the psychological tests.

A doctor’s laptop was stolen at a medical conference. The computer contained the names and histories of his patients in North Carolina.

Due to a software flaw, thousands of consumers who requested pamphlets and brochures about drug and alcohol addiction had their names, addresses, telephone numbers and e-mail addresses exposed on Health.org, a government health information Web site.

A Washington D.C. jury ordered a local hospital to pay $25,000 for failing to keep a patient’s medical records confidential. Coworkers learned of the victim’s HIV status after an employee at the Washington hospital revealed information in his medical record.


Page Three

These examples represent the outcome of irresponsibility, lack of professionalism and not abiding by the law, as well as by the policies and procedures within an organization.

Penalties for privacy violations under HIPAA include both criminal and civil penalties. Failure to comply with HIPAA requirements may result in civil monetary penalties of $100 per violation, capped at $25,000 for each calendar year for each requirement or prohibition that is violated. Criminal penalties may reach as high as $50,000 and one year in prison if you knowingly or wrongfully disclose or receive PHI. If you obtain or attempt to obtain information under false pretenses, criminal penalties can be up to $100,000 and five years in prison. If you obtain information with intent to sell or transfer the information, use it for commercial advantage, for your personal gain or for malicious harm, criminal penalties can reach up to $250,000 and ten years in prison.

Under 42 CFR, Part 2, the penalties for violations are not more than $500 in the case of the first and not more than $5000 in the case of each subsequent event.


Page Four

We have taken steps to comply with the laws by developing internal policies and procedures, a training program and a complaint process, and by appointing a Privacy and Security Officer. However, it is your responsibility to curb human nature (curiosity, sharing of information), to be sensitive to the client’s information, to respect the client’s right to privacy and to know our policies and procedures. When we provide our clients with quality services, it includes protecting their confidential information.

As we go through this training, there will be differences in the HIPAA regulations as opposed to the 42 CFR, Part 2 and Florida Statute 397 regulations. 42 CFR, Part 2, is the Code of Federal Regulations that governs the Confidentiality of Alcohol and Drug Abuse Patient Records. Florida Statute 397 prohibits disclosure or use of patient records (any information, whether written or not) unless permitted by the patient or regulation.

NOTES


42 CFR preempts HIPAA in some respects because it is more stringent/restrictive.


Page Five

What is Protected Health Information / Individually Identifiable Health Information?

It is information created or received by a medical/clinical provider, health plan or health care clearinghouse.

Information related to the past, present, or future physical or mental health or condition of the individual

Information related to the provision of health care/clinical care to an individual

Information related to the past, present, or future payment for the provision of health care/clinical care to an individual

Information that identifies the individual or there is reasonable basis to believe that the information can be used to identify the individual

Information transmitted or maintained in any medium.

PATIENT IDENTIFYING INFORMATION UNDER 42 CFR PART 2 =

NAME

ADDRESS

SOCIAL SECURITY #

FINGERPRINTS


Page Six

PHOTOGRAPH

OTHER SIMILAR INFORMATION

UNDER HIPAA =

Same as 42 CFR Part 2 PLUS

Address is defined more broadly

Names of relatives/household

Name of Employer

Variety of Dates

Telephone / Fax Number

E-mail address / URL/IP

Client Medical/Clinical Record number (applicable to group notes)

Account/Health Plan Number

Vehicle or other device serial #

To ensure that PHI / Individually Identifiable Information is not disclosed or used improperly, Renaissance Healthcare Group has written policies and procedures to govern these releases. The next section will discuss the client’s rights regarding their PHI and the process by which individuals may request the use and disclosure of their PHI.

NOTES


See HIPAA & Confidentiality Plan!


Client Rights & Privacy Notice

Page Seven

First of all, it is important to recognize and acknowledge the rights of the client concerning their PHI. The following will outline their rights and your responsibilities for upholding those rights.

• Clients have the right to receive Pasadena Villa’s “Notice of Privacy Practices”.

• Clients have the right to inspect and copy their medical record.

• Clients have the right to request an amendment to their records.

• Clients have the right to request restrictions on use and disclosures of their protected health information (Clinical record)

• Clients have the right to confidential communications (request alternative channels of communication)

• Clients have the right to receive an accounting of disclosures of their protected health information.

• Clients have a right to file a complaint if the client feels the above rights have been violated.

