DHS Privacy Training - South Dakota

Transcription

DHS Privacy Training
HIPAA: It’s the Right Thing to Do

DHS Privacy Training: Privacy Rules & Regulations
Health Insurance Portability & Accountability Act

HIPAA Privacy Rules protect you & your clients/patients

DHS Privacy Training: Privacy Rules & Regulations
HIPAA will change:
- How you work
- How you use & share information
- Forms
- Work site

DHS Privacy Training
Training will provide overview of:
- HIPAA & new DHS privacy requirements
- Definitions of terms

DHS Privacy Training: Definitions
“Portability”: Making information easier to transfer to health care providers

HIPAA applies to all formats:
- Electronic
- Written
- Spoken

DHS Privacy ity for keeping information private

DHS Privacy Training: Definitions
Includes information al & mental health
- Treatment
- Payments
  - Insurance claims
  - Billing

DHS Privacy tion
HIPAA protects “PHI”
DHS protects all confidential client/patient information

DHS Privacy Training: Definitions
“Covered Entities”: People & organizations that must comply with HIPAA

DHS Privacy Training: Summary
Use your best judgment
Remember that HIPAA is not about:
- Refusing to share information, or
- Whether to work together
It’s about privacy protection

DHS Privacy Training: Summary
DHS Policies & Procedures
1. General Privacy
2. Client/Patient Privacy Rights
3. Uses & Disclosures
4. Minimum Necessary
5. Administrative, Technical & Physical Safeguards
6. Research & Waivers
7. De-Identification
8. Business Associates
9. Enforcement, Sanctions & Compliance

General Privacy
As a DHS employee, you:
- Have access to information that must be safeguarded
- Must understand:
  - How to use information
  - When to use it
  - When not to use it
- Must sign a “Privacy Program Statement of Understanding,” DHS Form 2091.

General Privacy
HIPAA Privacy Rules cover PHI

General Privacy
HIPAA Privacy Rules cover PHI
- See DHS “Notice of Privacy Practices”
DHS Privacy Rules cover all information

General Privacy
DHS keeps information about:
- DHS Clients/Patients
- Participants
- Licensees & Providers

General Privacy: DHS Clients/Patients

General Privacy: DHS Clients/Patients
- DHS Services
- Guardianships
- Outpatient
- Community Programs

All client and patient information is confidential
When can you use & disclose information?
- With authorization of client/patient or personal/legal rep
- If permitted by DHS “Uses & Disclosures” policy

Provide, use & disclose minimum necessary

General Privacy: DHS Clients/Patients
“DHS Notice of Privacy Practices”
- Provide to all clients, patients & applicants
- Describes client/patient rights re: use & disclosure

General Privacy: Participants
Must take “reasonable steps” to safeguard information
Is information “individually identifiable”?
If yes, it’s subject to:
- Federal & state restrictions
- DHS policies

General Privacy: Licensees & Providers
Need to safeguard:
- Confidential information
- Information on client/patient payment responsibility
- Client/patient information obtained during oversight activities

General Privacy
When DHS policies conflict with laws, regulations or court orders:
- Follow the stricter standard
- Consult supervisor

Client/Patient Privacy Rights
Clients/Patients can access:
- Their own information
- Information DHS used to make decisions
Such as:
  - Drug test results

Client/Patient Privacy Rights
Clients/Patients cannot access:
- Psychotherapy notes
- Information used in civil, criminal or administrative proceedings

Client/Patient Privacy Rights: Denial of Access
DHS can deny access if:
- May result in risk or harm

Client/Patient Privacy Rights: Denial of Access
Does DHS have to let client/patient review denial?
NO, if:
- Information obtained under confidentiality promise
- Must be someone other than health care provider
YES, if:
- Information may endanger life or safety

Client/Patient Privacy Rights: Alternatives
Can request DHS to send information:
- By alternative means
- To alternative location
So it won’t be seen by:
- Family members
- Abuser

Client/Patient Privacy Rights: Alternatives
Requests for alternatives:
- Must specify how or where to receive information

Client/Patient Privacy Rights: Accounting of Disclosures
Who received information & PHI from DHS?

