Introducing the NASW Updated Sample HIPAA Privacy Forms and Policies
Presenter: Sherri Morgan, JD, MSW, Associate Counsel, NASW Legal Defense Fund and Office of Ethics & Professional Review
2013 National Association of Social Workers. All Rights Reserved.
Permissions for Use of Forms
- NASW's sample privacy forms and policies are for use by individual NASW members free of charge.
- For use by members only.
- Sample forms need to be customized and modified for the specific social work practice setting and according to state law.
- Use does not constitute legal advice. Legal consultation or other advice in your state may be needed for full compliance.
- Each entity subject to HIPAA is responsible for compliance with the regulations.
Topics Covered
- Four types of sample NASW HIPAA privacy documents
- Who must comply with HIPAA
- Notice of Privacy Practices and modifications
- The interaction of HIPAA and state privacy laws
- Written HIPAA office policies and procedures
- Authorization forms and policies to release health information, drug & alcohol abuse treatment records and psychotherapy notes
- Sample breach notification documents and office policies
- Business associates defined; sample policy and contract
- Client access to electronic health records under HIPAA
- Key recommendations
- Overview of federal and NASW online resources
Sample HIPAA Privacy Documents
www.socialworkers.org/hipaa/sample.asp
- Four categories of documents: Privacy, Authorizations, Breach Notification, Business Associates
- Types of documents: Forms, Office Policies, Instructions
- HIPAA requires written office policies.
- HIPAA requires the Notice of Privacy Practices, compliant authorization forms, documentation of breaches, notification of breaches, business associate agreements, risk assessment, acknowledgement of the NPP, accounting of disclosures and more.
HIPAA Regulations (HIPAA Administrative Simplification)
- Privacy Standards
- Security Standards
- Breach Notification
- National Provider Identifier
- Electronic Transactions Standards
Who Must Comply with HIPAA?
Covered Entities Defined:
- Health care providers, and their business associates (and their sub-contractors), who transmit health information in certain electronic transactions
- Health plans
- Health care clearinghouses
Applicability of HIPAA
- Generally, HIPAA applies to a social work practice if that practice submits insurance claims electronically, either directly or through a billing service or clearinghouse.
- HIPAA does not apply to a health care practice that does not file any insurance claims electronically (i.e. via a computer).
Notice of Privacy Practices (NPP)
Four related NASW sample documents:
1. Notice of Privacy Practices
2. Instructions for Use of the NPP
3. Notice of Privacy Practices Policy
4. Acknowledgement of the NPP
Modifying the Sample NPP
- Delete the underlined heading "Sample Notice of Privacy Practices".
- Fill in the contact information (address, email, telephone, etc.) for your Privacy Officer in the blank lines on pp. 3 & 4.
- Read the NPP in its entirety and consider whether it accurately reflects your office privacy policies & procedures, as consistent with HIPAA, state law and professional ethics.
- Modify the effective date of the policy as of the date you implement it (not earlier).
- Retain copies of the NPP for six years.
HIPAA and State Law
- HIPAA is a set of federal minimum health privacy standards.
- HIPAA pre-empts state law, unless:
  - State law is more protective of client privacy, or
  - State law provides clients with a greater right of access to their protected health information.
- Practitioners need to review their state confidentiality rules according to the social worker licensing board and compare them to HIPAA's listed disclosures.
State Law Resources
- Look at state laws on access to health records, what deadlines apply, and specific authorization requirements: see "Access to Records by Social Workers' Clients" (Oct. 2012, LDF Legal Issue of the Month), https://www.socialworkers.org/ldf/legal_issue/2012/oct2012.asp
- Look at licensing board confidentiality rules, when client consent is required, and any limits on information disclosure: visit the state social work licensing board website for your state. Links available at http://www.aswb.org/swl/statutesregulations.asp
- Some areas of possible conflict between HIPAA and state law:
  - Amount of information disclosed to health plans (e.g. NJ)
  - Timeframe for providing records to clients
  - Consent required for disclosures for treatment, payment and healthcare business operations
Use of the Finalized NPP
- Post your finalized NPP on your website.
