1 / 16

Protecting Client Data HIPAA, HITECH and PIPA Part 1B

Protecting Client Data HIPAA, HITECH and PIPA Part 1B. When You Can Use or Disclose Information. Release of Information ( ROI). T his term is used to explain when DHS can disclose PHI. F or example, you can always disclose when PHI will be used for the following purposes:

keiji
Download Presentation

Protecting Client Data HIPAA, HITECH and PIPA Part 1B

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Protecting Client DataHIPAA, HITECH and PIPAPart 1B

  2. When You Can Use or Disclose Information • Release of Information (ROI). This term is used to explain when DHS can disclose PHI. For example, you can always disclose when PHI will be used for the following purposes: • Treatment - The provisions, coordination, or management of health care and related services. • Payment - Activities undertaken to reimburse for health care. • Operations - Functions such as quality assessment and improvement activities. 2014 DHS IT Security & Privacy Training

  3. TPO Disclosures • Do not require any documentation • May be made without accounting for the disclosure 2014 DHS IT Security & Privacy Training

  4. Permissible Disclosures • If disclosure is not TPO, you may not need an Authorization to Disclose if the disclosure is a permissible disclosure found at Section 164.512 of the Privacy Standards. • Examples include: mandatory state laws, information required to be reported for public health purposes, child abuse reporting. • If you are not sure, then obtain a signed Authorization to Disclose using DHS form 4000. The Authorization to Disclose can be found on DHS Share under Forms. 2014 DHS IT Security & Privacy Training

  5. (ROI): DHS Form 4000 Is AValid Authorization • If you cannot use the Form 4000 for some reason, be certain the authorization is HIPAA compliant by ensuring it contains: • Client/Patient name and date of birth. • Name of the individual or agency authorized to make the requested disclosure. • Name of the person or organization to whom the disclosure is to be made. • Purpose of the disclosure. • Specific description of the type and amount of information to be released. 2014 DHS IT Security & Privacy Training

  6. Valid Authorization Continued…. • For more information on the form you can use to obtain a valid authorization, use the Authorization to Disclose DHS form 4000 that can be found on DHS Share here: http://dhsshare/DHS%20Forms/Forms/AllItems.aspx 2014 DHS IT Security & Privacy Training

  7. ROI: Identify Verification • Prior to releasing PHI for a permissible purpose, you must determine if the requester is a valid recipient of the PHI. Ask the requester to provide you with enough information to identify the client including the name, DOB, address, and SSN. • Provide only the minimum necessary information in order to safeguard the PHI. 2014 DHS IT Security & Privacy Training

  8. ROI: You May Disclose to Personal Representatives or Guardians if… • The client is an incapacitated adult who is 18 years of age or older; • A minor and you have a Letter of Guardianship from the court naming the requester as Guardian; or • You have reasonable basis to believe the person is the parent of a minor child after verifying this by obtaining sufficient information, i.e. the child’s SSN. 2014 DHS IT Security & Privacy Training

  9. Example Scenario • You receive a call at work from an individual that wants to discuss medical information of a client and states that he/she is the Legal Guardian of a client. May you discuss the PHI of the client with this individual? 2014 DHS IT Security & Privacy Training

  10. Yes!! • But, before you disclose the information, you need to obtain a copy of the Letters of Guardianship authorizing the individual to access the medical information and records being requested. 2014 DHS IT Security & Privacy Training

  11. ROI: Disclosures to Family Members • You may disclose to family members: • If the client is present and alert and the client decides. • That is, if the client does not object or you can reasonably infer that the client would not object. • If the client is incapable of making his/her wishes known. For example, in an emergency circumstance, using your professional judgment, you can determine it would be in the client’s best interest. For example, you may discuss an incapacitated client’s condition with family members over the phone. 2014 DHS IT Security & Privacy Training

  12. ROI: Divorced Parents & Step-Parents • Unless the parental rights of the client have been terminated, either parent may have access to the records. • When in doubt, consult the divorce decree or contact the physical custodian and ask if the other parent is allowed to see the records. If he/she declines, ask to see the supporting documents. • Unless the step-parent is a legal guardian and has the guardianship papers to verify it, no access to the health records may be permitted. 2014 DHS IT Security & Privacy Training

  13. ROI: Foster Parents • Foster parents of a client contact DHS and want to know if they can obtain information on the child they have in their care. • Can DHS disclose the information? 2014 DHS IT Security & Privacy Training

  14. Yes! • Yes, the foster parents can obtain information on the child or children in their care, but the foster parents cannot receive information on the parents, guardians or any siblings not in their custody. 2014 DHS IT Security & Privacy Training

  15. ROI: Deceased Clients • DHS can disclose information about a deceased client to the executor of the estate or someone who is legally authorized to act on behalf of the deceased individual or his/her estate. • DHS may disclose information about a deceased client to a health care provider who is treating a surviving relative for treatment purposes. • DHS may disclose information about a deceased individual to the coroner as required by Arkansas law. 2014 DHS IT Security & Privacy Training

  16. ROI: Requester Seeks Client Presence at Facility • Clients have a right to opt in or out of a facility directory. Therefore, if a request is made to determine if someone is present at your facility or health care setting, and the client is not listed in the Facility Directory, you may not confirm or deny the client’s presence until you obtain the client’s authorization to do so. 2014 DHS IT Security & Privacy Training

More Related