HIPAA-Workbook


Pasadena Villa
CONFIDENTIALITY, PRIVACY
AND DATA / INFORMATION
SECURITY TRAINING
Copyright March 2003
Confidentiality / 42 CFR Part 2 / HIPAA
Pasadena Villa is bound to
follow state and federal
regulations governing the
confidentiality and privacy of our
clients. Federal Statute 397,
Title 42 CFR, Part 2 and HIPAA
(Health Information Portability
and Accountability Act of 1996)
45 CFR Parts 160, 162, 164
mandate the ways in which we
can communicate, access, use
or disclose our clients’ health
information.
These regulations were enacted
to protect an individual’s private
health / clinical information,
which will be referred to as PHI
(Personal Health Information)
throughout the remainder of this
training, to reduce healthcare
fraud and abuse and to give
individuals rights towards how
their PHI will be used, disclosed
and how to access their
information.
All employees, volunteers,
business associates and interns
have an obligation to maintain
the confidentiality of all persons
served by Pasadena Villa to the
fullest extent outlined by law.
Page Two




Here are some examples of
how an individual’s PHI was
exposed:
About 400 pages of detailed
psychological records
concerning visits and
diagnoses of at least 62
children and teenagers were
accidentally posted on the
University of Montana’s Web
site for eight days. The
information included names,
dates of birth, home addresses,
school attended with the results
of the psychological tests.
A doctor’s laptop was stolen at
a medical conference. The
computer contained the names
and histories of his patients in
North Carolina.
Due to a software flaw,
thousands of consumers who
requested pamphlets and
brochures about drug and
alcohol addiction had their
names, addresses, telephone
numbers and e-mail addresses
exposed on Health.org, a
government health information
Web site.
A Washington D.C. jury
ordered a local hospital to pay
$25,000 for failing to keep a
patient’s medical records
confidential. Coworkers
learned of the victim’s HIV
status after an employee at the
Washington hospital revealed
information in his medical
record.
Page Three
These examples represent the
outcome of irresponsibility, lack
of professionalism and not
abiding by the law, as well as the
policies & procedures within an
organization.
Penalties for Privacy violations
under HIPAA include both
criminal and civil penalties.
Failure to comply with HIPAA
requirements may result in civil
monetary penalties of $100 per
violation, which is capped at
$25,000 for each calendar
year for each requirement or
prohibition that is violated.
Criminal penalties may reach
as high as $50,000 and one
year in prison, if you knowingly
or wrongfully disclose or
receive PHI. If you attempt or
obtain information under false
pretenses, criminal penalties
can be made up to $100,000
and five years in prison. If you
obtain information with intent to
sell or transfer the information,
use it for commercial
advantage, for your personal
gain or use it for malicious
harm, criminal penalties can
reach up to $250,000 and ten
years in prison.
Under 42 CFR, Part 2, the
violations are not more than
$500 in the case of the first and
not more than $5,000 in the
case of each subsequent
event.
Page Four
We have taken steps to comply
with the laws by developing
internal policies and
procedures, a training program, a
complaint process and the
appointment of a Privacy and
Security Officer. However, it is
your responsibility to curb
human nature (curiosity,
sharing of information), to be
sensitive to the client’s
information, to respect the
client’s right to privacy and to
know our policies and
procedures. When we provide
our clients with quality
services, it includes protecting
their confidential information.
As we go through this training,
there will be differences in the
HIPAA regulations as opposed
to the 42 CFR, Part 2 and Florida
Statute 397 regulations. 42
CFR, Part 2, is the Code of
Federal Regulations that
governs the Confidentiality of
Alcohol and Drug Abuse
Patient Records. Florida
Statute 397 prohibits disclosure
or use of patient records (any
information that is written or
not) unless permitted by the
patient or regulation.
42 CFR preempts HIPAA in
some respects because it is
more stringent/restrictive.
Page Five
What is Protected Health Information/Individually Identifiable Health
Information?
It is information created or received by a medical/clinical provider, health plan or health care clearinghouse.
• Information related to the past, present, or future physical or mental health or condition of the individual
• Information related to the provision of health care/clinical care to an individual
• Information related to the past, present, or future payment for the provision of health care/clinical care to an individual
• Information that identifies the individual or there is reasonable basis to believe that the information can be used to identify the individual
• Information transmitted or maintained in any medium.
PATIENT IDENTIFYING INFORMATION
UNDER 42 CFR PART 2 =
• NAME
• ADDRESS
• SOCIAL SECURITY #
• FINGERPRINTS
Page Six


