Confidentiality, HIPAA and HITECH
Brought to you by AllCEUs.com
Instructor: Dr. Dawn-Elise Snipes
An on-demand CEU course will be available for this class at allceus.com
Objectives
~ Review HIPAA and HITECH regulations as they pertain to maintaining confidentiality and security of PHI
~ Encourage critical assessment of your work practices for compliance.
~ Get through the presentation with all of you staying awake 
Business Associates
~ A person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity.
~ Business associate functions and activities include:
~ Billing, claims processing, administration, benefit management
~ Data analysis, processing or administration
~ Utilization review & quality assurance
~ ISPs are NOT business associates
~ Software vendors providing EHR systems and providers of virtual offices and email services will clearly qualify as business associates
Requirements for PHI
~ Risk analysis (Required) of the potential risks and vulnerabilities to the confidentiality, integrity, and availability.
~ Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).
~ Sanction policy (Required). Apply appropriate sanctions to workforce members who fail to comply with the security policies.
~ Information system activity review (Required). Regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
Workforce Security
~ Ensure that all members of its workforce have appropriate access to ePHI, and prevent those who do not from obtaining access to electronic PHI.
~ Implement procedures for the authorization and/or supervision of workforce members who work with ePHI or in locations where it might be accessed.
~ Implement procedures to determine that the access of a workforce member to ePHI is appropriate.
~ Implement procedures for terminating access to ePHI when the employment of, or other arrangement with, a workforce member ends or changes.
Information Access Management
~ Implement written policies and procedures for authorizing access to ePHI
~ Implement policies and procedures for granting access to ePHI, for example, through access to a workstation, transaction, program, process, or other mechanism.
~ Implement policies and procedures that establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.
~ Virtual workstations
~ Key cards
~ Passwords
Security Awareness and Training
~ Training for all members of its workforce (including management)
~ Periodic security updates.
~ Procedures for guarding against, detecting, and reporting malicious software.
~ Procedures for monitoring log-in attempts and reporting discrepancies.
~ Procedures for creating, changing, and safeguarding passwords.
Contingency Plan
~ Establish (and implement as needed) policies and procedures for responding to a disaster that damages systems that contain electronic PHI.
~ Data backup plan (Required).
~ Disaster recovery plan including procedures to enable continuation of critical business processes for protection of the security of ePHI while operating in emergency mode (Required).
~ Implement procedures for periodic testing and revision of contingency plans.
Facility Access Controls
~ Limit physical access to its electronic information systems and the facility or facilities in which they are housed.
~ Clinic
~ Home office
~ Working on laptop on unsecured wi-fi
~ Workstation use. Specify:
~ The proper functions to be performed
~ The manner in which those functions are to be performed
~ The physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic PHI
Workstation Security
~ Implement physical safeguards for all workstations that access electronic PHI, to restrict access to authorized users.
~ Includes printers and fax machines
~ Output
~ Memory
Device and media controls
~ Implement policies and procedures that govern the receipt and removal of hardware and electronic media (thumb drives, laptops) that contain ePHI into and out of a facility, and the movement of these items within the facility.
~ (i) Disposal (Required). Address the final disposition of electronic PHI, and/or the hardware or electronic media on which it is stored.
~ (ii) Media re-use (Required). Implement procedures for removal of ePHI from electronic media before the media are made available for re-use.
~ (iii) Accountability (Addressable). Maintain a record of the movements of hardware and electronic media and any person responsible therefore.
HIPAA §164.312 Technical safeguards.
~ Implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4). (Think LinkedIn or Google)
~ Unique user identification (Required)
~ Emergency access procedure (Required)
~ Access from remote site during natural disaster
~ Access by staff in medical emergencies
~ Automatic logoff (Addressable)
§164.502 Uses and Disclosures
~ A covered entity is permitted to use or disclose PHI as follows:
~ To the individual:
~ For treatment, payment, or health care operations, as permitted by and in compliance with §164.506;
~ When required by the Secretary under subpart C of part 160 of this subchapter to investigate or determine the covered entity's compliance with this subchapter.
Disclosing PHI: Minimum Necessary
~ When using or disclosing to or requesting PHI from another covered entity or business associate, make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended.