Lists disclosures for last 6 years
Will not include requests:
- Made before April 14, 2003
- Authorized by client/patient
- Made for treatment, payment & health care operations

Client/Patient Privacy Rights: Accounting of Disclosures
DHS can suspend right to receive accounting if it impedes work of health oversight agencies or law enforcement

Client/Patient Privacy Rights: Restrictions
Clients/patients can request disclosure restrictions on information that is:
- Required for treatment, payment, or health care operations
- Disclosed to person involved in care

DHS can limit or deny restriction

Client/Patient Privacy Rights: Restrictions
DHS cannot agree to restrict disclosure if it would:
- Adversely affect care
- Limit or prevent payment for services
Or if:
- Client/patient needs emergency treatment

Information is confidential under state law if it concerns:
- Mental health treatment
- STDs
- Alcohol and Drug treatment

Must document:
- All requests for restriction
- Reasons for denying or granting requests

Client/Patient Privacy Rights: Amendments
Clients/patients can request amendment if information is not:
- Accurate
- Timely
- Relevant
- Complete

Clients/patients must:
- Provide reason
DHS must:
- Honor valid requests

DHS can deny requests
For example:
- If information is accurate & complete

Client/Patient Privacy Rights: Complaints
Clients/patients can file complaints about:
- Improper use & disclosure
- DHS privacy policies
- DHS compliance with policies

DHS must provide information on how to file complaints

Cannot retaliate against complainant

Client/Patient Privacy Rights: Complaints
Cannot retaliate against complainant
Cannot require client/patient to relinquish rights as condition

Client/Patient Privacy Rights: Complaints
All complaints & actions must be documented

Uses & Disclosures
Generally need signed authorization to release information

Uses & Disclosures
Authorizations are generally voluntary
Cannot make authorization a condition of:
- Treatment
- Payment
- Enrollment in health plan
- Eligibility for benefits
Unless:
- Providing research related treatment
- Determining eligibility
- Preparing PHI solely for disclosure

Uses & Disclosures
How do you get client/patient authorization?
- Authorization Form
- Must be completed jointly
- Cannot combine voluntary & required authorizations

Uses & Disclosures
When is authorization
Required?
- Disclosure from banks for financial qualification
- If not disclosed, client/patient is not eligible
Voluntary?
- Exchange of information with therapist
- If not disclosed, client/patient is still eligible

A valid authorization form includes:
- Required elements

Once form is signed:
- Keep signed copy
Before disclosing information:
- Verify identity
- Make sure person has authority

Uses & Disclosures: Verbal Authorization
Use for disclosure to “previously named” person
- Document oral communication in client/patient’s case file
- Inform client/patient in advance
Client/patient must agree, object, or restrict disclosure

Uses & Disclosures: Limited Disclosures without Authorization
1. Individual requests PHI
Cannot include:
- Psychotherapy notes
- Information that could cause harm
- Documents protected by attorney privilege among other information

Uses & Disclosures: Limited Disclosures without Authorization
2. Information for payment, treatment & health care operations

3. Psychotherapy notes for limited purposes
- To provide treatment
- To train mental health practitioners
- For health oversight activities
- To defend DHS in legal action

4. Adult abuse or neglect

Uses & Disclosures: Limited Disclosures without Authorization
4. Adult abuse or neglect
Can disclose PHI if:
- Serious harm may result without it
- Required by law
- Person agrees to disclosure
What if victim is incapacitated?
Can disclose to public official if:
- Information won’t be used against victim
- Waiting would affect law enforcement

5. Health oversight

Uses & Disclosures: Limited Disclosures without Authorization
5. Health oversight
Can make disclosures to:
- Government agencies & benefit programs
- Entities seeking compliance information

