Privacy Policies for the Healthcare Professional.


HIPAA
- Limits sharing of Protected Health Information
- Restricts employers from using Protected Health Information in employment decisions
- Requires employers & employees to adopt & apply certain procedures to safeguard Protected Health Information

Three HIPAA Rules
1. Privacy Rule protects individuals from discriminatory or wrongful use of their Protected Health Information.
2. Security Rule safeguards PHI through security officers & security measures.
3. Electronic Transactions & Code Set Rule sets standard codes for electronic transactions.

Penalties for Non-Compliance
- For knowing misuse of PHI: up to 1 year imprisonment, or $50,000 fine, or both
- For obtaining PHI under false pretenses: up to 5 years imprisonment, or $100,000 fine, or both
- For using PHI for commercial advantage, personal gain, or malicious harm: up to 10 years imprisonment, or $250,000 fine, or both
- Civil Penalties: min. $100 per client, max. $25,000 per year per client

Client Rights
- To have their Protected Health Information protected
- To inspect & copy their records
- To request their PHI records be corrected/changed
- To request limits on how their PHI is used/shared
- To request the manner in which to be contacted (at home and not at work)
- To get a list of disclosures made of their PHI

Client’s Right to Access
Clients may be charged for the costs of copying, including personnel time, supplies required, & mailing, but not for the cost associated with retrieving information. Copies for individuals other than the client may be charged at whatever rate the covered entity desires. Access may be denied if a licensed provider has determined that access may be dangerous to the client or another person. If access is denied, the covered entity must notify the individual in writing of the reason for the denial & provide the individual with access to all information that is not subject to the denial. Some denials are subject to review at the client’s request.

Client Cannot Amend
- If the covered entity did not create the information, unless the client can show that the originator is unavailable
- If the information is complete & accurate “as is”
- If the information is the type of information that would not be available for the client to access

Amendment IS Granted
- Make the amendment to the client’s records.
- Notify anyone who has received the information of the amendment.

Amendment is NOT Granted
- Notify the client in writing.
- Upon client’s request, include a copy of request for amendment in all future disclosures.
- If the client and/or covered entity adds a rebuttal statement, include that statement in all future disclosures & provide the client with a copy.

Accounting of Disclosures The first accounting in a 12-month period must be free of charge to the client. Account for all disclosures made in the previous 6 years (but after HIPAA 04/14/03). Not required to account for TPO, to client, for national security or intelligence, to correctional institutions, incidental disclosures, or disclosures pursuant to client’s written authorization.

Written Notice of Privacy Practices
Providers are required to give a written Notice of Privacy Practices that explains how they use & share PHI, clients’ rights & entity’s responsibilities regarding PHI, & who to contact for more information.

Written Notice of Privacy Practices
- Provided at the time of first delivery of services or, in an emergency, provided as soon as practicable after the emergency passes
- Posted at each physical site of service
- Posted on website (if one)
- Available upon request by anyone at the physical site of service
- Covered entity must document failed efforts to obtain a written acknowledgement of receipt

Sample Privacy Notice
We may use and disclose your PHI to a family member, friend or other person to the extent necessary to help with your healthcare or with payment for your healthcare, but only if you agree that we may do so. If you are present, then prior to use or disclosure of your health information, we will provide you with an opportunity to object to such uses or disclosures. In the event of your incapacity or emergency circumstances, we will disclose health information based on a determination using our professional judgment disclosing only health information that is directly relevant to the person's involvement in your healthcare. We will also use our professional judgment and our experience with common practice to make reasonable inferences of your best interest in allowing a person to pick up filled prescriptions, medical supplies, x-rays, or other similar forms of health information.

NOT Protected Health Information
- Pre-employment physicals or substance abuse screenings
- Family Medical Leave Act Request
- Americans With Disability Act Request
- Disability retirement or retirement savings plan withdrawals for health

Protected Health Information
- Names
- Addresses
- All dates
- Telephone/FAX numbers
- E-mail addresses
- Social Security Numbers
- Photographs
- Account numbers
- Medical record numbers
- Health plan numbers
- License & Vehicle Identification Numbers
- Diagnosis & medications
- Any other unique identifying number, characteristic, or code

Protected Health Information Use generally refers to how PHI is handled by the provider. Disclosure generally refers to how PHI is shared externally.

