ACTCM Privacy Training
June 2017
Meet HIPAA Training Requirement
Review HIPAA Standards
Integrate HIPAA Into Everyday Practice
The Health Insurance Portability and Accountability Act
was enacted by Congress in 1996
HIPAA serves three main purposes:
◦ To protect people from losing their health insurance if they change
jobs or have pre-existing health conditions
◦ To reduce the costs and administrative burdens of healthcare by
creating standard electronic formats for many administrative
transactions that were previously carried out on paper
◦ To develop standards and requirements to protect the privacy and
security of personal health information.
Enforced by Department of Health and Human Services
(DHHS) and the Office of Civil Rights (OCR)
Privacy Rule
◦ Mainly impacts employees that use or disclose individually
identifiable health information
◦ Compliance date: April 14, 2003
Transaction and Code Set Standards
◦ Mainly impacts business office and IT staff
◦ Compliance date: October 16, 2003
Security Rule
◦ Mainly impacts IT staff and business office
◦ Compliance date: April 21, 2005
Important changes that updated the privacy standards and
strengthened the standards for security to develop national
safeguards to protect the confidentiality of an individual’s
medical information as more private health information
was held and transmitted electronically.
Important changes that granted individuals new rights to
their health information and strengthens the government’s
ability to enforce HIPAA
Updates:
◦ Copies of records in electronic format
◦ When patients pay out of pocket for medical services, they can
instruct that the information be kept private from their health plan
◦ Limits how patient information is shared for marketing and
fundraising
◦ Prohibits sale of patient information without authorization
◦ Business associates are liable under HIPAA and are accountable to
consumers and DHHS
California has multiple statutes and regulations which require the protection of the
privacy of its residents’ confidential information such as credit cards, social security
numbers, and personal identification numbers (PINs), as well as medical and insurance
information. Major state privacy laws include:
California Health and Safety Code Section 1280.15 mandates that licensed facilities
report any unlawful or unauthorized access, use, or disclosure of a patient’s medical
information no later than 5 business days after the breach has been detected. The
institution is to report to both the Department of Public Health and the affected
patient(s). See also California Health and Safety Code Section 130200.
California Information Practices Act (Civil Code Section 1798) Codifies right to
privacy as a personal and fundamental right protected by Section 1 of Article I of the
Constitution of California and by the United States Constitution and that all individuals
have a right of privacy of information pertaining to them; for example, names, social
security numbers, physical description, home address, home telephone number,
education, financial matters, and medical or employment history.
Confidentiality of Medical Information Act (CMIA) Civil Code Section 56
et seq. requires that:
• Confidentiality of medical information be protected and establishes the
protections against disclosures of individually identifiable medical information
• Health care institutions notify California residents of breaches of electronic
social security number, access codes to financial accounts, and medical and
insurance information
• Health care institutions implement safeguards to protect the privacy and
confidentiality of medical information and define personal liability for breaches
of privacy.
Lanterman-Petris-Short Act (LPS) (Welfare and Institutions Code Section
5328 et seq.) provides special confidentiality protections for medical records
containing mental health or developmental disabilities information.
Healthcare Providers
Healthcare Plans
Healthcare Clearinghouses
Business Associates of Covered Entities:
◦ Auditors
◦ Consultants
◦ Attorneys
◦ Data and Billing Firms
◦ Others with whom entities have agreements involving the use
of protected health information
As healthcare providers and clinical staff members, it is
our ethical and legal obligation to maintain the privacy
and confidentiality of our patients’ private health
information
To privacy
To confidential use of all their medical information
To obtain a written notice of privacy practices
To access and amend their own health information upon
request
To request restrictions on the use and disclosure of
Protected Health Information for Treatment, Payment, and
Health Care Operations (TPO)
To refuse to authorize disclosures of Protected Health
Information for purposes other than (TPO)
To withhold name from patient directory or account list
The HIPAA Privacy Rule requires that protected health
information (PHI) must be protected from unlawful
access or disclosure.
45 Code of Federal Regulations Sec 164.514 (2013)
Protected Health Information (PHI) is information that
is created or received by ACTCM Clinic and relates to
the past, present, or future health condition of a patient;
the provision of health care to patient; or the past,
present or future payment for the provision of health
care to a patient; and that identifies the patient or for
which there is a reasonable basis to believe the
information can be used to identify the patient. PHI
includes information of persons living or deceased.
No matter what form it takes:
◦ Notes on a patient’s medical charts
◦ Health information or personal information entered into a
computer
◦ Discussions about a patient’s condition
◦ Any verbal or written patient information
Any identifiable health information becomes protected
health information (PHI) under HIPAA
A covered entity may not use or disclose protected
health information except:
◦ As the individual authorizes in writing
◦ As the HIPAA Privacy Rule permits or requires
1. Name *
2. Address
3. Birth Date *
4. Telephone Number(s)
5. Fax Number(s)
6. Email Address
7. Social Security Number *
8. Medical Record Number
9. Credit Card Number
10. Account Number
11. Certification/License Number(s)
12. Vehicle ID/License Plate
13. Device ID
14. URL
15. IP Address
16. Biometric ID
17. Face Photo
18. Any other unique identifying number, characteristic or code
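The identifier list above is what a de-identification step has to strip before information can be treated as no longer identifying a patient. As an added example (not ACTCM's own tooling, and not part of the original training), the following Python script screens an outbound message for the identifiers on that list that have a recognisable shape (Social Security numbers, telephone or fax numbers, email addresses, IP addresses, URLs and dates) and returns both the findings and a redacted copy. The regular expressions and the sample message are constructed for illustration; names, addresses, medical record numbers and the other identifiers have no fixed pattern and would need a lookup against the clinic's records instead.

```python
"""Screen outbound text for PHI identifiers that have a recognisable shape.

Added example; the patterns below are deliberately simple, hypothetical
rules, not a complete DLP rule set.
"""
import re

# One regex per identifier category that can be recognised by shape alone.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # Optional +1, optional parentheses around the area code, separators
    # may be space, dash or dot. The lookbehind stops a match starting
    # in the middle of a longer digit run.
    "phone": re.compile(r"(?<!\d)(?:\+1[ -]?)?\(?\d{3}\)?[ -.]\d{3}[ -.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r'\bhttps?://[^\s<>"]+', re.IGNORECASE),
    # Dates such as a birth date written as MM/DD/YYYY.
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}

# Scan order matters: URLs and emails are redacted first so that an IP
# address or a number embedded in them is attributed to the URL/email
# rather than reported a second time.
SCAN_ORDER = ("url", "email", "ssn", "phone", "ip", "date")


def scan_and_redact(text):
    """Return (findings, redacted_text).

    findings is a list of (identifier_kind, matched_text) in scan order.
    Each match is replaced by a [REDACTED-KIND] token; the tokens contain
    no digits or '@', so later patterns cannot re-match redacted content.
    """
    findings = []
    redacted = text
    for kind in SCAN_ORDER:
        pattern = IDENTIFIER_PATTERNS[kind]
        for match in pattern.finditer(redacted):
            findings.append((kind, match.group(0)))
        redacted = pattern.sub("[REDACTED-%s]" % kind.upper(), redacted)
    return findings, redacted


def is_safe_to_send(text):
    """True when no pattern-detectable identifier remains in the text."""
    return not scan_and_redact(text)[0]


# Constructed sample message; every identifier in it is fictitious.
SAMPLE_MESSAGE = (
    "Patient J. Doe, DOB 03/14/1962, SSN 123-45-6789, can be reached at\n"
    "(415) 555-0142 or jdoe@example.com. Lab portal: https://portal.example.org/r/42\n"
    "Last login from 10.0.0.5. Herbal formula adjusted; follow up in two weeks."
)

if __name__ == "__main__":
    found, clean = scan_and_redact(SAMPLE_MESSAGE)
    for kind, value in found:
        print("%-6s %s" % (kind, value))
    print("---")
    print(clean)
    print("safe to send:", is_safe_to_send(SAMPLE_MESSAGE))
```

Run as a script it lists the six identifiers it finds in the constructed message and prints the redacted version; a message that passes `is_safe_to_send` still needs a human check for names, addresses and record numbers, which no regex can recognise reliably.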
1. Appoint a Privacy and Security Officer
The Clinic Operations Director is the designated Privacy and
Security Officer and is responsible for:
◦ Training staff in HIPAA compliance
◦ Assuring that HIPAA-related policies and procedures are instituted and
followed
◦ Reviewing activity that takes place in the Clinic to detect security risks
◦ Serving as the contact person for patients who have questions,
concerns, or complaints about the privacy of their PHI
◦ Investigating and responding to security incidents, taking appropriate
action in the event of a breach in security, and eliminating or mitigating
any damaging effects
2. Privacy Incident Response Team (PIRT)
Comprised of the Privacy/Security Officer (Clinic
Operations Director), Associate Academic Dean, Assistant
Director of Clinical Education, and additional members
deemed appropriate.
Because customer service and privacy are of utmost
importance to ACTCM, it is our policy to promptly
receive, respond, and resolve patient complaints regarding
allegations of improper use or disclosure of PHI by
ACTCM or our business associates.
ACTCM is prohibited from intimidating patients who wish
to register a complaint about privacy
3. Policy and Procedure to Process Privacy Complaints
Formal Patient Complaints: An individual may submit a written
formal complaint about ACTCM Clinic’s privacy practices,
including but not limited to complaints regarding:
◦ The privacy and security of PHI;
◦ Use and disclosure of PHI;
◦ Patients’ access to, or amendment of, their PHI;
◦ Practices or actions of ACTCM’s business associates;
◦ ACTCM’s marketing practices; or
◦ Any other complaint relating to ACTCM’s privacy policies and
procedures.
All individuals can also direct complaints to DHHS/OCR
3. Processing Privacy Complaints
The Privacy Officer receives the complaint, fills out the
ACTCM Incident Form, attaches the written formal complaint, and
forwards it to the members of PIRT, who review it and take appropriate
actions to prevent further inappropriate incidents. ACTCM must
maintain complete documentation of the complaint and PIRT’s
review and disposition of the matter, including a record of any
changes to policies or procedures or the imposition of actions
against members of its staff, faculty or students, if any. ACTCM
must retain all documents relating to the complaint and the
investigation for a period of at least seven (7) years from the date
of the incident.
3. Processing Privacy Complaints
Internal Privacy Violation Reviews: ACTCM staff, faculty and
students are encouraged to report violations of federal and state
privacy laws and ACTCM’s privacy policies (Privacy Violations) to
ACTCM’s Privacy Officer. Whenever a possible Privacy Violation
arises, the Privacy Officer along with PIRT will conduct an
investigation and determine whether a violation has occurred. If
PIRT determines that a staff member, faculty member, student or business
associate has committed a Privacy Violation, that person shall be subject to
appropriate actions as determined by PIRT, the Director of Human
Resources, or any appropriate manager or supervisor.
It is the policy of ACTCM not to retaliate against or intimidate
anyone who has knowledge of any privacy violations
4. HIPAA Compliance Training
It is ACTCM’s policy to provide training to all staff, faculty,
and students who have access to PHI on its privacy policies and
procedures and to ensure that education curriculum and
materials are created and maintained to provide adequate
training to students to properly handle PHI during their clinical
hours. Privacy training will review ACTCM’s privacy policies
and procedures and will discuss any changes in these policies
and procedures. The training program will focus on federal
laws and regulations governing the privacy, confidentiality, and
security of PHI, as well as any important and relevant state
laws
The American College of Traditional Chinese Medicine
Confidentiality of Patient, Employee and Agency
Business Information Form
◦ Faculty
◦ Staff
◦ Students
◦ Volunteers
◦ Visiting Medical Professionals
◦ Business Associates
Statement of Policy:
It is the legal and ethical responsibility of all ACTCM ……to use personal and
confidential patient, employee and agency business information (referred to here
collectively as “confidential information”) in accordance with the law and ACTCM
policy, and to preserve and protect the privacy rights of the subject of the
information as they perform their duties.
Laws controlling the privacy of, access to and maintenance of confidential
information include, but are not limited to, the federal Health Insurance Portability
and Accountability Act (HIPAA), the California Information Practices Act (IPA),
the California Confidentiality of Medical Information Act (COMIA)…..
Confidential information includes information that identifies or describes an
individual and the disclosure of which would constitute an
unwarranted invasion of personal privacy…..
The term “medical information” includes the following: medical and psychiatric
records, including paper printouts, photos, videotapes, diagnostic and therapeutic
reports, x-rays, scans, laboratory and pathology samples; patient business records,
such as bills for service or insurance information whether stored externally or on
campus; electronically stored or transmitted patient information; visual observation
of receiving medical care or accessing; verbal information provided by or about a
patient; peer review/risk management information and activities; or information the
disclosure of which would constitute an unwarranted invasion of privacy.
Acknowledgement of Responsibility I understand and acknowledge
that:
It is my legal and ethical responsibility to preserve and protect the
privacy, confidentiality and security of all medical records, proprietary
and other confidential information relating to ACTCM, its patients,
activities and affiliates, in accordance with the law and agency policy.
I agree to access, use or disclose confidential information only in the
performance of my duties, where required by or permitted by law and
only to persons who have the right to receive that information. When
using or disclosing confidential information, I will use or disclose only
the minimum information necessary.
I agree to discuss confidential information only in my workplace and
for ACTCM-related purposes. I will not knowingly discuss any
confidential information within the hearing of other persons who do
not have the right to receive the information. I agree to protect the
confidentiality of any medical, proprietary or other confidential
information which is incidentally disclosed to me in the course of my
relationship with ACTCM.
Acknowledgement of Responsibility I understand and acknowledge
that:
I understand that psychiatric records, drug abuse records, and all
references to HIV testing, such as clinical tests, laboratory or
otherwise, used to identify HIV, or antibodies or antigens to HIV, are
specially protected by law.
I understand that my access to all ACTCM electronic information
systems is subject to audit in accordance with ACTCM policy.
I understand that violation of any of ACTCM policies and procedures
related to confidential information or of any state or federal laws or
regulations governing a patient’s right to privacy may subject me to
legal and/or disciplinary action up to and including immediate
termination from my employment/professional relationship with
ACTCM.
I understand that I may be personally liable for harm resulting from my
breach of this agreement and that I may also be held criminally liable
under the HIPAA privacy regulations for an intentional and/or
malicious release of protected health information.
ACTCM provides each new patient with a Notice of Privacy
Practice (NPP) and requires them to read and sign the document
upon their first visit. In addition, the Clinic will post the NPP in
plain view of the Clinic waiting room and will make the NPP
available to all patients upon request.
The NPP must be written in plain language.
Patients have the right to adequate notice of:
◦ the uses and disclosures of PHI that may be made by ACTCM;
◦ the patient’s rights with respect to PHI; and
◦ ACTCM’s legal obligations regarding PHI.
The NPP will also provide a description of ACTCM’s
complaint procedures in regards to privacy issues, the name
and phone number of the Privacy Officer, and the date of the
notice
Our Pledge Regarding Medical Information:
The privacy of your medical information is important to us.
We understand that your medical information is personal and
we are committed to protecting it. We create a record of the
care and services you receive at our clinic. We need this
record to provide you with quality care and to comply with
certain legal requirements. This notice will tell you about the
ways we may use and share medical information about you.
We also describe your rights and certain duties we have
regarding the use and disclosure of medical information. This
notice will remain in effect until it is replaced or amended by
changes in law.
Use and Disclosure of Your Medical Information
We gather personal health information in several ways. This information comes
from you, from other healthcare providers, and from third party payers. This
section describes different ways that we use and disclose medical information.
We will not use or disclose your medical information for any purpose not listed
below, without your specific written authorization. Any specific written
authorization you provide may be revoked at any time by writing to us. We may
use and disclose your medical information in the following ways:
For treatment
For payment
For healthcare operations
When required by law
This office will not use your health information for
marketing communications without your written authorization. However, this
office may send birthday cards, newsletters and appointment reminders by
telephone call or mail.
Patient Rights
Upon written request, you have the right to access, review or
receive copies of your health care records. There is a copy fee of
$15, and requests take up to 10 working days to process.
Upon written request you have the right to receive a list of items
this office disclosed about your healthcare information.
You have the right to request that this office place additional
restrictions on disclosure of your protected health information.
You have the right to request that we amend your protected health
information; the request must be in writing.
You have the right to receive all notices in writing.
If you have questions, complaints or want more information about
ACTCM’s privacy policies and procedures, please contact this office.
Contact: Tracy Tognetti, Clinic Operations Director/Privacy Officer
Telephone 415-282-9603, Ext. 32
Address: 455 Arkansas Street, San Francisco CA 94107
You may also send written complaints to the U.S. Department of
Health and Human Services. For more information, please visit
http://www.hhs.gov/hipaa
Patient’s Consent for the Purposes of Treatment, Payment, and Healthcare
Operations
I, __ , give consent to ACTCM Community Clinic to use and disclose my individually
identifiable health information or Protected Health Information for the specific
purposes of: providing treatment to me, relating to the payment of services this
office has rendered to me, and the general administrative operation this practice
provides to me.
Protected Health Information includes:
Demographic information
Information gathered by this practice as it relates to my past, present and future
physical or mental health or condition
Information gathered by this office for past, present or future payments of healthcare
services.
Information used for healthcare operations purposes, including quality assessment
activities, credentialing, business management and other general operations
procedures or activities.
Patient’s Consent for the Purposes of Treatment, Payment, and Healthcare
Operations
I understand I have the right to request a restriction on the use and disclosure of my
protected health information for the purposes of treatment, payment, and healthcare
operations of the clinic, but the clinic is not required to agree to these restrictions.
However, if the clinic agrees to a restriction that I request, the restriction is binding
to the clinic.
I understand I have the right to read and discuss the Notice of Privacy Practices
form before I sign this consent form, regarding the use and disclosures of my
protected health information.
I have the right to revoke this consent, in writing, at any time except to the extent
that ACTCM Community Clinic has acted in reliance on this consent.
CONSENT TO USE AND PUBLICATION OF CLINICAL DATA AND
CONTENTS OF PATIENT RECORDS FOR STATISTICAL PURPOSES,
RESEARCH AND PUBLICATION
I, __________________(print patient's name) authorize The American College of
Traditional Chinese Medicine and members of its Clinic Medical Staff, faculty and
students to review my records for the purpose of collecting statistical data or
pertinent clinical information for the purposes of research, publication, education
and case review. I give my permission and consent to the publication of statistical
and/or clinical data obtained from my records. I understand that all patient records
are protected by clinic protocols and confidentiality agreements. I also understand
that I will never be identified as the source of this information and that if any
particulars of my case are used for the purposes of publication all possible clues to
my identity will be disguised or altered. I understand that there is the remote
possibility of being accidentally identified as the source of the clinical data but that
the way this information is handled makes the risk very small.
To the individual or their authorized representative
(personal representatives, parents of minors, and others
legally authorized to make healthcare decisions on
behalf of patients)
Covered entities may impose reasonable, cost-based
fees for PHI requests.
If patients request a copy of their charts, they must fill
out a copy request form and ACTCM’s copy fee is $15.
For treatment (providing, coordinating or managing a patient’s
care, include patient education and training, consultations
between providers and referrals),
For payment (activities related to being paid for services
rendered, including eligibility determinations, billing, claims
management, utilization review and debt collection)
For healthcare operations (activities such as quality assessment,
student training, contracting for health care services, medical
review, legal services, auditing, business planning and
development, licensing and accreditations, business management
and general administrative activities)
When the individual has the opportunity to agree or
object, such as when the patient brings another person
into the treatment room for their office visit
For the purpose of public health or mandated by law
ACTCM will use and disclose PHI only as permitted under
HIPAA. The terms “use” and “disclose” are defined as
follows:
◦ Use- The sharing, employment, application, utilization,
examination, or analysis of individually identifiable health
information by any ACTCM staff, faculty or student or ACTCM
Business Associate; and
◦ Disclose- For information that is PHI, disclosure means any
release, transfer, provision or access to, or divulging in any other
manner of individually identifiable health information to persons
not an ACTCM staff, faculty or student with a business or
educational need to know PHI.
The Privacy Rule does allow for “incidental”
disclosure of PHI as long as the covered entity used
reasonable safeguards
ACTCM will apply the “Minimum Necessary” rule to
the release of client information
ACTCM health care workers’ disclosure of and access
to Protected Health Information is based on the scope
of their job and the information they need to perform
that job
Under certain conditions, ACTCM may release PHI without patient
knowledge or authorization such as:
◦ For treatment, payment, and health care operations
◦ For public health activities that involve safety or communicable disease
◦ About victims of abuse, neglect, or domestic violence
◦ For judicial and administrative proceedings
◦ For law enforcement purposes
◦ Organ and tissue donations
◦ To avert a serious threat to health or safety
◦ For specialized government functions
◦ For workers’ compensation
◦ To the Department of Health and Human Services or Attorney General for
enforcement of the privacy rules
Personal (legal) representatives are entitled to receive
the same information you would share with the patient
If consent is verbal, make a note in the medical record
If you have doubts, give the patient an opportunity to
object to sharing information with a person
Disclosures of PHI when the patient is not present: When a patient is not
present or when ACTCM cannot practically give the patient an opportunity
to agree or object to the use or disclosure, ACTCM may, in the exercise of
professional judgment, determine whether the disclosure is in the patient’s
best interests and if so, disclose only the PHI that is directly relevant to the
person’s involvement with the patient’s health care. The clinic must follow
these guidelines when deciding whether to disclose PHI when the patient is
not present:
◦ Only disclose PHI that is directly related to the patient’s current
condition.
◦ Consider the patient’s best interests and construe this opportunity
narrowly, allowing disclosures only to those persons with close
relationships with the patient, such as family members.
◦ Take into account whether the disclosure is likely to put the patient at
risk of serious harm.
In the State of California it is against the law AND
authorization is required to disclose certain kinds of
health information about mental health, substance
abuse, STDs and HIV/AIDS, and minors
Generally, authorization by the patient is required to
disclose mental health information to parties outside of
the ACTCM Safety Net
For treatment purposes, it is permissible to disclose
mental health information to parties within the ACTCM
Safety Net without patient authorization
➢ Other examples where Mental Health information can
be shared:
• with ACTCM Safety Net professionals providing patient
care
• for training purposes
• as required by Homeland Security Act
• with coroner or medical examiner
• to avert public health or safety threat
• when required by law
If State or Federal funds subsidize all or part of an
ACTCM Safety Net substance abuse program and/or
agency, then federal and state laws will require you to
obtain written patient authorization before disclosing
substance abuse information
For treatment purposes, patient authorization is NOT
needed to disclose substance abuse information
within the ACTCM Safety Net if a program and/or
agency does not receive federal or state funding
It is against the law to disclose HIV test results and
Protected Health Information related to treatment of
STDs when the treatment was rendered within the
Municipal STD clinic without specific written patient
authorization.
Consent is necessary to disclose the Protected Health
Information of minors
◦ If a minor is emancipated they may consent to the disclosure of
their own Protected Health Information
◦ Otherwise, a parent or assigned guardian must consent to
disclosure of Protected Health Information
ACTCM must reasonably safeguard PHI, including verbal information, from
any intentional or unintentional use or disclosures. Measures that ACTCM
takes to protect patients’ privacy include:
◦ Making available treatment rooms where the clinicians can counsel patients
regarding treatment of their medical conditions, including use of herbs.
◦ Not discussing cases in the hallways, waiting area, patio area or at the front desk.
◦ Speaking quietly or asking that waiting patients stand a few feet back from the
counter when speaking to patients from behind the front desk counter.
◦ Limiting telephone calls made in the reception area to routine
appointment reminders and appointment clarification, using only first names.
◦ Keeping the volume at an appropriate level over the phone so conversations cannot
be overheard. Telephone calls requiring sensitive information or more
disclosure should be made from the Faculty Office or Herbal Dispensary.
◦ Avoiding leaving any PHI or other sensitive information on voicemail messages.
ACTCM’s general policy is to mail PHI whenever possible. If faxing, only the PHI
actually needed is sent, and faxing is permitted only if the sender first calls the recipient and
confirms that the recipient or his or her designee will be waiting at the fax machine, and
the recipient then calls the sender to confirm receipt of the document.
◦ Each fax must use an ACTCM fax cover sheet containing the following
confidentiality statement: Confidentiality Notice: This communication and any
attachments are for the sole use of the intended recipient and may contain
information that is confidential and privileged under state and federal privacy laws.
If you received this fax in error, be aware that any unauthorized use, disclosure,
copying, or distribution is strictly prohibited. If you have received this fax in error,
please contact the sender immediately and destroy all copies of this message.
◦ If a fax containing PHI is transmitted to the wrong recipient:
• Fax a request to the incorrect fax number explaining that the information has been
misdirected, and ask that the materials be returned or destroyed.
• Obtain written attestation that the recipient destroyed all copies and did not
disclose the information.
• Fill out an incident report and submit it to the Privacy Officer.
Emailing patients’ PHI is discouraged; do not send confidential information by email
unless absolutely necessary.
◦ De-identify the information if possible
◦ Warn patients who communicate by email that their confidentiality cannot be
ensured
◦ Add the following confidentiality notice footer to your message: Confidentiality
Notice: This email communication and any attachments are for the sole use of the
intended recipient and may contain information that is confidential and privileged
under state and federal privacy laws. If you received this email in error, be aware
that any unauthorized use, disclosure, copying or distribution is strictly prohibited.
If you received this email in error, please contact the sender immediately and
destroy/delete all copies of this message.
◦ If an email containing PHI is transmitted to the wrong recipient:
• Send an email to the incorrect recipient explaining that the information has been
misdirected, and ask that the materials be returned or destroyed.
• Obtain written attestation that the recipient destroyed all copies and did not
disclose the information.
• Fill out an incident report and submit it to the Privacy Officer.
Use of PHI in electronic medical records system: ACTCM staff,
faculty and students are currently not using an electronic medical
records system, but ACTCM uses MediSoft software for
accounting and billing purposes
MediSoft can only be accessed by clinic staff, each of whom has
a unique user name and password. The reception computers are
turned off after business hours, and patients and non-essential
staff, faculty and students are restricted from the computer area.
MediSoft has audit controls to record and examine activity on our
records
The Security Rule requires a number of physical steps to ensure
that PHI contained in paper files and computers is protected:
◦ Controls to help ensure that health data has not been altered in an
unauthorized manner
◦ Controls to ensure that access to sensitive information is available
on a need-to-know basis
◦ Paper PHI files are stored and locked in file cabinets each night
◦ ACTCM’s Clinic has a dedicated server located downstairs in a
locked room
◦ ACTCM Clinic computers are protected by a firewall and
malware protection
◦ ACTCM Clinic files are backed up every night
Failure to comply with the HIPAA Privacy and Security
Rules can lead to significant financial and other
penalties.
Required to report breaches of PHI disclosure
violations to DHHS
Civil and criminal penalties may be enforced against both individuals and
companies, including fines of up to $1.5 million and up to ten years
of imprisonment.
18-month HIPAA audit ($50K to $150K)
ACTCM Clinic has ongoing internal auditing and
proactive identification for potential violations
AVOID:
◦ Discussing cases where other patients or visitors may
hear you: hallways, waiting area, front desk, patio
◦ Discussing herbal formulas with patients at the front
desk
◦ Leaving charts or records where other people can see them
◦ Sharing medical information with family and friends
◦ Removing charts from the Clinic; charts should be
returned to the front desk as soon as possible
It is essential that everyone providing care and
services to our patients be aware of their
surroundings to ensure confidentiality. Be aware
of where you are, who is around you, and what
information can be seen or heard by someone
else. Try to minimize the chances of accidental
disclosure.
All Medical Information that clearly identifies an
individual is confidential
You should only use patient information to perform
your specific job task
EVERYONE is accountable for:
◦ Protecting patient privacy
◦ Knowing and following policies and procedures
◦ Asking questions when unsure about processes
◦ Reporting potential privacy violations to the Privacy and
Security Officer