Satilla Community Services

1
Satilla Community Services
HIPAA Privacy and Security Regulations Staff
Training Presentation
2
What is HIPAA?

• Health Insurance Portability and Accountability
  Act
• Signed into law August 26, 1996

3
What is the intent of HIPAA?

• To make health coverage portable (to help
  people keep coverage when they change jobs).
• To standardize health insurance payment codes
• To keep health information private and
  confidential
• To keep health information secure

4
The Privacy Rule

• Took effect April 14th 2003
• Conveyed new rights to consumers to access their
  own medical records
• Placed new obligations on service providers
  (covered entities) to keep medical records
  private

5
Satilla HIPAA appointments

• Privacy Officer
• Gina Hart
• Contact the Privacy Officer
• 912-449-8617

6
Notice of Privacy Practices

• Contents tightly specified by HIPAA legislation
  -- over 3000 words!
• Every consumer must be given a paper copy
• Must be posted at every site
• Spanish translation available

7
The purpose of the Privacy Notice is to explain
to clients

• How we may use and disclose their medical
  information, with examples
• Their privacy rights under HIPAA
• How to contact the Satilla CS Privacy Officer
  (Gina Hart, tel. 912-449-8617)
• How to file a complaint

8
Three kinds of use and disclosure of confidential
information described in the Notice of Privacy
practices

• Treatment, Payment and other healthcare
  operations (e.g., audits)
• Disclosures required by law (Policy 6.05) --
  these must be recorded on Form 143
• Disclosures with consumer authorization (Policy
  6.06, Form 003)

9
Disclosures for treatment and payment

• Are authorized when consumer signs consent for
  services
• No consent is needed to provide emergency
  treatment (but obtain consent as soon as possible
  afterwards)
• Remember to obtain consent to include family
  members
• Satilla may share client information with another
  provider for the purposes of coordinating
  treatment or in an emergency

10
Disclosures required by law

• Mandated reporting of disease, threats or
  suspected abuse and / or neglect
• Disclosures in legal proceedings
• Disclosures for law enforcement activities
• Information about a deceased consumer to a
  Medical Examiner or Funeral Director

11
Procedures for disclosures required by law

• No consumer authorization is required
• Under Georgia law a subpoena must be backed by a
  court order to justify disclosure of medical
  records without the consumers consent
• All court-ordered disclosures must be logged on
  Form 143, filed under consents tab in the chart
• CASA (Court Appointed Special Advocate )

12
Disclosures with authorization

• Use the Satilla Form (003) or approved
  alternates
• Make sure it is completely filled out -- no
  blanks -- file under the consents tab
• Make sure prohibition on re-disclosure goes with
  the information disclosed
• Any problems, questions or arguments -- ask
  Privacy Officer for advice

13
Disclosures of the entire medical record

• Consult Privacy officer
• Record on Form 143
• (Does not apply when consumer him- or herself
  asks for the entire record)
• Normally, only the minimum necessary information
  should be used or disclosed -- see Policy 6.11

14
The Notice of Privacy Practices also describes
consumers rights

• to inspect and copy their medical record
• to amend their medical record
• to receive an accounting of disclosures required
  by law made without their authorization
• to request restrictions on use and disclosure
• to request confidential communications

15
The Notice of Privacy Practices also describes
the protection already given to the
confidentiality of drug and alcohol abuse
treatment records provided by federal law (42
U.S.C. 290 dd-2) and regulations (42 C.F.R., Part
2) (Under Federal Law a subpoena must be backed
by a court order to justify disclosure of a
substance abuse treatment record)
16
The Privacy Notice explains how to complain
about violations of privacy rights

• offering assistance in preparing a complaint
• indicating where to file complaint (Satilla
  Privacy Officer or HHS - Office of Civil Rights)
• promising no reprisals

17
HIPAA Security Regulations

• Came into effect on April 20th 2005
• Require Satilla to protect medical records so as
  to ensure their
• Availability
• Integrity
• Security

18
Information Security Officer

• Privacy refers to what is protected-Health
  information about an individual and the
  determination of WHO is permitted to use,
  disclose, or access the information.
• Security refers to how private information is
  safeguarded-Insuring privacy by controlling
  access to information and protecting it from
  inappropriate disclosure and accidental or
  intentional destruction or loss
• Becky Chancey (IT Manager)
• If in doubt, report incidents to both PO and SO!

19
Information Security requires

• Physical protection of sites, computers, portable
  media, and chart rooms
• Computer access controls (passwords, firewalls,
  log in monitoring)
• Protection from malicious software
• Precautions when using email, phone or fax to
  transmit confidential information
• Disaster recovery procedures

20
Physical protections

• Keep sites secure (wear name badges, require
  visitors to check in)
• Control access to chart rooms, answering
  machines, faxes and computer facilities
• Request authorization from IT Department to store
  health information on portable media
• Keep charts, computers, portable media secure
  (under lock and key)
• Keep office doors locked (or at least closed)
  when unattended

21
Supervisors and information security

• Notify IT and HR on transfer or termination of
  staff so that access rights can be controlled
• Ensure return of ID badges and agency property
• Ensure that confidential papers are kept secure
  till destroyed by shredding
• Ensure that surplussed computers and computer
  media are returned to IT
• New employees must sign form 222

22
Computer access contols

• Use strong passwords (policy 2.14)
• Do not share passwords
• Log off when you leave your computer
• If you write password down keep it in a secure
  (locked) place

23
Protection from malicious software

• Do not open attachments to suspect emails
• Report all suspicious incidents to IT
• Do not download ANYTHING from the internet
  without IT Depts consent
• Do not access your internet email from Satilla
  computers
• Read policy on internet use (2.24)

24
Telephones and voicemail

• Do not talk about confidential matters on the
  telephone where you can be overheard (take
  special care with speakerphones)
• Never include confidential information in a
  voicemail or answering machine message

25
Emails with confidential information

• Use ID number and consumer initials to identify
  consumer information in emails (DO NOT use their
  full names, DOB, or SS numbers)
• Include confidentiality and disclaimer notice
  (see email policy 2.12)
• Check you have the correct to address

26
Faxing confidential information

• Include a cover sheet on all faxes (policy 2.16)
• Make sure you have the correct fax number
• Phone ahead or otherwise make sure that the
  intended recipient is there to receive the fax or
  that the fax is in a secure area.

27
Information security in clinics

• Mask information on sign-in sheets
• Post notices requesting respect for privacy at
  reception desks
• Use approved badges and number system to call
  consumers from waiting room (Satilla Policy)
• Keep confidential papers and computer screens out
  of public view

28
Immediately report to Privacy and / or Security
Officers any breaches of consumer privacy or
information security.
Thank you for your attention!