HIPAA for Area 2

1. To HIPAA and BeyondTo HIPAA and Beyond
The Law of ConfidentialityThe Law of Confidentiality
and Securityand Security
Public Health Area IIPublic Health Area II
December, 2010December, 2010
By John R.Wible, General Counsel
Alabama Department of Public Health
1ADPH, 2010

2. DocumentationDocumentation
Substantiates proof of services
Provides continuity of care
Documentation must be objective facts,
not opinions
2ADPH, 2010

3. The “Golden Rule ofThe “Golden Rule of
Documentation”Documentation”
The “Golden Rule of Documentation:”
If it ain’t wrote down it didn’t happen!
“Wible’s corollary”
The way it is wrote down is the way it
happened regardless of the way it happened!
3ADPH, 2010

4. Confidentiality-Confidentiality-
Access to Records GenerallyAccess to Records Generally
All patient information is strictly
confidential
◦ See Employee Handbook 10-02
Some Bad Scenarios
Bad scenarios equal bad liability
4ADPH, 2010

5. Conditions forConditions for
Release of InformationRelease of Information
Conditions for release of information:
◦ Prior written consent of
 Patient,
 parent/guardian
Subpoena in accordance with
Departmental/ institutional policy
Otherwise provided by law
5ADPH, 2010

6. TB/STD/DC RecordsTB/STD/DC Records
Special ConfidentialitySpecial Confidentiality
STD/TB/disease control information not
public.
Not revealed even by subpoena
Not admissible into evidence except for
commitment hearings
ADPH requests for notifiable disease
records to be forwarded to Legal
◦ Call 334.206.5209.
See ADPH Policy 04-02 for specifics
6ADPH, 2010

7. Disease Control GuidelinesDisease Control Guidelines
Information considered not confidential:
Final completed report written in blank,
not identifying any persons
The name of businesses, establishments,
restaurants involved in an investigation
Aggregate statistical information
Any other public records
Regular environmental and daycare
inspection reports
7ADPH, 2010

8. ConfidentialConfidential InformationInformation
(EPI)(EPI)
Epidemiologic interview sheets
Required reports
Work papers, notes and analyses
Actual numbers of cases or IDs
Correspondence on a case
Complaint generated environmental and
other inspection reports
incomplete drafts of reports
Other document received privately
8ADPH, 2010

9. Released With AuthorizationReleased With Authorization
A notifiable disease record generated by
the Department or in the possession of
the Department (such as electronic
laboratory reports or facsimile lab
reports) that concerns the symptoms,
condition or other information specific to
an individual
One patient’s authorization, however
does not release other person’s names or
information
9ADPH, 2010

10. Written AuthorizationWritten Authorization
Not Required:Not Required:
10
Transfer information from one county health
department to another or to the state office
Transfer information to physicians, nurse
practitioners or other health professionals
with contract or other provider arrangements
to provide care
Some practitioners require consents to
transfer out of abundance of caution
ADPH, 2010

11. What Makes a ValidWhat Makes a Valid
Authorization?Authorization?
Description of the info to be released
Name or description of info receiver
Name of patient
Description if the use of the info
Expiration date or continuous
Right of revocation by pt.
Notice of possible re-disclosures
Signature of pt or representative
 See CHR Form 6A and instructions
11ADPH, 2010

12. Note Concerning CertainNote Concerning Certain
InformationInformation
CHR 6A states: pt. is made
aware that s/he is releasing
STD/HIV/AIDS or drug and alcohol
treatment or mental health records
This is NOT required if other
providers’ releases meet the earlier
criteria
ADPH, 2010 12

13. Release of ContactRelease of Contact
Information – Don’t Do It!Information – Don’t Do It!
The medical record or information regarding
STD/TB/disease control cannot be released
without the written consent of the patient
Even with consent, it should not include
contact information.
Don’t write identifying information about how
the patient contracted the disease
13ADPH, 2010

14. Confidentiality – Access toConfidentiality – Access to
Medical Records of MinorsMedical Records of Minors
If a minor is qualified to consent and signs
the “consent for treatment”, only the
minor can sign to release the information
regarding those services
If the parent/guardian signs the consent
for treatment, the parent/guardian or the
minor may consent for the release
14ADPH, 2010