NOTES


See next page for Privacy Notice


To communicate with the client in a different area, not by mail or telephone, etc.


HIPAA Notice of Privacy Practices

Pasadena Villa

This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.

• This Notice of Privacy Practices describes how we may use and disclose your protected health information (PHI) to carry out treatment, payment or health care operations (TPO) and for other purposes that are permitted or required by law. It also describes your rights to access and control your protected health information. “Protected health information” is information about you, including demographic information, that may identify you and that relates to your past, present or future physical or mental health or condition and related health care services.

1. Uses and Disclosures of Protected Health Information

• Your protected health information may be used and disclosed by your physician, our office staff and others outside of our office that are involved in your care and treatment for the purpose of providing health care services to you, to pay your health care bills, to support the operation of the physician’s practice, and any other use required by law.

• Treatment: We will use and disclose your protected health information to provide, coordinate, or manage your health care and any related services. This includes the coordination or management of your health care with a third party. For example, we would disclose your protected health information, as necessary, to a home health agency that provides care to you. For example, your protected health information may be provided to a physician to whom you have been referred to ensure that the physician has the necessary information to diagnose or treat you.

• Payment: Your protected health information will be used, as needed, to obtain payment for your health care services. For example, obtaining approval for a hospital stay may require that your relevant protected health information be disclosed to the health plan to obtain approval for the hospital admission.

• Healthcare Operations: We may use or disclose, as-needed, your protected health information in order to support the business activities of your physician’s practice. These activities include, but are not limited to, quality assessment activities, employee review activities, training of medical students, licensing, and conducting or arranging for other business activities. For example, we may disclose your protected health information to medical school students that see patients at our office. In addition, we may use a sign-in sheet at the registration desk where you will be asked to sign your name and indicate your physician. We may also call you by name in the waiting room when your physician is ready to see you. We may use or disclose your protected health information, as necessary, to contact you to remind you of your appointment.

• We may use or disclose your protected health information in the following situations without your authorization. These situations include: as Required By Law; Public Health issues as required by law; Communicable Diseases; Health Oversight; Abuse or Neglect; Food and Drug Administration requirements; Legal Proceedings; Law Enforcement; Coroners, Funeral Directors, and Organ Donation; Research; Criminal Activity; Military Activity and National Security; Workers’ Compensation; Inmates. Required Uses and Disclosures: Under the law, we must make disclosures to you and when required by the Secretary of the Department of Health and Human Services to investigate or determine our compliance with the requirements of Section 164.500.

• Other Permitted and Required Uses and Disclosures Will Be Made Only With Your Consent, Authorization or Opportunity to Object unless required by law.

• You may revoke this authorization, at any time, in writing, except to the extent that your physician or the physician’s practice has taken an action in reliance on the use or disclosure indicated in the authorization.


PAGE 2

Your Rights

• Following is a statement of your rights with respect to your protected health information.

• You have the right to inspect and copy your protected health information. Under federal law, however, you may not inspect or copy the following records: psychotherapy notes; information compiled in reasonable anticipation of, or use in, a civil, criminal, or administrative action or proceeding; and protected health information that is subject to law that prohibits access to protected health information.

• You have the right to request a restriction of your protected health information. This means you may ask us not to use or disclose any part of your protected health information for the purposes of treatment, payment or healthcare operations. You may also request that any part of your protected health information not be disclosed to family members or friends who may be involved in your care or for notification purposes as described in this Notice of Privacy Practices. Your request must state the specific restriction requested and to whom you want the restriction to apply.

• Your physician is not required to agree to a restriction that you may request. If your physician believes it is in your best interest to permit use and disclosure of your protected health information, your protected health information will not be restricted. You then have the right to use another Healthcare Professional.

• You have the right to request to receive confidential communications from us by alternative means or at an alternative location. You have the right to obtain a paper copy of this notice from us, upon request, even if you have agreed to accept this notice alternatively, i.e. electronically.

• You may have the right to have your physician amend your protected health information. If we deny your request for amendment, you have the right to file a statement of disagreement with us and we may prepare a rebuttal to your statement and will provide you with a copy of any such rebuttal.

• You have the right to receive an accounting of certain disclosures we have made, if any, of your protected health information.

• We reserve the right to change the terms of this notice and will inform you by mail of any changes. You then have the right to object or withdraw as provided in this notice.

