Donna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS

Transcription

1 Donna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS 1

2 DISCLAIMER Please review your own documentation with your attorney. This information is for reference and does not constitute rendering of legal advice. 2

3 Introduction Who are we and why are we here? Who are you and why are you here? 3

4 Protection of Information Confidentiality o Roman times more important to have a safe place to talk ore seek treatment than for the world to know what you talked about or sought treatment for Educational Records o Schools cannot share information without parental consent Medical Records o 1996 Medical records cannot be transmitted electronically without protection 4

5 FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT (FERPA) FERPA is intended to protect the privacy of educational records. No funds shall be made available to any educational agency which has a policy or practice of permitting the release of educational records without the written consent of parents Access to records by anyone other than a parent is restricted, absent parental consent, except in some circumstances (eg child is over 18). 5

6 FERPA What does it protect? Educational records, files or other documents that are directly related to a student. Examples include: Grades Class list Course schedules Financial records Disciplinary records 6

7 FERPA Who must comply? Any public or private educational institution which is the recipient of funds under any applicable program Organizations and individuals that contract, consult or are employed by an educational institution Any person employed by the agency 7

8 FERPA WHAT IS NOT COVERED BY FERPA Educational records do not include: o Access too other school employees in the same school with legitimate educational interests o Access to appropriate parties in connection with a health or safety emergency if knowledge is necessary to protect the health or safety of the student o Access to child protective serves for law enforcement as part of a child abuse report o Directory information o Oral communications o Student name o Address o Telephone number o Dates of attendance o Alumni records o University law enforcement records o Medical and mental health records 8

9 Where Do FERPA and HIPPA Intersect? When a school provides health care to students in the normal course of business, such as through its health clinic, it is also a health care provider as defined by HIPAA If a school also conducts any covered transactions electronically in connection with that health care, it is then a covered entity under HIPAA Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to Student Health Records 9

10 Health Information Portability And Accountability Act (HIPAA) 10

11 Let s Have Some Fun # efb4e2fb111 11

12 HIPAA Do You Need To Be Compliant? Are you a covered entity? Covered entity is an organization any Protected Health Information (PHI) in electronic form. There are two kind of clinicians those who are covered by HIPAA and those who think they aren t but really are. 12

13 HIPAA 13

14 HIPAA Protected Health Information (PHI) Name 5 digit ZIP codes All elements of dates for dates directly related to an individualage Telephone numbers Fax numbers Electronic mail addresses Social Security numbers Medical record numbers Health plan beneficiary numbers Account numbers Certificate/license numbers Vehicle identifiers and serial numbers, including license plate numbers Device identifiers and serial numbers Web Universal Resource Locators (URLs) Internet Protocol address numbers (IPs) Biometric identifiers, including finger and voice prints Full face photographic images and comparable images Any other unique identifying number, characteristic, or code 14

15 Privacy Rule The HIPAA Privacy Rule establishes national standards to protect individuals medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections. SUMMARY OF THE PRIVACY RULE ary/index.html 15

16 Security Rule The HIPAA Security Rule establishes national standards to protect individuals electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. SUMMARY OF THE SECURITY RULE mary.html 16

17 HIPAA 3 SAFEGUARDS Physical o rative/securityrule/physsafeguards.pdf Administrative o rative/securityrule/adminsafeguards.pdf Information Technology (IT) o nding/special/healthit/ 17

18 Physical Establish reasonable and appropriate physical safeguards Who can access data and who cannot? How is that controlled? Do policies identify controls to prevent unauthorized physical access or theft? Are their policies to validate the person accessing data? How are workstation repairs handled? What happens when a computer is re-issued to another employee? eguards.pdf 18

19 Administrative Includes security measures to protect electronic protected health information and to manage the conduct of the covered entity s workforce in relation to the protection of that information Comprise over one-half of the HIPAA Security requirements How does EPHI flow through the organization and where are the risks? Do employees sign and adhere to a statement of security? Who can access what information and how are audits conducted? uards.pdf 19

20 Information Technology Privacy and Security Toolkit published by Health and Human Services Correction: the right to have their protected health information (PHI) amended Openness and Transparency: in the system Individual Choice: right to make medical decisions Collection, Use, and Disclosure Limitations Safeguarding of EPHI Accountability: measures in place to audit and report compliance 20

