Introduction

The information provided in the following training on the HIPAA privacy rule contains essential elements of the rule and of Dungarvin’s privacy policies. Should you have questions or need additional clarification on any material presented in this training, please consult with your supervisor.

What is HIPAA?

- HIPAA is the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191.
- The part of this federal law that applies to direct service staff is the privacy rule, or maintaining the confidentiality of consumer protected health information.
- Part of your job is to assure that you are complying with the requirements of the HIPAA privacy rule.

Privacy and Confidentiality

- Privacy is the quality or condition of belonging to or concerning a particular person; it is a tendency to keep one’s personal matters to oneself.
- Confidentiality is entrusting someone with private or personal matters.
- Private and confidential issues are often of a sensitive nature, especially when they concern our physical and/or mental health.
- Under the HIPAA privacy rule, each of us has a legal right to privacy and confidentiality of our protected health information, or PHI.
- For example, your physician is limited in how and with whom s/he can share your PHI. Your medical files must be stored in a secure fashion, and access to these files must be limited. Likewise, persons who work in the physician’s office, such as nurses, billing clerks and receptionists are restricted in the type of PHI to which they have access and with whom they share it.
- The persons served by Dungarvin are also protected under the HIPAA privacy rule, and are entitled to the right of privacy and confidentiality of protected health information.
- As a direct service staff working with consumers, you are a key person in maintaining the privacy and confidentiality of their protected health information.

Protected Health Information

- Any health/service information maintained by Dungarvin that is individually identifiable is considered PHI.
- Data that make information individually identifiable include items such as names, addresses, dates of birth, social security numbers, service initiation dates, full face photographs or medical assistance numbers.
- Much of the documentation direct service staff use and/or maintain is considered protected health information, due to its individual identifiers.

Minimum Necessary Information

When using or disclosing PHI, Dungarvin staff must make reasonable efforts to limit protected health information to the “minimum necessary” to accomplish the intended purpose of the use or disclosure.

Use and Disclosure of PHI

The HIPAA privacy rule addresses three categories of PHI:

- Routine and recurring events that do not require an authorization
- Non-routine events that do not require an authorization
- Non-routine events that require an authorization

Dungarvin has many “routine and recurring” events that involve requests for or disclosure of PHI:

- Information related to payment for services
- Information related to provision of health treatment or other services
- Information related to funding eligibility and service eligibility

Authorizations are not required in these situations.

In addition to “routine and recurring” events being exempt from requiring authorization to use and disclose PHI, there are other defined exceptions, including:

- Public health activities
- Victims of abuse, neglect or domestic violence
- Health oversight activities
- Judicial and administrative proceedings
- Law enforcement purposes
- Death
- Cadaveric organ, eye or tissue donation
- Research purposes
- Averting a serious threat to health or safety
- Specialized government functions
- Workers’ compensation
- Secretary of Health and Human Services

Prior to the use or disclosure of protected health information in the previously listed exempt situations, you must contact your supervisor. If such a situation occurs after regular business hours, call the on-call supervisor.

Documentation of these disclosures must be entered on the Summary of Disclosures of Protected Health Information form.

Authorizations

Under the HIPAA privacy rule, use and disclosure of some PHI will require authorizations:

- Check to see if PHI fits in the categories of routine and recurring events or non-routine events not requiring an authorization.
- If PHI does not fit into either of these categories, check the individual’s primary file for an authorization.
- If no authorization is present, do not disclose PHI; contact your supervisor.

What Would You Do…?

You work at a service site with three women. One of these individuals, Barbara, attends a community-based vocational training program; her service coordinator there is Robert. Robert calls you at the site one day to discuss Barbara’s challenging behavior at the vocational program, and he asks if Barbara is having similar problems at home.

Under the HIPAA privacy rule, can you respond to Robert’s questions? Do you first need a signed authorization?

What You Should Do…

In this situation, sharing the requested information with Robert would be considered provision of treatment or services, as you are sharing information with another professional who is providing services to Barbara. Therefore, under the HIPAA privacy rule you may answer Robert’s questions about Barbara. A signed authorization is not required, as this is a “routine and recurring” event.

What Would You Do…?

Joe, one of the individuals who lives at the service site where you work, has become close friends with Roy, a member of his church congregation.
Roy calls and informs you that Joe has asked him to serve as his advocate, and to prepare for Joe’s upcoming ISP team meeting he needs to review Joe’s chart and talk with staff.

