HIPAA and Mental Health Privacy:


HIPAA and Mental Health Privacy: What Social Workers Need to Know
Presenter: Sherri Morgan, JD, MSW, Associate Counsel, NASW Legal Defense Fund and Office of Ethics & Professional Review
© 2010 National Association of Social Workers. All Rights Reserved.

HIPAA Regulations (the Administrative Simplification provisions)
- Privacy Standards
- Security Standards
- National Provider Identifier
- Electronic Transactions Standards

HIPAA's HITECH Act Amendments
HITECH is the Health Information Technology for Economic and Clinical Health Act, passed in 2009 as part of the American Recovery and Reinvestment Act (ARRA). It amends and extends the HIPAA privacy and security regulations. HITECH Act provisions are being phased in on different dates; many became effective in 2010.

Applicability of HIPAA
Generally, HIPAA applies to a social work practice if that practice submits insurance claims (or other standard transactions) electronically, either directly or through a billing service or clearinghouse. HIPAA does not apply to a practice that never files insurance claims electronically (i.e. via a computer). A practice outside HIPAA is still bound by state confidentiality law and the NASW Code of Ethics.

Summary of the Federal Privacy Rule
- A covered entity cannot use or disclose protected health information (PHI) unless the use or disclosure is permitted or required by the HIPAA Privacy Rule.
- Disclose only the minimum necessary.
- The Rule creates individual rights.
- The Rule sets a federal floor; states may provide greater privacy protection.

Minimum Necessary Standard for Disclosure
- Covered entities and business associates must restrict information to the minimum amount necessary to accomplish the purpose of the use or disclosure.
- The standard does not apply to disclosures to other providers for treatment purposes, disclosures to the client, disclosures authorized by the client, disclosures to HHS for enforcement, or disclosures required by law.

Psychotherapy Notes Provisions
- Protect clients' detailed information from intrusive requests by health plans.
- Protect children's information from inappropriate requests by parents for detailed session notes.
- Require a separate release form to be signed by the client before notes can be disclosed.
- Health plans cannot require patients to sign the separate release form for psychotherapy notes as a condition of treatment, payment or enrollment.

Psychotherapy Notes and Client Records
Psychotherapy notes are defined by HIPAA as notes of a mental health provider documenting or analyzing the conversation during a counseling session that are maintained separately from the client record.
The primary client record of PHI (not the psychotherapy notes) is to contain:
- Medication prescription and monitoring
- Counseling session start and stop times
- Modalities and frequencies of treatment
- Results of clinical tests
- Summary of diagnosis, functional status, treatment plan, symptoms, prognosis and progress

Practice Pointer: Psychotherapy Notes
Separating psychotherapy notes from the primary client file is not mandatory; however, it increases the options for protecting clients' privacy. Notes that are mixed into the primary record lose the extra protection.
Example: insurance company audit
- Insurance Co. A requests from the social worker access to the entire files of 5 clients for an audit.
- The provider's PPO contract permits audits.
- With separately maintained psychotherapy notes, Co. A cannot request access to the notes, only to the primary file.

Clients' HIPAA Rights
- Right to written notice of information practices from providers and health plans
- Right to inspect and copy protected health information in their records (excluding separately maintained psychotherapy notes)
- Right to amend information in their records
- Right to an accounting of disclosures
- Right to request restrictions on uses and disclosures
- Right to have reasonable requests for confidential communications accommodated
- Right to file a HIPAA complaint

HIPAA Administrative Requirements
Covered entities are required to:
1. Designate a privacy official and a security official
2. Develop written HIPAA policies and procedures (including one for receiving HIPAA complaints)
3. Provide privacy and security training to the workforce
4. Develop a system of sanctions for employees who violate the entity's HIPAA policies
5. Implement safeguards to protect PHI
6. Meet documentation requirements
7. Sign agreements with business associates

Compliance Documentation
Keep documentation of the following in written or electronic form for 6 years (from the date created or last in effect, whichever is later):
- Designated privacy officer
- Contact person for receiving privacy complaints
- Policies and procedures
- Training of the workforce on policies and procedures
- Complaints received and their outcome
- Employee sanctions applied, if any
- Accounting of disclosures
- Name and title of the person responsible for handling requests for an accounting of disclosures

HIPAA Security Standards
- Applicable only to information in electronic form.
- ePHI (electronic PHI) is individually identifiable health information that is electronically received, created, stored or transmitted by a HIPAA covered entity.

Security Standards and Implementation Specifications
- Three categories of HIPAA security standards: administrative, physical and technical, for a total of 39 different requirements.
- Each implementation specification is either required or addressable. Addressable does not mean optional: you must implement it, implement a reasonable alternative, or document why neither is reasonable and appropriate for your practice.

Security Requirements
- Conduct an analysis of the threats and vulnerabilities to ePHI.
- Develop a written Risk Management Plan: how will you address system vulnerabilities?
- Create an employee sanction policy that addresses HIPAA violations.
- Perform periodic computer audits (audit logging features are built into most operating systems, e.g. the Windows security event log).
- Develop a policy for how employees will be authorized to access ePHI, or supervised when they work near ePHI.
- Develop a policy for vetting potential employees and volunteers (e.g. checking references, checking for criminal history).
- Create termination procedures (disable accounts and passwords, recover keys and devices, etc.).
- Provide security reminders for employees.
- Use virus protection software.
- Log-in monitoring (review failed and unusual log-ins).
- Password management (prohibit sharing, require good passwords, etc.).
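The "periodic computer audits", "log-in monitoring" and "termination procedures" items above are usually satisfied by reading the system's audit trail on a schedule and writing down what was found. The script below is an added example, not part of the NASW presentation or its sample documents; the log format, user names, hosts, office hours and the terminated-account list are all constructed for illustration. It flags bursts of failed log-ins, successful log-ins by accounts that should have been disabled at termination, log-ins outside office hours, and client records opened during such sessions.

```python
"""Added example (not from the NASW presentation): a small periodic review
of authentication and record-access events for a practice's EHR or file
server. Everything in SAMPLE_LOG and TERMINATED_ACCOUNTS is constructed;
adapt parse_line() to the audit trail your system actually produces."""
import re
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample audit trail: "<date> <time> key=value ...".
SAMPLE_LOG = """\
2010-06-14 08:55:02 user=jsmith event=login_ok src=WS-FRONTDESK
2010-06-14 09:03:11 user=jsmith event=open_record client_id=1042
2010-06-14 12:41:50 user=temp1 event=login_fail src=WS-BILLING
2010-06-14 12:42:02 user=temp1 event=login_fail src=WS-BILLING
2010-06-14 12:42:20 user=temp1 event=login_fail src=WS-BILLING
2010-06-14 12:42:41 user=temp1 event=login_fail src=WS-BILLING
2010-06-14 12:43:05 user=temp1 event=login_fail src=WS-BILLING
2010-06-14 12:43:30 user=temp1 event=login_ok src=WS-BILLING
2010-06-14 23:17:44 user=mjones event=login_ok src=203.0.113.9
2010-06-14 23:19:02 user=mjones event=open_record client_id=1042
2010-06-15 02:05:00 user=jsmith event=login_ok src=WS-FRONTDESK
2010-06-15 10:30:00 user=rbrown event=login_ok src=WS-THERAPY1
"""

# Constructed: accounts whose access should have been removed at termination.
TERMINATED_ACCOUNTS = {"temp1"}

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed office hours
FAIL_THRESHOLD = 5                           # failures that trigger a finding
FAIL_WINDOW = timedelta(minutes=10)          # ...within this sliding window

LINE_RE = re.compile(r"^(\S+ \S+) (.*)$")


def parse_line(line):
    """Turn one log line into a dict with a datetime 'ts' plus key=value fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    fields["ts"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return fields


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def review(events, terminated_accounts, business_hours=BUSINESS_HOURS,
           fail_threshold=FAIL_THRESHOLD, fail_window=FAIL_WINDOW):
    """Return findings in time order; each is a dict with 'kind', 'user', 'ts'."""
    findings = []
    recent_fails = defaultdict(list)  # user -> failure timestamps inside the window
    after_hours_session = {}          # user -> True if the last log-in was after hours
    start, end = business_hours
    for e in sorted(events, key=lambda e: e["ts"]):
        user, ev, ts = e["user"], e["event"], e["ts"]
        if ev == "login_fail":
            # Keep only failures inside the sliding window, then count them.
            window = [t for t in recent_fails[user] if ts - t <= fail_window] + [ts]
            recent_fails[user] = window
            if len(window) == fail_threshold:
                findings.append({"kind": "repeated_failures", "user": user,
                                 "ts": ts, "count": len(window)})
        elif ev == "login_ok":
            # A terminated account that can still log in means the
            # termination procedure (disable account, revoke password) failed.
            if user in terminated_accounts:
                findings.append({"kind": "terminated_account_used", "user": user,
                                 "ts": ts, "src": e.get("src", "?")})
            after_hours_session[user] = not (start <= ts.time() < end)
            if after_hours_session[user]:
                findings.append({"kind": "after_hours_login", "user": user,
                                 "ts": ts, "src": e.get("src", "?")})
        elif ev == "open_record" and after_hours_session.get(user):
            # Records opened in an after-hours session deserve a follow-up
            # question even when the log-in itself turns out to be legitimate.
            findings.append({"kind": "after_hours_record_access", "user": user,
                             "ts": ts, "client_id": e.get("client_id")})
    return findings


def summarize(findings):
    """Count findings by kind, for the written record of the review."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["kind"]] += 1
    return dict(counts)


if __name__ == "__main__":
    results = review(parse_log(SAMPLE_LOG), TERMINATED_ACCOUNTS)
    for f in results:
        extra = {k: v for k, v in f.items() if k not in ("ts", "kind", "user")}
        print(f["ts"], f["kind"], f["user"], extra)
    print(summarize(results))
```

On the constructed log the review produces five findings: one burst of failed log-ins by temp1, temp1 then logging in successfully although that account is on the terminated list, two after-hours log-ins (mjones from an external address and jsmith at 02:05), and a client record opened during mjones's after-hours session. The printed list, dated and signed, is the documentation the Security Rule's information system activity review and log-in monitoring expect you to keep.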

Security Requirements II
- Train staff in responding to and reporting security incidents.
- Ask business associates to sign HIPAA compliance contracts.
- Appoint a HIPAA security officer.
- Evaluate your security plan.
- Create a Data Backup Plan (duplicate files, etc.).
- Develop a Disaster Recovery Plan: how will you get needed data and computer systems back?
- Create an Emergency Mode Operation Plan: where will you operate during an emergency, and how will ePHI be secured there?
- Test and revise your contingency plan.
- List software and hardware and prioritize them for emergency use.
- How will you control access to your facility and validate employee identity?
- Maintain maintenance records.

Security Requirements III
- Inventory all electronic devices and electronic media that contain ePHI (e.g. laptops, handheld computers, smart phones, desktop PCs).
- Create policies for how these devices will be disposed of, re-used (if at all) and accounted for (log-out procedure), and for how data will be backed up and stored.
- How will use of individual workstations be authorized and secured?
- Develop an emergency access procedure for ePHI.
- Use settings to activate automatic logoff from systems containing ePHI.
- Evaluate the feasibility of using encryption.

Practice Pointer: Computer Security
- Consider hiring an information technology contractor to assist with HIPAA security. Find a local professional with HIPAA experience.
- Have the consultant sign a HIPAA confidentiality agreement (see NASW sample documents).
- Ask the consultant to identify threats and vulnerabilities to your electronic system and to install encryption, virus protection and a firewall.
- Obtain computer training on how to use your system's audit, log-in and other security functions.

HITECH HIPAA Highlights
HIPAA breach notification requirements:
- Apply to unsecured protected health information (including confidential client records): PHI that has not been rendered unusable, unreadable or indecipherable by encryption or destruction as specified in HHS guidance, such as paper records or unencrypted electronic information. Loss of properly encrypted ePHI whose key was not also compromised is not a reportable breach.
- Notify affected individuals without unreasonable delay and no later than 60 days after the breach is discovered.
- Develop a breach notice policy. See NASW's sample HIPAA forms and policies at: www.socialworkers.org/hipaa

Practice Pointer: Privacy Breaches
- Notify the police and file a report (where a theft or other crime is involved).
- Identify the scope of the breach.
- Prepare an internal breach incident report.
- Review the potential for misuse of the information.
- Review your state's consumer notification law.
- Obtain NASW's sample notification forms.
- Determine what is needed to mitigate harm.
- Prepare and send notifications to affected clients.
- Carry out appropriate employee sanctions.
- Prepare notifications for government agencies.

Self-Paying Clients' Privacy
Clients who pay in full out of pocket for a service may request that their provider not disclose information about that service to their health plan (for payment or health care operations), and the provider is obligated to comply with such a request unless the disclosure is otherwise required by law.

Clients Access to ephi HIPAA does not require health care providers to maintain an electronic health record for clients; however, Providers who maintain an electronic client record are now obligated to provide access to this information in electronic format, upon request of the client. Access to the PHI is a mandatory client right, regardless of whether it is maintained electronically or in paper form. Social workers should review all client-related electronic data, files and communications. 2010 National Association of Social Workers. All Rights Reserved. 22

Practice Pointer: Children's Privacy
Three HIPAA mechanisms to protect minors' privacy:
1. Ask both parents to sign a voluntary confidentiality agreement.
2. Keep sensitive information in separate psychotherapy notes.
3. Deny access to a parent when you reasonably believe the child has been or may be subjected to abuse or neglect, or that treating the parent as the child's representative could endanger the child.

Social Workers' Business Associates
- HIPAA business associates are contracting entities that assist in operating a social work practice and have access to PHI (attorneys, accountants, billing services, information technology contractors, etc.).
- Business associates are directly responsible for HIPAA compliance under the HITECH Act.
- Clinical social workers should review and revise their HIPAA business associate contracts.
- Sample forms and suggestions from the NASW LDF: www.socialworkers.org/hipaa/sample.asp

Increased Penalties for HIPAA Violations
Civil penalty tiers under HITECH (minimum per violation, and maximum per calendar year for identical violations, as enacted in 2009; the dollar amounts have since been adjusted upward for inflation):
- Tier A: the offender did not know, and by exercising reasonable diligence would not have known, that the law was violated ($100 to $25,000 per year)
- Tier B: violation due to reasonable cause and not willful neglect ($1,000 to $100,000)
- Tier C: violation due to willful neglect, but later corrected ($10,000 to $250,000)
- Tier D: uncorrected violation due to willful neglect ($50,000 to $1.5 million)
Mandatory investigations and penalties are to be phased in over the coming months. State attorneys general may also enforce HIPAA violations, and individual criminal liability for wrongdoing is authorized in some cases.

Baseline HIPAA Compliance Steps
- Secure electronic systems with virus protection and a firewall.
- Secure electronic health records with encryption.
- Maintain separate psychotherapy notes.
- Distribute a Notice of Privacy Practices to clients.
- Don't release client information to business associates without a HIPAA agreement.

NASW Legal Defense Fund HIPAA Resources
- HIPAA Highlights for Social Workers: www.socialworkers.org/hipaa
- Online HIPAA training courses: http://www.hipaaprof.com/nasw
- Sample HIPAA privacy forms and policies: https://www.socialworkers.org/hipaa/sample.asp
- Legal Defense Fund "Legal Issue of the Month" articles: www.socialworkers.org/ldf
- NASW Code of Ethics
LDF Legal Issue of the Month articles:
- Children's Treatment Records: Parental Access and Denial (June 2010)
- Disclosing Confidential Information to Social Workers' Business Associates (March 2010)
- HIPAA Amendments for a New Decade: 2010 and Beyond (February 2010)
- HITECH HIPAA for Social Workers (March 2009)
- Social Workers and the National Provider Identifier (May 2007)
- Social Workers and Psychotherapy Notes (June 2006)
- Children's Rights to Confidentiality (May 2006)