1. All Mental Health and Recovery Services Board (Board) officers, employees, and agents shall preserve the integrity and the confidentiality of individually identifiable health information (IIHI) pertaining to each client. This IIHI is protected health information (PHI) and shall be safeguarded to the highest degree possible in compliance with the requirements of the security rules and standards established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
2. The Board shall publish and distribute a Notice of Privacy Practices that informs the client in plain language about the uses and disclosures of PHI the organization will make; the client's rights in regard to uses and disclosures; and the limitation that the organization may not use or disclose information in a manner not covered in the Notice.
3. The Board and its officers, employees, and agents will not use or disclose an individual’s protected health information for any purpose without the properly documented consent or authorization of the client or his/her authorized representative unless required to do so by federal and/or state law or regulation; unless an emergency exists; unless permitted by this or other policies of the agency; or unless the information has been sufficiently de-identified that the recipient would be unable to link the information to the client.
4. The Board shall take reasonable steps to limit the use and/or disclosure of, and requests for PHI to the minimum necessary to accomplish the intended purpose.
5. The Board shall implement reasonable administrative, technical, and physical safeguards to protect PHI from any intentional or unintentional use or disclosure that is a violation of HIPAA regulations.
6. The Board shall establish and maintain procedures to receive and address client complaints of unauthorized uses or disclosures of their PHI.
7. The Board recognizes certain rights of clients regarding their own protected health information.
- The client and/or his authorized representative shall be granted access to their records subject to reasonable limitations related to the business processes of the organization unless, in the opinion of an appropriate medical professional, such access would be detrimental to the client.
- The client has the right to request restrictions on certain uses and disclosures of PHI.
- The client has the right to request communication of confidential information by the agency by some reasonable alternative means or alternative location.
- The client shall also have the right to request amendment to the records to correct alleged inaccuracies. Such amendments shall be subject to law, professional ethics, and professional judgment and standards.
- The client is entitled to an accounting of disclosures of PHI for uses other than treatment, payment and healthcare operations.
8. The Board shall establish contractual assurances from all business associates to which PHI is disclosed that the information will be used only for the purposes for which they were engaged, will safeguard the information from misuse, and will help the agency comply with its duties to provide clients with access to health information about them and a history of certain disclosures.
9. The Board shall provide adequate training and timely updates related to the policies and procedures for compliance with the HIPAA privacy standards for all current employees, new hires, agents and business associates. Training content and participation will be documented and retained by the Privacy Officer.
10. All officers, employees and agents of the Board shall comply with the standards set forth in this policy. Violation of this policy and unauthorized uses and/or disclosures of protected health information are very serious offenses. Not only is violation of this policy grounds for disciplinary action, up to and including termination of employment, but violations related to unauthorized use and disclosure of protected health information may be subject to civil and criminal penalties including significant monetary costs and incarceration.
11. The Board shall make all reasonable efforts to lessen the harm caused by an improper use or disclosure of protected health information by its workforce or by any business associate.
12. The Board shall maintain policies and procedures to implement HIPAA standards and regulations. The Board shall also maintain documentation in written or electronic form of any communication required by the regulation and documentation of any action, activity or designation that may be required. Such documentation shall be maintained by the organization for a period of six (6) years from the date of its creation or the date when it last was in effect, whichever is later.
All Policies in the Policy and Procedure Manual Subsection Related to HIPAA Privacy Compliance
1.1. Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA is a comprehensive law enacted during the Clinton administration. The law has several subparts providing such benefits as guaranteed portability and renewal of insurance benefits between employers, tax provisions for medical savings accounts and administrative simplification to improve the efficiency and effectiveness of the health care system. During the latter part of the 1990s, the Secretary of the Department of Health and Human Services drafted regulations for standardizing the electronic interchange of administrative and financial data and protecting the security and privacy of personal health information. HIPAA requires health care providers, health plans and health care clearinghouses to transition to the use of standard code sets and electronic data interchange (EDI), and to maintain reasonable and appropriate administrative, technical, and physical safeguards to ensure the integrity and confidentiality of healthcare information; to protect against reasonably foreseeable threats and hazards to the security or integrity of the information; and to protect against unauthorized uses or disclosures of the information. Compliance with the first of the HIPAA rules is scheduled for early 2003. HIPAA also provides criminal penalties for failure to comply with the regulations.
1.2. Individually Identifiable Health Information (IIHI). A subset of health information, including demographic information collected from an individual and that is created or received by a health care provider and relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual, and which identifies the individual, or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
1.3. Protected Health Information (PHI). The final rule defines PHI as individually identifiable health information that is transmitted by electronic media; maintained in any electronic medium such as magnetic tape, disc or optical file; or transmitted or maintained in any other form or medium (e.g., paper, voice, Internet, fax).
1.4. Treatment, Payment, Health Care Operations (TPO). A healthcare provider, health plan or healthcare clearinghouse may use and disclose PHI (with certain limitations) within and outside the organization for client treatment, to facilitate the payment of the client’s bills, and for business and clinical operations of the organization. The following definitions apply:
1.41 Treatment: provision, coordination or management of health care (care, services or supplies related to the health of an individual) and related services by or among providers, providers and third parties, and referrals from one provider to another provider.
1.42 Payment: activities undertaken by a health plan to obtain premiums or determine responsibility for coverage, or activities of a health care provider or health plan to obtain reimbursement for the provision of health care. Payment activities include billing, claims management, collection activities, eligibility determination and utilization review.
1.43 Health Care Operations: activities of a covered entity to the extent such activities are related to covered functions including quality assessment and improvement activities; credentialing health care professionals; insurance rating and other insurance activities related to the creation or renewal of a contract for insurance; conducting or arranging for medical review, legal services and auditing functions (including compliance programs); business planning such as conducting cost-management and planning analyses for managing and operating the entity including formulary development and administration, development or improvement of methods of payment or coverage policies; business management and general administrative activities; due diligence in connection with the sale or transfer of assets to a potential successor in interest, if the potential successor is a covered entity or will become a covered entity; consistent with privacy requirements, creating de-identified health information, fundraising for the benefits of the covered entity, and marketing for which an individual authorization is not required.
1.5. De-identified PHI. A covered entity may use PHI to create de-identified information, whether or not the de-identified information is to be used by the entity. In order to be exempt from the privacy rule, the information must not include any of the following identifiers of clients, relatives, household members or employers: names; geographic subdivisions smaller than a state (with some specific exceptions); all elements of dates except the year, for all under 89, and all elements of dates for those over 89; telephone or fax numbers, e-mail or IP addresses and URLs; social security number; medical record number; health plan beneficiary (UCI) number; account numbers; certificate or license numbers; vehicle identifiers; device identifiers; biometric identifiers (finger, retinal, voice prints); full face photographic images and the like; and any other unique characteristic or code. Alternatively, a person with appropriate statistical expertise may determine, and document, that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual.
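The identifier list above is the "safe harbor" method, and section 3.9 below notes that de-identified data falls outside the rule only if it actually meets it. The following Python is an added example, not part of this policy manual: it strips the listed identifier categories from a structured client record, applies the date rule as the policy states it (year only for those under 89; no date elements at all for those at or above the cutoff, treating age 89 itself as the stricter case, which is an assumption about the policy's ambiguous boundary), scrubs obvious identifier patterns from free-text notes, and then re-checks the result. Field names, the sample records and the regexes are constructed for the example; a real record set would map its own schema onto the policy's categories, and the "specific exceptions" for geographic data are not implemented.

```python
import re
from datetime import date

# Record fields that fall into the identifier categories listed in 1.5.
# Names are constructed for this example; real schemas differ.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "zip",            # geographic units smaller than a state
    "phone", "fax", "email", "ip_address", "url",
    "ssn", "mrn", "uci", "account_number", "license_number",
    "vehicle_id", "device_id", "biometric", "photo", "other_unique_code",
}
DATE_FIELDS = {"dob", "admission_date", "discharge_date"}
AGE_CUTOFF = 89  # assumption: 89 and over get the stricter "all date elements" rule

# Identifier patterns that leak into narrative text. Order matters: SSNs are
# replaced before phone numbers so the tail of an SSN is not labelled as a phone.
FREE_TEXT_PATTERNS = [
    ("[SSN]",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("[PHONE]", re.compile(r"\b(?:\d{3}-)?\d{3}-\d{4}\b")),
    ("[EMAIL]", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("[IP]",    re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")),
    ("[URL]",   re.compile(r"https?://\S+")),
]


def age_on(dob, as_of):
    """Whole years between a date of birth and a reference date."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def scrub_free_text(text):
    """Replace recognisable identifiers in narrative fields with labels."""
    for label, pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def safe_harbor_deidentify(record, as_of):
    """Return a copy of the record with the 1.5 identifier categories removed."""
    dob = record.get("dob")
    strip_all_dates = dob is not None and age_on(dob, as_of) >= AGE_CUTOFF
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                              # drop the field entirely
        if key in DATE_FIELDS:
            if strip_all_dates:
                continue                          # over the cutoff: no date elements
            out[key] = value.year                 # under the cutoff: year only
            continue
        out[key] = scrub_free_text(value) if isinstance(value, str) else value
    return out


def remaining_identifiers(record):
    """Check step: name any listed identifier field or free-text pattern still present."""
    leaks = [key for key in record if key in DIRECT_IDENTIFIER_FIELDS]
    for key, value in record.items():
        if isinstance(value, str) and any(p.search(value) for _, p in FREE_TEXT_PATTERNS):
            leaks.append(f"{key}:free-text")
    return leaks


# Constructed sample records (no real persons).
AS_OF = date(2024, 1, 1)
SAMPLE_RECORD = {
    "name": "Jane Doe", "street": "12 Elm St", "city": "Springfield", "state": "OH",
    "zip": "45501", "phone": "555-0100", "email": "jane@example.org",
    "ssn": "123-45-6789", "mrn": "MRN-0001",
    "dob": date(1990, 5, 1), "admission_date": date(2023, 3, 15),
    "diagnosis": "F33.1",
    "notes": "Patient called from 555-0100; SSN 123-45-6789 on file.",
}
ELDERLY_RECORD = {
    "name": "John Roe", "state": "OH", "dob": date(1930, 1, 1),
    "admission_date": date(2023, 3, 15), "diagnosis": "F41.1",
}


def run_example():
    """Convenience wrapper returning both de-identified records."""
    return (safe_harbor_deidentify(SAMPLE_RECORD, AS_OF),
            safe_harbor_deidentify(ELDERLY_RECORD, AS_OF))


if __name__ == "__main__":
    for cleaned in run_example():
        print(cleaned, "leaks:", remaining_identifiers(cleaned))
```

The `remaining_identifiers` pass is the part worth keeping even if the rest is replaced: field-level removal handles structured data, but narrative fields are where identifiers survive, and the regexes are only a first filter, not the statistical determination the policy names as the second method.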
1.6 Minimum Necessary Standard. The organization shall make all reasonable efforts not to use or disclose more than the minimum amount of protected health information necessary to accomplish the intended purpose of the use or disclosure.
1.7 Business Associate. A business associate is a person or entity that provides certain functions, activities, or services for, or to a covered entity (healthcare provider, health plan, healthcare clearinghouse), involving the use and/or disclosure of PHI. A covered entity may be a business associate of another covered entity.
2. Responsibility for Privacy of Protected Health Information. Everyone in the organization as well as associated covered entities and business associates shares a responsibility to ensure the integrity and confidentiality of clients’ protected health information and to protect against any unauthorized use or disclosure of such information.
2.1 Privacy Officer. The chief executive shall designate a privacy officer for the organization who will oversee all ongoing activities related to the development, implementation, maintenance and adherence to the organization’s policies and procedures related to the privacy and security of PHI in all forms. The privacy officer will work closely with others in the organization to assure compliance with all federal and state laws and regulations related to information privacy and security.
3. Privacy Standards.
3.1 Notice of Privacy Practices. Under HIPAA, each client has the right to receive notice of the organization’s policies regarding its uses and disclosures of PHI, the individual’s rights under the Privacy Standards, and the organization’s legal obligations regarding PHI. The organization shall prepare and distribute a Notice of Privacy Practices, written in plain language, to each client. The organization shall also document that the client has received such notice.
3.2 Uses and Disclosures of Protected Health Information for Treatment, Payment and Health Care Operations. The agency may use and disclose PHI without client consent or authorization for the purposes of treatment, payment and health care operations. Such uses and disclosures are subject to:
a. The limitations set forth in the regulation’s definitions of treatment, payment and health care operations
b. The doctrine of minimum necessary
c. The statements contained in the entity’s Notice of Privacy Practices
d. Any agreed-to restrictions requested by the individual
3.3 Uses and Disclosures of PHI When the Individual Has the Opportunity to Agree or Object. The individual shall be granted the opportunity to agree or object to use and disclosure of limited information for a facility directory (if one exists) and for use and disclosure to a significant other involved in the client’s care or as a potential recipient of notification of the client’s status in the event of an emergency or disaster. The individual’s agreement or objection in these circumstances may be verbal and does not require documentation. (Although documentation of a person to notify in an emergency or disaster might be a good idea.)
3.4 Uses and Disclosures for Which Consent, Authorization or Opportunity to Object is Not Required. The organization may use and disclose PHI without the consent or authorization of the client for the following:
a. As required by law
b. For public health activities
c. About victims of abuse, neglect or domestic violence
d. To health oversight agencies for health oversight activities
e. For judicial and administrative proceedings
f. For law enforcement purposes
g. Regarding decedents, to coroners, medical examiners and funeral directors
h. For research if a waiver of authorization has been approved by an IRB or a Privacy Board
i. To prevent serious and imminent harm to health or safety of a person or the public
j. Military and veterans activities
k. National security and intelligence
l. Protective services for the President and others
m. To the Department of State to make medical suitability determinations
n. To correctional institutions and law enforcement officials regarding an inmate
o. Worker’s compensation if necessary to comply with the laws relating to worker’s compensation or other similar programs.
3.41 Disclosures by Whistleblowers and Workforce Member Crime Victims. Subject to some limitations, the agency may not be held in violation of the Privacy Rule because a member of its workforce or a person associated with a business associate of the agency used or disclosed PHI that such person believed was evidence of a civil or criminal violation, or did so to report a breach of professional standards or problems with quality of care. Likewise, the agency will not be held in violation if a worker who is the victim of a crime discloses PHI to law enforcement officials. The agency’s sanctions for unauthorized use or disclosure of PHI will not apply to whistleblowers or crime victims as long as the actions were performed in good faith and the amount of information disclosed was consistent with HIPAA implementation standards.
3.5 Uses and Disclosures Requiring Authorization. Except as specified in paragraphs 3.2, 3.3 and 3.4 above, the organization may not use or disclose protected health information without a valid authorization. The authorization is a document signed by the client that gives the organization permission to use specified health information for a specified purpose and time frame.
3.6 Minimum Necessary. The agency shall make reasonable efforts not to use or disclose more than the minimum amount of PHI necessary to accomplish the intended purpose of the use or disclosure. The organization shall take steps to determine the extent to which various classifications of workers need access to client PHI and shall limit use and disclosure of PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. The organization shall also maintain policies governing both routine and non-routine use of PHI.
3.7 Business Associates. A business associate is a person who, on behalf of the organization, performs a function or activity involving the use or disclosure of PHI, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management and practice management; or who provides legal, actuarial, accounting, consulting, data aggregation, management, administrative or financial services to or for the organization where the service involves the disclosure of PHI. The organization may disclose PHI to a business associate and may allow a business associate to create or receive PHI on its behalf if the organization obtains satisfactory contractual assurance that the business associate will appropriately safeguard the information.
3.8 Client Rights Related to Protected Health Information. The HIPAA regulations contain standards that not only control the inappropriate use of PHI, but also protect and enhance the rights of individuals to access their information. The regulations provide the following rights to individuals with respect to their personal health information.
3.81 Inspect and Copy. Clients shall have the right to access their own protected health information that is maintained in record sets of the organization and its business associates. The organization may deny access to records under certain specified circumstances and shall establish and maintain a process for appeal of the denial.
3.82 Restrictions. Clients shall have the right to request restrictions on how the organization will use or disclose their own protected health information for treatment, payment or health care operations and how their information will be disclosed or not disclosed to family members or others involved in their care.
3.83 Amendment. Clients shall have the right to amend erroneous or incomplete PHI unless the information:
a. Was not created by the covered entity
b. Is not in a designated record set or is not otherwise available to inspection
c. Is accurate and complete
d. Would not be subject to the right of access.
The organization shall maintain a procedure for appeal if the client’s request to amend is denied. The organization shall follow the medical practice model for amending medical records in order to retain the integrity of the original entry while appending the correction.
3.84 Accounting. Clients shall have the right to an accounting of disclosures of their own protected health information that is maintained in record sets of the organization and its business associates. Such accounting shall include a period of six years prior to the request, beginning on the first date on which the organization was required to be in compliance with the HIPAA Privacy Standards (April 14, 2003).
3.85 Confidential Communications. The agency shall permit individuals to request communications of PHI at locations and by means that assure confidentiality. The request shall include a statement by the individual that the alternate means and/or alternate location for such communications are necessary to ensure his/her safety. The agency shall accommodate reasonable requests.
3.86 Request and Receive a Copy of the Privacy Notice. The individual shall be provided with a process to request and receive a written copy of the agency’s Notice of Privacy Practices.
3.87 Deceased Individuals. Subject to some limitations, the privacy protections for PHI extend to the PHI of a deceased individual, and the protections remain in effect until the individual has been deceased for 50 years. Disclosures are permitted to the decedent’s family members or others if:
- The PHI is directly relevant to that person’s involvement in the decedent’s care or payment for care, AND the disclosure is not inconsistent with wishes the decedent expressed prior to death.
- Generally, the right to control a deceased individual’s PHI would be granted to an executor or administrator, or other person (e.g., next of kin) authorized under applicable law to act on behalf of the decedent’s estate.
3.88 Personal Representative. Broadly, a personal representative is someone authorized to act on behalf of another person who is the subject of the PHI.
3.881 Adults and Emancipated Minors. The agency must treat a person as a personal representative of an individual if such person is, under applicable law, authorized to act on behalf of the individual in making decisions related to health care. Authority of the representative is limited to the extent to which PHI is relevant to the matters on which the personal representative is authorized to represent the individual.
3.882 Un-emancipated Minors. Unless state law grants otherwise, a parent or legally appointed personal representative may act on behalf of an un-emancipated minor in making decisions related to health care and PHI.
3.9 De-identification and Re-identification of PHI. PHI that is de-identified according to the specifications of the regulation is no longer considered PHI and is thus exempt from the other provisions of the regulation. The regulation describes two methods for de-identification of PHI. The standards also provide for the re-identification of PHI subject to some limitations.
4. Agency Administrative Requirements. The agency shall comply with all administrative requirements identified in the HIPAA regulations.
4.1 General Policy Related to HIPAA Compliance. The agency shall develop a policy specifying the general requirements of the HIPAA Privacy Rule including appropriate use and disclosure of PHI; the rights of the individual in respect to their own PHI; and, the agency’s responsibilities to the individual and for the protection of personal health information.
4.2 Designation of Privacy Official and Contact Person. The agency shall designate and document the designation of a privacy official and a contact person to whom individuals can direct questions regarding policy, procedures and compliance with the HIPAA regulations. The privacy official and the contact may be the same person.
4.3 Training Workforce Members. All members of the organization’s workforce and business associates shall receive training about the entity’s privacy policies and procedures as necessary and appropriate to carry out their job duties. Training shall also be provided to new employees and when there is a material change in the organization’s privacy practices.
4.4 Establish Safeguards for PHI. The agency shall perform a risk assessment related to the potential misuse and/or unauthorized disclosure of PHI. Based on the assessment, reasonable and appropriate administrative, technical and physical safeguards shall be implemented to protect the privacy of personal health information.
4.5 Receive and Document Complaints. The agency shall implement a process to receive and document individual complaints related to the agency’s policies and procedures to protect privacy and to the agency’s compliance with the privacy standards. The agency shall include the disposition of complaints, if any, in the documentation.
4.6 Maintain Process for Sanctions and Mitigation. The organization shall establish and apply appropriate sanctions against workers who fail to comply with privacy policies and procedures. The organization shall do all that it can to mitigate any potential harmful results of an improper use or disclosure of PHI (in violation of the HIPAA Privacy Standards) by the organization, its workforce or its business associates.
4.7 Refrain from Intimidation and Retaliation. The agency shall establish and enforce policies to prevent intimidation or retaliatory acts against any individual exercising rights or duties under HIPAA. This protection is extended to whistleblowers, participants in investigations of the agency’s compliance with regulations, individuals who complain to the agency or the Secretary about compliance issues and other similar situations.
4.8 Protect Client Rights (Waiver of Rights). The agency shall not condition the provision of or eligibility for services or benefits on an individual’s waiver of rights under the HIPAA regulations.
4.9 Maintain Required Documentation. Documentation shall be required in support of policies and procedures and all other subparts of the privacy regulations that directly list documentation as a requirement. Documentation must be kept current to reflect changes in regulatory requirements and the organization’s privacy processes.
4.91 Retention of Documentation. Documentation required under the privacy regulations shall be kept in written or electronic form for a period of six (6) years from the date of creation or from the date when it last was in effect, whichever is later.
4.10 Effect of Prior Consents and Authorizations. The agency may continue to use consents, authorizations, or other legal permissions for the use and disclosure of PHI that were in force prior to the HIPAA compliance date (April 14, 2003). If the prior consent or authorizations related to a research project, the agency may use PHI received or created either before or after the compliance date for the research purpose. However, anyone entering the project after the compliance date would be subject to the HIPAA standards for uses and disclosures related to research.
4.11 State Preemption of HIPAA Rules. Any provision of State law contrary to HIPAA is preempted unless the State laws provide more protection to health information or greater rights to the individual subject of the health information.
4.12 Develop and Implement Policies and Procedures. The agency shall develop and implement policies and procedures to comply with the HIPAA regulations to protect personal health information. The policies and procedures shall be designed to comply with the standards, implementation specifications or other requirements of the regulation and shall reflect a reasonable assessment of the agency’s needs based upon its size and the type of activities that relate to PHI.
4.121 Changes to Policies and Procedures. When a change in law affects the agency’s policies and procedures related to HIPAA regulations, the policies and procedures shall be changed consistent with the new law. If the entity reserved the right to change policies and procedures in the Notice of Privacy Practices, any change to policy and procedures would apply to PHI acquired prior to the change. If the right to change was not included in the Notice, the agency must apply old policies and procedures to the PHI acquired during the period when those policies were in effect and apply new policies and procedures to PHI acquired after the effective date of the new policies. The agency shall also provide staff and business associate training with respect to the change in policies and procedures.
5. Failure to Comply with HIPAA Regulations. The U. S. Department of Health and Human Services shall be responsible for compliance and enforcement of the HIPAA provisions. The Secretary shall seek the cooperation of covered entities in obtaining compliance with the requirements of the regulations. The Department may provide technical assistance to entities to help them comply.
5.1 Enforcement. Enforcement of the regulations shall be through investigation of complaints filed with the Secretary. Any person who believes a covered entity is not complying with the privacy regulations may file a complaint.
5.2 Penalties for Non-compliance. The agency and/or individuals may be subject to civil penalties of up to $25,000 prior to 2/18/2009. The agency and/or individuals may be subject to civil penalties of up to $1,500,000 after 2/18/2009 and criminal penalties, including prison, for knowingly and improperly disclosing or obtaining confidential healthcare information. Tougher penalties are in place for situations where personal gain, commercial advantage, or malicious harm is involved.