21 A Technology Case: WellPoint Medical (1) Beginning on October 23, 2009, until March 7, 2010, WellPoint did not adequately implement policies and procedures for authorizing access to ephi maintained in its web-based application database consistent with the applicable requirements of the Security Rule. (2) WellPoint did not perform an adequate technical evaluation in response to a software upgrade, an operational change affecting the security of ephi maintained in its web-based application database that would establish the extent to which the configuration of the software providing authentication safeguards for its web-based application met the requirements of the Security Rule. (3) Beginning on October 23, 2009, until March 7, 2010, WellPoint did not adequately implement technology to verify that a person or entity seeking access to ephi maintained in its web-based application database is the one claimed. (4) Beginning on October 23, 2009, until March 7, 2010, WellPoint impermissibly disclosed the ephi, including the names, dates of birth, addresses, Social Security Numbers, telephone numbers and health information, of approximately 612,000 individuals whose ephi was maintained in the web-based application database. Payment WellPoint agrees to pay HHS the amount of $1,700, ( Resolution Amount ) by electronic funds transfer on or before July 11, 2013, pursuant to written instructions to be provided by HHS. 21

22 HIPAA Compliance Gain general knowledge of HIPAA regulations. 75% of HIPAA compliance issues are human error/theft/data loss Visit for more information 22

23 23

24 HIPAA BUSINESS ASSOCIATES Counselors must enter into, or update, their Business Associate (BA) contracts. BA s are third party providers who receive PHI Examples of BA include contractors, subcontractors, billing services, document storage companies, cleaning/ maintenance companies business associates, etc. Visit the below for BA provisions: ing/coveredentities/contractprov.html 24

25 HIPAA NOTICE OF PRIVACY PRACTICES (NPP) This notice describes how medical information about clients may be used and disclosed and how clients can get access to this information. Effective date date you started your practice or the mandated date of compliance for an existing practice. Use and disclosure of Protected Health Information for the purposes of providing services. Providing treatment services, collecting payment and conducting healthcare operations are necessary activities for quality care. State and federal laws allow the entity to use and disclose health information for these purposes. 25

26 HIPAA NOTICE OF PRIVACY PRACTICES (NPP) TREATMENT: o Provide, manage and coordinate care o Consultants o Referral sources PAYMENT: o Verify insurance coverage o Process claims and collect fees HEALTHCARE OPERATIONS: o Review of treatment procedures o Review of business activities o Certification o Staff training o Compliance and licensing activities OTHER USE AND DISCLOSURES WITHOUT YOUR CONSENT: o Mandated reporting o Emergencies o Criminal damage o Appointment scheduling o Treatment alternatives o As required by law 26

27 HIPAA NPP CLIENT RIGHTS Right to request where we contact you Right to release medical records Right to inspect and copy medical billing records Right to add information or amend medical records Right to accounting of disclosures Right to request restrictions on uses and disclosures of healthcare information Right to complain Right to receive changes in policy 27

28 HIPAA NOTICE OF PRIVACY PRACTICES (NPP) You must give the NPP to a client before the initial session. You and the client keep the signed copies. You are required by HIPAA to provide a document that explains to potential clients how you and your practice will handle the release of confidential information. 28

29 29

30 HIPAA SAMPLE NPP Model Notices of Privacy Practices 30

31 Shasta Regional Medical Center (SRMC) A Case of NO Privacy Practices On January 6, 2012, HHS notified SRMC of its initiation of a compliance review of its facility to determine whether there was a failure to comply with the requirements of the Privacy Rule. HHS s compliance review was prompted by an article in the Los Angeles Times published on January 4, The article indicated that two of SRMC s senior leaders met with the media to discuss the medical services provided to a patient (the Affected Party) without a valid written authorization. a) From December 13 20, 2011, SRMC failed to safeguard the Affected Party s PHI from any impermissible intentional or unintentional disclosure on multiple occasions as described below. This failure was evidenced by the following facts: i) On December 13, 2011, SRMC sent a letter, through its parent company, to California Watch, responding to a story concerning Medicare fraud. The letter described the Affected Party s medical treatment and provided specifics about her lab results. SRMC did not have a written authorization from the Affected Party to disclose this information to this news outlet. ii) On December 16, 2011, two of SRMC s senior leaders met with The Record Searchlight s editor to discuss the Affected Party s medical record in detail. SRMC did not have a written authorization from the Affected Party to disclose this information to this newspaper. iii) On December 20, 2011, SRMC sent a letter to The Los Angeles Times, which contained detailed information about the treatment the Affected Party received. SRMC did not have a written authorization from the Affected Party to disclose this information to this newspaper. 31

