Confidentiality and HIPAA

Learning Objectives
- Articulate the basic rules governing privacy of medical information and records.
- Identify the client’s rights under HIPAA.
- Demonstrate the ability to respond appropriately when faced with situations involving confidentiality.

The importance of confidentiality
- Find a partner.
- Discuss your experiences with confidentiality.

The Health Insurance Portability and Accountability Act - HIPAA
- This act is about privacy regulations – it requires that providers protect the privacy and security of their consumers’ health information in new ways.
- It allows consumers additional rights to access, amend and protect their own health care information.

What is Protected Health Information?
- PHI is information that contains identifiers.
- PHI replaces the phrase “confidential medical information”.
- What are basic identifiers that we use?

Protected Health Information
PHI includes the following:
- Treatment Plans
- Medical Records
- Incident Reports
- Outcomes Databases
- Data Collection Sheets
- Treatment Team Meeting Notes

Protected Health Information
PHI also includes:
- Treatment information
- Health information (physical or mental)
- Payment information
- It includes past, present or future info
- It includes information that is verbal, electronic or on paper

Informing Clients
- A Privacy Notice is given to each client upon entry into mental health services.
- Each person must sign that he/she has received this Privacy Notice.

Authorization of Disclosure
- Releasing of PHI requires authorization from the consumer, except under very specific circumstances.
- The request must state the type and amount of information the consumer is willing to disclose.
- HIPAA authorization forms must be signed and updated annually.

Basic guidelines
- Be conscientious about “need to know” in all situations.
- Outside the team, disclosure should be guided by:
  - Authorization
  - Staying within the parameters of the specific information required
- During emergencies, the safety and health of the consumer permits disclosure of necessary PHI.
- Let’s look at some examples:

Permitted Disclosures
- To the consumer, subject to certain restrictions.
- For treatment, payment or healthcare operations (i.e., Quality, Risk Management) within the agency.
- Child abuse, elder abuse, Tarasoff warnings
- Secret Service
- To Guardians of adults
- To parents/family members of minors

Permitted Disclosures, cont.
- With a valid authorization: for any reason to a third party
- To family members or other persons involved with the individual’s care.

Disclosures Usually Permitted
- To Public Health Authorities – reports of death or disease
- In response to a court order or as permitted by law with regard to litigation
- To avert a serious threat to health or safety to the individual or others.

Substance Abuse Records
- Substance abuse records are highly protected – the client must make a specific authorization to disclose this information.
- There are three exceptions to the rule requiring client authorization of substance abuse records:
  - Child Abuse Reporting
  - Crime committed at, or threatened at, the treatment facility
  - Medical emergency

Confidentiality and Teams
- HIPAA, California law and W&I Code permit sharing of healthcare and mental health information, without authorization, for treatment purposes.
- If a new team is developing, including nonmedical partners such as probation officers, law enforcement, teachers or social workers, it is easiest to get an authorization signed at the outset.

Sharing substance abuse information
- HOWEVER, authorization is required when sharing substance abuse treatment program information with providers who are “outside of the program.”

The Designated Record Set
- All of the client’s information is contained in the Designated Record Set.
- DRS replaces the term “medical record”.
- A DRS is a group of records maintained by a provider or for a provider that is the medical and billing records; case or medical management records; or information used in whole or in part to make healthcare decisions about the individual.

The DRS
- The information within the DRS is what the HIPAA regulations protect.
- Consumers have specific rights under HIPAA with regard to their DRS.

Consumer Rights Under HIPAA
- Right to access DRS
- Right to amend DRS
- Right to restrict sharing of PHI
- Right to accounting of uses and disclosures of PHI
- Right to file complaints concerning a provider’s Privacy Practices

Accountability Under HIPAA
Civil penalties
- $100/violation up to $25,000 per calendar year (Office of Civil Rights)

Accountability Under HIPAA
Criminal penalties (enforced by the Dept. of Justice)
- Up to $50,000 and 1 year of imprisonment for knowingly obtaining and disclosing PHI
- Up to $100,000 and 5 years imprisonment if committed under false pretenses.
- Up to $250,000 and 10 years imprisonment if committed with intent to sell, transfer, or use for commercial advantage, personal gain or malicious harm.

Accountability Under HIPAA
- The provider can be sued by consumers for improper disclosures of PHI.
- Disciplinary actions against employees for failure to follow policies and procedures regarding consumer privacy.

Protecting the Security of PHI
- Each healthcare site must have appropriate administrative, technical and physical safeguards to protect the privacy of protected health information.

Protecting the Security of PHI
- Agencies must put into place reasonable safeguards to prevent intentional or unintentional use or disclosure.

Exercise
- Identifying Breaches of Confidentiality

The Bottom Line
- Think confidentiality and privacy.
- Share only what you need to share.
- Always have an authorization before sharing someone’s confidential information.

Exercise
- Confidentiality Situations