Complaints

• You may complain to us or to the Secretary of Health and Human Services if you believe your privacy rights have been violated by us. You may file a complaint with us by notifying our privacy contact of your complaint. We will not retaliate against you for filing a complaint.

• This notice was published and becomes effective on or before April 14, 2003.

• We are required by law to maintain the privacy of, and provide individuals with, this notice of our legal duties and privacy practices with respect to protected health information. If you have any objections to this form, please ask to speak with our HIPAA Compliance Officer in person or by phone at our Main Phone Number.

• Signature below is only acknowledgement that you have received this Notice of our Privacy Practices:

• Print Name:__________________________ Signature______________________Date_______


Client Access to PHI

Page Ten

So far we have learned the client rights, violation penalties and the Privacy Notice. We now will review the breakdown of the client’s rights and how you and Pasadena Villa will carry out these functions.

Clients have the right to inspect or have access to their records. The client shall complete a form, “Individual Request for Access to Personal Health Information”. This form shall be completed by the client and given to the staff at admission.

Individuals DO NOT have the right to access the following types of information:

• Psychotherapy notes;

• Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; and

• Protected health information that is subject to the Clinical Laboratory Improvements Amendments of 1988

The Records staff or designee will act upon the request by informing the individual of the acceptance of the request and providing access. If the request is denied due to the above circumstances, the Records staff will provide the individual with a written denial.

REQUEST TO INSPECT OR COPY PROTECTED HEALTH INFORMATION

This form is used by the patient to request an opportunity to examine or copy Protected Health Information in the possession of Pasadena Villa.

Information Requested

Please describe the information that you would like to examine or copy:

Review Procedures

Your request to inspect or copy your Protected Health Information will be reviewed by the Clinical Director, who will determine if the information requested can be made available to you. We may be legally prohibited from making certain information available to patients or patient representatives, including:

• Psychotherapy Notes

• Information related to legal proceedings

• Information that federal or state laws prevent us from disclosing

• Information that is related to medical research in which you have agreed to participate

• Information whose disclosure may result in harm or injury to you or to another person

• Information that was obtained under a promise of confidentiality

Within the limitations of the law, we will make every effort to accommodate your request.

We will complete our review of your request and either arrange for you to inspect your records within 30 days of your request, or provide you with a written explanation of any restriction on the information that we can provide you.

If we deny your request, in whole or in part, you may request that we review that decision.


Obtaining Authorizations for Use and Disclosure

Page Eleven

• Renaissance Healthcare Group must obtain authorization from the client for us to be able to use and disclose their PHI. Renaissance Healthcare Group does not need to obtain authorization for treating / providing services, payment and organizational operations. The purpose for obtaining an authorization is to provide the individual with an opportunity to determine how his or her PHI may be used or disclosed, and to inform the individual of his or her rights under the Privacy rule. For all uses and disclosures of an individual’s PHI, RHG will obtain a signed authorization from the individual, unless the use or disclosure is required, or otherwise permitted without an authorization. Prior to all marketing communications, we will obtain authorization from the individuals who would receive such communications, except if:

– the communication is made face-to-face by an employee; or

– the communication is a promotional gift of nominal value


Authorization continued

Page Twelve

Prior to any use or disclosure of psychotherapy notes, including for treatment, payment or health care operations, RHG will obtain authorization from the individual, except if the use or disclosure is for:

– the service activities of the originator of the psychotherapy notes;

– Our own training programs in which mental health students, interns or practitioners practice, under supervision, their skills in counseling; or

– Pasadena Villa’s own defense in a legal action or other proceeding brought by the individual.

RHG is not required to obtain authorization for the following purposes:

– to carry out service, payment or health care operations;

– uses and disclosures required by law

– uses and disclosures for public health activities

– disclosures about victims of abuse, neglect or domestic violence

– uses and disclosures for health oversight activities

– disclosures for judicial and administrative proceedings


Authorization continued

Page Thirteen

– disclosures for law enforcement purposes

– disclosing PHI about decedents

– uses and disclosures for research purposes

– uses and disclosures to avert a serious threat to health or safety

– uses and disclosures for specialized government functions and

– disclosures for workers’ compensation

• The authorization will be written in plain language.