Protected Health Information
- Electronic: Internet, fax, disks, back-up tapes
- Paper: written or photo
- X-Rays: film or electronic
- Audio or Video
- Oral Communications: in person or by telephone or voice mail

Protected Health Information
- Sent or stored in any form
- Identifies the client or can be used to identify the client
- Created or received by a covered entity
- Concerns a client’s past, present or future treatment or payment for services

Minimum Necessary The amount of PHI used, shared, accessed, or requested must be limited to only what is needed. When a billing company bills for a blood test, it does not need the client’s complete medical record.

Minimum Necessary Workers should have ONLY such PHI as their job responsibility requires. Someone who delivers food trays may need PHI about the client’s diet but does not need to know the reason the client is in the hospital.

Covered Entities
- Healthcare Plans
- Organized Health Care Arrangements
- Healthcare Providers including doctors, nurses, therapists, & people who transmit information electronically
- Healthcare clearinghouses (DENIS, WebMD)
- Hospitals & clinics

Other Entities
- Affiliated Entities must be under common ownership or control & must prepare & retain a written designation.
- Hybrid Entities may have some covered portions & some non-covered. Firewalls are required to prevent unauthorized disclosure by the covered portion to the non-covered portion.

Business Associates Any non-employed vendor providing a service for the covered entity where access to PHI is needed must sign a Business Associate Agreement promising to keep PHI confidential. A company developing entry software must see actual PHI. Employees, volunteers, trainees are NOT considered business associates.

Information Exchange Provider Offices Banks Pharmacies Laboratories Insurance Companies Government Employers Hospitals

Mandated Transaction Standards Healthcare Claims or Encounters Healthcare Claims Status Healthcare Claims Payments & Remittance Advice Healthcare Enrollments & Disenrollments Health Plan Eligibility Health Plan Premium Payments Health Plan Claims Attachments Referral Certification & Authorization First Report of Injury Worker’s Compensation

Treatment, Payment, & Operations
- Treatment: activities related to client care
- Payment: activities related to paying for or getting paid for healthcare services
- Healthcare Operations: day-to-day activities of a covered entity such as planning, management, training, improving quality, providing service and education, but NOT research

KEY TERMS
- Consent: A general document that gives covered entities, which have a direct patient relationship, permission to use and disclose all personal health information (PHI) for treatment, payment & operation (TPO) purposes (Physician to use and disclose medical records and lab results)
- Authorization: A more customized document that gives covered entities permission to use PHI for purposes other than TPO or disclosure to a third party (Follow-up for diabetes counseling once diagnosed)

KEY TERMS
- Covered Entities: Health Plans, Healthcare Clearinghouses, Health Care Providers & extensions of provider service (financial & administrative functions)
- Business Associates: A person or entity who provides certain functions & services for or to a covered entity involving protected health information (medical waste vendor)

Prior Written Authorization
DO NOT use or disclose PHI for any non-routine purposes without prior written authorization signed by the client.
Prior Written Authorization form must include:
- The name of the person or persons authorized to make & receive the disclosure
- A description of the information to be disclosed
- The expiration date & a statement that the authorization can be revoked at any time
- The client’s or legal agent’s signature & date

Prior Written Permission NOT Required
- To treat a client, to get paid for treatment, or to evaluate the person who provided treatment
- To share PHI with that client
- To report births & deaths (public health purposes)
- For disclosure to vendors for TPO under a written contract

Prior Written Permission NOT Required
- To report abuse, neglect, or domestic violence
- For certain law enforcement
- For organ, eye, or tissue donation
- To avoid serious threats to health or safety
- For coroners, medical examiners, or funeral directors

Prior Written Permission REQUIRED For Marketing & Fundraising
A doctor cannot give a diaper company the names of pregnant clients without clients’ prior written authorization including how the PHI will be used, for how long, & by whom.