6. Judicial & administrative proceedings
- Provide only PHI specified in the Court Order
- Requires subpoena, discovery request, other legal process
- Recipient must make reasonable attempts to notify individual or secure protective order

Uses & Disclosures: Limited Disclosures without Authorization
6. Judicial & administrative proceedings
Exception:
- Special court order required for PHI about:
  - Alcohol or drug treatment client/patient

7. Law enforcement
- Can report wounds & injuries
- Can disclose PHI to comply with legal orders
- Can disclose to help identify or locate someone

Uses & Disclosures: Limited Disclosures without Authorization
7. Law enforcement
Cannot disclose PHI related to:
- DNA or DNA analysis
- Dental records
- Bodily fluids or tissues

Crime victims must agree to disclosure orally or in writing

In cases of incapacitation or emergency, you can disclose PHI if:
- Someone other than victim broke the law
- Information will not be used against victim
- Law enforcement cannot wait
- DHS determines it is in the person’s best interests

Uses & Disclosures: Limited Disclosures without Authorization
8. Specialized government functions
Can disclose to:
- Military command authorities re: Armed Forces personnel
- Federal officials engaged in national security activities

9. Correctional institution & law enforcement officials

Uses & Disclosures: Limited Disclosures without Authorization
9. Correctional institution & law enforcement officials
- To provide inmate health care
- To protect health & safety of inmates

10. For DHS internal communications
Disclose “minimum necessary” only

11. Coroners & medical examiners
12. Funeral directors
13. Organ procurement organizations
14. Research purposes
15. To avert serious threat to health or safety
16. In case of emergency

Uses & Disclosures: Re-Disclosure
Recipient may disclose PHI to third party
Once PHI leaves DHS, it’s no longer protected by DHS policy
Laws prohibit re-disclosure about:
- HIV/AIDS
- Genetics
- Mental health or developmentally disabled clients/patients
- Alcohol & drug treatment
- Vocational rehabilitation

Uses & Disclosures: Revocation
Written authorizations can be revoked
- Must be in writing
- Must be signed
Exception:
- Drug & alcohol treatment clients/patients can give oral revocation unless court ordered to treatment
- Revocation cannot apply to information already released

Minimum Necessary
Disclose & use least amount of information needed to accomplish purpose

Minimum Necessary
Disclose & use least amount of information needed to accomplish purpose
- Make reasonable effort to limit disclosures & requests while having enough information to do your job

Minimum Necessary: Disclosing Information
Disclosure is “minimum necessary” if:
- Authorized public official requests “minimum necessary” & has client/patient permission
- Requester is “covered entity” under HIPAA
- DHS employee or business associate uses information for DHS purposes & requests “minimum necessary”
- For qualified research purposes

Minimum Necessary: Disclosing Information
Cannot disclose entire record unless justified

Refer to “Uses & Disclosures” for disclosure guidelines

Routine & Recurring

Minimum Necessary: Disclosing Information
Routine & Recurring
DHS will identify:
- What type of information to disclose
- Who can receive it
- Conditions of access
Decisions apply to all subsequent disclosures

Can access & use information to do your job only while at work

Not Routine
Not compatible with original purpose.

Minimum Necessary: Disclosing Information
Is disclosure routine or not?
- Who is requesting information?
- Purpose of request?
- Handle non-routine disclosures on case-by-case basis
- Limit disclosures to “minimum necessary”

Non-routine disclosures are not common

Minimum Necessary: Disclosing Information
If disclosure is routine:
- Make sure DHS policies & rules permit requested use
- Identify what kind of information is needed
- Identify how much information is needed

Minimum Necessary: Accessing & Using Information
How do you know if it’s “minimum necessary”?
- Depends on job
- Is information needed to answer questions?
If uncertain, check with:
- Supervisor or HIPAA Privacy contact