• The authorization document will allow individuals to request that their protected health information be used or disclosed for specific purposes.

• When RHG initiates an authorization to use or disclose protected health information for its own purposes, RHG will provide individuals with any facts they need to make an informed decision as to whether to allow release of the information.

• The authorization will not be combined with another document to create a compound authorization, unless:

• the other document is a similar such authorization;


Authorization continued

Page Fourteen

• if the authorization is for the disclosure of psychotherapy notes, the other document is also an authorization for the disclosure of psychotherapy notes; or

• the authorization is for the use or disclosure of protected health information created for a research study, and is to be combined with another written permission for the study.

• Any authorization for the use or disclosure of protected health information requested by the individual subject of that information will contain the following:

• a description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;

• the name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure;

• the name or other specific identification of the person(s), or class of persons, to whom RHG may make the requested use or disclosure;

NOTES

A specific authorization is required for the disclosure of psychotherapy notes. Psychotherapy notes are defined as primarily of use to the mental health professional who wrote them and are not part of the medical record, and not involved in the documentation necessary to carry out treatment, payment, or health care operations. There are few reasons why other health care/clinical entities should need access to this information. This excludes diagnosis, medications, treatment, symptoms, prognosis, and progress to date.


Authorization continued

Page Fifteen

• an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure;

• a statement of the individual’s right to revoke the authorization in writing and the exceptions to the right to revoke;

• a description of how the individual may revoke the authorization; Individuals may revoke their authorizations at any time.

• a statement that the entity will not condition treatment, payment, enrollment in a health plan, or eligibility for benefits on the provision of an authorization, except as permitted by law.

• a statement that information used or disclosed pursuant to the authorization may be subject to redisclosure by the recipient and no longer be protected by 45 C.F.R. Part 164;

• the signature of the individual and date.

• An expiration date, event or condition

• In the event that the authorization is signed by a personal representative of the individual, the authorization will contain a description of the representative’s authority to act for the individual.

• RHG will provide the individual with a copy of the signed authorization.

NOTES

42 CFR prohibits redisclosure.

A General Authorization for Mental Health and Substance Abuse Records is not acceptable to release information. To release these sensitive records, Pasadena Villa must receive a subpoena accompanied by a court order that is issued by a judge. This goes for law enforcement requests as well. Pasadena Villa may disclose this information if it is in relation to reporting a victim of abuse or neglect, or if we believe, in our professional judgment, that the disclosure is necessary to prevent serious harm to an individual or other potential victim.

_________________________________________________________________________________________________________________________________________________________________________________________________________________________________


Authorization continued Page Sixteen

• RHG will invalidate the authorization if:

• any material information in the authorization is known to be false;

• the requirements of the authorization have not been filled out completely;

• the expiration date has passed or the expiration event is known to have occurred.

• We will document and retain the signed authorization for a period of at least six years from the date of its creation or the date when it last was in effect, whichever is later.

It is important that each and every authorization form is completed accurately and in its entirety. It is imperative that all employees are knowledgeable of what an authorization must contain and how to identify a defective authorization. If you observe authorizations with blank spaces, or where signatures, dates, etc. are not present, you must report it to the Privacy Officer immediately!


Client Rights to Amend their Records Page Seventeen

Clients have the right to request an amendment (clarification or challenge) to their medical/clinical file. *Remember, psychotherapy notes are not disclosed. However, the remaining parts of their file (group notes, daily progress notes, medication records, demographic information) are subject to their review. If the client does not agree with certain documentation in their records, they may request that the entry be amended. The client must put the request in writing. Pasadena Villa will review and determine if they agree or disagree with the requested amendment. The Privacy Officer will appoint an individual not involved in the client’s care to review the request. If the request is denied, the Privacy Officer shall notify the client in writing. These requests for amendments are to be placed in the client file and are considered a permanent form in the file. The amendment request form is outlined on the following page.


Human Services Associates, Inc.

MEDICAL/CLINICAL RECORD CORRECTION/AMENDMENT FORM

REQUEST TO AMEND PROTECTED HEALTH INFORMATION

This form is to be used by patients who wish to request that information kept in the records of Pasadena Villa be amended.

The following summarizes our policies and procedures with respect to amending patient information:

• Requests to amend information must be submitted in writing.

• Your request will be reviewed by the Clinical Director and other staff members as appropriate.