- Post the NPP in a common area of the office (e.g. waiting room).
- Provide individual copies of the NPP to all new clients/patients.
- Attempt to gain the client's written acknowledgement of receipt of the NPP; otherwise the social worker must independently document the good faith attempt to provide the NPP (individual acknowledgement forms to be kept with the client chart for six years).
NPP Office Policy
- This is a HIPAA internal office policy document, required regardless of the size of the social work practice.
- It should be tailored to the actual privacy practices and procedures adopted by your office, as consistent with state law, social work ethics and HIPAA requirements.
- The day-to-day office privacy practices should be consistent with your written Notice of Privacy Practices Policy.
- Violations of your privacy policies are considered HIPAA violations.
HIPAA Office Policy Documents
- Must be maintained for six years (including prior versions of the policies).
- This time period may be longer or shorter than the required time for maintaining client records under state law and is independent of that requirement.
- Effective date cannot be earlier than the date on the written document.
- Insert the name of the actual social work practice to replace the bracketed title on the NASW sample documents.
Authorization to Release PHI
Three related sample HIPAA documents:
1. Authorization Policy
2. Authorization to Release Substance Abuse Treatment Information
3. Authorization to Release Mental Health Treatment Information
Use of Authorization Forms
- Drug & Alcohol Treatment vs. Mental Health: Drug & alcohol abuse treatment records cannot be re-released by the individual who receives them; however, health and mental health information may be re-released by the receiving party. The authorization must state which applies, depending on the type of records being released.
- Psychotherapy Notes vs. Patient Chart: Authorizations to release HIPAA-compliant psychotherapy notes (e.g. the clinician's separate, private notes) cannot be combined with an authorization for any other type of information. Use the check-off on the Mental Health Authorization, or write in "psychotherapy notes" under "Other" on the Drug & Alcohol Abuse Authorization.
Resources for Authorizations
LDF Legal Issue of the Month articles (www.socialworkers.org/ldf/legal_issue):
- Confidentiality of Drug & Alcohol Abuse Treatment Information in an Electronic Age (February 2011)
- Social Workers and Psychotherapy Notes (June 2006)
- Health Insurance, HIPAA and Client Privacy (July 2011)
Authorization to Notify Patient of Breach via Email/Phone
- In the event of a privacy breach, HIPAA permits notification to clients by email or telephone if the client has given prior agreement.
- This should be used to enable faster notification to clients, not for the convenience of the social worker.
- A sample form to document this agreement is provided; it may be best to discuss it with clients at the initiation of treatment, when other consent forms are signed.
Breach Notification Policy
- Replace the header [INSERT NAME OF SOCIAL WORK ORGANIZATION] with the name of your social work practice/organization.
- Write in the effective date of the policy.
- Keep this with other HIPAA office policy documents.
- Most breach notifications to HHS are conducted online, rather than by mail: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html
Breach Notification Pointers
Fewer than 500 affected clients (small breaches):
- Notify clients quickly (within 60 days).
- Notify HHS within 60 days after the end of the calendar year, in a combined report with all breaches.
500 or more affected clients (large breaches):
- Notify clients quickly (within 60 days).
- Notify HHS when you notify clients.
- Notify the media (within 60 days).
Breach Notification to Clients
- Conduct an investigation, assess the risk of harm to clients, write a breach incident report, document it in the breach incident log, and contact authorities as appropriate.
- Send the client's notification by U.S. mail unless you have documented an agreement to notify by email or telephone.
- Sample notification letter: the text in brackets needs to be revised specifically for the social work organization, the affected client, and the specific breach incident.
HIPAA Business Associates
- HIPAA business associates are contracting entities that assist in operating a social work practice and have access to PHI (attorneys, accountants, billing services, information technology contractors, cloud computing vendors, etc.).
