Hipaa.uo a

Date posted: 29-Nov-2014
Uploaded by: john-wible
Description: HIPAA for U of A (54 pages)
Transcript
Page 1: Hipaa.uo a

To HIPAA and Beyond
The Law of Confidentiality and Security

December, 2010

By John R. Wible, General Counsel
Alabama Department of Public Health

ADPH, 2010

Page 2: Hipaa.uo a

Documentation

• Substantiates proof of services
• Provides continuity of care
• Documentation must be objective: facts, not opinions

Page 3: Hipaa.uo a

The “Golden Rule of Documentation”

• The “Golden Rule of Documentation”: If it ain’t wrote down it didn’t happen!
• “Wible’s corollary”: The way it is wrote down is the way it happened regardless of the way it happened!

Page 4: Hipaa.uo a

Confidentiality - Access to Records Generally

• All patient information is strictly confidential
  ◦ See Employee Handbook 10-02
• Some bad scenarios
• Bad scenarios equal bad liability

Page 5: Hipaa.uo a

Conditions for Release of Information

Conditions for release of information:
◦ Prior written consent of patient, parent/guardian
◦ Subpoena in accordance with Departmental/institutional policy
◦ Otherwise provided by law

Page 6: Hipaa.uo a

TB/STD/DC Records - Special Confidentiality

• STD/TB/disease control information is not public.
• Not revealed even by subpoena
• Not admissible into evidence except for commitment hearings
• ADPH requests for notifiable disease records are to be forwarded to Legal
  ◦ Call 334.206.5209.
• See ADPH Policy 04-02 for specifics

Page 7: Hipaa.uo a

Disease Control Guidelines

Information considered not confidential:
• Final completed report written in blank, not identifying any persons
• The names of businesses, establishments, restaurants involved in an investigation
• Aggregate statistical information
• Any other public records
• Regular environmental and daycare inspection reports

Page 8: Hipaa.uo a

Confidential Information (EPI)

• Epidemiologic interview sheets
• Required reports
• Work papers, notes and analyses
• Actual numbers of cases or IDs
• Correspondence on a case
• Complaint-generated environmental and other inspection reports
• Incomplete drafts of reports
• Other documents received privately

Page 9: Hipaa.uo a

Released With Authorization

• A notifiable disease record generated by the Department or in the possession of the Department (such as electronic laboratory reports or facsimile lab reports) that concerns the symptoms, condition or other information specific to an individual
• One patient’s authorization, however, does not release other persons’ names or information

Page 10: Hipaa.uo a

Written Authorization Not Required:

• Transfer information from one county health department to another or to the state office
• Transfer information to physicians, nurse practitioners or other health professionals with contract or other provider arrangements to provide care
• Some practitioners require consents to transfer out of an abundance of caution

Page 11: Hipaa.uo a

What Makes a Valid Authorization?

• Description of the info to be released
• Name or description of info receiver
• Name of patient
• Description of the use of the info
• Expiration date or continuous
• Right of revocation by pt.
• Notice of possible re-disclosures
• Signature of pt or representative
• See CHR Form 6A and instructions

Page 12: Hipaa.uo a

Note Concerning Certain Information

• CHR 6A states: pt. is made aware that s/he is releasing STD/HIV/AIDS or drug and alcohol treatment or mental health records
• This is NOT required if other providers’ releases meet the earlier criteria

Page 13: Hipaa.uo a

Release of Contact Information – Don’t Do It!

• The medical record or information regarding STD/TB/disease control cannot be released without the written consent of the patient
• Even with consent, it should not include contact information.
• Don’t write identifying information about how the patient contracted the disease

Page 14: Hipaa.uo a

Confidentiality – Access to Medical Records of Minors

• If a minor is qualified to consent and signs the “consent for treatment”, only the minor can sign to release the information regarding those services
• If the parent/guardian signs the consent for treatment, the parent/guardian or the minor may consent for the release

Page 15: Hipaa.uo a

Access to Medical Records of Minors – Rights of the Parents

• All information pertaining to a child must be equally available to both parents
• However, if the child gave consent for services, neither parent may have access to the records without that child’s consent.
  ◦ Code of Ala. § 30-3-154

Page 16: Hipaa.uo a

HIPAA – In Brief

• HIPAA stands for The Health Insurance Portability and Accountability Act (1996)
• Addresses privacy and security of health data
• Includes verbal, written, or electronic data
• Privacy Rule (2003) includes both paper & e-PHI
• Security Rule (2003) includes only e-PHI
• HHS makes the rules
• Amended (2009) by “the Stimulus Package” – ARRA (HITECH)

Page 17: Hipaa.uo a

PHI – What is it?

• Patient name
• Patient address
• Patient phone number
• Patient date of birth
• Patient social security number, Medicaid number, etc.
• Diagnosis
• Treatment information
• Financial information

Page 18: Hipaa.uo a

The Privacy Rule: What and Who Is Covered?

• “Protected Health Information” (PHI): Individually-identifiable health information used or disclosed by a covered entity in any form, whether electronically, on paper, or orally
  ◦ 45 C.F.R. §160.103
• ADPH is a “covered entity”

Page 19: Hipaa.uo a

Releases without Written Consent

• Treatment
• Payment
• Operations
• Where required by law

Page 20: Hipaa.uo a

Business Associates

Business associates follow the same level of protection in the privacy rule and include:
◦ Claims or data processors;
◦ Billing companies and financial service providers
◦ Quality assurance providers and utilization reviewers
◦ Lawyers, accountants & other professionals

45 C.F.R. §160.103

Page 21: Hipaa.uo a

Business Associates and ARRA

• Must also adhere to the Security Rule like CEs and are subject to the same penalties
• Establish administrative, physical, and technical safeguards for Protected Health Information (PHI)
• Establish policies and procedures for safeguards
• Only use or disclose PHI in accordance with HIPAA
• “Rat Fink Provision”

Page 22: Hipaa.uo a

HIPAA Privacy Rule: Who is Not Covered?

• Life insurance companies
• Auto insurance companies
• Workers’ compensation carriers
• Employers
• Others who acquire, use, and disclose vast quantities of health data
• ARRA may place some requirements
  ◦ E.g., PHI cannot be bought and sold

Page 23: Hipaa.uo a

HIPAA Privacy Rule: What Is Not Covered?

PHI does not include
◦ Education records covered by FERPA
◦ Employment records held by a covered entity in its role as employer
◦ Non-identifiable health information
◦ 45 C.F.R. §160.103

Page 24: Hipaa.uo a

HIPAA - What it Doesn’t Do

• Does not override state laws that provide more patient privacy than HIPAA
• Does not require that all risk of incidental disclosures of patient information be eliminated
• Examples: cubicles, shield-type dividers, sign-in sheets

Page 25: Hipaa.uo a

HIPAA and ADPH Privacy

• See ADPH HIPAA Privacy Policy 06-008
  ◦ “Minimum Necessary” Concept
  ◦ Patient Verification
  ◦ Fax Confidentiality
  ◦ The “HIPAA Log”
  ◦ Breach Sanctions
  ◦ Needs updating
• See also CHR Manual and Employee Handbook

Page 26: Hipaa.uo a

How Uses/Disclosures Are Regulated

Minimum necessary rule: When using or disclosing PHI, a covered entity must make reasonable efforts to limit such information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request

Page 27: Hipaa.uo a

Permitted Disclosures

“Minimum” info may be disclosed:
• To “public officials”
• To public health
• To law enforcement
• To national security and intelligence agencies
• To judicial authorities
• To researchers
• To DHR for abuse reporting

Page 28: Hipaa.uo a

Disclosure to Police

• Pursuant to subpoenas or by verbal request
• As “otherwise required by law”
• For ID and location purposes
• Do not give disease information
• Individual is a victim of a crime
• To alert about a suspicious death
• When criminal conduct occurs on premises
• In emergency setting, to alert regarding information pertaining to crime

Page 29: Hipaa.uo a

Disclosure to National Security Agencies

CEs may disclose PHI to authorized federal officials for the conduct of intelligence, counter-intelligence, and other national security activities

Page 30: Hipaa.uo a

Disclosure To Public Health

Disclosure permitted to: “public health authority that is authorized by law to collect and receive such information for the purpose of preventing and controlling disease, injury, or disability, including… reporting of disease… and the conduct of public health surveillance….”

Page 31: Hipaa.uo a

Child or Elder Abuse Notice

Examples of specific public health-based exceptions include disclosures
◦ About victims of abuse, neglect, or domestic violence
◦ To prevent serious threats to persons or the public

Page 32: Hipaa.uo a

Information on Decedents

May be released to:
• Law enforcement
• Transporting emergency medical personnel
• Coroners and their personnel
• Mortuary personnel
• Bureau of Health Statistics

Page 33: Hipaa.uo a

Maintenance of Documentation

• Maintain documentation of policies and procedures for 6 years
• Make documentation available to workforce who administer the policy
• Review documentation periodically
• Ensure the confidentiality, integrity, and availability of ePHI

Page 34: Hipaa.uo a

HIPAA - The Security Rule

• Primary objective: protect the confidentiality, integrity, and availability of ePHI when it is stored, maintained, or transmitted.
• Applies to identifiable electronic protected health information (ePHI) related to:
  ◦ Past, present or future medical or mental condition
  ◦ The individual’s health care
  ◦ Payment records

Page 35: Hipaa.uo a

What about e-PHI?

• Same as PHI, but created, received, or maintained electronically
• Does not include telephone calls, copy machines, fax machines, most voice mail
• Does not include de-identified information

Page 36: Hipaa.uo a

Security of the Premises

• HIPAA requires security of the premises, i.e., door locks. See ADPH Security Policy No. 05-16.
• HIPAA also requires security of the electronic records (computer security)
• HIPAA requires security of the paper
• HIPAA requires security of your mouth

Page 37: Hipaa.uo a

Building Security

• Post the Department’s Notice of Privacy Practices where clients can see it
• Maintain visitor sign-in logs and have visitors sign in and out (this includes repair persons)
• Use ADPH and Visitor ID badges
• Keep back doors locked or monitored during business hours
• Keep server rooms locked
• Keep PHI storage areas locked when unattended

Page 38: Hipaa.uo a

Paper Security

• Clean Desk
  ◦ Keep patient records covered or in folders
  ◦ Lock records up at end of day or when away from desk
• Fax/Copy Machines
  ◦ Put fax & copiers in secure area away from traffic
  ◦ Remove faxes/copies promptly
• File Cabinets
  ◦ Keep locked when unattended
  ◦ Locate in secure area
  ◦ Limit access
• Shred it!

Page 39: Hipaa.uo a

Use of Department Computers

• Use ADPH furnished equipment/software
• CSC/Tech Support will purchase and install all network-connected devices
• Use strong password protection & disclaimer
  ◦ Don’t give out your password
• CSC/Tech Support will install updates
• Connect laptops to the network once a month for audit
• Back up critical data
  ◦ See Policy 2005-016 and Security Manual

Page 40: Hipaa.uo a

Use of Computers

• Change password every 60 days
• Use only for lawful activity
• Report suspected viruses and attacks
• Supervisors notify CSC on new employee starting work or leaving employment
• Appropriately salvage computers
• Limit access to Department workspace
• Be careful with portable storage devices

Page 41: Hipaa.uo a

Email and Internet Security

• Email
  ◦ Do not open email from an unknown source; especially unknown attachments
  ◦ Verify email recipients; make sure email is going to intended recipient
  ◦ Always encrypt email and attachments containing protected information
  ◦ Read security reminders
• Avoid risky internet sites

Page 42: Hipaa.uo a

Laptop Security

• Keep laptop out of view when traveling
• Do not leave in hot vehicle for long time
• Do not check with luggage when flying
• Password protect
• Set screen saver to require password
• Log on to network once a month to update virus protection software
• Encrypt protected information

Page 43: Hipaa.uo a

Patient Accounting

• Patients may ask for listing of disclosures of their PHI up to six (6) years prior in paper or electronic form
• The following disclosures are NOT required to be accounted for:
  ◦ Treatment, Payment, Healthcare Operations (TPO)
  ◦ Disclosures to the patient or persons involved with their care
  ◦ Disclosures authorized by the patient or authorized representative

Page 44: Hipaa.uo a

Patient Accounting

Other disclosures which are not required to be accounted for:
• National security or intelligence purposes
• Correctional institutions or law enforcement
• Incidental disclosures
• Limited Data Sets used for research purposes

Page 45: Hipaa.uo a

HIPAA Log

• A single file which relates to pt. files
• Kept with medical records
• Documents “non-routine” disclosures:
  ◦ date of the disclosure;
  ◦ the name/address of receiver
  ◦ brief description of the PHI disclosed
  ◦ brief statement of the purpose of the disclosure

Page 46: Hipaa.uo a

Required Logged Items

• Unauthorized releases on the AIR Form
• Releases required by law
• Releases based upon subpoena
• Releases to law enforcement for ID
• Requests to limit releases
• Requests to amend or correct PHI
• Requests by the patient for accounting
• Reports about victims of abuse, neglect, or domestic violence

Page 47: Hipaa.uo a

Disclosures Not Logged

• TPO disclosures
• Disclosures made to the patient or rep.
• Pursuant to a valid authorization
• National security or intelligence purposes;
• To a correctional institution or law enforcement official that has custody of a patient;
• To a health oversight official
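The Patient Accounting, HIPAA Log, Required Logged Items and Disclosures Not Logged slides together describe a record structure (the four logged fields) and a filtering rule (which disclosures a patient's six-year accounting must list). The Python below is an added example, not ADPH's code and not a description of any ADPH system; the category labels, the six-year date arithmetic, and every sample log entry are this example's own assumptions, constructed to show the rule in operation.

```python
"""Accounting-of-disclosures helper for a "HIPAA log".

Added example, not ADPH code. It models the four fields listed on the
HIPAA Log slide and the logged / not-logged categories from the Patient
Accounting and Disclosures Not Logged slides. Category labels and the
six-year look-back arithmetic are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import date

LOOKBACK_YEARS = 6  # patients may ask for disclosures up to six years prior

# Disclosure categories the slides list as NOT required to be accounted for.
# Labels are assumed for this example; they are not ADPH terms.
EXEMPT_CATEGORIES = frozenset({
    "treatment", "payment", "operations",      # TPO
    "to_patient", "to_caregiver",              # patient / persons involved in care
    "patient_authorized",                      # pursuant to a valid authorization
    "national_security",                       # national security or intelligence
    "custodial_law_enforcement",               # institution / officer with custody
    "incidental",
    "limited_data_set_research",
    "health_oversight",
})

# Logged items that are requests rather than disclosures: they belong in the
# log (Required Logged Items) but are not themselves listed in an accounting.
REQUEST_CATEGORIES = frozenset({"accounting_request", "amend_request", "limit_request"})


@dataclass(frozen=True)
class LogEntry:
    patient_id: str
    entry_date: str       # ISO date, e.g. "2010-05-05"
    recipient: str        # name/address of receiver
    phi_description: str  # brief description of the PHI disclosed
    purpose: str          # brief statement of the purpose of the disclosure
    category: str         # assumed taxonomy label (see the sets above)


def must_be_logged(category: str) -> bool:
    """Everything not exempt is a 'non-routine' disclosure and goes in the log."""
    return category not in EXEMPT_CATEGORIES


def lookback_start(requested_on: str) -> str:
    """ISO date six years before the request; Feb 29 falls back to Feb 28."""
    day = date.fromisoformat(requested_on)
    try:
        start = day.replace(year=day.year - LOOKBACK_YEARS)
    except ValueError:  # requested_on is Feb 29 and the target year is not leap
        start = day.replace(year=day.year - LOOKBACK_YEARS, day=28)
    return start.isoformat()


def record_accounting_request(log: list, patient_id: str, requested_on: str) -> None:
    """The request itself is a required logged item, so append it before answering."""
    log.append(LogEntry(patient_id, requested_on, "Patient", "n/a",
                        "Patient request for accounting of disclosures", "accounting_request"))


def accounting_lines(log: list, patient_id: str, requested_on: str) -> list:
    """Return the patient's accountable disclosures in the look-back window, oldest first."""
    start = lookback_start(requested_on)
    hits = [e for e in log
            if e.patient_id == patient_id
            and must_be_logged(e.category)
            and e.category not in REQUEST_CATEGORIES
            and start <= e.entry_date <= requested_on]  # ISO strings sort by date
    hits.sort(key=lambda e: e.entry_date)
    return [f"{e.entry_date} | {e.recipient} | {e.phi_description} | {e.purpose}" for e in hits]


# Constructed sample log; every name, address and ID is invented.
SAMPLE_LOG = [
    LogEntry("P-1001", "2004-06-01", "County Circuit Clerk, 100 Main St", "Immunization record",
             "Response to subpoena", "subpoena"),                    # outside the 6-year window
    LogEntry("P-1001", "2008-06-02", "Contract provider clinic", "Visit notes",
             "Continuing care", "treatment"),                        # TPO: exempt
    LogEntry("P-1001", "2009-09-30", "City Police Dept, 200 Oak Ave", "Name and address only",
             "Identification of individual", "law_enforcement_id"),  # logged
    LogEntry("P-1001", "2010-01-15", "Patient", "Copy of chart",
             "Patient request", "to_patient"),                       # exempt
    LogEntry("P-1001", "2010-05-05", "DHR, 50 Ripley St", "Exam findings",
             "Report of suspected abuse", "abuse_report"),           # logged
    LogEntry("P-2002", "2010-07-07", "State office", "Lab report",
             "Required by law", "required_by_law"),                  # other patient
]

if __name__ == "__main__":
    record_accounting_request(SAMPLE_LOG, "P-1001", "2010-12-01")
    for line in accounting_lines(SAMPLE_LOG, "P-1001", "2010-12-01"):
        print(line)
```

Run stand-alone, the script lists two entries for patient P-1001 (the law-enforcement ID release and the abuse report): the subpoena response falls outside the six-year window, and the treatment and to-patient disclosures are exempt. The accounting request is appended to the log first because the slides list it among the required logged items, even though it is not a disclosure and so never appears in the listing itself.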

Page 48: Hipaa.uo a

HIPAA Breaches

• When there is a breach of PHI or e-PHI you have a duty to report on an ARIA
• Call if it is serious!
• ADPH has a duty:
  ◦ To report to or notify clients
  ◦ To report to HHS and the media if >500
  ◦ To mitigate the damage
  ◦ To examine employees, policies, equipment and facilities to prevent it happening again

“Teton Dam Breach”

Page 49: Hipaa.uo a

BREACHES - PENALTIES

Breach may subject employees and the Covered Entity:
• To criminal penalties (up to $250,000)
  ◦ You are NOT covered by the Fund
• To HHS civil penalties or lawsuits
• To adverse employment action, i.e.,

Page 50: Hipaa.uo a

Program Management

• The HIPAA program and certain other similar programs are under the management of the Risk Management Committee
• Committee proposes HIPAA policy changes
• Committee receives and processes all ARIA reports including possible HIPAA breaches
• The Committee oversees Red Flags instances

Page 51: Hipaa.uo a

Red Flag Regulations

• Federal Trade Commission regulations designed to protect against identity theft
• As a “creditor”, ADPH has “covered transactions” with clients/patients
• ADPH has a duty to be on the lookout for certain red flags

Page 52: Hipaa.uo a

Categories of “Red Flags”

• Alerts, notifications, or warnings from a consumer reporting agency;
• Suspicious documents;
• Suspicious personally identifying information, such as a suspicious address;
• Unusual use of – or suspicious activity relating to – a covered account; and
• Notices from customers, victims, law enforcement authorities, or businesses about possible identity theft

Page 53: Hipaa.uo a

See Also Policy Documents

• 98-07 Fax Policy
• 03-10 Notice of Privacy Practices (NOPP)
  ◦ Under Revision
• 03-30 Vital Records Policies
• 04-02 Receipt of Legal Documents
• 05-16 HIPAA Security Policy/Manual
• 06-08 HIPAA Privacy Policy
• 10-04 Contract Employee Handbook
• Online ARIA Form

Page 54: Hipaa.uo a

For A Copy of the Presentation

See “HIPAA For Area 2”, a download on Slideshare:
http://www.slideshare.net/jwible

ADPH, 2011