15. Access to Medical Records ofAccess to Medical Records of
Minors – Rights of the ParentsMinors – Rights of the Parents
All information pertaining to a child must be
equally available to both parents
However, if the child gave consent for services,
neither parent may have access to the records
without that child’s consent.
◦ Code of Ala, § 30-3-154
15ADPH, 2010

16. HIPAA – In BriefHIPAA – In Brief
HIPAA stands for The Health Insurance
Portability and Accountability Act (1996)
Addresses privacy and security of health data
Includes verbal, written, or electronic data
Privacy Rule, (2003), includes both paper & e-PHI
Security Rule, (2003), includes only e-PHI
HHS makes the rules
Amended (2009) by “the Stimulus Package –
ARRA (HITEC)

17. PHI – What is it?PHI – What is it?
Patient name
Patient address
Patient phone number
Patient date of birth
Patient social security number, Medicaid
number, etc
Diagnosis
Treatment information
Financial information

18. The Privacy Rule:The Privacy Rule:
What and Who IsWhat and Who Is
Covered?Covered?“Protected Health Information” (PHI):
Individually-identifiable health information
used or disclosed by a covered entity in
any form, whether electronically, on
paper, or orally
 45 C.F.R. §160.103
ADPH is a “covered entity”
18ADPH, 2010

19. Releases without WrittenReleases without Written
ConsentConsent
Treatment
Payment
Operations
Where required by law
19ADPH, 2010

20. Business AssociatesBusiness Associates
Business associates follow the same level of
protection in the privacy rule and include:
◦ Claims or data processors;
◦ Billing companies and financial service
providers
◦ Quality assurance providers and utilization
reviewers
◦ Lawyers, accountants & other professionals
45 C.F.R. §160.103
20ADPH, 2010

21. Business Associates and AARABusiness Associates and AARA
Must also adhere to the Security Rule like
CEs and are subject to same penalties
Establish administrative, physical, and
technical safeguards for Protected Health
Information (PHI)
Establish policies and procedures for
safeguards
Only use or disclose PHI in accordance with
HIPAA
“Rat Fink Provision”
21ADPH, 2010

22. HIPPA Privacy Rule:HIPPA Privacy Rule:
Who is Not Covered?Who is Not Covered?
Life insurance companies
Auto insurance companies
Workers’ compensation carriers
Employers
Others who acquire, use, and disclose
vast quantities of health data
AARA may place some requirements -
◦ E.g., PHI cannot be bought and sold
22ADPH, 2010

23. HIPPA Privacy Rule:HIPPA Privacy Rule:
What Is Not Covered?What Is Not Covered?
PHI does not include
◦ Education records covered by FERPA
◦ Employment records held by a covered
entity in its role as employer
◦ Non-identifiable health information
◦ 45 C.F.R. 160.103
23ADPH, 2010

24. HIPAA - What it Doesn’tHIPAA - What it Doesn’t
DoDoDoes not override state laws that provide
more patient privacy than HIPAA
Does not require that all risk of incidental
disclosures of patient information be
eliminated
 Examples:
 Cubicles
 Shield-type dividers
 Sign-in sheets
24ADPH, 2010

25. HIPAA and ADPH PrivacyHIPAA and ADPH Privacy
25
See ADPH HIPAA Privacy
Policy 06-008
◦ “Minimum Necessary”
Concept
◦ Patient Verification
◦ Fax Confidentiality
◦ The “HIPAA Log”
◦ Breach Sanctions
◦ Needs updating
ADPH, 2010
•See also CHR Manual and Employee Handbook

26. How Uses/DisclosuresHow Uses/Disclosures
Are RegulatedAre Regulated
Minimum necessary rule
When using or disclosing PHI, a
covered entity must make reasonable
efforts to limit such information to
the minimum necessary to accomplish
the intended purpose of the use,
disclosure, or request
26ADPH, 2010

27. Permitted DisclosuresPermitted Disclosures
“Minimum” info may be disclosed
To “public officials”
To public health
To law enforcement
To national security
and intelligence agencies
To judicial authorities
To researchers
To DHR for abuse reporting
27ADPH, 2010

