HIPAA the HIPPO

Odyssey House of Utah
June, 2011
Why do I care?
HIPAA often seems hard to get your head around because it has
complicated requirements associated with it. However, there are
some simple ways to protect our clients, yourself, and Odyssey
House.
Why do I care?
The reason for HIPAA might best be explained by one of many stories:
“After suffering a work related injury to her wrist, a woman authorized her
insurance company to release information pertaining to her wrist ailment
to her employer. When she had the opportunity to review her medical
record, her file contained her entire medical history including records on
recent fertility treatment and pregnancy loss.” (Health Privacy Project,
Georgetown University, 1999)
Due to incidents similar to this, one in five American adults believes that
a health care provider, insurance plan, government agency or employer
has improperly disclosed personal medical information.
Two out of three U.S. adults say they don’t trust health plans and
government programs such as Medicare to maintain confidentiality all or
most of the time.
Why do I care?
There are serious consequences for not protecting the
health information of our clients:
• Client could suffer personal or legal consequences
• The agency could be sued or fined
• You could personally pay fines or receive a jail
sentence for a breach
What is HIPAA?
Health Information Portability & Accountability Act of 1996
Addresses:
• Privacy of Protected Health Information
• Security of Protected Health Information
• Potential consequences and enforcement activities
What is protected?
Protected Health Information (PHI):
• Demographics
• Mental & physical health info
• Anything related to services provided
How do I protect myself?
Minimum Necessary: In short…only disclose what is absolutely necessary!
When can I release information?
• Internal care coordination
• Based on a completed authorization
• Mandatory reporting
• Law enforcement warrants & court orders
• Treatment, payment, & health care operations
Can I chat with my co‐workers?
Internal Disclosures:
• While care coordination is encouraged, all other information is on a NEED TO KNOW BASIS!
• This means that sharing a story about a client with a well‐known parent to a co‐worker for laughs is a breach. Who else wants to know?
External Disclosures:
• Collateral Supports
• Requests for our records
See pg. 6 in Policy & Procedure for specific steps
• Law enforcement & Court Orders
See pg. 8 in P&P for additional info
• Waived Confidentiality Situations
• Mandatory Reporting & Others
What do I do when law enforcement shows up?
If law enforcement arrives to arrest a client:
• Ask if they have a court order. If so, ask politely if you can see it. As soon as you see a court order, cooperate with the apprehension.
• If they do not have a court order: “In the absence of a judicial order, I cannot confirm or deny anything. You can, however, contact our Privacy Officer”
• Additional help in the Policy & Procedure, along with Privacy Officer contact information.
What do I have to document?
Waived Confidentiality Situations:
• Attempt to obtain an authorization first
• Attempt to get the client to self‐report, if applicable
• Miscellaneous Note, entitled “Accounting of PHI Disclosure”
External Requests for Our Records:
• Original request for records form
• Attach any information disclosed (how?)
• Document disclosure on the release form
• Place in client’s file
Where is PHI hiding?
• On your computer
• Jump drives
• At your desk
• Client files
• Stuff you take home
• Your brain
How do I keep it safe?
• Lock your computer when you step away
• NO PERSONAL JUMPDRIVES!
• Agency jumpdrives must be processed by IT
• Keep client files or documents out of sight
• Put client files away immediately after use
• Get supervisor permission before you take any physical PHI home (laptop, agency jump drive, documents, files, etc.)
What’s an Authorization?
• Forms are located on the L drive
• Refer to pg. 4 in the P&P for required components
What is 42 CFR Part 2?
• 42 CFR Part 2 specifies privacy regulations specific to alcohol and drug abuse patient records
• There is a conflict between 42 CFR and the HIPAA Privacy Rule: the Privacy Rule states that an authorization can be revoked by the client at any time, while 42 CFR allows authorizations to remain in effect for the criminal justice system, acknowledging the need for judges and P.O.s to know what their legally mandated client is up to
• Therefore, legally mandated clients must sign a Criminal Justice Authorization that documents this conflict and explains the consequences of revoking the authorization
What is unique to minors?
• Parents, case workers, or personal representatives with legal custody have full access to client PHI
• The burden is on the disclosing staff member to be sure that the parent has custody or is otherwise authorized to have access by the custodial parent
When do I get help?
Go to the Privacy Officer when:
• You know about or suspect a breach
• You receive a court order, subpoena or discovery request
• Law enforcement requests PHI without a warrant or court order
• You need to report a crime involving a client
Where’s the information?
• “Client Confidentiality” Policy & Procedure
• Privacy Officer: Emily Capito x3475
• Release Forms: L:/Forms/Client/Releases of Information
• Access to this Training: L:/Staff Resources/HIPAA
Don’t be a Big Mouth! Questions?
Hear No Evil
See No Evil
Speak No Evil
References
• 45 CFR Parts 160, 162, 164 (HIPAA)
• 42 CFR Part 2
• U.S. Department of Health & Human Services: http://www.hhs.gov/ocr/privacy/
Self‐Directed Training Documentation
• Make sure to complete the quiz and sign the training acknowledgement for credit
• This training accounts for 1 hour
• You should also read the Policy & Procedure before signing the training form