- Business associates (and subcontractors) are directly responsible for HIPAA compliance.
- Clinical social workers should require all business associates, including health information data vendors, to sign a business associate contract.
- Sample forms from NASW LDF and HHS:
  - www.socialworkers.org/hipaa/sample.asp
  - http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
Business Associate (BA) Agreement Policy
- Review relationships with outside entities and put BA agreements in place.
- Review the timing of existing agreements for compliance deadlines.
- Timeline for updated agreements under the Omnibus HIPAA Rule:
  - For agreements in place prior to 1/25/13 and not renewed between 3/26/13 and 9/23/13: September 22, 2014 compliance deadline.
  - For new agreements, or those modified/renewed between 3/26/13 and 9/23/13: September 23, 2013 compliance deadline.
Sample BA Agreement
- Delete the word "Sample" in the document title.
- Enter the effective date of the agreement.
- Enter the business name of the social work practice in the spaces designated for the covered entity.
- Enter the name of the business associate in the spaces designated.
- Delete or cross out inapplicable provisions relating to drug and alcohol abuse treatment programs and/or Qualified Service Organizations.
Sample BA Agreement, cont.
- Section 2.1: Check the first box to specify the purpose for the business associate's access to clients' protected health information and enter the specific purpose in the blank space, OR check the second box if a separate services agreement is attached which details the purpose of the business associate's use of protected health information, and enter the name of that document in the blank space.
- Section 2.2: Check all options that apply.
- Section 2.6: Review with the business associate how state social worker confidentiality laws are also applicable and may restrict disclosure of PHI more than HIPAA.
- Have each party sign and date the agreement.
- Make a copy and store the agreement with HIPAA compliance documents.
- Provide a copy of your Notice of Privacy Practices Policy to the business associate.
- Review with business associates their use of subcontractors to perform functions under the BA agreement.
Clients' Requests for Restrictions
- Clients are permitted to ask for restrictions on disclosures of their information that are usually permitted by HIPAA without consent (e.g. for purposes of treatment, payment and healthcare business operations).
- If clients ask that their health plan not be notified, the provider is required to comply if the client has self-paid for the services.
- The sample form is limited to client-initiated requests for restrictions.
Clients' Access to ePHI
- HIPAA does not require health care providers to maintain an electronic health record for clients; however, providers who maintain an electronic client record are now obligated to provide access to this information in electronic format upon request of the client.
- Access to PHI is a mandatory client right, regardless of whether it is maintained electronically or in paper form.
- Social workers should review all client-related electronic data, files and communications in response to a client's request for access.
Key Recommendations
- Install encryption, firewalls and virus protection for all electronic media, software and communications.
- Read your current state social work laws.
- Get training/consultation for new technologies and practice modalities.
- Become fully HIPAA compliant: written policies, privacy notices, authorization forms, training, business associate contracts.
- Become proficient in the use of technology.
- Use NASW and HHS resources.
Federal Health IT Privacy and Security Resources
- Cybersecure: security training module
- Security risk assessment tool
- Guide for physicians on evaluating security practices
- Cyber-security checklist
- HIPAA summary and guide
Available at:
- http://www.healthit.gov/providers-professionals/privacy-security-training-games
- http://www.healthit.gov/providers-professionals/ehr-privacy-security/resources
NASW Legal Defense Fund Resources
- NASW HIPAA Information, Articles and Links: www.socialworkers.org/hipaa
- NASW Online HIPAA training courses
- Sample HIPAA privacy forms and policies: https://www.socialworkers.org/hipaa/sample.asp
- Legal Defense Fund Legal Issue of the Month Articles: www.socialworkers.org/ldf
- Law Note Series: www.socialworkers.org/ldf and www.naswpress.org
Like us on Facebook: www.facebook.com/socialworkethicslaw
Celebrate LDF's 40th Anniversary
Give $40 for the 40th! LDF depends on member contributions:
- Call 800-742-4089
- Visit www.socialworkers.org/ldf