DPH Privacy and Data Security Policies CBO Program

Presentation Transcript


    1. DPH Privacy and Data Security Policies
       CBO Program/Clinical Staff FY09-10 Annual Review
       City and County of San Francisco Department of Public Health
       Revised February 10, 2010

    2. Training Overview
       - HIPAA and Patient Confidentiality Laws
       - Patient/Client’s Rights
       - Sharing PHI
       - Data Security
       - Compliance
       - Resources
       - Post Test

    3. Governing Entities on Confidentiality
       The Federal HIPAA Privacy Rule requires that individually-identifiable health information be protected from unlawful access or disclosure. California laws hold institutions and individuals accountable and penalize both for breaches. Some of the disclosures permitted by the HIPAA Privacy Rule are not permitted under stricter California health and mental health confidentiality laws and Federal substance abuse treatment program confidentiality rules. These stricter laws must be applied. The SF DPH Privacy Policies encompass the above and provide for further protections.

    4. Health Insurance Portability and Accountability Act (HIPAA)
       1996 Kennedy/Kassebaum Act

    6. PHI, Protected Health Information
       Information relating to an individual’s health status, care received, and/or payment for services (including demographics) that can be individually identified as belonging to a particular person. Protections apply to verbal communications, paper documents, and electronic data sets that include health information.

    7. “Privacy and the Conduct of Research” Policy
       Research conducted using PHI of DPH patients:
       - must have DPH administrative approval
       - must be approved by a duly-constituted IRB
       - must have the patient’s authorization to use his or her PHI, or an IRB/DPH Waiver
       Questions? See DPH Privacy Policy, “Conduct of Research”.
       - UCSF staff: contact Doug Eckman at 206-3195
       - Community Programs staff: contact Deborah Sherwood at 255-3435

    8. Client/Patient Rights under the HIPAA Privacy Rule

    9. Clients/Patients have the right to…
       - Request confidential communications;
       - Access their medical records;
       - Request restrictions on the use and disclosure of their PHI;
       - Revoke authorizations;
       - Request an accounting of disclosures;
       - Authorize disclosure to persons or entities of their choice.

    10. Notice of HIPAA Privacy Practices
        - Every new DPH client must be provided with the “DPH Notice of HIPAA Privacy Practices” (the form is available in 5 languages: English, Spanish, Vietnamese, Chinese, and Russian).
        - The document describes how health information may be used and disclosed, and the patient/client’s rights regarding the use of that information.
        - The signed acknowledgement is kept in the medical record and, in some databases (LCR, for example), it is noted when and by whom the Notice was provided.

    11. Additional Notice for DPH Mental Health Programs only…
        Because DPH administers the County’s Mental Health Insurance Plan, program staff must review the DPH Notice of HIPAA Privacy Practices annually with their clients.

    12. Viewing and Sharing PHI

    13. Generally, patient authorizations are not required to share PHI…
        - when sharing PHI with providers (and providers’ staff) for the purpose of treatment, diagnosis, or referrals; or
        - to coordinate care with any healthcare provider (any discipline) "who has medical or psychological responsibility for the patient."
        Exceptions are outlined in slide 17 and slide 19.

    14. “Need to Know”
        - By law, you may only view, disclose, or inquire about PHI for patients/clients who are under your care (unless you have been authorized to do otherwise by your supervisor).
        - When coordinating care (and as allowed by law), care team members should share the minimum amount of PHI needed to improve outcomes for the client/patient.
        - Prior to making any permitted disclosure, staff shall verify the identity of the person requesting DPH PHI and the authority of any such person to have access to DPH PHI.

    15. If a minor is a dependent (300) or ward (600) of the court, and if the PURPOSE of the disclosure is to coordinate care, the law permits healthcare providers to disclose information to: a county social worker, probation officer, or other person legally authorized to have care or custody of a dependent or ward. Check with your supervisor or Privacy Officer for clarification.

    16. Authorizations are not required for disclosures required by law for purposes of:
        - Reporting victims of abuse, neglect, or domestic violence;
        - Public Health and other activities, such as law enforcement and national security.
        Contact your supervisor or Privacy Officer if asked for PHI for any of these reasons.

    17. However, authorizations ARE required…
        - Before sharing PHI for purposes other than treatment, payment or operations.
        - Before a substance abuse treatment program may share PHI outside their own program.
        - Before CCSF HIV Health Services providers may share PHI with non-ARIES providers.

