Minneapolis School Based Clinics HIPAA Privacy Policy Training August 23, 2011


Page 1: Minneapolis School Based Clinics HIPAA Privacy Policy Training August 23, 2011

Minneapolis School Based Clinics HIPAA Privacy Policy Training

August 23, 2011

Training Overview

• HIPAA Overview
• HIPAA impact on clinical practice
• Client Rights
• Operational Procedures for protecting Privacy
• How does HIPAA impact SBC
• Compliance

Why Now??

• 2002 HIPAA Assessment
• Required compliance with EHR
• City Resolution - HIPAA Hybrid Entity passed Council July 2011

City of Minneapolis HIPAA Hybrid Entity Structure

HIPAA Steering Committee Members: HIPAA Privacy Officer – Casey Carl, HIPAA Security Officer, Privacy Coordinator City Plans, Privacy Officer SBC, Security Coordinator City Plans, Security Coordinator SBC, representative from MFD and Office of City Attorney.

• Human Resource Health Plans: Human Resources Director - Privacy Officer
• Health Care Component, MDHFS - School Based Clinics: School Based Clinic Manager - HIPAA Privacy Coordinator

What is HIPAA?

Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Federal law passed by Congress
• Part of the Social Security Administration Act
• Purpose: To protect the confidentiality and security of personally identifiable health information as it is used, disclosed and electronically transmitted by covered components.
• Creates a framework, using standardized formats, for transmitting electronic health information more cost effectively.

HIPAA Privacy Rule

• First national Standard
• Provides safeguards to protect privacy of individual’s health information
• Identifies permitted uses & disclosures
• Specifies rights of the individual to control how their health information is used & disclosed
• Requires sanctions to be applied to employees who violate HIPAA policies & procedures

HIPAA Privacy Rule Coverage

Who
• Covered Entities: healthcare providers, health care plans, health care clearing houses

What is required
• Covered Entity: Name a privacy officer to be responsible for communicating policies & procedures, identify staff whose roles require access to PHI, staff training, ensure safeguards are in place to protect PHI, maintain documentation and monitor compliance & apply sanctions
• Staff: attend training, read and understand SBC Notice of Privacy Practice, understand HIPAA Rule impact on their jobs

When
• Rule enforcement began in 2003
• SBC to become a covered entity in 2012 when we implement Electronic Medical Record/Practice Management

The HIPAA Privacy Rule

• Applies to health care providers, health plans & healthcare clearinghouses. SBC will be required to comply with HIPAA and constitute a Covered Entity
• Establishes conditions under which PHI can be used and disclosed.
– Use of PHI refers to sharing the information within the SBC Covered Entity.
– Disclosure refers to sharing PHI to individuals or organizations outside of the SBC Covered Entity.
• Grants individuals certain rights regarding their PHI
• Requires that we maintain the privacy and security of PHI.
• Requires sanctions to be applied to employees who violate HIPAA policies & procedures.


The HIPAA Security Rule

• Establishes administrative, technical and physical standards for the security of electronic health information

• Implemented to protect confidentiality, integrity and availability of PHI that is maintained and transmitted electronically

• Requires a sanction policy to discipline employees who do not follow security policies

HITECH HIPAA

The American Recovery and Reinvestment Act of 2009
• Enhanced privacy & security rules
• Promotes the use of electronic health records (EHRs) by providing incentives to health care providers who convert their medical records from paper files to EHRs
• Breach Notification Rule: unauthorized acquisition, use, disclosure of PHI
• Enforcement & increased penalties to Covered Entities and their Business Associates

Protected Health Information

• Protected Health Information (PHI) under HIPAA means health information that identifies an individual and is:
– Created or received by a health care provider.
– Relates to an individual’s past, present or future physical or mental health or the provision of or payment of health care.
– Transmitted or maintained in any form or medium by a covered entity or business associate.
PHI includes demographics.
• Our general practice is to treat all client information as PHI

How is Protected Information Used?