• If the Clinical Director determines that the amendment you have requested should be made, the records will be updated as required by federal regulations.

• If the Clinical Director determines that the information in our records is complete and accurate, your request will be denied. A written notice of this decision will be sent to you as required by federal regulations. You will have an opportunity to send us a written statement explaining your disagreement with this decision. That statement will be included in your records, along with any response that we believe is necessary to help future users of the information understand that information. You will be given a copy of any response that we include in the record.

Information to be Amended

Please identify the information that you believe needs to be amended in the spaces provided below. Identify the source of the information (for example, your medical records or billing records), the specific information that you believe to be incorrect and the reason you believe the information to be incorrect. If no reason is given, your request will be denied.

If you need help with this form, please contact:

Dr. George Kachmarik, Clinical Director

(407) 246-5250

Item to be changed: ____________________

Data Source: ____________________

Change: ____________________

Reason: ____________________

*Response: ____________________

Item to be changed: ____________________

Data Source: ____________________

Change: ____________________

Reason: ____________________

*Response: ____________________

Attach additional copies of this page as needed.

Patient Signature

Please sign and date this form:

Name of Patient ____________________

Signature of Patient ____________________ Date __________

Signature of Patient Representative ____________________

Relationship of Patient Representative to Patient ____________________

Decision

Approved amendments

The following requests for amendment of information have been approved:

This information will be corrected and other organizations to which this information has been disclosed will be notified as required by federal regulations.

Requests for Amendment That Have Been Denied

The following requests for amendment of information have been denied for the reasons given in the section describing the information you have requested:

This information will not be amended in our records. If you disagree with this decision, you may submit a written statement of disagreement. Your statement must be limited to one standard letter-sized page (8 inches X 11 inches) per correction. Your disagreement will be included in our records and it, or an accurate summary of it that we will prepare, will be transmitted to any entity to whom the affected information is disclosed in the future. We also may include our own comments on your statements. If we do include such a statement, you will be sent a copy of the statement.

Title of Privacy Official ____________________

Signature ____________________ Date __________


Accounting of Disclosures Page Nineteen

HIPAA provides that individuals have a right to receive an accounting of certain instances when protected health information about them is disclosed by a covered entity. This requirement is subject to exceptions for disclosures made to the individual; for treatment, payment and health care operations; or authorized by the individual; as well as certain time-limited exceptions for disclosures to law enforcement and oversight agencies. RHG has developed procedures to address instances when an accounting of disclosures of protected health information must be provided.

• RHG will allow an individual to obtain an accounting of instances when their protected health information has been disclosed.


Accounting Continued Page Twenty

RHG will allow an individual to receive an accounting of disclosures of protected health information in the seven years prior to the date on which the accounting is requested, beginning April 14, 2003.

The accounting will be in writing and will include disclosures made to or by business associates. Each accounting of a disclosure will include the following:

• the date of disclosure;

• the name of the entity or person who received the protected health information and, if known, the address of such entity or person;

• a brief description of the protected health information disclosed;

• a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure; or in lieu of such statement:

• a copy of the individual’s written authorization to use or disclose the protected health information, or


Accounting continued Page Twenty-One

• We will act on the individual’s request for an accounting not later than 60 days after receipt of the request by:

• providing the individual with the accounting requested, or

• extending the time to provide the accounting by no more than 30 days.

• In the event that RHG extends the time to provide the accounting, within 60 days after receipt of the request, it will provide the individual with a written statement of the reasons for the delay and the date by which the covered entity will provide the accounting.

• We will not extend the time to provide the accounting more than once.

• The first accounting to an individual in any 12-month period will be without charge.


Accounting continued Page Twenty-two

• Upon imposing a fee RHG will inform the individual in advance of the fee and provide the individual with an opportunity to withdraw or modify the request for a subsequent accounting in order to avoid or reduce the fee.

• We will document and retain the following for a period of at least 7 years from the date of its creation or the date when it last was in effect, whichever is later:

• the information required to be included in an accounting;

• the written accounting that is provided to the individual;

• the title of the persons or officer responsible for receiving and processing requests for an accounting by individuals.

• The Privacy Officer is responsible for responding to a request from an individual for an audit trail of instances when their protected health information has been disclosed for purposes other than treatment, payment, or health care operations.


