Before reviewing the following presentation click on the links below and print off the documents: NAM-43 The Bair Foundation HIPAA Policy NAM- 89 HIPAA Highlights NAM-43 The Bair Foundation HIPAA Policy NAM- 89 HIPAA Highlights NAM-43 The Bair Foundation HIPAA Policy NAM- 89 HIPAA Highlights

The Bair Foundation Employee Training Presentation H.I.P.A.A. Click with your mouse anywhere on the screen to change slides.

What is H.I.P.A.A.? And how does it affect you?

No, not hippo. H.I.P.A.A. H.I.P.P.O.?

Health Give me an ‘H’!

Insurance Give me an ‘I’!

Portability Give me an ‘P’!

(and) Accountability Give me an ‘A’!

Act Give me an another ‘A’!

Health Insurance Portability and Accountability Act of 1996

So you know what its name is… what is its purpose?

HIPAA established a set of rules governing privacy and confidentiality of health care information for covered entities. The federal government has mandated compliance and employees must complete HIPAA training on privacy and confidentiality by April 13, 2003.

How does it affect you at work?

The Bair Foundation (TBF) has a policy for HIPAA compliance. You can find it on our website. Form # NAM-43 NAM-43

Please refer to it whenever you need to review details of our policy.

Here is a summary of it in plain words: (You’ll see the section numbers of the policy where you can find the details.)

Our policy is: TBF will use and disclose PERSONAL HEALTH INFORMATION (PHI) for treatment, payment, and health care operations. For uses beyond that, TBF must have a signed client authorization unless the law permits or requires TBF to disclose without authorization. The local director will determine what is appropriate in accordance with our policy. (Section III of the Policy.)

How it affects you: The way you handle Personal Health Information (PHI) for our foster children must respect their privacy.

How it affects you: New clients must be given a HIPAA “Notice of Privacy Practices”. You can find it on our website, form # NAM-64. (section I.) New clients must be given a HIPAA “Notice of Privacy Practices”. You can find it on our website, form # NAM-64. (section I.)Notice of Privacy PracticesNotice of Privacy Practices We need a receipt signed by the client or custodial agency that we have given them the notice. They should sign on the last page of the Notice. II. We need a receipt signed by the client or custodial agency that we have given them the notice. They should sign on the last page of the Notice. II. If they refuse or fail to sign the receipt, make note of it on the form. II. B If they refuse or fail to sign the receipt, make note of it on the form. II. B We keep this form on file for 6 years after the case is closed. II. C. We keep this form on file for 6 years after the case is closed. II. C. Notice

How it affects you: The NOTICE needs to be presented no later than the date of first service provision. I.A.1.b. The NOTICE needs to be presented no later than the date of first service provision. I.A.1.b. In an emergency treatment situation, you can wait to get the RECEIPT of notice signed, but make note of it on the form. II. A. In an emergency treatment situation, you can wait to get the RECEIPT of notice signed, but make note of it on the form. II. A.

Violations of Policy - XI. C (two examples of what NOT to do) Misuse or theft of PHI. Misuse or theft of PHI. Discussion of the patient’s conditions and medications in the presence of unrelated third parties. Discussion of the patient’s conditions and medications in the presence of unrelated third parties.

Violations of Policy If you witness or suspect a violation by a TBF employee or a Business Associate, you must report it in writing within 24 hours to the TBF Privacy Officer (Sheila Palonen) NAM-65, “Privacy or Security Violation Report” NAM-65, “Privacy or Security Violation Report” To Sheila

X. Violations of Policy Customer service and privacy are of the utmost importance to us. Customer service and privacy are of the utmost importance to us. If a client complains of improper use or disclosure of a PHI, we will promptly receive, respond to and resolve the complaint. If a client complains of improper use or disclosure of a PHI, we will promptly receive, respond to and resolve the complaint.

X. Violations of Policy If a custodial agency or child complains to you about a possible violation: Tell them to submit it in writing. Only written complaints constitute a formal complaint. Tell them to submit it in writing. Only written complaints constitute a formal complaint. Submit it to the local office director. Submit it to the local office director. They will forward it through proper channels within 24 hours. They will forward it through proper channels within 24 hours. It will be resolved and responded to in writing within 30 days & kept on file for 6 years. It will be resolved and responded to in writing within 30 days & kept on file for 6 years.

Violations of Policy will result in sanctions. These can be: Counseling Counseling Verbal warning Verbal warning Written warning Written warning Probation Probation Suspension Suspension Demotion Demotion Termination of employment Termination of employment Restitution Restitution For details, see section XI. B. of the policy For details, see section XI. B. of the policy

Other things you need to know… More about the Notice More about the Notice What clients can request What clients can request Can others see the PHI? Can others see the PHI? Can the PHI be changed? Can the PHI be changed? What about Business Associates? What about Business Associates?

Other things you need to know… Each of the topics on the following slides are detailed in our Policy statement. The Policy gives specific: Times for responses Times for responses Procedures for denials Procedures for denials Description of responses Description of responses Record retention rules Record retention rules Guidelines for reimbursing our costs Guidelines for reimbursing our costs

Other things you need to know… Please refer to the Policy for these details whenever you are dealing with PHI. The section numbers in the following slides refer to where you will find this topic in the Policy.