~ This requirement does not apply to:
~ Disclosures to or requests by a health care provider for treatment
~ Uses or disclosures made to the individual
~ Uses or disclosures made pursuant to an authorization under §164.508;
~ Uses or disclosures that are required by law, as described by §164.512(a)
~ Uses or disclosures that are required for compliance with applicable requirements of this subchapter.
§164.508 Uses and disclosures for which an authorization is required.
~ Authorization required: General rule. Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose PHI without an authorization that is valid under this section.
~ Authorization required: Psychotherapy notes. Notwithstanding any provision of this subpart…a covered entity must obtain an authorization for any use or disclosure of psychotherapy notes, except:
~ To carry out the following treatment, payment, or health care operations:
~ Use by the originator of the psychotherapy notes for treatment;
~ Use or disclosure by the covered entity for its own training programs
~ Use or disclosure by the covered entity to defend itself in a legal action or other proceeding brought by the individual
Defective & Compound Authorizations
~ An authorization is not valid, if the document submitted has any of the following defects:
~ The expiration date has passed or the expiration event has occurred (i.e. discharge)
~ The authorization has not been filled out completely
~ The authorization is known by the covered entity to have been revoked
~ The authorization violates paragraph (b)(3) or (4) of this section, if applicable
~ Any information in the authorization is known to be false.
~ Compound authorizations. An authorization for use or disclosure of PHI may not be combined with any other document to create a compound authorization, except as follows:
~ An authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization of psychotherapy notes.
Revocation of Authorization
~ An individual may revoke an authorization provided under this section at any time, provided that the revocation is in writing, except to the extent that:
~ The covered entity has taken action in reliance thereon
~ If the authorization was obtained as a condition of obtaining insurance coverage, other law provides the insurer with the right to contest a claim under the policy or the policy itself.
Core Elements of Authorizations
~ A valid authorization under this section must contain at least the following elements:
~ A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.
~ The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
~ The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure.
~ A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization
~ An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure.
~ Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual must also be provided.
Additional Requirements for Authorizations
~ Required statements. In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following:
~  The individual's right to revoke the authorization in writing, and the exceptions to the right to revoke and a description of how the individual may revoke the authorization; or
~ The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization, by stating either:
~ (A) The covered entity may not condition treatment on whether the individual signs the authorization when the prohibition on conditioning of authorizations in paragraph (b)(4) of this section applies; or
~ (B) The consequences to the individual of a refusal to sign the authorization when, in accordance with paragraph (b)(4) of this section, the covered entity can condition treatment on failure to obtain such authorization.  (i.e. court ordered treatment)
~ The potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer be protected by this subpart.
More Requirements for Authorizations
~ Plain language requirement. The authorization must be written in plain language.
~ Copy to the individual. If a covered entity seeks an authorization from an individual for a use or disclosure of PHI, the covered entity must provide the individual with a copy of the signed authorization.
Disclosures
~ HIPAA indicates which situations information may be disclosed under HIPAA; however, many agencies and providers are bound by other regulations such as CFR 42 part 2 as well as state regulations.
~ Seek guidance from a qualified legal professional regarding implementation of HIPAA and confidentiality requirements
~ This presentation reviews highlights from the HIPAA code and is not a comprehensive guide for confidentiality
Summary
~ HIPAA Requires that written and electronic PHI be maintained with reasonable security
~ Providers must implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights
~ Providers must have policies for emergency access such as in the case of a natural disaster or medical emergency.
~ Providers are required to develop and implement written policies and procedures that establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.
Summary
~ HIPAA requires that PHI be backed up and stored in a secure location
~ HIPAA requires that electronic PHI be encrypted, wiped from devices before re-issuing them and maintained behind security protocols which limit access to only approved people.
~ A separate consent for release of information must be completed for psychotherapy notes
~ A valid consent for release of information must be completely filled out and contain certain very explicit information or it is invalid, and disclosure based on an invalid release is prohibited.
Confidentiality, HIPAA and HITECH
Objectives
~ Review HIPAA and HITECH regulations as they pertain to maintaining confidentiality and security of PHI
~ Encourage critical assessment of your work practices for compliance.
~ Get through the presentation with all of you staying awake 
Disclosures
~ HIPAA indicates which situations information may be disclosed under HIPAA; however, many agencies and providers are bound by other regulations such as CFR 42 part 2 as well as state regulations.