Page Twenty-three

REQUEST FOR ACCOUNTING OF PROTECTED HEALTH INFORMATION DISCLOSURES

Consistent with federal regulations, we will provide you with an accounting of certain disclosures of your protected health information. You will not receive an accounting for the following:

• Disclosures of your Protected Health Information for the purposes of treatment, payment, or the day-to-day operation of the medical practice

• Disclosures to law enforcement, correctional institutions, or for any other legally required or permitted disclosure listed on our Notice of Privacy Practices

• Disclosures that occurred prior to April 14, 2003, the effective date of the federal privacy rules

• Disclosures that occurred six or more years prior to the date of this request

We will contact you when the information you have requested is available, generally within 60 days of your request.

Name of Patient (Type or Print) ____________________

Signature of Patient ____________________ Date __________

Telephone Number ____________________

Street Address ____________________

City, State, Zip Code ____________________


Disclosures Page Twenty-four

Now that we’ve explained how the client has the right to see the types of disclosures and when those disclosures were made, we need to examine the general rules of disclosures. It is expected under HIPAA and 42 CFR Part 2 that we only disclose the minimum necessary information. This requires us to make “reasonable efforts” to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. This “minimum necessary” rule applies in three circumstances: when using PHI internally, when disclosing PHI to an external party in response to a request, or when requesting PHI from another covered entity / organization.

Under 42 CFR Part 2, there is a “General Non-disclosure Rule”: an alcohol and/or drug program may not disclose any information about any patient. However, this rule (42 CFR) has nine exceptions to the Non-disclosure Rule, where information can be disclosed without proper authorization:

1. No patient-identifying information


Disclosures continued Page Twenty-five

2. Disclosure permitted with proper consent

3. For Internal communications

4. For a Qualified Service Agreement with another organization performing services for our agency

5. For a medical emergency

6. For reporting of suspected abuse and neglect

7. For when a crime is committed on facility premises or against program personnel

8. For Research and auditing

9. With a Court Order (with a good cause hearing)

Internal Communications – that don’t disclose client identifying information. You and your co-worker in the normal operations of your work day can discuss clients, as long as it pertains to your job. HIPAA does allow some room for allowances; if a physician has a discussion with a client in a semi-private room, this is permitted.


Disclosures and Security continued Page Twenty-six

However, the physician must use a low tone of voice and only discuss the minimum necessary to ensure the client possesses his or her health information. Our employees must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the Privacy Rule (HIPAA / 42 CFR). We must have in place appropriate administrative, technical and physical safeguards to protect the privacy of PHI. This includes client sign-in sheets lying at the main desk, client records lying out on top of a table or desk when performing an individual session with another client (clean desk protocol), talking on the cell phone about a client (cell phones are not secure), releasing information without verifying the caller, and faxing any document. Faxing should only be performed when it is absolutely necessary. The information to be faxed should be very limited. Mailing information is preferred.


Disclosures and Security continued Page Twenty-seven

When sending a fax, you will call the individual who is to receive the fax and let them know it is coming, and then call upon completion to verify receipt. All Pasadena Villa fax machines are on dedicated lines. All fax machines need to be located in an area not accessible to the public.

If you have a computer at your work station and the screen contains PHI, you must sign off once you leave your area. Avoid making unnecessary copies of client information; think twice before making copies. Use the clean desk protocol: staff need to clear their desk/area of all paperwork and files prior to leaving, as this may prevent other persons who leave later or arrive earlier from viewing PHI they have no right to access.

During the workday, paper files and records with PHI should not be piled on desks or left unattended in the open. They should be kept in drawers or cabinets to reduce exposure. When transporting documents / files from location to location, make sure they are in sleeves, bags or envelopes that make them inaccessible to those transporting them.


Disclosure and Security continued Page Twenty-eight

Paper that contains PHI should be shredded when it is obsolete, not reused, recycled or discarded in the trash.

Incoming correspondence should be funneled through a distinct channel that involves the smallest number of viewers possible.

It is imperative to minimize telephone conversations when other clients or visitors are within earshot. While there is no foolproof way to identify clients over the phone, the goal should always be to increase the degree of certainty. This is also applicable to third parties who call to discuss clients or request PHI. You must verify the caller (call back, ask for supervisor) by asking the caller for their telephone number and address of business and then calling back to confirm. This will be another cumbersome task compared to the past, but that is what it is, and the law is how we need to conduct business now. Be cautious about leaving PHI in voice mail messages; these messages could easily be received by someone other than the person you intended. You should never make telephone announcements that reveal the nature of the client’s condition or the type of provider he or she may be seeing, such as “Ms. Brown, the psychiatrist will see you now!”


