Training Module:Understanding SCCCC

Confidentiality and Privacy Policies and Procedures

Training Objectives• Basic understanding of how HIPAA and other

State and Federal regulations are implemented at SCCCC

• Learn where to find SCCCC privacy and confidentiality policies, procedures, and forms

• Learn how these policies affect your day-to-day work at SCCCC

HIPAAHealth Insurance Portability and

Accountability Act

HIPAA is a federal law passed in 1996, which created new national standards to

protect the privacy of personal health information. This information is known

as “protected health information” or PHI.

Protected Health Information

• PHI is individually identifiable information related to the past, present or future health condition of the individual

• PHI applies to electronic, paper, or oral communications

• PHI has been interpreted to include mental health and substance abuse disorders

SCCCC Policies and Procedures are based on the following State and Federal

laws or regulations:

• Health Insurance Portability and Accountability Act of 1966 (HIPAA)

• 42 CFR Confidentiality of Alcohol and Drug Abuse Patient Records

• Lanterman-Petris-Short Act of the State Welfare and Institutions Code

• Title 22, California Code of Regulations

*In our work at SCCCC, we must comply with HIPAA as well as the other applicable laws and regulations. When there is a conflict between HIPAA and State law, HIPAA takes precedence as a Federal law.

Policy 315SCCCC Policies and Procedures Manual

ConfidentialityAgreed-upon rules and regulations that pertain to

information about staff or clients being given to outside sources.

Although the SCCCC policy covers staff and client confidentiality, this training covers only client

confidentiality.

No information, including acknowledgment that an individual is or has been a client,

will be released without prior written consent of the client or authorized person.

There are legal exceptions such as:

• Child and elder abuse reports

• Subpoenas or court orders

• Risk of harm to self or to warn potential victims of intended harm (refer to component director, manager or State-licensed therapist)

Component Confidentiality Agreement

All employees sign a Confidentiality Agreement upon hire

For more information about confidentiality policies and

procedures, consult theConfidentiality Training Guide

located on SCCCC’s web page at www.scccc.org

In the following slides, you will answer questions about the topics below.

Business Associate AgreementHandling of Confidential InformationConfidential ConversationsSending EmailsSending FaxesMailingUse of Client Photos, Audio, VideoClient Access to Records

Business Associate Agreement

Agreements are required with businesses that would have access to protected client health

information as part of their job.

1. Your component plans to hire Confidential Shredding Services to shred personnel records. The files contain physical exams. Do you need to have a business associate agreement with Confidential Shredding Services?

2. You are going to hire a temporary employee from a Temp Agency. This individual will be filing client health information. Do you need a Business Associate Agreement with the Temp Agency?

Answers: 1. no 2. yes (we also ask the temp agency employee to sign a Confidentiality Agreement).

Confidential DocumentsWhich of the scenarios below is good HIPAA practice?

1. Joe leaves a client record on his desk face down since he plans to be gone only a minute or two.

2. Monica has been doing on-line data entry to client records. Before going to lunch, she turns her computer screen off .

3. Mary is sending a confidential client record by courier from Admin Services to a program site. She stamps the record “confidential” and places it in an envelope with the recipients name and location. She uses a ”CONFIDENTIAL” sticker to seal the opening.

Answers: 1. No2. No 3. Yes

Client Lists and Photographs

1. Margaret is working in a preschool classroom. She posts a list of children (using their first and last name) who need to take medication during classroom hours. Is this good HIPAA practice?

2. Ray works in a residential program. He hangs a list of residents who are on kitchen duty. He uses their first name and initial of their last name. Is this good HIPAA practice?

3. Jamie receives permission from the Program Director to videotape the client graduation ceremony at a residential treatment program for the purpose of showing it to graduates and staff the next day. Is this good HIPAA practice?

Answers: 1. No 2. Yes 3. Yes, however, it should be destroyed after viewing.

Confidential Conversations

Which of these examples represents good practice in regards to confidentiality?

1. Gina works at SCCCC. A friend, Ralph, whom she hasn’t seen in years comes to repair the office copy machine. Gina tells Ralph that a mutual friend of theirs, Bryanna, will be coming in for a group session in about an hour.

2. A client comes in to fill out an application. Gina reserves a room where she and the client can complete the forms without interruption.

3. After meeting with a client, Gina goes to the mail room to check her mail box and runs into another employee. Gina begins to tell the employee what she thinks of the client.

Answers: 1. No 2. Yes 3. No

E-Mail1. Margaret, a counselor, is going on vacation. A co-

worker has agreed to see the client while Margaret is gone. Margaret emails her co-worker to confirm the appointment. She uses the client’s first and last initial. Is this good HIPAA practice?

2. True or false? When sending client information, all staff must use the signature block at the end of each email which contains wording regarding the confidentiality of the contents of the email.

Answers: 1. Yes 2. True Notice to recipient: This communication is intended for the

person(s) to whom it is addressed and may contain information that is protected by Federal and/or State law. If you receive this in error, any review, use, dissemination, distribution, or reproduction is strictly prohibited. Please notify us immediately by telephone or email and delete the email and any attachment from your system.

Thank you for your cooperation.

FaxWhich of the examples below represent good

HIPAA practice?

1. The office fax machine is located at the front reception desk.2. Jennie uses speed dial for frequently faxed numbers when

sending client information because it eliminates the possibility of a transmission error.

3. Faxing highly sensitive client information such as assessments, service plans, medical information is not recommended. True or false?

Answers: 1. No 2. True 3. True, if absolutely necessary, call ahead.

Mailing

True or False?

1. When sending documents to clients, use return address only…do not include program name.

2. Mail stamped CONFIDENTIAL may be opened only by the addressee.

3. Use a CONFIDENTIAL stamp or sticker on the outside of an envelope.

Answers: 1. True2. True3. True

Forms

Forms (CRS, CSS, YS) are available on the agency web site:

• “Notice of Health Information Practices and Privacy Policies” (Signed by the client; form describes how information will be used and disclosed and how to access it)

• “Request to Review Client File Information” (completed by the client or guardian)

• “Release of Confidential Information” (client signs to approve release of confidential information)

• “Audio/Video/Observation Release” (client and or parent signs to release use of a session which is audio recorded, video recorded or observed through a one-way mirror to be used as a training tool or other stated reason; release expires in one year)

• “Photograph/Video Release” (client or guardian signs to reproduce a photograph or video of the client)

What Happens If You Violate the Confidentiality Agreement?

True or False?

You may be fined up to $250,000 and/or receive disciplinary action up to and including termination

Answer: True

Congratulations!You have successfully completed the SCCCC HIPAA Training Module