Minimum Necessary: Accessing & Using Information
Do not request entire record without justification
For routine & recurring requests:
- Limit information requested to “minimum necessary”
For non-routine requests:
- Limit information requested to “minimum necessary”
- Handle on case-by-case basis
- Document request & disclosure

Minimum Necessary
Does not apply to requests & disclosures:
- To health care providers involved in client/patient’s treatment
- To Secretary of Health & Human Services
- To client/patient
- Authorized by client/patient
- Required by law
- Required by HIPAA for electronic transactions

Administrative, Technical & Physical Safeguards
Must take reasonable steps to safeguard information against privacy violations
Whether violation is:
- Intentional or unintentional
- On paper, electronic, oral or visual

Administrative, Technical & Physical Safeguards: “Reasonable safeguards”
Cannot guarantee privacy from “any & all potential risks”
Must take workplace circumstances into account, including:
- Effects on care
- Expense
- Administrative burden

Administrative, Technical & Physical Safeguards: “Safeguards Assessment Tool”
“Safeguards Assessment Tool” will help you:
- Assess security of PHI
- Improve privacy protection

Administrative, Technical & Physical Safeguards: “Safeguards Assessment Tool”
“Safeguards Assessment Tool” will help you:
- Assess security of PHI
- Improve privacy protection
Administrators or Directors will determine “reasonable safeguards” for each office or facility

Administrative, Technical & Physical Safeguards: Employees can help each other
Help each other by:
- Pointing out potential problems

Administrative, Technical & Physical Safeguards: Workplace Practices
Confidential information

Administrative, Technical & Physical Safeguards: Workplace Practices
Confidential information
- Paper
  - Must be in locked storage
  - or otherwise safeguarded by “reasonable efforts”
Before disposal:
- Retain records for required time
- Store in containers labeled “confidential”
- Secure after business hours

If no lockable storage is available, use reasonable procedures to minimize access

Administrative, Technical & Physical Safeguards: Workplace Practices
Confidential information
- Paper
  - Shred on regular basis
- Oral
  - Make sure you’re not overheard
  - Use designated rooms
  OR
  - Use “reasonable safeguards”

What are “reasonable safeguards”?

Administrative, Technical & Physical Safeguards: Workplace Practices
Confidential information
- Oral
What are “reasonable safeguards”? In part, depends on location of conversation:
  - Low-risk locations (enclosed rooms)
  - Medium-risk locations (individual cubicles)
  - High-risk locations (public areas)

Confidential information
- Visual
  - Computer screens
  - Paper documents on faxes, copiers & printers
  - Paper documents left in common areas

Administrative, Technical & Physical Safeguards: Workplace Practices
Confidential information
- Visual
  - Computer screens
  - Paper documents on faxes, copiers & printers
  - Paper documents left in common areas
Safeguard paper documents
Use “minimum necessary”

Research & Waivers
What is research?
- Contributes to knowledge of population as a whole
- Based on sample
- Includes development, testing & evaluation

Research & Waivers
When can you disclose information?
- With client/patient’s written authorization
- Without client/patient’s written authorization
  - Requires waiver approved by:
    - Institutional Review Board (IRB)
    - DHS Privacy Board

Research & Waivers: Disclosure Without Authorization or Waiver
Requests for PHI before research begins
- Does research fall under HIPAA exceptions?
OR
- Do other laws permit disclosure?
Researcher must agree to certain conditions in writing
In case of doubt, request review & waiver

Research & Waivers: Disclosure Without Authorization or Waiver
Requests for PHI about deceased
- Does research fall under HIPAA exceptions?
OR
- Do other laws permit disclosure?
Check policies or ask HIPAA Privacy Contact
Disclosure may be inappropriate

Research & Waivers: Disclosure Without Authorization or Waiver
Requests for PHI about deceased
In case of doubt, request review & waiver

De-Identification
De-identified information:
- Does not specifically identify people
- Doesn’t need privacy protection
- Can be used by anybody for any purpose

De-Identification
How do you know if information is properly de-identified?

