DIRECTIONS

HIPAA Privacy/Security and Personal Privacy Training

1. Read through the entire online training presentation.
2. Close the presentation and click on Online Trainings on the Intranet home page.
3. Click on the HIPAA & Privacy On-line Test.
4. Complete the test and submit.
5. Double check that you entered your email address correctly.

HIPAA PRIVACY

What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. Among other things, the law includes the Privacy Rule, which creates national standards to protect the privacy of individuals' protected health information (PHI), and the Security Rule, which establishes standards for securing PHI in electronic form.
Catholic Charities and HIPAA

Catholic Charities has a Privacy Officer and a Security Officer for direction and guidance on policy and practice:
- Michele Adams (Privacy Officer), 440-843-5578
- Glenda Buzzelli (Security Officer), 216-334-2916

Catholic Charities is required to provide annual HIPAA training to all staff.

What is PHI?

PHI includes all individually identifiable health information relating to the:
- Past, present or future physical or mental condition of an individual
- Provision of health care to an individual
- Past, present or future payment for the provision of health care to an individual

Health information is individually identifiable if it contains any of the following:
- Names
- Geographic subdivisions smaller than a state
- Dates directly related to an individual, including birth date and health care service admission or discharge dates
- Telephone numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Certificate/driver's license numbers
- Full-face photographic images and any comparable images
- Any other unique identifying number, characteristic or code

Who is subject to the HIPAA Privacy and Security Rules?

Entities covered by HIPAA are:
- Health care providers
- Health plans
- Health care clearinghouses (e.g., billing agents)

Catholic Charities is a covered entity as a health care provider. Health information collected and/or used by our staff is PHI and subject to the Privacy and Security Rules.

What are the limitations on how we can use PHI internally or disclose PHI externally?

The Privacy Rule establishes permitted uses and disclosures of PHI by covered entities such as Catholic Charities. When PHI is shared within Catholic Charities it is being used; when PHI is shared outside of Catholic Charities it is being disclosed.

You could be using or disclosing information:
- Verbally
- Via email
- In a file or on paper
- On a computer
- By fax
- On a flash drive
The Privacy Rule allows the use or disclosure of PHI:
- For treatment
- For payment
- For health care operations
- With authorization by the individual
- When compelled by law

How do I know if I can share PHI?

You can determine whether you can use or share PHI by answering the following questions:
1. Is the disclosure for treatment, payment or health care operations purposes?
2. If not, do you have authorization from the client or legal guardian?
3. If not, is there a legal requirement for disclosure?

If the answer is yes to any of the above, you may share PHI both within and outside Catholic Charities.

Minimum Necessary Disclosure

Even if use or disclosure of PHI is permitted, we must ensure that we are using or disclosing only the minimum necessary information permitted under the Privacy Rule. The following questions help to determine whether a request, use or disclosure is the minimum necessary:
- What is the specific purpose for the request, use or disclosure?
- Exactly what information is required to accomplish the goal?
- Are you requesting/using/disclosing any information that is not relevant to the stated purpose of the request/use/disclosure?
- Are you requesting/using/disclosing an entire record without the need for the entire record having been specifically identified?

Protecting PHI from Accidental Disclosure

Take care to protect PHI from accidental disclosure:
- Never release any item of personal information to anyone (except that individual or their legal representative) without the individual's knowledge and written approval.
- Double check the fax number to be sure it is correct, and be sure the intended recipient is available to pick up the fax when it is delivered.
- Don't send PHI by email.
- Keep all files containing PHI locked in file cabinets; don't leave papers or files lying out.
- Don't share client names and other identifiers in conversations that others may overhear.
- Place computer screens so they are not readily visible to people passing by.
- Password protect all computer files containing PHI, and don't share passwords.
Client Rights

Clients have the following rights regarding their information:
- To see their records
- To make copies of their records
- To correct any inaccuracies in their records
- To request restrictions on confidential information
- To know when, how, why, with whom and by whom their information was used or shared

De-Identifying Information

PHI cannot be disclosed without consent unless it is de-identified.

Example: A group counseling progress note was cited in the last audit due to problems with the documentation. The supervisor made copies of the progress note to pass out at a staff meeting so that the staff could see a noncompliant note that resulted in a payback. The progress note should not have been used/disclosed unless it had been de-identified.

What is de-identified information?

Information that could not otherwise be used or disclosed without consent can be used if it has been de-identified. To de-identify, all elements must be removed that make it possible to identify the individual to whom it pertains: remove names (client and family members), dates related to the individual, telephone numbers, email addresses, zip codes, Social Security numbers, etc.

Definitions

Confidential Information: any item of personal information that can be associated with an individual and is not readily available to the public.

Consent for Release of Information form: used to obtain information from other individuals or organizations.

Information Transmittal form: used, prior to disclosure, to obtain the approval/signature of the clinical supervisor when a valid authorization request has been received.

Minimum Necessary Disclosure: limits the information to the minimum amount necessary to accomplish the intended purpose of the use or disclosure.

Notice of Privacy Practices: program participants receive this at the beginning of services to ensure they are aware of and informed about Catholic Charities' privacy practices.
Protected Health Information (PHI): individually identifiable information relating to the past, present or future physical or mental condition of an individual, the provision of health care to an individual, or payment for health care provided to an individual. PHI includes information in any format: paper (written), electronic, oral, photographs, videotapes and other types of images.

Privacy Officer: consulted whenever a situation presents itself that could involve the disclosure of information without the individual's knowledge or approval.

Security Officer: consulted for loss or destruction of electronic protected health information, unauthorized access to computer systems, and questions regarding systems security and staff security access to electronic protected health information.

Policies and Procedures

Number            Policy
HIPAA 001.00      HIPAA Privacy Policy
HIPAA 002.00      HIPAA Security Policy
001.0 - 012.00    Information Services Policies
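The de-identification guidance above (remove names, dates related to the individual, telephone numbers, email addresses, zip codes, Social Security numbers and similar identifiers before a record such as the audited progress note is reused) can be made a repeatable check instead of a manual read-through. The following Python script is an added example; it is not part of this training deck or of any Catholic Charities system, and the field names, identifier patterns and sample record are constructed for illustration. It drops the direct-identifier fields the slides list, reduces client-related dates to the year (an assumption here: the HIPAA Safe Harbor method permits retaining the year, while the slide's stricter guidance is to remove dates outright), scrubs identifiers that leak into free-text progress notes, and then runs a release gate that refuses any record where an identifier pattern is still present.

```python
"""De-identify a client record before reuse (added example, not part of the
training deck). Field names, patterns and the sample record are constructed
for illustration; adapt them to the real record layout."""
import re
from copy import deepcopy

# Direct identifiers named on the slides (names, geography below state level,
# phone, email, SSN, medical record number, plan ID, licence, photos). Dropped.
DIRECT_IDENTIFIER_FIELDS = {
    "client_name", "guardian_name", "street_address", "city", "zip",
    "phone", "email", "ssn", "medical_record_number", "health_plan_id",
    "drivers_license", "photo_ref",
}

# Dates tied to the individual: reduced to the year (assumption: Safe Harbor
# permits keeping the year; delete the field entirely if policy requires).
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date", "service_date"}

# Identifiers that leak into free text such as progress notes. Applied in this
# order so that, e.g., an MRN's digits are not later mistaken for a zip code.
FREE_TEXT_PATTERNS = [
    ("[SSN]", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("[PHONE]", re.compile(r"(?:\(\d{3}\)\s*|\b\d{3}[-.])\d{3}[-.]\d{4}\b")),
    ("[EMAIL]", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("[DATE]", re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b")),
    ("[MRN]", re.compile(r"\bMRN[:#]?\s*\d+\b", re.IGNORECASE)),
    ("[ZIP]", re.compile(r"\b\d{5}(?:-\d{4})?\b")),
]


def year_only(value: str) -> str:
    """Keep only the four-digit year from a date such as 03/14/1985 or 2023-05-02."""
    match = re.search(r"\b(?:19|20)\d{2}\b", value)
    return match.group(0) if match else ""


def scrub_text(text: str, names: list[str]) -> str:
    """Replace identifier patterns, then each token of the known names, with labels."""
    for label, pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    for name in names:
        for token in name.split():
            token = token.strip(".,")
            if len(token) > 1:  # skip initials such as "Q."
                text = re.sub(r"\b" + re.escape(token) + r"\b", "[NAME]", text, flags=re.IGNORECASE)
    return text


def deidentify(record: dict) -> dict:
    """Return a copy of the record with the slide-listed identifiers removed."""
    out = deepcopy(record)
    names = [str(record[f]) for f in ("client_name", "guardian_name") if record.get(f)]
    for field in list(out):
        if field in DIRECT_IDENTIFIER_FIELDS:
            del out[field]
        elif field in DATE_FIELDS:
            out[field] = year_only(str(out[field]))
        elif isinstance(out[field], str):
            out[field] = scrub_text(out[field], names)
    return out


def residual_identifiers(record: dict) -> list[str]:
    """Release gate: list every identifier still present; empty means the record may go out."""
    found = []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            found.append(f"{field}: direct identifier field present")
        if isinstance(value, str):
            found.extend(f"{field}: {label}" for label, pattern in FREE_TEXT_PATTERNS if pattern.search(value))
    return found


# Constructed sample resembling the audited group counseling progress note.
SAMPLE_RECORD = {
    "client_name": "Jane Q. Example",
    "guardian_name": "",
    "date_of_birth": "03/14/1985",
    "street_address": "123 Main St",
    "city": "Cleveland",
    "state": "OH",
    "zip": "44113",
    "phone": "216-555-0142",
    "email": "jane.example@example.com",
    "ssn": "123-45-6789",
    "medical_record_number": "MRN 7788123",
    "service_date": "2023-05-02",
    "program": "Group counseling",
    "diagnosis_code": "F41.1",
    "progress_note": (
        "Jane Example attended group on 5/2/2023. Client reports improved sleep. "
        "Follow-up call to 216-555-0142 or jane.example@example.com scheduled; "
        "MRN 7788123. Billing payback flagged for this note."
    ),
}

if __name__ == "__main__":
    clean = deidentify(SAMPLE_RECORD)
    problems = residual_identifiers(clean)
    print(clean["progress_note"])
    print("release blocked:" if problems else "ok to share for training review", problems)
```

The state field survives because a state is the smallest geographic unit the slides allow, while city and zip are dropped. The release gate is deliberately separate from the scrubber: it re-scans the output with the same patterns, so a record edited by hand, or one where a pattern was missed, is caught before it is passed around a staff meeting.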
HIPAA SECURITY

HIPAA Security

A second component of the Health Insurance Portability and Accountability Act of 1996, the Security Rule established a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations must put in place.

HIPAA Security: The Basics

The Security Rule applies to electronic protected health information (EPHI): health information in electronic form that would allow someone to identify an individual. It protects the confidentiality, integrity and availability of EPHI.

Examples:
- An intake form with client name and address
- A billing transmission with a Social Security number and a diagnosis

Catholic Charities must have reasonable safeguards in place to protect EPHI against risks. These safeguards are in three categories:
- Administrative
- Physical
- Technical
Administrative Safeguards

Some examples of administrative safeguards:
- Having a named HIPAA Security Officer
- Having a plan for security incidents and a disaster recovery plan for IT
- Training staff on security practices
- Having policies to describe and enforce safe practices in protecting information

Physical Safeguards

Some examples of physical safeguards in use by Catholic Charities:
- Locks on server room and records room doors
- Locking computers with passwords
- No use of personal computers for work
- No writing passwords on sticky notes and leaving them on monitors!

Technical Safeguards

Some examples of technical safeguards related to HIPAA Security:
- Limiting users on the network to access only what they need to access
- Ensuring that activity on the network is logged and reviewed
- Locking network ports to use by a single machine
- Using secure transfer methods for transmitting client data

Other Safeguards

It is important for staff to understand where EPHI is stored and how it is accessed. An inventory should be developed to catalog where this information is stored and how it is accessed, so that vulnerabilities can be assessed. Reduce the number of locations where PHI is stored; move to single data sources to improve control.
Other Safeguards (continued)

It is a good practice to walk through your site to see where information may be accidentally discoverable:
- What information is on your sign-in sheet?
- How are the computer screens hidden from view?
- Are programs left open with client data on the screen?

PERSONAL PRIVACY

Catholic Charities collects, maintains and uses employee personal information to satisfy business needs and conform to applicable legal requirements. Catholic Charities preserves privacy for the employee by limiting access only to those who have a legitimate need to know.
Personnel files are continually reviewed and updated. Examples of personal information which may be in personnel files include, but are not limited to:

- Hiring information: employment applications, résumés, employment offer letters, acceptance letters, commendations, verification (copies) of credentials, employment references, verification of employment eligibility (I-9), criminal records check information and/or notification of charge(s)/conviction(s) of criminal offense(s).
- Wage or salary information: compensation change documentation.
- Work-related information: performance evaluations, hire dates, disciplinary warnings, layoff notices, documentation pertaining to leaves of absence, attendance records.
- Educational information: documentation from high schools, colleges, technical schools, training courses and workshops, system and site orientations, acknowledgement of receipt of the employee handbook.

A separate employee benefit file is retained for each employee. This file is separate from the personnel file. Benefits information may include birth date, medical records, authorization to pay deductions and withholdings, and retirement records. This information is only released on a strict need-to-know basis.

An employee must authorize, in writing, the release of information from his/her personnel file if the request is from an external source.
Information is released in response to authorized requests from law enforcement agencies, including investigations, summonses, subpoenas and judicial orders. Catholic Charities does not need to inform an employee that personal information has been disclosed to law enforcement agencies if it concerns an investigation of the employee's conduct, especially when the employee's actions endanger other employees, security and/or property.

The information discussed above references the paper personnel files maintained by the Human Resources Department. Please note that the same rules regarding the confidentiality of employees' personal information apply to electronic files.
Additionally, the requirement to maintain the confidentiality of employees' personal information extends beyond employees of the HR department and applies to employees of the Finance department and the Information Services department as well. More broadly, Catholic Charities expects that any employee who may gain knowledge of employee personal information in the course of his or her work will maintain the confidentiality of that information.