NAMI EASTSIDE - 13

POLICY: Privacy and Security of Protected Health Information (HIPAA Policies and Procedures)

DATE APPROVED: Pending

INTENT: (At present, none of the activities that NAMI Eastside provides fall under HIPAA, as no files are maintained on anyone beyond their contact information; see privacy policy 12.) If for any reason that should change or be defined otherwise, NAMI Eastside will adhere to the policy outlined below. The intent is to ensure that all communications involving Protected Health Information (PHI) comply with the federal regulations outlined in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Washington State Administrative Code (WAC), the Revised Code of Washington (RCW), and all other laws and regulations protecting personal information.

ACRONYMS: HIPAA: Health Insurance Portability and Accountability Act. PHI: Protected Health Information.

PROCEDURE:

1. Protected Health Information (PHI)

   1. Definition
      1. Any information, whether oral or recorded, in any form or medium, that is created or received by NAMI Eastside; relates to the past, present, or future physical or mental health or condition of an individual; or relates to the provision of health care to an individual.
      2. Any information that identifies the individual, or can be used to identify the individual, is protected.
      3. PHI includes any number or code issued by a government entity for the purpose of personal identification that is protected and is not available to the public. Examples of such information include, but are not limited to:
         1. Personal identification numbers such as tax identification number, Social Security number, driver's license number, and state identification card number.
         2. Financial and health information such as account numbers or access codes, credit card numbers, medical history, medical status, and donor status.

   2. Penalties
      1. Violations of HIPAA regulations and of this policy may result in disciplinary action.
      2. HIPAA also holds violators accountable, with civil and criminal penalties that can be imposed for violations of patients' privacy rights.
         1. Civil penalties range from $100 per incident up to $25,000 per person, per year, per standard. (These figures are the schedule set by the original HIPAA statute; the HITECH Act of 2009 introduced tiered civil penalties with substantially higher annual maximums.)
         2. Federal criminal penalties, including additional monetary penalties and imprisonment, may be imposed for more abusive and egregious violations. These include knowingly violating patient privacy by improperly obtaining or disclosing PHI; obtaining PHI under false pretenses; or obtaining or disclosing PHI with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.

   3. Access
      1. NAMI Eastside makes its internal practices, books and records, including policies and procedures and PHI relating to the use and disclosure of PHI received from, or created or received by NAMI Eastside on behalf of, King County, available to King County to determine compliance with the Privacy Rule.
      2. The agency shall maintain a list (Access by Job Function) specifying the job categories within the agency having access to PHI necessary to carry out their job duties, the categories or types of PHI needed, and the conditions appropriate to such access. Employees are prohibited from accessing PHI beyond that specified. (See also NAMI Eastside policy Confidentiality of Mental Health Information and Records, Disclosing Information.)

   4. Confidentiality/Disclosures
      1. Confidentiality requirements apply to all information, oral and recorded, which is compiled, obtained or maintained in the course of providing service, establishing membership or receiving financial support.
      2. Oral communications include, but are not limited to, face-to-face conversations, telephone conversations, and discussions in a group setting. Additionally:
         1. Caution should be taken when retrieving voice mail messages from your telephone when the speaker is on.
         2. Cell phone conversations are subject to interception and should not be regarded as confidential.
      3. Employees and volunteers may disclose protected information only if it is appropriate and necessary to the performance of their job responsibilities and/or falls under an exception, as allowed by law, to the confidentiality requirements. All disclosures must limit the PHI disclosed to the minimum necessary to accomplish the purpose of the disclosure. All disclosures must be documented. (See Confidentiality policies.)

2. Restricted Areas
   1. Rooms/offices are considered restricted if they can be locked, with access limited to employees and volunteers with a need to know. Documents containing PHI that are maintained in restricted areas may be considered secure, subject to the following:
      1. Restricted areas must be kept locked when not occupied or monitored.
      2. Non-NAMI Eastside employees and volunteers without a need to know must always be accompanied when in restricted areas.

3. Non-restricted Areas
   1. Non-restricted areas include areas that are accessible by the public, or are regularly used for purposes that involve non-NAMI Eastside employees/volunteers or those with limited need to know. Such areas may include conference rooms, waiting areas, reception areas, copy areas, rooms used for group meetings, shared offices, all off-site locations where services are provided, etc. Materials containing PHI must never be left or stored in non-restricted areas unless in locked cabinets with keys available only to those designated.
      1. Information should never be left lying out in the open in plain view.
      2. Internally created documents and lists, created for the purpose of operational necessity, must contain information limited to the purpose for which they are created, must be limited in distribution to those who have a need for the information, must be maintained in secure places, and must be archived in a secure place or destroyed once the purpose has been satisfied.
      3. Care should be taken to ensure that oral communications are not overheard in adjacent areas, or by persons without a need to know.
      4. Cover sheets or other means of concealment must be used for PHI left in employee or volunteer mailboxes.
      5. PHI may be requested via fax machine only when the recipient who has a need to know is available to accept the information as it is received. PHI should only be sent if the designated recipient will be present to pick up the information as received, verified via real-time telephone contact.
      6. Fax copies that contain PHI and are picked up by a person other than the specific person to whom they are addressed must be handled in such a way as to protect the information. If the recipient is identified, the material should be given directly to that person. If the intended recipient is not available, cover sheets or other means of concealment must be used when leaving the information in employee or volunteer mailboxes. If no specific recipient is identified on the fax, the material will be given to the Program Coordinator for assignment.

4. Computers
   1. It is acceptable to retain PHI on a local computer hard drive provided the computer is either maintained in a restricted area or is password protected, and there is an operational need for having access to the information. Once there is no longer an operational need, the information must be deleted from the hard drive, although it may be saved to disk for storage in a locked cabinet/desk if desired for archiving. (Note: a login password controls who can sign in but does not by itself make the stored data unreadable to someone who removes or images the drive; encryption of the drive and of any archive media is the safeguard that HHS guidance recognizes as rendering PHI "secured" for breach-notification purposes.)
   2. Hard drive data backed up onto disk must be kept in a locked cabinet/desk.
   3. PHI must not be left displayed on a screen when the computer is not in use. Additionally, screens should not display PHI where there is a chance that anyone without a need to know can see it.

5. Handling PHI Off-site
   1. Documents containing PHI should never be removed from the worksite unless absolutely necessary to fulfill a job function. When necessary, or when PHI is created off-site, all reasonable precautions shall be taken to safeguard the information against potential disclosure, and it shall be returned to a secure area as soon as possible when no longer needed to complete a specific job function.

6. Disposal of PHI
   1. Destruction. Careless disposal of PHI poses a significant identity-theft risk, putting an individual's privacy, financial security, and other interests at risk. It is unlawful in the State of Washington to dispose of personal information without making reasonable efforts to destroy that information. The statute requires shredding of the document, or erasing or otherwise modifying the personal information to make it unreadable before discarding the document. Utilize the shredder/shredding bins when possible. At the end of each work day or shift, each employee or volunteer is required to have either destroyed, deposited in the designated shredding container, or stored in compliance with NAMI Eastside policies and procedures all PHI received during that period.