De-Identification
How do you know if information is properly de-identified?
1. Statistician (or other professional) de-identifies information
2. DHS removes identifiers for individual, relatives, employers & household members:
   A. Names
   B. Geographic information (smaller than state)
   C. All specific dates except year
   D. Telephone numbers
   E. Social Security numbers
   F. Medical record numbers
   G. Health plan beneficiary numbers
   H. Unique characteristic, number or code

De-Identification
How do you know if information is properly de-identified?
If individual cannot be identified based on information:
- Provided, or
- Combined with other information

De-Identification: Limited Data Sets
- Do not contain direct identifiers
- Can contain “potentially identifying” information

De-Identification: Limited Data Sets
Can be used:
1. By DHS (for its own work)
2. For research & non-governmental public health purposes
   - Requires data use agreement

De-Identification
- DHS is not obligated to disclose information
- Other disclosure policies may apply

De-Identification: Re-Identifying Information
- Enables you to check original records
- Re-identification process done at DHS
- Process cannot be disclosed

Business Associates
New category of business relationship
Business Associates are:
- Not DHS employees
- Contractors or business partners
- Work on behalf of DHS
- Require disclosure of PHI

DHS Business Associates
Examples:
- Food management
- Psychiatric services
- Computer services
- Legal services
- Medical services
- Financial services

Summary
A Business Associate:
- Provides specific services on behalf of DHS that require use or disclosure of PHI.

Business Associates
Must have:
- Legal contract, or
- Memorandum of Understanding
Must require:
- Safeguards

Business Associates: Government Agency?
- Provides specific services on behalf of DHS that require use or disclosure of PHI.

Can You Disclose PHI to Government Agencies?
Only if they are involved in:
- Paying for health care services
- Providing health care services
- Processing claims

Business Associates: Government Agency?
DHS should have Memorandum of Understanding with government agencies

Summary
A Business Associate requires:
- Contract or
- Memorandum of Understanding.
to establish good-faith assurance of privacy

Business Associates
NO Business Associate relationship needed when:
- Client/patient authorizes PHI release
- DHS does not need to release PHI
- Client/patient cannot be identified

Summary
Before you execute a Business Associate contract.
- Is entity doing business on behalf of DHS?
- Will PHI be exchanged?
- Is entity an “exception”?
If you don’t need it, don’t do it!

Enforcement, Sanctions & Penalties
Employees have to:
- Safeguard PHI
- Know responsibilities under DHS policies

Enforcement, Sanctions & Penalties
What happens if you violate policies?
Subject to penalties & disciplinary action?

Enforcement, Sanctions & Penalties
What happens if you violate policies?
Subject to penalties & disciplinary action?
- You can lose your job
- Did you knowingly & willfully violate law?
If so, subject to:
  - Criminal investigation & prosecution
  - Civil penalties
DHS can be held responsible

Enforcement, Sanctions & Penalties
Retaliation is prohibited

Enforcement, Sanctions & Penalties
Retaliation is prohibited
Cannot retaliate in any way against someone who:
- Files a complaint
- Testifies or participates in an investigation
- Opposes practice they believe is unlawful
Penalties include disciplinary & legal actions

Enforcement, Sanctions & Penalties
Whistle Blowers & Workforce Crime Victims

Enforcement, Sanctions & Penalties: Whistle Blowers
A Whistle Blower discloses:
- Evidence of DHS violations of law
- On behalf of public interest

Enforcement, Sanctions & Penalties: Workforce Crime Victims
A Workforce Crime Victim:
- Victim of criminal act while on the job
- Can disclose suspect’s information to law enforcement officer
Must limit information to:
- Suspect’s name & address
- Date & place of birth
- Social Security number
- ABO blood type & RH factor
- Type of injury received
- Date & time of treatment
- Date & time of suspect’s death
