HIPAA Stuff for Clinicians … because you clinicians are special, and have extra stuff to learn!
Client Rights
Access: Clients have the right to inspect and copy their PHI.
There are, however, PHI examples where access to one’s PHI might be denied, like:
Psychotherapy notes.
PHI compiled for civil, criminal or administrative action or proceedings.
PHI subject to CLIA Act of 1988 when access would be prohibited by law.
Access would endanger a person’s life or safety based upon a professional judgment.
A correctional inmate’s request may jeopardize health and safety of the inmate, other inmates or others at the correctional institution.
A research study has previously secured agreement from the individual to deny access.
Access is protected by the Federal Privacy Act.
PHI was obtained under promise of confidentiality and access would reveal the source of the PHI.
Another right clients have is the right to ask for alternative communications. Examples include:
Right to request to receive communication by alternative means or location.
The client may request a bill be sent directly to him/her instead of to his/her insurance company.
The client may request you contact him/her on his/her cell phone instead of at his/her home telephone number.
Clients have the Right to Request a Restriction on use and disclosure of their PHI (e.g., revoke a previous authorization, request to not give to certain providers, request to not provide for research purposes).
For example:
If a client pays for a service out of pocket in full, he/she has the right to ask CCFI not to disclose the information from that service to an insurance company or for health care operations.
What should I do if a client requests we always call a family member instead of her?
Request clients complete a release of information form.
Clients have the right to Request an Amendment or Correction of PHI.
Situations where a request may be denied include:
CCFI did not create the information.
Record is accurate according to the health care professional who wrote it.
Information is not part of the CCFI record.
Clients have the Right to Request a Restriction on use and disclosure of their PHI (e.g., revoke a previous authorization, request to not give to certain providers, request to not provide for research purposes).
We are not required to approve the request, but must make reasonable efforts to approve it, when possible.
Clients also have the Right to an Accounting of Disclosures (AOD).
We must give information on disclosures of information released, except those that were given:
To the individual.
For TPO.
To law enforcement officials, correctional institutions or national security.
An individual may request an accounting for disclosures as far back as six years before the time of the request - but to start no earlier than April 14, 2003.
A covered entity must suspend accounting of disclosures to a client if an agency or law enforcement indicates the accounting is likely to impede the agency’s activity.
Do clients need to sign the Notice of Privacy Practices before their first appointment?
Yes. Please continue to request they sign the acknowledgment before they see a provider for their first appointment at CCFI.
Client signs the Acknowledgment of Receipt to confirm that he or she has been offered and/or received the Notice.
What is the purpose of the NOPP?
-It summarizes how CCFI uses and discloses clients’ PHI.
-It details clients’ rights with respect to their PHI.
If a client or legal guardian refuses to take a NOPP, this is their right; do not force them to take one.
If a client or legal guardian refuses to sign the acknowledgment form, document this on the form and in the system.
Once the client turns 18 or is able to self-consent, he/she must sign an acknowledgment form.
Host parents of a foreign exchange student may act on behalf of the student’s biological parent(s) and sign the NOPP acknowledgment form.
Clients have the Right to file a privacy complaint.
Direct all requests or complaints regarding these rights to the CCFI Privacy Officer.
Document all client complaints.
Have the client submit privacy and security complaints in writing.
We are required by law to respond to privacy and security complaints.
CCFI conducts random audits of employee and provider access to determine:
Appropriateness of access, and
If access is in compliance with CCFI policies.
Audit trails show which clients’ records have been accessed, the date and time of the access, what was accessed, etc.
If access appears to be inappropriate, the Privacy Officer works with leaders, Human Resources, and the employee/provider to determine whether or not it was appropriate.
You received a request to release a client’s PHI. What now?
Whether releasing verbally or in writing, you need to determine the following:
Is the requestor legally authorized to receive the PHI? Important Note: when uncertain, ask the CCFI Privacy Officer, or obtain a signed authorization from the client.
Is a signed Authorization required?
If yes, determine if the Authorization is HIPAA compliant.
Elements of a valid authorization:
-The Statement, “I acknowledge information authorized for release may include records which may indicate the presence of a communicable or non-communicable disease.”
-Client name and date of birth.
-Name of the individual or agency authorized to make the requested disclosure.
-Name of the person or organization to whom the disclosure is to be made.
-Purpose of the disclosure.
-Specific description of the type and amount of information to be released.
-If the release includes mental health, alcohol or drug abuse or test results, or developmental disability records, these must be specified.
-If the release includes HIV test result, AIDS, or AIDS related disease, the statement “HIV test results” is required.
-Statement on the possibility of re-disclosure by the recipient and that the information is then no longer protected by CCFI.
-Right to inspect a copy of the records released.
-Statement of the ability or inability to condition treatment, payment, enrollment or eligibility for benefits.
-If the release involves marketing and direct or indirect remuneration to CCFI by a third party, include a statement reflecting this.
-A statement of the right to revoke the authorization in writing, exceptions to the right to revoke, and how to request a revocation.
-Expiration date or event.
-Time period during which the authorization is effective.
-Signature of client or legal personal representative and date signed.
-If signed by a legal personal representative, a description of his/her authority to sign.
-A copy of the form is required to be given to the client.
REMEMBER TO DOCUMENT WHEN YOU RELEASE INFORMATION!!!
Remember, you don’t need authorization for uses and disclosures of PHI for (TPO):
Treatment
Payment
Health Care Operations
Mandatory disclosures by law.
If use of the information does not fall under one of these categories you must have the client’s signed authorization before sharing that information with anyone.
An individual calls to discuss appointment information with you for a client and states he is the client’s Legal Guardian, can you discuss this with the individual?
Yes, after verifying the individual is the client’s Legal Guardian and has access rights to the type of records being requested. Here’s how to verify:
We must have a copy of the guardianship papers.
A stepparent calls to discuss her stepchild’s care. May you discuss this with her?
No, unless the stepparent is a legal guardian and we have the guardianship papers on file, or a legal guardian has provided authorization.
Stepparents may call to schedule appointments, but do not have access to their stepchildren’s PHI without authorization by a legal guardian.
Can foster parents get information on the child they are caring for?
Yes, if they have guardianship, other court papers, or an authorization from the birth parent, allowing them the right of access.
If they don’t have any legal papers and a health care provider is in need of the information, you may release directly to the care provider.
May we Fax PHI?
Yes, we may fax PHI, but only when in the best interest of client care or payment of claims.
It is best practice to test a fax number prior to faxing PHI to it. If this is not done, then complete the following:
Restate the fax number to the individual providing it to you.
Obtain a telephone number to contact the recipient with any questions.
Do not include PHI on the cover sheet.
Verify you are including only the correct client’s information (i.e. check the top and bottom pages).
Double check the fax number prior to “sending” it.
CCFI personnel may send texts or e-mails that contain protected health information to clients once proper written authorization is obtained. Only CCFI equipment should be used in this process.
CCFI personnel may send emails that contain PHI to other personnel, within the realms of HIPAA standards, if using the CCFI email system on the CCFI secure network.
If you initiate negotiations to contract with a company to perform, or assist in the performance of, a function or activity involving the use or disclosure of PHI, please contact the Operations Director, who will work with the CCFI Privacy Officer to obtain Business Associate Agreement (BAA) language. Examples of when to obtain a BAA with a company include:
Claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and re-pricing; and legal, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.
Questions? Ask your privacy officer, Rachelle Cook!