    18. However, authorizations ARE required…
        Before sharing PHI with non-treatment service providers. Examples of non-treatment providers are*:
        - Tenant’s advocates
        - Property managers
        - Benefits advocates
        - HSA Employment Specialists
        - Lawyers
        - Parole Officers

    19. If authorization is needed and the patient/client is a minor…
        The Parent or Legal Guardian must authorize the disclosure. However, if the minor or the services fall under the DPH Minor Consent Policy, the minor may authorize disclosure. Check with your supervisor or Privacy Officer for further clarification.

    20. DPH Privacy Policy Matrix for Sharing Patient Health Information Between Treatment Programs
        Sharing PHI outside the parameters described below requires the patient/client’s signed authorization prior to its release.

    21. If authorization to release protected health information is required:
        - Individuals have a right to a copy of their signed authorization forms.
        - Individuals have a right to revoke authorizations at any time.

    22. Disclosures to Family, Relatives, Friends
        No information may be disclosed to a family member, relative, or close personal friend regarding treatment or status of mental health, substance abuse, sexually transmitted disease, HIV/AIDS, or developmental disabilities without the individual’s specific and prior authorization.
        For all other patients, providers should:
        - Honor the client/patient’s perspective.
        - Limit disclosure to information directly relevant to the friend’s or family member’s involvement with the individual’s care or payment for that care.
        - Share only what will help the patient’s care.
        - If permission to share information is verbal, make a note in the medical record.
        - If you have doubts, give the patient an opportunity to object to your sharing information with his/her family or friend.
        - If the patient is incapacitated, share information with family, friends, etc. when it is in the best interest of the patient.

    23. PHI and the Media
        You must consult the DPH Public Information Officer before speaking to the press (554-2507). Due to the sensitive and legal implications surrounding patients’ rights and their confidentiality, you must also confer with your Privacy Officer before speaking to the press about any client or patient.

    24. PHI and the Media
        No DPH program may release or publish identifiable photos, videos, or information about (current, past, or deceased) clients who have been diagnosed with or receive services for mental health and substance abuse disorders... even if the client authorizes or requests that you do so. This policy applies to media and to inclusion in publications, program brochures, and training materials.

    25. Records of Fellow Employees
        Employee information in Invision/LCR or other computerized records is also protected. DO NOT access records of employees, even if they ask you to or give you permission to. Databases are routinely audited to assure the privacy of DPH/UCSF employees.

    26. Data Security

    27. Data Security Policies
        Guiding Principle: Each of us is responsible for protecting the data/information and workstations/PDAs that are entrusted to us for use in our jobs:
        - From LOSS (theft, erasure, copying)
        - From DAMAGE (inaccuracy, error, deception)
        - From MISUSE (unauthorized access, non-mission activities)

    28. User ID / Password Rules
        - No one is allowed to log onto a client/patient information system anonymously;
        - When systems allow it, each user who is assigned a User ID and a Password should change them periodically;
        - Always create and use “complex” passwords containing letters, numbers, symbols;
        - Do NOT tell anyone else your User ID or Password, not even your supervisor or IS staff;
        - Do NOT write them down.

    29. System Access Considerations
        - Each attempt to log on or read files is monitored and recorded;
        - Do NOT search, open, or view patient PHI unless you are authorized to do so (Is that client/patient verifiably under your care?);
        - Do NOT remove PHI via portable media or devices (or in documents) from the worksite without administrative approval. If approved to take PHI off the worksite, ALWAYS keep PHI in your possession while you are offsite (e.g., do not leave a laptop, portable device, or charts in the trunk of a car).

    30. Workstations/PDAs
        - Devices must be set to “time-out” and be password-protected, including smart phones if they have access to e-mails with PHI contained in them.
        - Do NOT leave workstations or portable devices unattended; DO log out / disable your device before you leave the area;
        - Do NOT place your monitor so it can be read by unauthorized persons;
        - Be present at the fax and printer when documents print out;
        - Immediately report theft or loss of portable devices to management and, as appropriate, site security staff and/or local law enforcement authorities. If PHI is on the portable device, notify the Privacy Officer as well.

    31. Storage of PHI
        - PHI & confidential information must be stored such that it cannot be accessed by unauthorized personnel.
        - Store PHI in encrypted form, or password-protected when encryption is not available.
        - DPH prohibits the storing of patient data on privately-owned portable devices.

    32. PHI Disposal / Destruction of PHI
        - Never throw PHI into the trash can. Put it in confidential shredding bins.
        - Data storage devices that may contain PHI must be rendered unreadable by IT personnel before being recycled or discarded.