Client authorization is not required when providers use information to carry out essential health care functions:
– Treatment: provision, coordination, or management of health care & related services by one or more providers (includes 3rd party consultation & referrals)
– Payment: to obtain payment or be reimbursed for services
– Health Care Operations: administrative, financial, legal & quality improvement activities necessary to run clinic and support core functions of treatment and payment.

A Covered Entity may not use or disclose PHI except as permitted or required by Privacy Rule

Permitted Disclosures without PHI Authorization

SBC may disclose PHI without authorization for a variety of public interest related purposes including the following:
– Legal Process
– Public Health
– Organ and Tissue Donation
– Health Oversight Activities
– Specialized Government Functions
– Law Enforcement
– Research
– To avert a serious risk to health & safety (school)

• SBC policy to refer/consult with Privacy Coordinator prior to releasing PHI

Client Authorization for Use & Disclosure

• Clients can request release of their information by signing an authorization which includes all the statements required under the regulations. Use of the SBC Authorization for Request/Release of PHI form (8/11 #92) meets the regulatory requirements.

• If the client is a minor at the time of the request and the PHI includes non-minor-consent services, the parent of the minor client must sign the request for authorization.

• When responding to an authorization from another organization for release of protected health information, the authorization must also meet the HIPAA requirements.

• If there is any doubt, the SBC Privacy Coordinator can provide assistance in reviewing the validity of the document.

• SBC provider must confirm identity of requester and note the date in the Medical record.

Authorization for Request/Release of PHI

Psychotherapy Notes

• Psychotherapy notes receive stronger protection than other protected health information under the HIPAA privacy rule because of their potential sensitivity.
• Mental Health records need to be separate in EHR
• Psychotherapy notes are defined as the notes of a mental health professional which document or analyze the contents of a counseling session and which are stored separately from the rest of the medical record. Except in certain limited circumstances, use or disclosure of psychotherapy notes is permissible only if the patient signs a separate authorization that encompasses only psychotherapy notes and no other PHI.
• Psychotherapy notes exclude:
– Medication prescription and monitoring
– Counseling session start and stop times
– Modalities and frequencies of treatment furnished
– Results of clinical tests
– Any summary of diagnosis, functional status, treatment plan, symptoms, prognosis, or progress to date

Client Rights

Clients have the right to
• Request confidential communications
• Access their medical records
• Request restrictions on the use & disclosure of their PHI
• Request Accounting of disclosures
• Authorize disclosure to persons or entities of their choice
• Revoke Authorizations

Client Rights

The Notice of Privacy Practices (NPP):
• Explains privacy policies
• Explains how client information may be used and disclosed and how clients can access this information.
• Informs clients about their rights – including making complaints
• Who receives the NPP?
– First-time clients, at the time of the clinic visit
– Anyone who requests a copy
• Clients must be asked to sign an acknowledgement of Notice, although they are not required to sign it.
• Replaces the former separate Tennessen Warning - it is combined with the NPP
• The NPP must be posted prominently in clinic.
• Client Bill of Rights and Access to Health Records must be posted in clinical areas.


New Notice of Data Practices and Data Privacy Notice

Individual Right to Access and Amendment

• Clients have a right to inspect and copy their Medical Record
• The client is required to complete a request access form
• Clients can also request amendments to their medical records
• Exceptions to this rule:
– Psychotherapy notes, if access could endanger civil or criminal hearings
– Information compiled in reasonable anticipation of, or use in, a civil, criminal or administrative action or proceeding.
– The PHI was obtained from someone other than a health care provider under a promise of confidentiality and access would be reasonably likely to reveal the source.
– The access is reasonably likely, in the judgment of a licensed health care professional, to endanger the life or physical safety of the individual or another person.
– If the PHI makes reference to another person and, in the judgment of a licensed health care professional, the access is reasonably likely to cause substantial harm to the individual or another person.


Accounting for Disclosures

• HIPAA requires SBC to log any disclosures including who accessed medical records. The logs must include who had access, for what reason and when access was provided.

• SBC Policy is to document all disclosures of PHI in client medical record and include a copy of signed authorization for release form.

• Inadvertent disclosure of PHI needs to be reported to supervisor & SBC Privacy coordinator immediately.

