HIPAA the HIPPO
Odyssey House of Utah
June, 2011
Why do I care?
HIPAA often seems hard to get your head around because it has complicated requirements associated with it. However, there are some simple ways to protect our clients, yourself, and Odyssey House.
Why do I care?
The reason for HIPAA might best be explained by one of many stories:
“After suffering a work related injury to her wrist, a woman authorized her insurance company to release information pertaining to her wrist ailment to her employer. When she had the opportunity to review her medical record, her file contained her entire medical history including records on recent fertility treatment and pregnancy loss.” (Health Privacy Project, Georgetown University, 1999)
Due to incidents similar to this, one in five American adults believes that a health care provider, insurance plan, government agency or employer has improperly disclosed personal medical information.
Two out of three U.S. adults say they don’t trust health plans and government programs such as Medicare to maintain confidentiality all or most of the time.
Why do I care?
There are serious consequences for not protecting the health information of our clients:
• Client could suffer personal or legal consequences
• The agency could be sued or fined
• You could personally pay fines or receive a jail sentence for a breach
What is HIPAA?
Health Information Portability & Accountability Act of 1996
Addresses:
• Privacy of Protected Health Information
• Security of Protected Health Information
• Potential consequences and enforcement activities
What is protected?
Protected Health Information (PHI):
• Demographics
• Mental & physical health info
• Anything related to services provided
How do I protect myself?
Minimum Necessary: In short…only disclose what is absolutely necessary!
When can I release information?
• Internal care coordination
• Based on a completed authorization
• Mandatory reporting
• Law enforcement warrants & court orders
• Treatment, payment, & health care operations
Can I chat with my co‐workers?
Internal Disclosures:
• While care coordination is encouraged, all other information is on a NEED TO KNOW BASIS!
• This means that sharing a story about a client with a well‐known parent to a co‐worker for laughs is a breach.
Who else wants to know?
External Disclosures:
• Collateral Supports
• Requests for our records
  See pg. 6 in Policy & Procedure for specific steps
• Law enforcement & Court Orders
  See pg. 8 in P&P for additional info
• Waived Confidentiality Situations
• Mandatory Reporting & Others
What do I do when law enforcement shows up?
If law enforcement arrives to arrest a client:
• Ask if they have a court order. If so, ask politely if you can see it.
• As soon as you see a court order, cooperate with the apprehension.
• If they do not have a court order: “In the absence of a judicial order, I cannot confirm or deny anything. You can, however, contact our Privacy Officer.”
• Additional help in the Policy & Procedure, along with Privacy Officer contact information.
What do I have to document?
Waived Confidentiality Situations:
• Attempt to obtain an authorization first
• Attempt to get the client to self‐report, if applicable
• Miscellaneous Note, entitled “Accounting of PHI Disclosure”
External Requests for Our Records:
• Original request for records form
• Attach any information disclosed (how?)
• Document disclosure on the release form
• Place in client’s file
Where is PHI hiding?
• On your computer
• Jump drives
• At your desk
• Client files
• Stuff you take home
• Your brain
How do I keep it safe?
• Lock your computer when you step away
• NO PERSONAL JUMPDRIVES!
• Agency jumpdrives must be processed by IT
• Keep client files or documents out of sight
• Put client files away immediately after use
• Get supervisor permission before you take any physical PHI home (laptop, agency jump drive, documents, files, etc.)
What’s an Authorization?
• Forms are located on the L drive
• Refer to pg. 4 in the P&P for required components
What is 42 CFR Part 2?
• 42 CFR Part 2 specifies privacy regulations specific to alcohol and drug abuse patient records
• There is a conflict between 42 CFR and the HIPAA Privacy Rule: the Privacy Rule states that an authorization can be revoked by the client at any time, while 42 CFR allows authorizations to remain in effect for the criminal justice system, acknowledging the need for judges and P.O.s to know what their legally mandated client is up to
• Therefore, legally mandated clients must sign a Criminal Justice Authorization that documents this conflict and explains the consequences of revoking the authorization
What is unique to minors?
• Parents, case workers, or personal representatives with legal custody have full access to client PHI
• The burden is on the disclosing staff member to be sure that the parent has custody or is otherwise authorized to have access by the custodial parent
When do I get help?
Go to the Privacy Officer when:
• You know about or suspect a breach
• You receive a court order, subpoena or discovery request
• Law enforcement requests PHI without a warrant or court order
• You need to report a crime involving a client
Where’s the information?
• “Client Confidentiality” Policy & Procedure
• Privacy Officer: Emily Capito x3475
• Release Forms:
  • L:/Forms/Client/Releases of Information
• Access to this Training:
  • L:/Staff Resources/HIPAA
Don’t be a Big Mouth!
Questions?
Hear No Evil See No Evil Speak No Evil
References
• 45 CFR Parts 160, 162, 164 (HIPAA)
• 42 CFR Part 2
• U.S. Department of Health & Human Services: http://www.hhs.gov/ocr/privacy/
Self‐Directed Training Documentation
• Make sure to complete the quiz and sign the training acknowledgement for credit
• This training accounts for 1 hour
• You should also read the Policy & Procedure before signing the training form