Confidentiality and HIPAA

1
Confidentiality and HIPAA
2
Learning Objectives

• Articulate the basic rules governing privacy of
  medical information and records.
• Identify the clients rights under HIPAA.
• Demonstrate the ability to respond appropriately
  when faced with situations involving
  confidentiality.

3
The importance of confidentiality

• Find a partner. Discuss your experiences with
  confidentiality.

4
The Health Insurance Portability and
Accountability Act - HIPAA

• This act is about privacy regulations it
  requires that providers protect the privacy and
  security of their consumers health information in
  new ways.
• Allows consumers additional rights to access,
  amend and protect their own health care
  information.

5
What is Protected Health Information?

• PHI is information that contains identifiers.
• PHI replaces the phrase confidential medical
  information
• What are basic identifiers that we use?

6
Protected Health Information

• PHI includes the following
• Treatment Plans
• Medical Records
• Incident Reports
• Outcomes Databases
• Data Collection Sheets
• Treatment Team Meeting Notes

7
Protected Health Information

• PHI also includes
• Treatment information
• Health information (physical or mental)
• Payment information
• It includes past, present or future info
• It includes information that is verbal,
  electronic or on paper

8
Informing Clients

• A Privacy Notice is given to each client upon
  entry into mental health services
• Each person must sign that he/she has received
  this Privacy Notice

9
Authorization of Disclosure

• Releasing of PHI requires authorization from the
  consumer, except under very specific
  circumstances.
• The request must state the type and amount of
  information the consumer is willing to disclose.
• HIPAA authorization forms must be signed and
  updated annually.

10
Basic guidelines

• Be conscientious about need to know in all
  situations
• Outside the team, disclosure should be guided by
• Authorization
• Staying within the parameters of the specific
  information required
• During emergencies, the safety and health of the
  consumer permits disclosure of necessary PHI
• Lets look at some examples

11
Permitted Disclosures

• To the consumer, subject to certain restrictions.
• For treatment, payment or healthcare operations
  (I.e., Quality, Risk Management) within the
  agency.
• Child abuse, elder abuse, Tarasoff warnings
• Secret Service
• To Guardians of adults
• To parents/family member of minors

12
Permitted Disclosures, cont.

• With a valid authorization
• for any reason to a third party
• To family members or other persons involved with
  the individuals care.

13
Disclosures Usually Permitted

• To Public Health Authorities reports of death
  or disease
• In response to a court order or as permitted by
  law with regard to litigation
• To avert a serious threat to health or safety to
  the individual or others.

14
Substance Abuse Records

• Substance abuse records are highly protected
  the client must make a specific authorization to
  disclose this information
• There are three exceptions to the rule requiring
  client authorization of substance abuse records
• Child Abuse Reporting
• Crime committed at/or threatened at the treatment
  facility
• Medical emergency

15
Confidentiality and Teams

• HIPAA, California law and WI Code permit sharing
  of healthcare and mental health information,
  without authorization, for treatment purposes.
• If a new team is developing, including
  non-medical partners such as probation officers,
  law enforcement, teachers or social workers, it
  is easiest to get an authorization signed at the
  outset.

16
Sharing substance abuse information

• HOWEVER, authorization is required when sharing
  substance abuse treatment program information
  with providers who are outside of the program.

17
The Designated Record Set

• All of the clients information is contained in
  the Designated Record Set
• DRS replaces the term medical record
• A DRS is a group or records maintained by a
  provider or for a provider that is the medical
  and billing records case or medical management
  records or information used in whole or in part
  to make healthcare decisions about the individual.

18
The DRS

• The information within the DRS is what the HIPAA
  regulations protect.
• Consumers have specific rights under HIPAA with
  regard to their DRS.

19
Consumer Rights Under HIPAA

• Right to access DRS
• Right to amend DRS
• Right to restrict sharing of PHI
• Right to accounting of uses and disclosures of
  PHI
• Right to file complaints concerning a providers
  Privacy Practices

20
Accountability Under HIPAA

• Civil penalties
• 100/violation up to 25,000 per calendar year
  (Office of Civil Rights)

21
Accountability Under HIPAA

• Criminal penalties (enforced by the Dept. of
  Justice)
• Up to 50,000 and 1 year of imprisonment for
  knowingly obtaining and disclosing PHI
• Up to 100,000 and 5 years imprisonment if
  committed under false pretenses.
• Up to 250,000 and 10 years imprisonment if
  committed with intent to sell, transfer, or use
  for commercial advantage, personal gain or
  malicious harm.

22
Accountability Under HIPAA

• The provider can be sued by consumers for
  improper disclosures of PHI
• Disciplinary actions against employees for
  failure to follow policies and procedures
  regarding consumer privacy.

23
Protecting the Security of PHI

• Each healthcare site must have appropriate
  administrative, technical and physical safeguards
  to protect the privacy of protected health
  information.

24
Protecting the Security of PHI

• Agencies must put into place reasonable
  safeguards to prevent intentional or
  unintentional use or disclosure.

25
Exercise

• Identifying Breaches of Confidentiality

26
The Bottom Line

• Think confidentiality and privacy.
• Share only what you need to share.
• Always have an authorization before sharing
  someones confidential information.

27
Exercise

• Confidentiality Situations