HIPAA Privacy Rule: Rights of Parents

• Parents are generally authorized (under MN state law) to make medical decisions for non-emancipated minor children.

• HIPAA treats parents as “Personal Representatives” of minor children if they are authorized to make decisions for them.

• As “Personal Representatives” parents exercise rights re: PHI for their minor children – Access to information & Control over disclosure.

HIPAA Privacy Rule: Rights of Minors

Minor is treated as “the Individual” & parent is not necessarily the “Personal Representative”
– When minor has right to consent & has consented;
– When the minor or services fall under the MN Minor Consent Law the minor may authorize disclosure.

Minor acting as “the Individual” can exercise rights regarding PHI
– Access to information
– Control over disclosure
– Request privacy protection

If minor client holds the right to consent, the minor client holds the right to disclose


SBC Consent Requirements

• Clinic Consent: a parent signed consent form is required for any clinic service except those under minor consent.

• Minor Consent: minor client can consent for confidential medical services including: emergency related care, pregnancy related care, STI Care, Contraceptive care, inpatient mental health care and treatment of drug and alcohol abuse.

• Mental Health Consent: minor clients can receive mental health services if their parent has signed clinic consent. MN DHS rules require parent MH consent to bill for MH diagnosis or treatment. SBC policy is to get parent MH consent for minor clients requiring ongoing care.

• A Minor can request nondisclosure of their private data to parents by written request and if provider determines in minor’s best interest.

Minor Consent Form

• A minor who is emancipated (age 18, legally married, has a child, declared emancipated by court order or is living separate & managing own financial affairs) may give effective consent for personal medical and mental health services. In the case of a mother of a child, she may also give consent for her child.

• Minor client can consent for confidential medical services including: emergency related care, pregnancy related care, STI Care, Contraceptive care, inpatient mental health care and treatment of drug and alcohol abuse.

• SBC provider will review consent and have minor client sign consent form.

HIPAA Privacy Rule: Domestic Violence or Abuse

Provider may elect NOT to treat parent as the personal representative if
• Provider has reasonable belief minor has been or may be subject to domestic violence or abuse or neglect by the parent OR
• Treating parent as personal representative could endanger the minor AND
• Provider believes that it is not in the best interest of minor to give parent access and control.

Operational Procedures for Protecting Privacy

The “Minimum Necessary” Standard – Need to know
• SBC staff must make a reasonable effort to disclose or use only the minimum necessary amount of protected health information in order to accomplish the intended purpose. They can disclose information requested by other health care providers if the information is necessary for treatment.

• SBC providers who are directly involved in the care of the client can see PHI. Providers can disclose to consulting physicians or for referrals, but not to people who don’t have clinical responsibilities.

• Making “minimum necessary” determinations is a balancing act. Providers must weigh the need to protect clients’ privacy against their reasonable ability to limit the information that is disclosed while delivering quality care.

Everyday Steps for Protecting Privacy: Safeguards

• Communications: avoid unnecessary disclosures of PHI by monitoring voice levels on the phone or when talking with clients or others in clinic. Do not have discussions about clients in other parts of the building.
• Sign-in Sheets: avoid using last names
• Phone or Text Messages: Do not leave messages on answering machines regarding client conditions or test results. You can leave a message about an appointment if the client has given permission.
• Faxes: Use the machine in clinic; use a coversheet that includes a confidentiality notice.
• Mail: PHI mailed will be concealed.
• Copies: Only copy PHI on the SBC machine.
• Desk: Never leave a client’s medical record on your desk or computer screen open when you leave your desk. It is required to log off when leaving a workstation. In public areas, point computer monitors so that visitors or people walking by cannot view information.

Security Safeguards

SBC practices to secure data include:
• Always lock up paper files in locking cabinets
• Keep clinic locked when not occupied by SBC staff
• Lock up all documents containing PHI (lab book, appointment schedule, lab reports, medical records, referrals)
• Transport clinic records containing PHI in locked bins via courier
• Monitor visitors/clients in clinic
• All SBC providers must use their assigned unique MPS network password – do not share login passwords
• PHI cannot be transmitted using email
• Computing devices must be physically secured via use of locking cables for laptops.
• All electronic computing and communication devices must be stripped of all PHI prior to disposal or re-use.