Disclosures and Security continued Page Twenty-nine

Our company utilizes an e-mail system to assist in the communication of daily operations. This tool has its positives and negatives. E-mail permits us to communicate effortlessly and at great speed, and to copy and distribute documents as never before. The flip side of these enormous opportunities for more effective communications is the equally enormous risk that PHI will be distributed improperly. If you can possibly conduct business without using the client’s PHI in your e-mails, do it. Once an e-mail that contains PHI is sent, the information is in a format that can be reissued over and over again, equally effortlessly whether it is a harmless communication or a psychiatric assessment. If a client asks you to e-mail them, don’t do it. Using e-mail to communicate between the client and provider is burdened with incredible risk. The comfortable, informal nature of the mode, coupled with the liability issues accompanying the provision of care, makes for an unfortunate mix. You must have a client’s written consent and they must agree to accept the risks of this type of communication.


Security continued Page Thirty

Privacy versus Security

Privacy under HIPAA is the control of access to protected health information (PHI). Individuals are given the right (within limitations) to grant or deny the disclosure of information about themselves or minor children. Security is the employment of mechanisms to control access and protect PHI from accidental or unauthorized disclosure, destruction, modification, or loss. Also, under HIPAA, security includes ensuring the availability of PHI as part of our business continuation plan through emergency operations and disaster recovery. HIPAA requires the appointment of a Security Officer and a Privacy Officer. The Security Officer is responsible for ensuring the company maintains:

• administrative procedures to guard data integrity, confidentiality and availability

• physical safeguards to guard data integrity, confidentiality and availability

• technical security services to guard data integrity, confidentiality and availability

• technical security mechanisms to guard against unauthorized access to data that is transmitted over a communications network


Security continued Page Thirty-one

The Administrative section for data integrity involves:

• security management processes, i.e., data back-up, testing and revision, disaster recovery plan, emergency mode operations plan, risk analysis, security policy

• security configurations, i.e., personnel clearance procedures, system users, personnel security procedures, virus checking, hardware and software installation and maintenance, inventory

• security incident procedures and response procedures

• termination procedures

• training, user education, periodic security reminders, password management

The Physical safeguards for data integrity involve:

• assigned security responsibility, access control, accountability, data storage, disposal

• physical access controls, disaster recovery, equipment control, facility security plan, procedures for verifying access authorizations prior to physical access

• policy/guidelines on work station use, security awareness training


Security continued

The technical security mechanisms for data integrity, to guard against unauthorized access to data that is transmitted over a communications network, involve:

- message authentication, access controls, encryption, event reporting, entity authentication
- use of electronic signatures, multiple signatures, transportability, independent verifiability

As you can see, the Security side of this law is a little more in-depth and may or may not involve you. However, it is important to know the main areas of data security. We talked about it a little earlier, with the fax machine, your work station and leaving your monitor on with PHI accessible.

Along with the above, the facility relies on you to do the right thing and report any instance of computer problems to your supervisor. Water damage, dust and dirt, and the temperature of equipment are all reportable incidents. Make sure doors are closed and that your computer does not face the windows or sit where the public can see it in plain sight. Make sure nobody else is using your computer. These are just a few examples to give you a heads-up.


Doing your Part

Here we are, at the end of the training. There is a lot of information you are responsible for knowing and practicing beginning today. Pasadena Villa only asks you to do your part and we’ll do ours. To wrap it up, a few last things to review:

- only access confidential information if you have a need to know to do your job
- protect your computer passwords
- understand the law and our policies and procedures that show you and explain to you how to follow the law
- attend training and education programs for updates
- and last of all and most important, REPORT any problems to the Privacy Officer

Treat your client’s information the way you would want your personal information treated. Quality of care is compromised when our clients don’t trust us. We need to make sure they feel comfortable about these new privacy laws and know that we are here to abide by the laws and to help them as well. If you feel unsure of how to follow a request for information, please review the policies and procedures, ask your supervisor or call the Privacy Officer.