28. Disclosure to PoliceDisclosure to Police
Pursuant to subpoenas or by verbal request
As “otherwise required by law
For ID and location purposes
Do not give disease information
Individual is a victim of a crime
To alert about a suspicious death
When criminal conduct occurs on premises
In emergency setting, to alert regarding
information pertaining to crime
28ADPH, 2010

29. Disclosure to NationalDisclosure to National
Security AgenciesSecurity Agencies
CEs may disclose PHI to authorized federal
officials for the conduct of intelligence,
counter-intelligence, and other national
security activities
29ADPH, 2010

30. DisclosureDisclosure ToTo Public HealthPublic Health
Disclosure permitted to:
“public health authority that is
authorized by law to collect and receive
such information for the purpose of
preventing and controlling disease, injury,
or disability, including… reporting of
disease… and the conduct of public
health surveillance….”
30ADPH, 2010

31. Child or Elder Abuse NoticeChild or Elder Abuse Notice
Examples of specific public health-based
exceptions include disclosures
◦ About victims of abuse, neglect, or
domestic violence
◦ To prevent serious threats to persons
or the public
31ADPH, 2010

32. Information on DecedentsInformation on Decedents
May be released to:
Law enforcement
Transporting emergency medical
personnel
Coroners and their personnel
Mortuary personnel
Bureau of Health Statistics
32ADPH, 2010

33. Maintenance of DocumentationMaintenance of Documentation
Maintain documentation of policies and
procedures for 6 years
Make documentation available to
workforce who administer the policy
Review and documentation periodically
Ensure the confidentiality, integrity, and
availability of ePHI
33ADPH, 2010

34. HIPAA - The Security RuleHIPAA - The Security Rule
Primary objective: protect the
confidentiality, integrity, and
availability of ePHI when it is stored,
maintained, or transmitted.
Applies to identifiable electronic
protected health information (ePHI)
related to:
◦ Past, present or future medical or mental
condition
◦ The individual’s health care
◦ Payment records
34ADPH, 2010

35. What about e-PHI?What about e-PHI?
Same as PHI, but created, received,
or maintained electronically
Does not include telephone calls,
copy machines, fax machines, most
voice mail
Does not include de-identified
information

36. Security of the PremisesSecurity of the Premises
HIPAA requires security of the
premises, i.e., door locks. See ADPH
Security Policy No. 05-16.
HIPAA also requires security of the
electronic records (computer
security)
HIPAA requires security of the paper
HIPAA requires security of your
mouth
36ADPH, 2010

37. Building SecurityBuilding Security
Post the Department’s Notice of Privacy
Practices where clients can see it
Maintain visitor sign-in logs and have visitors sign
in and out (this includes repair persons)
Use ADPH and Visitor ID badges
Keep back doors locked or
monitored during business hours
Keep server rooms locked
Keep PHI storage areas locked when unattended

38. Paper SecurityPaper Security
Clean Desk
◦ Keep patient records covered or in folders
◦ Lock records up at end of day or when away from desk
Fax/Copy Machines
◦ Put fax & copiers in secure area away from traffic
◦ Remove faxes/copies promptly
File Cabinets
◦ Keep locked when unattended
◦ Locate in secure area
◦ Limit access
Shred it!

39. Use of Department ComputersUse of Department Computers
Use ADPH furnished equipment/software
CSC/Tech Support will purchase and install all
network-connected devices
Use strong password protection & disclaimer
◦ Don’t give out your password
CSC/Tech Support will install updates
Connect laptops to the network once a month
for audit
Back up critical data
◦ See Policy 2005-016 and Security Manual
39ADPH, 2010

40. Use of ComputersUse of Computers
Change password every 60 days
Use only for lawful activity
Report suspected viruses and attacks
Supervisors notify CSC on new employee
starting work or leaving employ service
Appropriately salvage computers
Limit access to Department workspace
Be careful with portable storage devices
40ADPH, 2010

41. Email and Internet SecurityEmail and Internet Security
Email
◦ Do not open email from an unknown
source; especially unknown attachments
◦ Verify email recipients; make sure email is
going to intended recipient
◦ Always encrypt email and attachments
containing protected information
◦ Read security reminders
Avoid risky internet sites