Record Retention

• HIPAA related documentation must be maintained for 6 years. This requirement applies to accounting for disclosures records, authorizations, data use agreements and any other.
• SBC follows City record retention schedules as required by MN Law.
• Inactive client files are transported annually to department archive files for 3 years, then are located in the City archive. Refer to the SBC record archive policy.

Federal Family Education Rights & Privacy Act (FERPA)

• “Education Records” covered by FERPA includes health information included in education records

• Intended to protect the privacy of educational records & assure parental access to records

• Education Records are Excluded from definition of “protected health information” in HIPAA privacy rule

• Educational Records do not include oral communications

Who Are Business Associates?

• HIPAA defines business associates as entities outside of the SBC that perform or assist SBC in performing activities that require the use or disclosure of PHI. These activities include claims processing, data analysis, billing, or practice management.

• Business associates can include lawyers, actuarial professionals, accountants, health care consultants, transcription agencies, computer support, and billing companies.

• Business associates are covered entities under HIPAA and are directly accountable for compliance with regulations.

• SBC business associates are Pat Neska, Fairview Lab, pending for NexGen, Gateway clearinghouse

• Disclosure of PHI to a business associate requires an executed Business Associate Agreement.

HIPAA Compliance

• Compliance is no longer voluntary
• State Attorneys General are authorized to conduct independent investigations
• Office of Civil Rights is named the enforcement agency for both privacy & security breaches
• Breach Notification Rule covers both covered entities and Business Associates
• Covered Entities must report all unsecured security breaches to HHS

Complaints and Breaches

• All violations and breaches, including lost or stolen PHI, must be reported immediately to SBC Privacy Coordinator
• Complaints regarding privacy may be referred to City Privacy Officer
• Staff are prohibited from intimidating clients who wish to make a complaint
• You may also anonymously report violations to the US Department of Health and Human Services.

Sanctions

Violations of SBC privacy or security policies may result in
• Disciplinary action including termination
• Revocation by licensing boards
• Fines and/or criminal prosecution


Penalties for Noncompliance: Civil

HIPAA's enforcement provisions authorize the Secretary of Health and Human Services to impose penalties on non-complying entities.

Definitions

Reasonable cause: circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated.

Reasonable diligence: the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.

Willful neglect: conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.

Violation Category               Each Violation     All Such Violations of an Identical Provision in a Calendar Year
Did Not Know                     $11-$50,000        $1,500,000
Reasonable Cause                 $1,000-$50,000     $1,500,000
Willful Neglect - Corrected      $10,000-$50,000    $1,500,000
Willful Neglect - Not Corrected  $50,000            $1,500,000


Penalties for Noncompliance: Criminal

• Covered entities and specified individuals, as explained below, who "knowingly" obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment up to one year.

• Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison.

• Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000, and imprisonment for up to ten years.

Covered Entity and Specified Individuals
The DOJ concluded that the criminal penalties for a violation of HIPAA are directly applicable to covered entities, including health plans, health care clearinghouses, health care providers who transmit claims in electronic form, and Medicare prescription drug card sponsors. Individuals such as directors, employees, or officers of the covered entity may also be directly criminally liable under HIPAA in accordance with principles of "corporate criminal liability." Where an individual of a covered entity is not directly liable under HIPAA, they can still be charged with conspiracy or aiding and abetting.

Knowingly
The DOJ interpreted the "knowingly" element of the HIPAA statute for criminal liability as requiring only knowledge of the actions that constitute an offense. Specific knowledge of an action being in violation of the HIPAA statute is not required.

HIPAA Contacts and Links

• U.S. Department of Health & Human Services Office of Civil Rights (OCR): www.hhs.gov/ocr/hipaa/privacy.html
• Approved HIPAA policies and forms will be on the new SBC web page: www.minneapolismn.gov/dhfs/sbc_clinicsource


SBC HIPAA Compliance Policy: Privacy
