HIPAA

1
HIPAA
HOPWA
STATE of GEORGIA
2
HIPAA

• Health Insurance Portability and Accountability
  Act of 1996
• Final Rule deadline was April, 2003
• Congress passed law to protect patient medical
  records and information, how and when it could be
  released shared

3
HIPAA

• As required by the HIPAA law itself, federal
  state laws that provide greater privacy
  protection (which may be those covering mental
  health, HIV infection, and AIDS information)
  continue to apply.
• HIPAA sets a national floor or minimum standard
  of privacy.
• More restrictive state HIV standards continue to
  apply.

4
Which Privacy Law is More Constrictive Concerning
HIV Privacy of Information, HIPAA or Georgia?

• Georgia, hands down. Georgia has some of the
  most restrictive privacy laws concerning HIV in
  the country however they have been relaxed
  somewhat over the years.

5
What Information is Protected?

• All medical records and other individually
  identifiable health information used or disclosed
  by a covered entity in any form, whether
  electronically, on paper, or orally, are covered
  by the final rule.

6
Are You a Covered Entity or a Business Associate?

• Generally, you should be considered a Business
  Associate since you do not provide medical care,
  keep medical records on your clients or share
  client information with other entities.
• A Business Associate relationship is an official
  contract signed by you with the Covered Entity.

7
Covered Entity Cont.

• Requirements of a Business Associate are much
  less than a Covered Entity under HIPAA but
  Georgia Code concerning HIV confidentiality draws
  no difference in the entity. So, you do not need
  to worry so much about HIPPA but your Stae
  requirements are quite clear and should be
  considered.

8
Why is HIPAA so Important to Pathways?

• Pathways electronically shares medical and other
  data. Electronic data transmission was the major
  force behind the HIPAA legislation forcing
  privacy of electronic patient information. Since
  so many types of data are shared by Pathways,
  they must use max precaution to insure their
  safety and your own.

9
Policy Procedures

• Should be written and posted in your office.
• Staff should be trained on Policies.
• Each client should receive a copy of your Privacy
  Policy Procedures.
• You should always receive a signed Release of
  Information before sharing any client data.

10
Policy Procedures Cont.

• Each client should receive an explanation of who
  will have access to their information and
  signatures of whom can review the information and
  whom is not allowed to review their information.
• Each client must receive Informed Consent of what
  happens if they do or do not agree with the
  information sharing Procedures.

11
Policy Procedures Cont.

• Good policy not to share your information with
  other entities unless required to by government
  agency or a Covered Entity.
• Be a Business Associate whenever possible leaving
  the burden of privacy for HIPAA on the Covered
  Entity

12
DUE DILLIGENCE

• Always do the maximum you can think of even if it
  is overkill. Document what you do. Do the best
  you can and prove it. The HIPAA legislation will
  be litigated and change over time. The Georgia
  Code, however, has been litigated, is what you
  have to worry about and will stand the test of
  time.

13
Can a client have their medical record or chart?

• With a few very limited exceptions, the client
  has the right to inspect and obtain a copy of
  medical information you hold about them.
• While the information you have collected about
  the client is their information, the actual file
  materials belong to you.

14
Can a client have their medical record or chart?
Cont.

• You do not have to share information related to
  others in the record.
• You do not have to share information you
  purchased, i.e. credit or collection information
  other than where you received the information.
• You do not have to share any information
  furnished to you by a legal entity, i.e.
  warrants, etc.

15
Can you share the information you have with other
entities?

• Yes, with the proper Release of Information
  (ROI). You may use your own form, the DHR form,
  your health Districts approved form or other.

16
Can you share the information you have with other
entities?

• Again, I recommend that as a practice you do not
  share information with others except in rare
  circumstances release the information only to
  your client and let them disseminate it.
• Also, be aware that the client can call back or
  rescind their ROI and you can not share data
  related to that ROI after that point.

17
Now

• Q A

18
May you leave messages for clients at their
homes, either on an answering machine or with a
family member, to remind them of appointments or
to inform them that a prescription is ready? May
providers continue to mail appointment or
precription refill reminders to patients' homes?
19
HIPAA YES

• Georgia HIV privacy statute
• probably not.
• Anything you do to release client HIV information
  must be specifically cleared by the client to an
  individual except under special circumstances
  such as a spouse or criminal investigation when
  ordered by a court to do so.

20
Can you fax client information?
21
HIPPA Yes

• Georgia HIV privacy statute
• probably not.
• Need ROI
• Need to verify fax number
• As discussed previously best to let Covered
  Entity take the risk.

22
Heres a Good One!

• May you use client sign-in sheets or call out the
  names of your clients in your waiting rooms?
• HIPAA?
• Georgia?

23
Can you leave client charts out in plain view on
your desk?

• HIPAA Yes
• Georgia - No

24
YOUR QA

• Lets Talk

25
HANDOUTS

• Sample DHR ROI.
• Sample Public Posting for a Covered Entity.
• Sample Business Associate document.
• Hardcopy of Slideshow.

26
THE ENDThank YouLoud Applause