32 A Case of NO Privacy Practices b) SRMC impermissibly used the affected party s PHI. This failure was evidenced by the following facts: i) On December 20, 2011, SRMC sent an to its entire workforce and medical staff, approximately individuals, describing, in detail, the Affected Party s medical condition, diagnosis and treatment. SRMC did not have a written authorization from the Affected Party to share this information with SRMC s entire workforce and medical staff. Payment Covered Entities agree to pay HHS the amount of Two Hundred and Seventy Five Thousand Dollars ($275,000.00) as the Resolution Amount. Covered Entities have entered into and agree to comply with the Corrective Action Plan (CAP), attached. 32

33 HIPAA Steps Toward Compliance 33

34 HIPAA Steps Toward Compliance Gain general knowledge of HIPAA regulations. Visit for more information 34

35 HIPAA Steps Toward Compliance Create a HIPAA Check List Designate a "Privacy Officer Create a general HIPAA computer file for your documentation i.e., HIPAA forms, logs, documentation of compliance activities, etc. 35

36 HIPAA Steps Toward Compliance Secure records by locking and securing file cabinets and offices. Monitor who has access to them. Provide basic (need not be expensive) computer security, such as virus protection, firewalls, backup, passwords (changed regularly), encryptions, log out, access log, and who has access to records 36

37 HIPAA Steps Toward Compliance Keep answering machines, fax machines and computer screens confidential and away from unauthorized people. Post public notices regarding the Privacy Officer and the Notice of Privacy Practices in the waiting room and, when appropriate, on your website. 37

38 HIPAA Steps Toward Compliance Obtain, if relevant, from your "Business Associates" (i.e., clearinghouses, answering services) a HIPAA Business Associate contract. Train your employees or staff (if you have any) in HIPAA compliance. Document the training and retraining as necessary. Disclosures and disclosure spreadsheets 38

39 Let s Have Some Fun # efb4e2fb111 39

40 SECURITY AND PRIVACY REMINDERS 40

41 Workstation Use and Security Access of PHI without subscriber authorization must be limited to purposes permitted Do not load unauthorized software, programs, or files onto their workstations. Do not copy records onto personal devices. Monitors should be positioned such that unauthorized persons cannot view information. 41

42 Workstation Use and Security Do not share your password with anyone. This includes IT and your supervisor. Additionally, do not write your password on sticky notes or other paper and leave it around or near your computer. Lock your workstation when leaving work area for extended periods. 42

43 and Malicious Software Do not open s unless you know the sender. If you receive from an unknown sender, contact IT. Please inspect addresses carefully to ensure they are from a legitimate source. Do not open links in s without confirming with the sender the validity of the links. Do not give your work address for any personal s. 43

44 and Malicious Software Never download files from the Internet. Never install any personal software on your computer. Do not make illegal copies of any software. Notify your supervisor if you suspect your password has been compromised. 44

45 Log-ins Do not log in if your screen suddenly looks different Don t log in from a free wi-fi connection 45

46 Transmissions Any documents to be sent via fax should be sent via electronic fax, if possible. If not possible, the sender should remain at the machine until the transmission is complete to remove material from the machine. Fax machines and copiers should also be regularly checked for, and cleared of, material containing PHI. s containing PHI should be sent using the encrypted secure function. Avoid full SSN whenever possible especially if you don t have encrypted . 46

47 Transmissions Documents containing PHI must be placed in the locked shred bins. No materials containing PHI should be left on photocopiers, fax machines or exposed on any work area. Telephones, voic and answering machines are not secure. Do not discuss PHI over speakerphone and do not leave messages containing PHI on an answering machine. 47

48 Copiers Disable the hard drive and/or save feature of a copier Did you even know your copier had a hard drive?! Most of us don t! Get this in writing from your copier salesperson 48

49 Shredding Hire a shred company, if you are able, to dispose of your PHI Keep a log documenting the shred visits Keep PHI in a locked shred bin 49

50 Resources HIPAA For Dummies: A Practitioner s Guide Understanding HIPAA HIPAA FAQs Enforcement Data 50