    33. PHI via E-mail Transmission
        - PHI may be sent as regular text within e-mails sent between users with addresses ending in /DPH/SFGOV, @sfdph.org, or the UCSF directory (do not put the client’s name in the subject line).
        - For all other addresses, PHI may only be sent in password-protected documents as attachments. Exceptions must be approved by the Privacy Officer.
        - Unprotected PHI should not be sent to, or transmitted from, personal e-mail accounts (aol, yahoo, earthlink, etc.).
        - A confidentiality statement is to be appended to e-mails, faxes, or paper documents that include PHI or personal/confidential information.
        - Prior to transmission, e-mail addresses, fax numbers, phone numbers, URLs, etc. are to be confirmed as correct and valid.

    34. E-mailing Protected Health Information between treatment providers and patients/clients:
        - E-mail communication regarding "care, treatment and services" may be done if the client is an adult and both the client and the provider agree to this form of communication.
        - Behavioral Health Programs must obtain written consent to do so from the patient, using the form Authorization to Share Protected Health Information Via E-mail Between Provider and Client.
        - E-mails must be included in the patient's medical record or chart. A printed copy of the e-mail with the patient's name, date of birth, and medical record number on the e-mail must be sent to the MR Department for inclusion in the patient's chart.
        You must always follow the following security precautions:
        - Do not use your personal e-mail account (AOL, hotmail, etc.)
        - Do not use e-mail for urgent matters
        - Never forward e-mail that contains Protected Health Information to a third party
        - Until further notice, include a Confidentiality Statement similar to the following:
          This e-mail is not a secured data transmission for Protected Health Information (PHI) as defined by the Health Insurance Portability and Accountability Act (HIPAA), and it is the responsibility of all parties involved to take all reasonable actions to protect this message from non-authorized disclosure. This e-mail is intended for the recipient only. If you receive this e-mail in error, you should notify the sender and destroy the e-mail immediately. Disclosure of the information contained herein could subject the discloser to civil or criminal penalties under state and federal privacy laws.

    35. Communicating with Clients by Phone
        - Be sure clients have not restricted communication before telephoning or attempting to contact them.
        - Do not leave results on voicemail.
        - Maintain the clinical role you would as if conversing in person, follow the client’s lead in terms of the extent of PHI discussed, and keep to the “minimum necessary.”

    36. Compliance

    37. Sanctions
        Violations of DPH privacy or security policies may result in: disciplinary action; disciplinary action / revocation by licensing boards; fines; criminal prosecution; and/or termination.
        Reminder: “Snooping” is illegal.

    38. Complaints and Breaches
        - All violations and breaches, including lost or stolen PHI, must be reported to your Privacy Officer immediately.
        - Complaints regarding privacy may be referred to your DPH Privacy Officer. DPH is required to document all complaints.
        - DPH is prohibited from intimidating patients who wish to register a complaint.
        - DPH has a non-retaliation policy for employees who register complaints.
        - You may also anonymously call the DPH Privacy Hotline at 415-206-2354, or you may call the Secretary of the US Department of Health and Human Services at 415-437-8310.

    39. Resources

    40. Questions?
        Please take time to read and review the policy documents located at your worksite or at the following websites:
        - DPH staff (intranet): http://dphnet/ (go to DPH Privacy & Data Security Policies)
        - Outside the DPH (public website): http://www.sfdph.org/dph/comupg/oservices/medSvs/HIPAA/default.asp (go to “Knowledge Sharing and Collaboration” then “Privacy Policies”)
        Or contact your CBO Privacy Officer.

    41. DPH Privacy Officers (Name, Representing, Phone)
        - Deborah Sherwood, Community Programs (Research), 255-3435
        - Cheryl Austin, Laguna Honda Hospital, 759-2349
        - Frank Kuziel, SFGH Campus, 206-6210
        - Dan Kelly, Human Services Agency, 557-5871
        - Pat Skala, Information Systems Department, 206-8945
        - Doug Eckman, SFGH/UCSF Dean's Office, 206-3195
        - Joe Goldenson, Jail Medical Services, 995-1701
        - Maria X Martinez, Community Programs, Community Health Services, EMS, and all DPH affiliate/contractor programs not covered above, 255-3706

    42. Post Test
        (CBO Privacy Officers may obtain a copy of the test answers by contacting maria.x.martinez@sfdph.org)