Under the HIPAA privacy rule, can you share Joe’s chart with Roy and answer Roy’s questions about Joe? If so, do you need a signed authorization?

What You Should Do…

In this situation, the disclosure of PHI to Roy does not fall under the definition of “routine and recurring event”, nor is this situation covered under the list of exceptions that do not require authorization. Therefore, this disclosure would require a signed authorization. You need to check Joe’s chart to determine if an authorization to disclose PHI to Roy has been completed. If it has, you may disclose PHI to Roy. If there is no signed authorization, you must consult with your supervisor.

What Would You Do…?

You are working at a service site. A police officer arrives at the door, inquiring about one of the persons who resides at this site. The officer informs you that this individual is suspected of having been involved in a crime an hour ago, and he asks you to reveal where this person works, what the person looks like, what his age is, and for a photograph of him.

Under the HIPAA privacy rule, can you disclose this information to the police officer? If so, do you need a signed authorization? What will you do?

What You Should Do…

In this situation, sharing the requested information with the police officer would be considered a defined exception under the HIPAA privacy rule. This disclosure of protected health information would be for law enforcement purposes, one of the listed exceptions that do not require a signed authorization prior to the disclosure.
You would, however, need to contact your supervisor or the supervisor on-call prior to disclosing any information to the police officer.

Documentation

Documentation (along with any required forms) related to the HIPAA privacy rule will be entered into the individual’s primary file, in a separate HIPAA/privacy section of the chart. The primary file is the individual’s principal chart containing personal health information, which may be maintained either at a service site or at a Dungarvin administrative office.

The Summary of Disclosures of Protected Health Information form will be completed for all disclosures of PHI, except those related to billing/payment or treatment/provision of services to individuals served.

All documentation related to the HIPAA privacy rule will be maintained for a minimum of 6 years.

Safeguards for PHI

The HIPAA privacy rule requires that Dungarvin establish safeguards to protect the privacy of protected health information. Dungarvin has developed safeguards in the following areas:

Computers

All computers must have screen savers that activate after a designated period of inactivity. The screen saver must require a password to be deactivated.

Trash

All trash that contains PHI must be shredded or torn into small pieces prior to disposal.

Files

When you are not using consumer files, they should be stored in a secure location to protect confidentiality, such as a file cabinet, closed cupboard or closet.
Do not leave consumer files out and accessible to visitors, roommates or other persons not authorized access to protected health information.

Verbal Communication

Conversations and/or telephone calls where PHI is being discussed will be conducted in such a manner that the content of the discussion or phone call cannot be overheard by members of the general public or members of Dungarvin’s workforce not authorized access to such PHI, such as co-workers from other sites.

Notice of Privacy Practices

Dungarvin must maintain a Notice of Privacy Practices that meets the requirements of the HIPAA privacy regulations.

Dungarvin must provide a Notice of Privacy Practices to each individual served (or their legal guardian/conservator) by no later than the first date of service delivery.

If an individual served or the legal guardian/conservator requests a copy of the Notice of Privacy Practices, contact your supervisor.

Rights of Individuals

In the HIPAA privacy rule, there are five primary areas of rights afforded to individuals served:

- Right to request privacy protection (restrict the use and disclosure of PHI)
- Right of access (inspect and copy PHI)
- Right to request amendment (modifications to PHI)
- Right to an accounting of disclosures (record of all PHI disclosures)
- Right to complain

Whenever an individual served or the legal guardian/conservator wishes to exercise any of these rights, contact your supervisor.

Administrative Requirements

New Dungarvin employees will receive training on HIPAA within their first 30 calendar days of employment.

Following the initial training completed after hire, employees will annually participate in refresher training on the HIPAA privacy rule.

All training will be documented.

Privacy Rule Sanctions

Any employee who fails to comply with Dungarvin’s privacy policies or the requirements of the HIPAA privacy rule will be subject to sanctions imposed through Policy A-1 Concerning Orientation Periods, Probation, Suspension and Termination.

The employee’s supervisor is responsible for documenting sanctions and filing the documentation in the employee personnel record.

In Conclusion…

The HIPAA privacy rule required the creation of lengthy and detailed privacy policies and procedures, numerous new forms and formalized safeguards to protect the privacy of Protected Health Information for individuals served by Dungarvin.

Overall, it does not drastically change our current method of conducting business: to take every measure possible to protect the integrity and confidentiality of the persons we support.