More about the PRIVACY NOTICE See Section I. A. PRIVACY NOTICEPRIVACY NOTICE In addition to giving it to each client on first receipt of service: Post it in a conspicuous place Post it in a conspicuous place Clients can request additional copies Clients can request additional copies It’s available on our website It’s available on our website

What clients can request: Additional restrictions. VI. A. Additional restrictions. VI. A. Alternative communications. VI. B. Alternative communications. VI. B. Access to inspect and get a copy of their own PHI. VII. Access to inspect and get a copy of their own PHI. VII. A copy of their PHI for an Authorized Representative. VII. A. A copy of their PHI for an Authorized Representative. VII. A. Changes to their PHI. VIII. Changes to their PHI. VIII. To know who their PHI has been disclosed to. IX. To know who their PHI has been disclosed to. IX.

Can others see a PHI? III. We can only disclose PHI for treatment, payment, or health care operations without signed permission We can only disclose PHI for treatment, payment, or health care operations without signed permission Local directors will determine appropriate disclosure. Local directors will determine appropriate disclosure. The Privacy Officer can be consulted if there is uncertainty. The Privacy Officer can be consulted if there is uncertainty.

Can the PHI be changed? Clients can request an amendment. See VIII. Clients can request an amendment. See VIII. Other health care providers can notify us of amendments they have made to our client’s PHI. We will add it to our records. VIII. A. 4. Other health care providers can notify us of amendments they have made to our client’s PHI. We will add it to our records. VIII. A. 4.

XII. Business Associates We have a written contract with individuals or companies which provide services to TBF if this relationship involves sharing PHI. See section XII. We have a written contract with individuals or companies which provide services to TBF if this relationship involves sharing PHI. See section XII. The local office director keeps the copies of all signed ‘Business Associate Agreements’ The local office director keeps the copies of all signed ‘Business Associate Agreements’Business Associate AgreementsBusiness Associate Agreements Business Associates may only use PHI lawfully and per our contract with them. Business Associates may only use PHI lawfully and per our contract with them.

SECURITY RULE Guidelines for safeguarding PHI include, but are not limited to: The HIPAA Security Rule ensures the security of PHI by specifying how PHI is stored, transmitted, and accessed. The HIPAA Security Rule ensures the security of PHI by specifying how PHI is stored, transmitted, and accessed.

PHI will be discussed with the client or foster parent only in private areas PHI will be discussed with the client or foster parent only in private areas PHI will be discussed with staff members on a need-to-know basis and in non-public areas only PHI will be discussed with staff members on a need-to-know basis and in non-public areas only telephone calls regarding PHI will be held in areas in which the conversation cannot be overheard telephone calls regarding PHI will be held in areas in which the conversation cannot be overheard

PHI will not be discussed on cell phones PHI will not be discussed on cell phones computer monitors will be positioned in a way that does not permit observation by an unauthorized person. computer monitors will be positioned in a way that does not permit observation by an unauthorized person.

computer screens will be password-locked when the user leaves the area. Press (windows key) + l to lock screen. Log back on upon return. The desktop will be as it was left. Locking is automatic after a time period set by the I.T. Dept. computer screens will be password-locked when the user leaves the area. Press (windows key) + l to lock screen. Log back on upon return. The desktop will be as it was left. Locking is automatic after a time period set by the I.T. Dept. any computers that are accessible to people attending trainings should be turned off any computers that are accessible to people attending trainings should be turned off computer passwords will not be shared with unauthorized persons and will be recorded only in secure locations computer passwords will not be shared with unauthorized persons and will be recorded only in secure locations

PHI will be disclosed only by those staff members authorized to do so PHI will be disclosed only by those staff members authorized to do so access to fax machines will be limited to authorized staff. Fax cover sheets will include a Privacy Notice. access to fax machines will be limited to authorized staff. Fax cover sheets will include a Privacy Notice. case records, mail, documentation, and other materials containing PHI will be maintained in locked or otherwise secure locations, away from the general public case records, mail, documentation, and other materials containing PHI will be maintained in locked or otherwise secure locations, away from the general public

PHI will be discarded in appropriate secure containers or shredded. PHI will be discarded in appropriate secure containers or shredded. Non-employees who need to go beyond the reception area of any Non-employees who need to go beyond the reception area of any Bair office will be escorted Bair office will be escorted

Bair will maintain compliance with HIPAA Security Rule administrative requirements including, but not limited to: development and enforcement of information access control development and enforcement of information access control completion of internal security audits completion of internal security audits enforcement of physical safeguards including workstation/office guidelines enforcement of physical safeguards including workstation/office guidelines enforcement of appropriate sanctions for failure to comply with HIPAA regulations enforcement of appropriate sanctions for failure to comply with HIPAA regulations development, implementation, and documentation of security awareness training. development, implementation, and documentation of security awareness training.

To report a security violation, use form NAM-65, “Privacy or Security Violation Report“Privacy or Security Violation Report” “Privacy or Security Violation Report

Any questions or concerns regarding the security of EPHI can be addressed to the Trend Helpdesk at or

Summary HIPAA protects the privacy of personally identifiable health care records. HIPAA protects the privacy of personally identifiable health care records. TBF has a specific policy in place to protect records of our foster children. TBF has a specific policy in place to protect records of our foster children. TBF will review the Privacy Policy with the client and the custodial agency. TBF will review the Privacy Policy with the client and the custodial agency. All TBF employees must protect the privacy of our clients’ PHI. All TBF employees must protect the privacy of our clients’ PHI. For details, please read the Policy available to you on our website. For details, please read the Policy available to you on our website. If you have questions, check with your local director or Sheila Palonen, Privacy Officer If you have questions, check with your local director or Sheila Palonen, Privacy Officer