Prior Written Permission REQUIRED For Use & Disclosure of Psychotherapy Notes recorded by mental health professionals about private, group, joint, or family counseling sessions that are separate from the rest of the client’s medical records

Exceptions
- For a covered entity to train students
- For the covered entity to defend itself in a legal action brought by the individual who is the subject of the psychotherapy notes
- For coroners and medical examiners
- As necessary to prevent a serious and imminent threat to health or safety
- For health oversight activities
- Uses and disclosures required by law

Prior Written Permission REQUIRED For Use and Disclosure for Research
A researcher cannot enroll a client in a study without prior written authorization that includes how the PHI will be used, by whom, & for how long.

Prior Opportunity to Reject Required
- Facility directories
- Friends & family members involved in client care or payment
- Clergy
- Disaster relief organizations

Incidental Disclosure
Allowed if reasonable steps or safeguards are taken to secure & protect PHI.
Visitors may hear a client’s name called in a waiting room, over speakers, or overhear a clinical discussion while walking down a hallway.

Incidental Disclosure Sign-in sheets may be used but should NOT ask the reason for the visit. Charts at bedside or outside exam rooms are allowed but should face backwards. Client care signs are allowed, such as for diet needs.

Alternative Communications
You must comply with all reasonable requests about how & where to contact clients. Messages can be left on answering machines or with those who answer the phone, but the message should be limited to minimum necessary. Do NOT disclose sensitive information.

Incidental Disclosure Prescriptions can be discussed with the client over a drugstore counter or by the healthcare provider or client by telephone. PHI can be shared in group therapy settings for treatment. Clients’ conditions may be discussed in entity’s educational programs.

Incidental Disclosure You may speak to other providers or clients even if you may be overheard. You may orally arrange services at nursing stations. You may discuss a client’s condition with that client, other providers, or family members over the telephone or in a client’s semi-private room with the client’s oral permission.

Reasonable Safeguards Speak in soft tones when discussing PHI. DO NOT discuss PHI in public hallways or elevators. Use but DO NOT share computer passwords. Always lock cabinets that store PHI.

Administrative Requirements Privacy Official is responsible for developing & overseeing privacy for the covered entity. Contact Officer distributes information & receives complaints about privacy practices. (May be conducted by the Privacy Official in smaller organizations.) Must be a written designation. Training required for ALL members of the workforce, must be job-specific, and requires retraining when a change in the law affects a workforce member’s handling of Protected Health Information.

Documentation Covered entities must ADOPT & APPLY policies & document in written or electronic form. Must provide a process for receiving & addressing complaints & complaints must be documented. Retention is required for 6 years from the date the document was created or the date the document was in effect, whichever is later. The Department of Health & Human Services Office of Civil Rights will oversee compliance.

FAQ Q: Is PHI the same as the medical record? A: No, HIPAA protects more than the official medical record. A great deal of other information is also considered PHI, such as billing and demographic data. Even the information that a person is a client is Protected Health Information.

Q: What if I’m accidentally overheard discussing a client’s PHI? A: It is not a violation as long as you were taking reasonable precautions & were discussing the protected health information for a legitimate purpose. The HIPAA privacy rule is not meant to prevent care providers from communicating with each other & their clients during the course of treatment. These "incidental disclosures" are allowed under HIPAA.

Q: If I overhear patient care information in the elevator or in the hallway, how should I handle it? A: If appropriate, remind the speakers of the policy in private. If the conversation clearly violates policies or regulations, report it to the Privacy Officer.

Q: I work in the hospital and don't need to access PHI for my job, but every now & then a client’s family member asks me about a client. What should I do? A: Explain that you do not have access to that information, & refer the individual to the client’s healthcare provider.

Q: What should I do if a government agency or law enforcement person requests information about a client? A: If working with law enforcement is not part of your responsibility, contact your supervisor. If it is your responsibility, provide only the minimum amount necessary to support the investigation after verification of the authority of the individual or organization making the request. Always consult your supervisor or the Privacy Officer if you are unsure what to do. The privacy rules are very specific in this area.

