Privacy Laws, Practices and YOU The Mental Health Association April 2009.

Privacy Laws, Practices and YOU

The Mental Health Association

April 2009

The Health Insurance Portability and Accountability Act of 1996

“The Privacy Rule”

Standards for Privacy of Individually Identifiable Health Information

Implemented and enforced by the Office for Civil Rights

HIPAA Helps Us Know What Information Should Be Kept Confidential.

What does the Privacy Rule do?

It defines and limits the circumstances in which an individual’s protected health information may be used or disclosed.

What is “Protected Health Information”?

All individually identifiable health information maintained in any form.

Types of Protected Health Information

Past, present, or future physical or mental health.

Conversations your provider has with others in their agency about your care or treatment.

Information about you in your health insurer’s computer system.

Billing information about you at your provider’s office.

Common Identifiers

Name

Address

Birth Date

Social Security Number

Protected Health Information must be kept confidential, and shared or accessed only as the law allows.

Who Has to Comply with The Privacy Rule?

Providers who transmit health information electronically.

All “providers of medical or health services” as defined by Medicare.

Any person or organization that provides or is paid for health care.

What Information is Not Protected by HIPAA?

Employment records of the agency.

Family Educational Rights and Privacy Act (FERPA) records.

Keep in mind:

What do you think?

Sally left the completed referral form of a person who wants to participate in the Peer-To-Peer program on her desk while she took a phone call in the library.

Did this violate confidentiality standards for Protected Health Information?

Some of the Exceptions

The provider who generated the notes may use them for treatment, training, or to defend itself in court.

To determine compliance with the Privacy Rules.

To avert a serious and imminent threat to public health or safety.

What are “Serious Threats to Health or Safety?”

Telling someone they are, or someone else is, the target of a threat.

It is also lawful to disclose PHI to law enforcement if it will help them to identify or apprehend an escapee or violent criminal.

When Can Protected Health Information be Shared?

For treatment and care coordination.

To pay providers for health care or help them run their businesses.

With family, relatives, friends, and others you identify, unless you object.

For health and safety compliance checks on providers.

For public health protection.

For required police reports.

Your Permission Must be Obtained to:

Give health information to your employer.

Share or use your information for marketing or advertising.

Share private notes about your mental health counseling sessions.

Written Authorization is NOT Needed for

Treatment

Payment

Health Care Operations (i.e., satisfaction surveys)

You Have the Right to:

• Get a copy of your own health record.

• Have corrections added to the health record.

• Have an accounting of how, when, and why health information has been used and shared.

• File a complaint with the provider and/or the U.S. Government.

Additional Confidentiality for Substance Abuse Treatment

Substance abuse treatment providers must obtain written consent from a patient before disclosing any information about that person. Disclosure must meet the “minimum necessary” requirement.

Consents must be retained in the patient’s treatment file and a copy given to the patient and to the requesting program, such as IFST.

What About Minors Receiving Substance Abuse Treatment?

A minor must always sign a substance abuse treatment consent form for a program to release information even to parents or guardians.

The “Minimum Necessary”

Providers must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose.

What Do You Think?

Bob Smith called a person on his survey list to do a survey. When they began talking, he thought he recognized the person’s voice, and said, “Didn’t I meet you at the Doctor’s office last week? Do you see Dr. Jones?”

Does this meet the “minimum necessary” principle?

Keeping Information Private

Shred documents with protected health information before throwing them away.

Use a locked filing cabinet for all files with protected health information.

Use pass codes for computer access.

What do you think?

Lynn had to go to a meeting. She turned over the call list she was working on so the names didn’t show, and left. No one was in the area.

Did this violate confidentiality standards for Protected Health Information?

Yes!

She should have put the information in the filing cabinet.

She should have locked the cabinet before leaving the room.

Computer Safety

While checking her email at work, Josie notices she keeps getting obvious “spam” from a particular company and decides to respond to the company’s offer to “unsubscribe” so that she won’t receive any more emails from them. She clicks on the link and completes the process outlined there.

What did she do wrong? How could this affect confidentiality?

More Computer Safety

NEVER email an MHA client’s name, date of birth, address, phone number, social security number, MA number, etc.

Why not?

Computer Safety

Andrew was online at work and an ad popped up offering him a free program. Since it was free, he figured the agency wouldn’t mind, and downloaded it to his computer.

What did he do wrong? How could this affect confidentiality?

More Computer Safety

Do not respond to “spam.” Discard and delete it.

Do not unsubscribe from spam. It confirms your address.

Do not open email attachments if the message looks even a little bit suspicious.

Make sure every person has a password-protected account to ensure that only those who are supposed to have access to records gain access.

Make sure you password protect your PDA in case it is stolen.

Your Responsibilities

Access information only in support of your job duties.

Report lost information promptly to your supervisor.

Comply with all security and privacy policies.

Remember, YOU will be held accountable for the security of protected information.

MHA Employees Follow

HIPAA Privacy Laws

MHA policies and procedures concerning confidentiality

Program contractual obligations

Practice Time at MHA!

Janice answered the phone at MHA, and the caller asked if she could confirm that Lynn Davis was an employee of MHA. Janice said, “Oh sure! She works with IFST.”

Did she follow MHA policies and procedures in releasing that information?

No!

She should have answered only that “It is not our policy to give out that information.”

More Practice

Mary Jones is a Peer Specialist. One of her peers is in the hospital. When she goes to the clubhouse, a member there says, “Is your peer ok? I’m really worried about her and I haven’t seen her.”

What could Mary say? How does this pertain to HIPAA?

About Disclosure . . .

During a survey, the individual discloses that they are in recovery from drug addiction. The surveyor says, “I am too.”

Was the surveyor’s disclosure appropriate? What do MHA policies and procedures say about this?

More Disclosure . . .

During a survey, the individual discloses that he is struggling with thoughts of self-harm. The surveyor says, “Me too. It’s a struggle just to keep going. I have OCD as well.”

Was the surveyor’s disclosure appropriate?

More Disclosure . . .

The IFST supervisor stops in to visit with Helpline staff over the weekend. She says, “Did Fred Smith call tonight?”

What should the Helpline staff say? Does HIPAA pertain to this?

The Need to Know

MHA’s policy is that information about program participants is shared only with the supervisor of the program, the mental health professional, or the Executive Director. No one else really needs to know.

More Disclosure . . .

Jenny and Pam are Peer Specialists. Jenny says to Pam, “How is your peer coming along with his anxiety issues?”

What should Pam say?

The Need to Know

MHA’s policy is that information about peers is shared only with the supervisor of the program, the mental health professional, or the Executive Director. No one else really needs to know.

Disclosure In a Public Area

Cassie sees the case manager of a peer at the hospital. They are in the waiting room, and the case manager begins talking to Cassie about the peer.

What should Cassie do?

Disposal of Information

Jonathan has finished his shift on the helpline and is cleaning up his workspace. He tears off the papers from his notepad where he has written notes about callers and throws them away.

What should Jonathan have done with the notes?

Penalties for Non-Compliance with HIPAA

$100 per failure to comply up to $25,000/year for the agency.

$50,000 and up to one year imprisonment for a person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA law.

Privacy and confidentiality is a priority at our agency.

When in doubt, ask your supervisor.

For More Information

http://hhs.gov/ocr/hipaa

http://www.hipaa.samhsa.gov