  • 1. To HIPAA and Beyond The Law of Confidentiality and Security Public Health Area II December, 2010 By John R. Wible, General Counsel Alabama Department of Public Health ADPH, 2010
  • 2. Documentation
    • Substantiates proof of services
    • Provides continuity of care
    • Documentation must be objective facts, not opinions
  • 3. The “Golden Rule of Documentation”
    • The “Golden Rule of Documentation”: If it ain’t wrote down, it didn’t happen!
    • “Wible’s corollary”: The way it is wrote down is the way it happened, regardless of the way it happened!
  • 4. Confidentiality – Access to Records Generally
    • All patient information is strictly confidential
      • See Employee Handbook 10-02
    • Some bad scenarios
    • Bad scenarios equal bad liability
  • 5. Conditions for Release of Information
    • Conditions for release of information:
      • Prior written consent of
        • Patient
        • Parent/guardian
      • Subpoena in accordance with Departmental/institutional policy
      • Otherwise provided by law
  • 6. TB/STD/DC Records Special Confidentiality
    • STD/TB/disease control information not public.
    • Not revealed even by subpoena
    • Not admissible into evidence except for commitment hearings
    • ADPH requests for notifiable disease records to be forwarded to Legal
      • Call 334.206.5209.
    • See ADPH Policy 04-02 for specifics
  • 7. Disease Control Guidelines
    • Information considered not confidential:
    • Final completed report written in blank, not identifying any persons
    • The name of businesses, establishments, restaurants involved in an investigation
    • Aggregate statistical information
    • Any other public records
    • Regular environmental and daycare inspection reports
  • 8. Confidential Information (EPI)
    • Epidemiologic interview sheets
    • Required reports
    • Work papers, notes and analyses
    • Actual numbers of cases or IDs
    • Correspondence on a case
    • Complaint-generated environmental and other inspection reports
    • Incomplete drafts of reports
    • Other documents received privately
  • 9. Released With Authorization
    • A notifiable disease record generated by the Department or in the possession of the Department (such as electronic laboratory reports or facsimile lab reports) that concerns the symptoms, condition or other information specific to an individual
    • One patient’s authorization, however, does not release other persons’ names or information
  • 10. Written Authorization Not Required:
    • Transfer information from one county health department to another or to the state office
    • Transfer information to physicians, nurse practitioners or other health professionals with contract or other provider arrangements to provide care
    • Some practitioners require consents to transfer out of an abundance of caution
  • 11. What Makes a Valid Authorization?
    • Description of the info to be released
    • Name or description of info receiver
    • Name of patient
    • Description of the use of the info
    • Expiration date or continuous
    • Right of revocation by patient
    • Notice of possible re-disclosures
    • Signature of patient or representative
      • See CHR Form 6A and instructions
  • 12. Note Concerning Certain Information
    • CHR 6A states: pt. is made aware that s/he is releasing STD/HIV/AIDS or drug and alcohol treatment or mental health records
    • This is NOT required if other providers’ releases meet the earlier criteria
  • 13. Release of Contact Information – Don’t Do It!
    • The medical record or information regarding STD/TB/disease control cannot be released without the written consent of the patient
    • Even with consent, it should not include contact information.
    • Don’t write identifying information about how the patient contracted the disease
  • 14. Confidentiality – Access to Medical Records of Minors
    • If a minor is qualified to consent and signs the “consent for treatment”, only the minor can sign to release the information regarding those services
    • If the parent/guardian signs the consent for treatment, the parent/guardian or the minor may consent for the release
  • 15. Access to Medical Records of Minors – Rights of the Parents
    • All information pertaining to a child must be equally available to both parents
    • However, if the child gave consent for services, neither parent may have access to the records without that child’s consent.
      • Code of Ala. § 30-3-154
  • 16. HIPAA – In Brief
    • HIPAA stands for The Health Insurance Portability and Accountability Act (1996)
    • Addresses privacy and security of health data
    • Includes verbal, written, or electronic data
    • Privacy Rule, (2003), includes both paper & e-PHI
    • Security Rule, (2003), includes only e-PHI
    • HHS makes the rules
    • Amended (2009) by the “Stimulus Package”, ARRA (HITECH)
  • 17. PHI – What is it?
    • Patient name
    • Patient address
    • Patient phone number
    • Patient date of birth
    • Patient social security number, Medicaid number, etc
    • Diagnosis
    • Treatment information
    • Financial information
  • 18. The Privacy Rule: What and Who Is Covered?
    • “Protected Health Information” (PHI):
    • Individually identifiable health information used or disclosed by a covered entity in any form, whether electronically, on paper, or orally
        • 45 C.F.R. §160.103
    • ADPH is a “covered entity”
  • 19. Releases without Written Consent
    • Treatment
    • Payment
    • Operations
    • Where required by law
  • 20. Business Associates
    • Business associates follow the same level of protection in the privacy rule and include:
      • Claims or data processors;
      • Billing companies and financial service providers
      • Quality assurance providers and utilization reviewers
      • Lawyers, accountants & other professionals
          • 45 C.F.R. §160.103
  • 21. Business Associates and ARRA
    • Must also adhere to the Security Rule like CEs and are subject to the same penalties
    • Establish administrative, physical, and technical safeguards for Protected Health Information (PHI)
    • Establish policies and procedures for safeguards
    • Only use or disclose PHI in accordance with HIPAA
    • “Rat Fink Provision”
  • 22. HIPAA Privacy Rule: Who is Not Covered?
    • Life insurance companies
    • Auto insurance companies
    • Workers’ compensation carriers
    • Employers
    • Others who acquire, use, and disclose vast quantities of health data
    • ARRA may place some requirements
      • E.g., PHI cannot be bought and sold
  • 23. HIPAA Privacy Rule: What Is Not Covered?
    • PHI does not include
      • Education records covered by FERPA
      • Employment records held by a covered entity in its role as employer
      • Non-identifiable health information
      • 45 C.F.R. §160.103
  • 24. HIPAA - What it Doesn’t Do
    • Does not override state laws that provide more patient privacy than HIPAA
    • Does not require that all risk of incidental disclosures of patient information be eliminated
    • Examples:
        • Cubicles
        • Shield-type dividers
        • Sign-in sheets
  • 25. HIPAA and ADPH Privacy
    • See ADPH HIPAA Privacy Policy 06-008
      • “Minimum Necessary” Concept
      • Patient Verification
      • Fax Confidentiality
      • The “HIPAA Log”
      • Breach Sanctions
      • Needs updating
    • See also CHR Manual and Employee Handbook
  • 26. How Uses/Disclosures Are Regulated
    • Minimum necessary rule
    • When using or disclosing PHI, a covered entity must make reasonable efforts to limit such information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request
  • 27. Permitted Disclosures
    • “Minimum” info may be disclosed
    • To “public officials”
    • To public health
    • To law enforcement
    • To national security and intelligence agencies
    • To judicial authorities
    • To researchers
    • To DHR for abuse reporting
  • 28. Disclosure to Police
    • Pursuant to subpoenas or by verbal request
    • As “otherwise required by law”
    • For ID and location purposes
    • Do not give disease information
    • Individual is a victim of a crime
    • To alert about a suspicious death
    • When criminal conduct occurs on premises
    • In an emergency setting, to alert regarding information pertaining to a crime
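As an added illustration of the “minimum necessary” rule (slide 26) and the police disclosure restriction on slide 28 (identification and location only, never disease information), the Python below is example code written for this transcript; it is not ADPH’s code or policy. The purpose names, field names, allowlists and the sample record are constructed assumptions. The point it shows is structural: an explicit per-purpose allowlist, a fail-closed default for unknown purposes, and an import-time check that no law-enforcement purpose can carry diagnosis or treatment fields.

```python
from typing import Dict, Set

# PHI fields, following the list on slide 17 (field names are assumptions).
PHI_FIELDS: Set[str] = {
    "name", "address", "phone", "dob", "ssn", "medicaid_number",
    "diagnosis", "treatment", "financial",
}

# Fields that carry disease information and must not be given to police for
# an identification/location request (slide 28).
DISEASE_FIELDS: Set[str] = {"diagnosis", "treatment"}

# Purpose -> fields that purpose needs. Constructed for the example, not ADPH
# policy; a real table comes from the privacy officer, but the shape (an
# explicit allowlist per purpose) is what the minimum necessary rule calls for.
MINIMUM_NECESSARY: Dict[str, Set[str]] = {
    "treatment": set(PHI_FIELDS),
    "payment": {"name", "dob", "medicaid_number", "financial"},
    "law_enforcement_id_location": {"name", "address", "dob"},
}

# Import-time check: no law-enforcement purpose may include disease fields.
for _purpose, _fields in MINIMUM_NECESSARY.items():
    if _purpose.startswith("law_enforcement") and _fields & DISEASE_FIELDS:
        raise ValueError(f"{_purpose} allowlist leaks disease information")


def disclose(record: Dict[str, str], purpose: str) -> Dict[str, str]:
    """Return only the fields the stated purpose needs.

    Unknown purposes are refused rather than defaulting to the whole record,
    so a mistyped purpose cannot silently widen a disclosure.
    """
    try:
        allowed = MINIMUM_NECESSARY[purpose]
    except KeyError:
        raise PermissionError(f"no disclosure rule for purpose {purpose!r}") from None
    return {field: value for field, value in record.items() if field in allowed}


def is_refused(record: Dict[str, str], purpose: str) -> bool:
    """True if the purpose has no rule and the disclosure is refused."""
    try:
        disclose(record, purpose)
    except PermissionError:
        return True
    return False


# Constructed sample record; not a real patient.
SAMPLE_RECORD: Dict[str, str] = {
    "name": "Jane Q. Sample",
    "address": "123 Example St, Montgomery, AL",
    "phone": "334-555-0100",
    "dob": "1970-01-01",
    "ssn": "000-00-0000",
    "medicaid_number": "MCD-EXAMPLE",
    "diagnosis": "example diagnosis",
    "treatment": "example treatment plan",
    "financial": "example billing balance",
}


def police_id_view() -> Dict[str, str]:
    """What a police ID/location request receives from the sample record."""
    return disclose(SAMPLE_RECORD, "law_enforcement_id_location")


if __name__ == "__main__":
    print(police_id_view())                       # name, address, dob only
    print(is_refused(SAMPLE_RECORD, "marketing"))  # True: no rule, so refused
```

The same shape extends to the other permitted recipients on slide 27: each gets its own allowlist, and a request that names no listed purpose gets nothing rather than everything.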
  • 29. Disclosure to National Security Agencies
    • CEs may disclose PHI to authorized federal officials for the conduct of intelligence, counter-intelligence, and other national security activities
  • 30. Disclosure To Public Health
    • Disclosure permitted to:
    • “public health authority that is authorized by law to collect and receive such information for the purpose of preventing and controlling disease, injury, or disability, including… reporting of disease… and the conduct of public health surveillance….”
  • 31. Child or Elder Abuse Notice
    • Examples of specific public health-based exceptions include disclosures
      • About victims of abuse, neglect, or domestic violence
      • To prevent serious threats to persons or the public
  • 32. Information on Decedents
    • May be released to:
    • Law enforcement
    • Transporting emergency medical personnel
    • Coroners and their personnel
    • Mortuary personnel
    • Bureau of Health Statistics
  • 33. Maintenance of Documentation
    • Maintain documentation of policies and procedures for 6 years
    • Make documentation available to workforce who administer the policy
    • Review documentation periodically
    • Ensure the confidentiality, integrity, and availability of ePHI
  • 34. HIPAA - The Security Rule
    • Primary objective: protect the confidentiality, integrity, and availability of ePHI when it is stored, maintained, or transmitted.
    • Applies to identifiable electronic protected health information (ePHI) related to:
      • Past, present or future medical or mental condition
      • The individual’s health care
      • Payment records
  • 35. What about e-PHI?
    • Same as PHI, but created, received, or maintained electronically
    • Does not include telephone calls, copy machines, fax machines, most voice mail
    • Does not include de-identified information
  • 36. Security of the Premises
    • HIPAA requires security of the premises, i.e., door locks. See ADPH Security Policy No. 05-16.
    • HIPAA also requires security of the electronic records (computer security)
    • HIPAA requires security of the paper
    • HIPAA requires security of your mouth
  • 37. Building Security
    • Post the Department’s Notice of Privacy Practices where clients can see it
    • Maintain visitor sign-in logs and have visitors sign in and out (this includes repair persons)
    • Use ADPH and Visitor ID badges
    • Keep back doors locked or monitored during business hours
    • Keep server rooms locked
    • Keep PHI storage areas locked when unattended
  • 38. Paper Security
    • Clean Desk
      • Keep patient records covered or in folders
      • Lock records up at end of day or when away from desk
    • Fax/Copy Machines
      • Put fax & copiers in secure area away from traffic
      • Remove faxes/copies promptly
    • File Cabinets
      • Keep locked when unattended
      • Locate in secure area
      • Limit access
    • Shred it!
  • 39. Use of Department Computers
    • Use ADPH furnished equipment/software
    • CSC/Tech Support will purchase and install all network-connected devices
    • Use strong password protection & disclaimer
      • Don’t give out your password
    • CSC/Tech Support will install updates
    • Connect laptops to the network once a month for audit
    • Back up critical data
      • See Policy 2005-016 and Security Manual
  • 40. Use of Computers
    • Change password every 60 days
    • Use only for lawful activity
    • Report suspected viruses and attacks
    • Supervisors notify CSC when a new employee starts work or leaves service
    • Appropriately salvage computers
    • Limit access to Department workspace
    • Be careful with portable storage devices
  • 41. Email and Internet Security
    • Email
      • Do not open email from an unknown source; especially unknown attachments
      • Verify email recipients; make sure email is going to intended recipient
      • Always encrypt email and attachments containing protected information
      • Read security reminders
    • Avoid risky internet sites
  • 42. Laptop Security
    • Keep laptop out of view when traveling
    • Do not leave in hot vehicle for long time
    • Do not check with luggage when flying
    • Password protect
    • Set screen saver to require password
    • Log on to network once a month to update virus protection software
    • Encrypt protected information
  • 43. Patient Accounting
    • Patients may ask for listing of disclosures of their PHI up to six (6) years prior in paper or electronic form
    • The following disclosures are NOT required to be accounted for:
      • Treatment, Payment, healthcare Operations (TPO)
      • Disclosures to the patient or persons involved with their care
      • Disclosures authorized by the patient or authorized representative
  • 44. Patient Accounting
    • Other disclosures which are not required to be accounted for:
    • National security or intelligence purposes
    • Correctional institutions or law enforcement
    • Incidental disclosures
    • Limited Data Sets used for research purposes
  • 45. HIPAA Log
    • A single file which relates to pt. files
    • Kept with medical records
    • Documents “non-routine” disclosures:
      • date of the disclosure;
      • the name/address of receiver
      • brief description of the PHI disclosed
      • brief statement of the purpose of the disclosure
  • 46. Required Logged Items
    • Unauthorized releases on the AIR Form
    • Releases required by law
    • Releases based upon subpoena
    • Releases to law enforcement for ID
    • Requests to limit releases
    • Requests to amend or correct PHI
    • Requests by the patient for accounting
    • Reports about victims of abuse, neglect, or domestic violence
  • 47. Disclosures Not Logged
    • TPO disclosures
    • Disclosures made to the patient or rep.
    • Pursuant to a valid authorization
    • National security or intelligence purposes;
    • To a correctional institution or law enforcement official that has custody of a patient;
    • To a health oversight official
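Slides 43 to 47 describe the accounting of disclosures a patient may request (six years back) and which disclosures the HIPAA log must and need not record. The Python below is an added example of those rules as working code; it is not from the presentation or from ADPH. The category keys, the patient IDs and the sample disclosures are constructed for the example, and the log is an in-memory list standing in for the file kept with the medical records.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Categories that slides 43, 44 and 47 say need not be accounted for or logged.
# Everything else is a "non-routine" disclosure that belongs in the HIPAA log.
# The category keys are assumptions made for this example.
ACCOUNTING_EXEMPT = {
    "treatment", "payment", "operations",          # TPO
    "to_patient_or_representative",
    "patient_authorized",                          # valid authorization on file
    "national_security",
    "correctional_or_law_enforcement_custody",
    "health_oversight",
    "incidental",
    "limited_data_set_research",
}


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    disclosed_on: date
    recipient: str          # name/address of the receiver (slide 45)
    phi_description: str    # brief description of the PHI disclosed
    purpose: str            # brief statement of the purpose
    category: str           # key tested against ACCOUNTING_EXEMPT


def requires_accounting(d: Disclosure) -> bool:
    return d.category not in ACCOUNTING_EXEMPT


def record(log: List[Disclosure], d: Disclosure) -> List[Disclosure]:
    """Write a disclosure to the HIPAA log only if it must be accounted for."""
    if requires_accounting(d):
        log.append(d)
    return log


def years_before(day: date, years: int) -> date:
    try:
        return day.replace(year=day.year - years)
    except ValueError:          # 29 February in a non-leap year
        return day.replace(year=day.year - years, day=28)


def accounting_for_patient(log: List[Disclosure], patient_id: str,
                           as_of: date, years: int = 6) -> List[Dict[str, str]]:
    """The listing a patient may request: logged disclosures within `years` of as_of."""
    cutoff = years_before(as_of, years)
    rows = sorted(
        (d for d in log
         if d.patient_id == patient_id and cutoff <= d.disclosed_on <= as_of),
        key=lambda d: d.disclosed_on,
    )
    return [{"date": d.disclosed_on.isoformat(), "recipient": d.recipient,
             "phi": d.phi_description, "purpose": d.purpose} for d in rows]


# Constructed sample disclosures; patient IDs and recipients are fictitious.
SAMPLE_DISCLOSURES = [
    Disclosure("P-001", date(2010, 3, 15), "County sheriff's office (constructed)",
               "Name and last known address", "Identification and location", "law_enforcement_id"),
    Disclosure("P-001", date(2009, 6, 1), "Treating physician (constructed)",
               "Full clinic record", "Continuity of care", "treatment"),
    Disclosure("P-001", date(2003, 11, 20), "DHR (constructed)",
               "Visit notes", "Report of suspected abuse", "abuse_report"),
    Disclosure("P-002", date(2010, 5, 2), "Circuit court clerk (constructed)",
               "Immunization record", "Response to subpoena", "subpoena"),
    Disclosure("P-001", date(2010, 8, 9), "Patient (constructed)",
               "Copy of own record", "Patient request", "to_patient_or_representative"),
]


def build_sample_log() -> List[Disclosure]:
    log: List[Disclosure] = []
    for d in SAMPLE_DISCLOSURES:
        record(log, d)
    return log


def sample_accounting() -> List[Dict[str, str]]:
    """Accounting for P-001 as of 1 December 2010; the 2003 report falls outside six years."""
    return accounting_for_patient(build_sample_log(), "P-001", date(2010, 12, 1))


if __name__ == "__main__":
    for row in sample_accounting():
        print(row)
```

Of the five sample disclosures only three reach the log (the treatment disclosure and the copy given to the patient are exempt), and the accounting for P-001 returns just the 2010 law-enforcement disclosure, since the 2003 abuse report is older than six years and the subpoena response concerns another patient.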
  • 48. HIPAA Breaches
    • When there is a breach of PHI or e-PHI, you have a duty to report it on an ARIA
    • Call if it is serious!
    • ADPH has a duty:
    • To report to or notify clients
    • To report to HHS and the media if >500
    • To mitigate the damage
    • To examine employees, policies, equipment and facilities to prevent it happening again
    [Slide image: “Teton Dam Breach”]
  • 49. [Title not captured]
    • Breach may subject employees and the Covered Entity:
    • To criminal penalties (up to $250,000)
    • You are NOT covered by the Fund
    • To HHS civil penalties or lawsuits
    • To adverse employment action, i.e.,
  • 50. Program Management
    • The HIPAA program and certain other similar programs are under the management of the Risk Management Committee
    • Committee proposes HIPAA policy changes
    • Committee receives and processes all ARIA reports including possible HIPAA breaches
    • The Committee oversees Red Flags instances
  • 51. Red Flag Regulations
    • Federal Trade Commission Regulations designed to protect against identity theft
    • As a “creditor”, ADPH has “covered transactions” with clients/patients
    • ADPH has a duty to be on the lookout for certain red flags
  • 52. Categories of “Red Flags”
    • Alerts, notifications, or warnings from a consumer reporting agency;
    • Suspicious documents;
    • Suspicious personally identifying information, such as a suspicious address;
    • Unusual use of – or suspicious activity relating to – a covered account; and
    • Notices from customers, victims, law enforcement authorities, or businesses about possible identity theft
  • 53. See Also Policy Documents
    • 98-07 Fax Policy
    • 03-10 Notice of Privacy Practices (NOPP)
      • Under Revision
    • 03-30 Vital Records Policies
    • 04-02 Receipt of Legal Documents
    • 05-16 HIPAA Security Policy/Manual
    • 06-08 HIPAA Privacy Policy
    • 10-04 Contract Employee Handbook
    • Online ARIA Form
  • 54. For A Copy of the Presentation
    • See “HIPAA For Area 2”, a download on Slideshare
    • http://www.slideshare.net/jwible
    ADPH, 2011