42. Laptop SecurityLaptop Security
Keep laptop out of view when traveling
Do not leave in hot vehicle for long time
Do not check with luggage when flying
Password protect
Set screen saver to require password
Log on to network once a month to
update virus protection software
Encrypt protected information

43. Patient AccountingPatient Accounting
Patients may ask for listing of disclosures
of their PHI up to six (6) years prior in
paper or electronic form
The following disclosures are NOT
required to be accounted for:
◦ Treatment, Payment, Healthcare
Operations (TPO)
◦ Disclosures to the patient or persons
involved with their care
◦ Disclosures authorized by the patient or
authorized representative
43ADPH, 2010

44. Patient AccountingPatient Accounting
Other disclosures which are not
required to be accounted for:
National security or intelligence purposes
Correctional institutions or law
enforcement
Incidental disclosures
Limited Data Sets used for research
purposes
44ADPH, 2010

45. HIPAA LogHIPAA Log
45
A single file which relates to pt. files
Kept with medical records
Documents “non-routine”
disclosures:
◦ date of the disclosure;
◦ the name/address of receiver
◦ brief description of the PHI
disclosed
◦ brief statement of the purpose of
the disclosure
ADPH, 2010

46. Required Logged ItemsRequired Logged Items
Unauthorized releases on the AIR Form
Releases required by law
Releases based upon subpoena
Releases to law enforcement for ID
Requests to limit releases
Requests to amend or correct PHI
Requests by the patient for accounting
Reports about victims of abuse, neglect,
or domestic violence
46ADPH, 2010

47. DisclosuresDisclosures NotNot LoggedLogged
TPO disclosures
Disclosures made to the patient or rep.
Pursuant to a valid authorization
National security or intelligence
purposes;
To a correctional institution or law
enforcement official that has custody of a
patient;
To a health oversight official
47ADPH, 2010

48. HIPAA BreachesHIPAA Breaches
When there is a breach of phi or e-PHI
You have a duty to report on an ARIA
Call if it is serious!
ADPH as a duty to:
To report to or notify clients
To report to HHS and the media if >500
To mitigate the damage
To examine employees, policies,
equipment and facilities to prevent it
happening again
48
“Teton Dam
Breach”
ADPH, 2010

49. BREACHES - PENALTIESBREACHES - PENALTIES
Breach may subject employees and the
Covered Entity:
To criminal penalties (up to $250,000)
You are NOT covered by the Fund
To HHS civil penalties or lawsuits
To adverse employment action, IE.,
49ADPH, 2010

50. Program ManagementProgram Management
The HIPAA program and certain
other similar programs are under the
management of the Risk Management
Committee
Committee proposes HIPAA policy changes
Committee receives and processes all ARIA
reports including possible HIPAA breaches
The Committee oversees Red Flags
instances
50ADPH, 2010

51. Red Flag RegulationsRed Flag Regulations
Federal Trade Commission Regulations
designed to protect against identity theft
As a “creditor”, ADPH has “covered
transactions” with clients/patients
ADHP has a duty to be on the lookout for
certain red flags
51ADPH, 2010

52. Categories of “Red Flags”Categories of “Red Flags”
Alerts, notifications, or warnings from a
consumer reporting agency;
Suspicious documents;
Suspicious personally identifying
information, such as a suspicious address;
Unusual use of – or suspicious activity
relating to – a covered account; and
Notices from customers, victims, law
enforcement authorities, or businesses
about possible identity theft
52ADPH, 2010

53. See Also Policy DocumentsSee Also Policy Documents
98-07 Fax Policy
03-10 Notice of Privacy Practices (NOPP)
◦ Under Revision
03-30 Vital Records Policies
04-02 Receipt of Legal Documents
05-16 HIPAA Security Policy/Manual
06-08 HIPAA Privacy Policy
10-04 Contract Employee Handbook
Online ARIA Form
53ADPH, 2010

54. For A Copy of the PresentationFor A Copy of the Presentation
See “HIPAA For Area 2” a
download on Slideshare 7
http://www.slideshare.net/jwible
54
7Slideshare
ADPH, 2011