HIPAA Training
What information is considered PHI (Protected Health Information) Dates- Birthdays, Dates of Admission and Discharge, Date of Death. Address, Phone Number, Address, Fax Number. Social Security Number, Medicaid ID, Medicare ID, Health Insurance ID. The individual’s past, present or future medical/mental health diagnosis, treatment or condition. The provision of health care services to the individual The past, present or future payment for the provision of health care to the individual, and that identifies the individual or for which there is reasonable basis to believe can be used to identify the individual.
ePHI- What is it and how do we protect it? ePHI is and protected health information (PHI) that is stored or transmitted electronically. ePHI is stored in our EMR, may be stored on our computer, on JASA servers and may be transmitted via , text or other online portals. ePHI should be transmitted via with extreme caution. When ing ePHI within JASA use as little information as necessary to get the job done (minimum necessary). Ensure that your is addressed to the correct recipient. Any ePHI being ed outside of JASA needs to be encrypted or sent with password protection.
How to Password Protect a Word Document Require a password to open a document Open the document that you want to help protect. On the Word menu, click Preferences. Under Personal Settings, click Security. In the Password to open box, type a password, and then click OK. In the Confirm Password dialog box, type the password again, and then click OK.
How can we protect PHI/ ePHI? Confirm fax numbers before faxing PHI to another provider. Carefully address all PHI being sent in the mail. Password protect and/ or encrypt smart phones and laptops that contain ePHI. Be mindful of where you discuss an individual’s diagnosis, treatment or condition. Keep all PHI out of sight and put away in locked draws or chart rooms. Keep ePHI out of view by positioning monitors in a way that others cannot view information when passing by. Staff should only view client records, when for business purposes, there is “need to know.”
HIPAA Privacy Rule and Sharing Information Related to Mental Health The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule provides consumers with important privacy rights and protections with respect to their health information, including important controls over how their health information is used and disclosed by health plans and health care providers. Ensuring strong privacy protections is critical to maintaining individuals’ trust in their health care providers and willingness to obtain needed health care services, and these protections are especially important where very sensitive information is concerned, such as mental health information. At the same time, the Privacy Rule recognizes circumstances arise where health information may need to be shared to ensure the patient receives the best treatment and for other important purposes, such as for the health and safety of the patient or others. The Rule is carefully balanced to allow uses and disclosures of information— including mental health information—for treatment and these other purposes with appropriate protections.
The proper way to share PHI is with an authorization What health information will be disclosed Who will disclose the information Who will receive the information The purpose(s) for disclosing the information A statement informing the patient of (1) his or her right to revoke the authorization in writing, (2) how to revoke the authorization, and (3) any exceptions to the right to revoke A statement that JASA cannot require the patient to sign the authorization in order to receive treatment or payment or to enroll or be eligible for benefits A statement that information disclosed pursuant to the authorization may be redisclosed by the recipient and no longer protected by the federal privacy regulations A statement that the authorization will expire: (1) on a specific date, (2) after a specific amount of time (e.g., 5 years), or (3) upon the occurrence of some event related to the patient The signature of the patient and the date. Note: If the patient’s personal representative signs the authorization, the authorization also must include a description of that person’s authority to act for the patient.
When can you share information without an authorization? An authorization is not needed for Treatment, Payment or Operations (TPO) Examples: The billing department needs information about a client’s diagnosis in order to submit a claim. (Payment, Operations) A JASA therapist can share important clinical information about a client they treat with another JASA therapist who is providing back-up coverage or crisis coverage (Treatment, Operations). When sharing information for TPO the information shared should be the minimum necessary to get the job done effectively. Information can also be shared without authorization in case of an emergency where the client or others are in danger.
Minimum Necessary Members of the JASA workforce may not use, request or disclose to others, any PHI that is more than the minimum necessary to accomplish the purpose of the use, request or disclosure; Members of the workforce are required to comply with specific policies and procedures established to limit uses of, requests for, or disclosures of, PHI to the minimum amount necessary; JASA workers may not use, disclose or request an entire medical record except when the entire medical record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure or request; JASA may rely on a request from a covered entity for PHI as representing the minimum necessary for the stated purpose, if such reliance is reasonable under the circumstances, and if: The information is requested by another covered entity; or, The information is requested by a professional who is a member of the JASA workforce or is a JASA business associate; and The purpose of the request is to provide professional services to the covered entity; and The professional represents that the information requested is the minimum necessary for the stated purpose(s).
Breaches- How do they occur? A breach occurs when information that, by law, must be protected is: Lost, Stolen or Improperly Disposed of (i.e. paper or device upon which the information is recorded cannot be accounted for); “Hacked” into by people or mechanized programs that are not authorized to have access (e.g. the system in which the information is located is compromised through a “worm”), Communicated or Sent to others who have no official need to receive it (e.g. gossip about information learned from a medical record).
How Do Breaches Occur? Most breaches occur by accident- some common ways include: Sending a fax to the incorrect fax number. Mailing individual A’s information to individual B. Placing PHI in the trash rather than in bins for destruction. Losing or leaving PHI that is unsecured in public areas. Losing or having stolen a smart phone or laptop that contains ePHI. Discussing an individual’s diagnosis or treatment in a public place or in place where those not authorized to know the information can overhear. A chart has gone missing and cannot be located after a thorough search.
What Should I do if a breach has or may have occurred? As a JASA employee it is your responsibility to notify the correct people if you become aware of a possible or actual breach of PHI/ ePHI. Notify your supervisor and Notify the JASA Privacy Officer immediately: Carly Borenkind, LCSW (212) or