Q: Do I need to record the fact that I’ve made these disclosures? A: For the most part, yes. You need to document most disclosures made without prior authorizations except disclosures made for TPO purposes. Contact the Privacy Officer for details about which disclosures do not require documentation.

Q: When I am speaking to a client & friends or family members are in the treatment room, do I assume the client has given me permission to speak of the PHI in front of these people or do I need to ask them to leave? A: It is proper to speak, unless the client objects. If you are uncertain, you can ask the client if it is okay to discuss his/her PHI in front of the person or persons in the room.

Q: Can someone else pick up a client's x-rays, prescriptions, or medical supplies? A: Yes, if in the care provider's professional judgment it is okay to give the prescriptions, x-rays, or medical supplies to that individual.

Q: What if someone from a government agency asks for protected health information? A: First determine if this is part of your job responsibility to provide such information, verify who the person is asking for such information, & then contact your supervisor.

Q: What if I get a phone call looking for information, & the caller says he/she’s the client? What should I do? A: If the request is made by phone & the requester identifies him/herself as the client, you can ask him/her to provide personal information for verification, such as his/her birth date or Social Security Number.

Q: I know that clients have a right to their PHI, but what about parents/guardians of incompetent clients? A: If someone other than the client has the legal right to make healthcare decisions for the client, that person is the client's personal representative & has the right to access the client's PHI. However, if you have good reason to believe that informing the personal representative could result in harm to the client or others, then you do not have to disclose the PHI.

Q: When the law requires me to make a disclosure, such as reporting HIV infection, do I need to tell the client that I disclosed the information? A: You need to tell the client only if he/she asks for an accounting of disclosures, & the disclosure was made without an authorization. If there is good reason to believe that informing the client could result in harm to that individual, then you may not be required to tell him/her. In some cases, government agencies can also require that the client not be informed. If you are in doubt, contact the Privacy Officer.

Q: As part of my job, I have access to a client’s PHI. How do I know which family & friends can be told this information? A: Always ask the client who can receive this information & document the client’s response in the medical record.

Q: If the client is not conscious, to whom can we disclose the PHI? A: You will have to decide this on a case-by-case basis. If you know the client's preferences, as in “you can tell my spouse, but not my sister,” then document the request & follow it. Otherwise, use your professional judgment. Always use the Minimum Necessary standard--disclose only information that is directly relevant to the person's involvement with the client's healthcare. Once a client has regained consciousness, he/she will determine when & how to share protected health information.

Q: If a client asks for his/her PHI, do I need any special identification from the client? A: If the client is asking for his/her own information, you need only to verify his/her identity.

Q: What if I get approached by someone who just says he’s a friend of a client? A: Check to see if this individual has been approved by the client for disclosure of PHI. If so, ask for one or more pieces of identification, including a picture ID.

Q: What about requests to leave protected information on voice mail, an answering machine, or FAX machine? A: If you are asked to send or leave messages, verify with the client or other approved individual that it is okay to leave messages. Make sure you confirm the number & leave only the minimum information necessary. Use a cover sheet identifying the proper recipient. Avoid leaving sensitive information in this manner.

Q: What do I do if I receive a request for PHI by FAX? A: Most often, faxed requests for PHI will come from other healthcare providers or payers, like billing agencies or insurance companies, although clients may occasionally ask to have information faxed to them. If a client, health provider, or payer requests that you fax PHI, get a specific fax number from them & double-check the number before sending.

Q: What if someone from a government agency sends a FAX asking me for information? A: Ask for the request to be on official agency letterhead & call back the indicated number to verify the request is legitimate.

Q: What if I find a FAX went to a wrong number? A: In the event that a fax went to a wrong number, try to retrieve the communication containing the PHI that was faxed to the wrong number or ensure that the information has been destroyed in a secure fashion.

Q: Is there any way I can make the process more secure? A: It’s a good idea to program commonly used FAX and telephone numbers to diminish potential dialing errors. If possible, ask the person to whom you’ve sent a FAX to confirm it was received.