~ Seek guidance from a qualified legal professional regarding implementation of HIPAA and confidentiality requirements
~ This presentation reviews highlights from the HIPAA code and is not a comprehensive guide for confidentiality
Permitted Uses and Disclosures
~ A covered entity may use or disclose PHI for the public health activities and purposes described in this paragraph to:
~ A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability,
~ A public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect;
~ A person subject to the jurisdiction of the Food and Drug Administration (FDA) with respect to an FDA-regulated product or activity to collect or report adverse events, or to track FDA-regulated products; and enable product recalls
~ A person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or public health authority is authorized by law to notify such person
Permitted Uses and Disclosures cont…
~ A covered entity may use or disclose PHI to:
~ An employer, about an individual who is a member of the workforce of the employer, if:
~ (A) The covered entity is a covered health care provider who provides health care to the individual at the request of the employer:
~ (1) To conduct an evaluation relating to medical surveillance of the workplace (injury and or illness rates, workplace safety enhancement)
~ (2) To evaluate whether the individual has a work-related illness or injury
~ (B) The PHI that is disclosed consists of findings concerning a work-related illness or injury or a workplace-related medical surveillance
Permitted Uses and Disclosures cont…
~ A covered entity may use or disclose PHI to:
~ An employer, about an individual who is a member of the workforce of the employer, if:
~ The employer needs such findings in order to comply with its obligations, under the law; and
~ The covered health care provider provides written notice to the individual that PHI relating to the medical surveillance of the workplace and work-related illnesses and injuries is disclosed to the employer at the time the health care is provided
Permitted Disclosures cont…
~ A covered entity may disclose PHI about an individual whom the covered entity reasonably believes to be a victim of abuse, neglect, or domestic violence to a government authority authorized by law to receive reports of such abuse, neglect, or domestic violence:
~ To the extent the disclosure is required by law and the disclosure complies with and is limited to the relevant requirements of such law
~ If the individual agrees to the disclosure
~ To the extent the disclosure is expressly authorized by statute or regulation and is believed to be necessary to prevent serious harm to the individual or potential victims
Permitted Disclosures cont…
~ A covered entity may disclose…
~ If the individual is unable to agree because of incapacity,
~ a law enforcement or other public official authorized to receive the report represents that the information which is sought is not intended to be used against the individual (i.e. client under the influence of illicit drugs) and
~ that an immediate enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure. (Need for Narcan; appropriate medical treatment; wellbeing check)
Informing the Individual
~ A covered entity that makes a disclosure permitted by paragraph (c)(1) of this section must promptly inform the individual that such a report has been or will be made, except if:
~ The covered entity, in the exercise of professional judgment, believes informing the individual would place the individual at risk of serious harm
~ Flight before EMS arrives
~ The covered entity would be informing a personal representative, and the covered entity reasonably believes the personal representative is responsible for the abuse, neglect, or other injury, and that informing such person would not be in the best interests of the individual.
~ Informing parent of child patient who is believed to be abused
Uses and disclosures for health oversight activities
~ A covered entity may disclose PHI to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for appropriate oversight of:
~ The health care system
~ Government benefit programs for which health information is relevant to beneficiary eligibility
~ Entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards
~ Entities subject to civil rights laws for which health information is necessary for determining compliance.
Disclosures for judicial and administrative proceedings.
~ A covered entity may disclose PHI in the course of any judicial or administrative proceeding:
~ In response to an order of a court or administrative tribunal, provided that the covered entity discloses only the PHI expressly authorized by such order
~ In response to a subpoena, discovery request, or other lawful process, that is not accompanied by an order of a court or administrative tribunal, if:
~ (A) The covered entity receives satisfactory assurance, as described in paragraph (e)(1)(iii) of this section, from the party seeking the information that reasonable efforts have been made to ensure that the individual who is the subject of the PHI  has been given notice of the request; or
~ (B) The covered entity receives satisfactory assurance, as described in paragraph (e)(1)(iv) of this section, from the party seeking the information that reasonable efforts have been made by such party to secure a qualified protective order
Disclosures for judicial and administrative proceedings.
