The Health Insurance Portability and Accountability Act - HIPAA

Presentation transcript:

The Health Insurance Portability and Accountability Act - HIPAA Understanding HIPAA’s Privacy Rule

What is HIPAA? HIPAA is a landmark federal law that is being implemented in stages. HIPAA addresses a broad spectrum of health care and impacts both health care providers and health plans. DHHS and its contractors that participate in the HMIS (HMIS participants) are considered health care providers because of the services DHHS provides to its clients. HMIS participants must adhere to HIPAA since DHHS is a HIPAA covered entity and is the owner and lead HMIS agency.

Implemented in Stages 1997: HIPAA insurance portability regulations went into effect, protecting individuals in group health plans and permitting participants to keep their health insurance when they change jobs or become unemployed. April 2003: HIPAA’s Privacy Rule went into effect to protect patient medical records and other health information.

Implemented in Stages October 2003: Regulations protecting health information sent electronically to Medicare, Medicaid and other insurers went into effect. April 2005: Security standards went into effect to protect health information maintained in electronic format. These standards apply to IT systems and policies. May 2007: National Provider Identifier regulations will require health care providers, both individuals and organizations, to use one permanent, unique identifier for all health care transactions.

What Does the Privacy Rule Do? Ensures that a uniform level of privacy protection is offered throughout the nation by limiting how health plans, pharmacies, hospitals and other entities can use a client’s personal medical information. Ensures that individuals have access to their medical records and the ability to have any errors in those records amended. Ensures that clients understand how DHHS and the HMIS participants will use their personal health information.

Defining “Health Care” The definition of health care under HIPAA is very broad: Includes any physical health, mental health or substance abuse treatment. Most doctors, dentists, pharmacists, hospitals, nursing homes, public health clinics, mental health or substance abuse clinics are subject to the Privacy Rule. Includes counseling and case management related to health, mental health or substance abuse.

Some Terms to Know… Protected Health Information, often called PHI, is any information held by the HMIS that: Identifies a client (name, address, social security, birth date or other identifying data); and relates to a client’s past, present or future physical or mental health, or includes information about past, present or future payment for services. PHI includes information transmitted or maintained in any form – written, electronic or verbal.

Some Terms to Know… Treatment, Payment and Health Care Operations, often called TPO, refers to: Treatment: the provision, coordination or management of health care by providers. Payment: activities to collect premiums, provide benefits or obtain reimbursement. Health Care Operations: activities related to health care administration, such as accreditation, quality assessment and evaluation.

Notice of Privacy Practices (NOPP) Explains to clients how we may use their protected health information. Each HMIS participant provider must develop a Notice of Privacy Practices. Notice must be posted prominently in each HMIS participant’s facilities. One signed copy must be kept in a client’s permanent record, with copies available for the client to take. Notice is available in several languages.

When Can We Use or Disclose Protected Information? For treatment, payment and health care operations only. Most other uses require written authorization from the client or an authorized representative. Protected health information should be released only on a “need to know” basis. All uses must be limited to the minimum amount of information necessary.

How Does This Apply to Me? All members of the HHS and HMIS participant’s workforce - staff members, contractors, interns and volunteers - must take reasonable precautions to ensure that client health information is protected. HIPAA Privacy Rule requirements apply not just to staff who deal directly with clients, but to everyone. This includes staff whose jobs involve fiscal, administrative, technical and other duties.

All of Us May Handle Protected Health Information! For example: An administrative aide at a substance abuse clinic records names of clients in an appointment book. A therapist sends an e-mail to a colleague about a client referral. The e-mail contains a mental health diagnosis and other personal information about the client. A computer programmer accesses client immunization records as part of a database-building project. A fiscal assistant uses client treatment information in order to send a bill to Medicare.

How Do We Make Sure Health Information is Protected? Ask for only the minimum information necessary to do your job! Share with the requesting party only the specific information relevant to the task at hand. Information should be provided based strictly on a legitimate need to know, and not merely based on interest or curiosity. It is rarely appropriate to request an entire record or chart. When handling personal health information, keep the following guidelines in mind…

Protecting Written Documents Do not leave client records, files and other written documents on your desk where they can be seen by others. Keep records in a locked desk or filing cabinet – or in a locked room - even if you are leaving your office for a very short time. Use a locking briefcase in instances where records or notes are taken out of the office. If you are visiting several locations in a row, take only the records pertaining to each visit inside with you.

Protecting Written Documents Verify the fax number you plan to send protected documents to and use a cover sheet with a confidentiality statement. Keep identifying information on records (file names, etc.) concealed if you carry records through a public area. When disposing of documents that contain any client identifying information, be sure to shred them.

Protecting Electronic Documents Use a screen saver. (Directions are included in your training packet.) If you use a laptop, use a password to protect it. Do not share your password, or leave it on a note attached to your computer.

Protecting Electronic Documents If you must send client information via e-mail, do not include client information in the body of the e-mail. Send the client information in a password protected attachment. Do not remove electronic data from the office, whether on disks, CDs or zip drives, without prior supervisor permission. (Password protect if possible.)

Conversations Count! While on the elevator, in a hallway, or on the phone, remember that the Privacy Rule applies to personal health information shared verbally. Don’t discuss client information where it may be overheard. Never leave confidential information on voice mail. Ask instead that the recipient return your call.

Conversations Count! If possible, use an interview room if you need to meet with a client. Keep voices down if you must talk with a client in an open area.

To Sum Up… All members of the DHHS and HMIS participant’s workforce - employee, intern, or volunteer - must adhere to the HIPAA Privacy Rule by ensuring that client health information is protected. The Privacy Rule applies not just to direct service staff, but also to staff whose jobs include fiscal, administrative and technical duties.

Privacy is Every Client’s Right There are other State and federal laws affecting how client information may be used including: The Maryland Medical Records Act, which applies to health and mental health records; Article 88A, the Annotated Code of Maryland, which applies to social service programs, including Adult and Child Protective Services; FERPA which relates to student educational records; COMAR, which includes confidentiality regulations for various programs; and Federal laws (42CFR) related to the confidentiality of substance abuse records.

Privacy is Every Client’s Right Ensuring every client’s privacy is not only respectful of our clients, it is their right. It is your responsibility to know the Privacy Rule and the other confidentiality laws and regulations that apply to your clients. Ignoring the Privacy Rule carries substantial fines and penalties. In extreme cases, criminal charges can be filed.

Where Do We Go From Here? All DHHS and HMIS participant staff members are required by law to report events, situations or practices in the workplace that may be violations of the Privacy Rule. If you have such a concern, please contact your supervisor or the HIPAA Coordinator for your service area. (A list of current coordinators is on the HHS Intranet Website.) You may also call the HIPAA Hotline at 240-777-1210 to anonymously report suspected HIPAA violations.

Where Do We Go From Here? HIPAA is not the only law that DHHS and HMIS participants must follow. Remember, it’s your responsibility to know which other State and federal laws and regulations affect client information. Ask your supervisor if you need further details. Still have questions? Please call Alex Wertheim, Homeless Programs Coordinator at 240-777-4125.