Q: What if I receive a request for PHI on my pager? A: When communicating by alpha pagers, send only the minimum amount of information necessary & delete received messages once no longer needed.

Q: What if I’m not supposed to leave a message? A: If you are asked not to leave voice messages, do NOT do so. This is especially important with clients who may not want to share PHI with family members, roommates, or coworkers.

Q: What if a client requests that I communicate with him/her by e-mail? A: If your unit has specific policies regarding e-mail requests, follow them. Otherwise, here are some things you can do…

1. Inform client not to use e-mail for time sensitive matters, as you may be out of the office or busy taking care of other clients.
2. Make sure clients understand that e-mail is not secure.
3. Verify the client's identity. Ask clients if they have an e-mail address when you see them face-to-face. You may want them to complete a form authorizing e-mail contact.
4. Do not initiate e-mail with clients without first getting their permission & use only the e-mail address they provided unless they notify you of a change.

5. If you receive any request by e-mail, do not assume the sender is the person he/she claims to be, especially if the request is unexpected. If you have not previously verified an e-mail address with the client, contact either the client to verify the sender’s identity & e-mail address, or contact the person making the request by another method for verification of the e-mail address. If in doubt, talk to your supervisor. In general, be careful about sending PHI in response to e-mails because of the difficulty in identifying senders accurately.
6. Minimize the amount of information disclosed in an e-mail.

Q: What if clients disclose their PHI in an e-mail? A: If clients disclose their own PHI in an e-mail to you, you can discuss it. However, you should avoid disclosing additional PHI in return.

Q: Can I look up my own records online? A: Yes, healthcare employees may look up their own records if they have access to the systems containing this information.

Q: Can I look up information about my spouse or other family members? A: It depends. You may access a spouse’s PHI only if you have your spouse's prior written permission. Otherwise, it is a serious violation. The same policy applies to looking up family, friends, or co-workers. You must get their prior permission in writing.

Q: Can I look up my children’s records? A: It depends. Healthcare employees are allowed to look up the records of children in their custody who are under 11 years old. If your children are 11 years or older, you do not have the right to look up their records & using the computer to access information inappropriately is a serious violation. You may, however, request information from your children's care providers.

Q: What are the access policies for students? A: Students working within a healthcare system must follow the same regulations and policies as regular employees.

Q: I work with temporary staff who will be here only a short time. They need computer access to do their work. Can I give them my password or log them on as me? A: No, it is against policy to allow any staff, including temporary staff, to use another healthcare employee's computer access. If you allow someone to use your access, you will be held responsible for what they do. Your department's authorized signer can make the request for new accounts.

Q: What’s the first thing to do to protect PHI on a laptop or PDA? A: Start by installing a hard-to-break password, using a variety of letters and numbers, & consider having a serial number engraved on the PDA or laptop to help deter theft.

Q: What else can I do for security? A: Do NOT allow others, such as family members, to use computer equipment. They might accidentally access confidential information.

Q: I’m going to dispose of my laptop or PDA. Are there special precautions I should take? A: Use a secure erase program to remove PHI from all personally owned PDAs, laptops, or computers BEFORE selling or otherwise disposing of them.

Q: What’s the safest way to dispose of PHI in the office? A: Paper records containing PHI should be disposed of in designated confidential recycling receptacles, such as the blue bins in many healthcare facilities--not in the regular trash. Ask for assistance with secure disposal of non-paper records containing PHI, like disks, radiographs & other types of storage media. Never put them in the regular trash. In general, follow your department's secure disposal procedures for using secure disposal bins or shredding documents.

Q: What will happen if the PHI regulations have been violated? A: The healthcare system may face civil or criminal penalties and be substantially fined. Further, employees who knowingly misuse protected health information may be subject to prosecution, fines, & imprisonment up to ten years, in addition to any disciplinary actions by their employer.

U.S. Department of Health & Human Services If you have questions or need additional information, visit the official website to take advantage of frequently updated resources there.