~ A covered entity receives satisfactory assurances from a party seeking PHI if the covered entity receives from such party a written statement and accompanying documentation demonstrating that:
~ The party requesting such information has made a good faith attempt to provide written notice to the individual
~ The notice included sufficient information about the [case in which PHI] is requested to permit the individual to [object]
~ The time for the individual to raise objections … has elapsed, and no objections were filed; or all objections filed have been resolved
More Disclosures
~ Crime on premises. A covered entity may disclose to a law enforcement official PHI that the covered entity believes in good faith constitutes evidence of criminal conduct that occurred on the premises of the covered entity.
Disclosures to Law Enforcement and Correctional Institutions
~ A covered entity may disclose to a correctional institution or a law enforcement official having lawful custody of an inmate or other individual PHI about such person, if the correctional institution or such law enforcement official represents that such PHI is necessary for:
~ The provision of health care to such individuals
~ The health and safety of such individual, other inmates or law enforcement officers on the premises
~ The health and safety of the officers or employees of or others at the correctional institution (This likely does not include HIV status or progress notes)
~ The administration and maintenance of the safety, security, and good order of the correctional institution.
Providing Client’s Access to Records
~ The covered entity must provide the access requested by individuals, including inspection or obtaining a copy, or both, of the PHI about them in designated record sets within 30 days
~ The covered entity may provide the individual with a summary of the PHI requested, in lieu of providing access to the PHI or may provide an explanation of the PHI to which access has been provided, if:
~ The individual agrees in advance to such a summary or explanation; and
~ The individual agrees in advance to the fees imposed
Client Access
~ The individual's request must be in writing, signed by the individual, and clearly identify the designated person and where to send the copy of PHI.
~ Fees. The covered entity may impose a reasonable, cost-based fee, provided that the fee includes only the cost of:
~ Labor for copying the PHI requested by the individual, whether in paper or electronic form;
~ Supplies for creating the paper copy or electronic media if the individual requests that the electronic copy be provided on portable media;
~ Postage, when the individual has requested the copy, or the summary or explanation, be mailed; and
~ Preparing an explanation or summary of the PHI, if agreed to by the individual
§164.526 Amendment of PHI
~ An individual has the right to have a covered entity amend PHI or a record about the individual in a designated record set for as long as the PHI is maintained.
~ A covered entity may deny an individual's request for amendment, if it determines that the PHI or record that is the subject of the request:
~ Was not created by the covered entity, unless the individual provides a reasonable basis to believe that the originator of PHI is no longer available to act on the requested amendment;
~ Is not part of the designated record set;
~ Would not be available for inspection under §164.524; or
~ Is accurate and complete.
§164.526 Amendment of PHI
~ If the covered entity grants the requested amendment, in whole or in part, it must take the action
~ If the covered entity denies the requested amendment, in whole or in part, it must provide the individual with a written denial.
Accounting of Disclosures
~ An individual has a right to receive an accounting of disclosures of PHI made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures:
~ To carry out treatment, payment and health care operations
~ To individuals of PHI about themselves
~ Incident to a use or disclosure otherwise permitted or required by this statute including general operations, law enforcement, national security, part of a limited data set
~ Pursuant to an signed authorization
Accounting of Disclosures
~ The accounting must include for each disclosure:
~ The date of the disclosure;
~ The name of the entity or person who received the PHI and, if known, the address of such entity or person;
~ A brief description of the PHI disclosed; and
~ A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or, in lieu of such statement, a copy of a written request for a disclosure under §§164.502(a)(2)(ii) or 164.512, if any.
Summary
~ HIPAA and HITECH impact every aspect of handling client information (verbal, written, electronic)
~ There are many reasons for disclosure of PHI that are exempted from requiring a written authorization including crime, incapacity (limited), court order and mandatory reporting
~ Information transmitted on the internet must be encrypted point to point.
~ If it is able to be accessed by someone other than intended, it is a violation of security.
~ Sitting down at an unmanned desk
~ Unauthorized personnel accessing records (electronic or physical)
~ Using an email provider or virtual office without a business associate agreement
Summary
~ When in doubt, refer to the guidelines and seek qualified counsel
~ Talking to parents of unemancipated minors
~ Upon law enforcement request
~ With regard to reporting communicable diseases
~ Upon receipt of a subpoena in a legal or criminal case
~ Ability to amend PHI
~ Etc…