• PHOTOGRAPH
• OTHER SIMILAR INFORMATION
UNDER HIPAA =
• Same as 42 CFR Part 2 PLUS
• Address is defined more broadly
• Names of relatives/household
• Name of Employer
• Variety of Dates
• Telephone / Fax Number
• E-mail address / URL/IP
• Client Medical/Clinical Record number (applicable to group notes)
• Account/Health Plan Number
• Vehicle or other device serial #
To ensure that PHI, Individually
Identifiable Information is not
disclosed or used improperly,
Renaissance Healthcare Group
has written policies and
procedures to govern these
releases. The next section will
discuss the client’s rights
regarding their PHI and the
process by which individuals
may request the use and
disclosure of their PHI.
See HIPAA & Confidentiality
Plan!
Client Rights & Privacy Notice
First of all, it is important to
recognize and acknowledge the
rights of the client concerning
their PHI. The following will
outline their rights and your
responsibilities for upholding
those rights.
Page Seven
• Clients have the right to receive Pasadena Villa “Notice of Privacy Practices”. (See next page for Privacy Notice.)
• Clients have the right to inspect and copy their medical record.
• Clients have the right to request an amendment to their records.
• Clients have the right to request restrictions on use and disclosures of their protected health information (Clinical record).
• Clients have the right to confidential communications (request alternative channels of communication). Note: To communicate with the client in a different area, not by mail or telephone, etc.
• Clients have the right to receive an accounting of disclosures of their protected health information.
• Clients have a right to file a complaint if the client feels the above rights have been violated.
HIPAA Notice of Privacy Practices
Pasadena Villa
This notice describes how medical information about you may be used and
disclosed and how you can get access to this information. Please review it
carefully.
This Notice of Privacy Practices describes how we may use and disclose your protected
health information (PHI) to carry out treatment, payment or health care operations (TPO) and
for other purposes that are permitted or required by law. It also describes your rights to
access and control your protected health information. “Protected health information” is
information about you, including demographic information, that may identify you and that
relates to your past, present or future physical or mental health or condition and related
health care services.
1. Uses and Disclosures of Protected Health Information
Your protected health information may be used and disclosed by your physician, our office
staff and others outside of our office that are involved in your care and treatment for the
purpose of providing health care services to you, to pay your health care bills, to support the
operation of the physician’s practice, and any other use required by law.
Treatment: We will use and disclose your protected health information to provide, coordinate,
or manage your health care and any related services. This includes the coordination or
management of your health care with a third party. For example, we would disclose your
protected health information, as necessary, to a home health agency that provides care to
you. For example, your protected health information may be provided to a physician to whom
you have been referred to ensure that the physician has the necessary information to
diagnose or treat you.
Payment: Your protected health information will be used, as needed, to obtain payment for
your health care services. For example, obtaining approval for a hospital stay may require
that your relevant protected health information be disclosed to the health plan to obtain
approval for the hospital admission.
Healthcare Operations: We may use or disclose, as-needed, your protected health
information in order to support the business activities of your physician’s practice. These
activities include, but are not limited to, quality assessment activities, employee review
activities, training of medical students, licensing, and conducting or arranging for other
business activities. For example, we may disclose your protected health information to
medical school students that see patients at our office. In addition, we may use a sign-in
sheet at the registration desk where you will be asked to sign your name and indicate your
physician. We may also call you by name in the waiting room when your physician is ready to
see you. We may use or disclose your protected health information, as necessary, to contact
you to remind you of your appointment.
We may use or disclose your protected health information in the following situations without
your authorization. These situations include: as Required By Law; Public Health issues as
required by law; Communicable Diseases; Health Oversight; Abuse or Neglect; Food and
Drug Administration requirements; Legal Proceedings; Law Enforcement; Coroners, Funeral
Directors, and Organ Donation; Research; Criminal Activity; Military Activity and National
Security; Workers’ Compensation; Inmates.
Required Uses and Disclosures: Under the law, we must make disclosures to you and when
required by the Secretary of the Department of Health and Human Services to investigate or
determine our compliance with the requirements of Section 164.500.
Other Permitted and Required Uses and Disclosures Will Be Made Only With Your Consent,
Authorization or Opportunity to Object unless required by law.
You may revoke this authorization, at any time, in writing, except to the extent that your
physician or the physician’s practice has taken an action in reliance on the use or disclosure
indicated in the authorization.
PAGE 2
Your Rights
Following is a statement of your rights with respect to your protected health information.
You have the right to inspect and copy your protected health information. Under federal law,
however, you may not inspect or copy the following records: psychotherapy notes; information
compiled in reasonable anticipation of, or use in, a civil, criminal, or administrative action or
proceeding, and protected health information that is subject to law that prohibits access to protected
health information.
You have the right to request a restriction of your protected health information. This means
you may ask us not to use or disclose any part of your protected health information for the purposes
of treatment, payment or healthcare operations. You may also request that any part of your protected
health information not be disclosed to family members or friends who may be involved in your care or
for notification purposes as described in this Notice of Privacy Practices. Your request must state the
specific restriction requested and to whom you want the restriction to apply.
Your physician is not required to agree to a restriction that you may request. If your physician believes it is
in your best interest to permit use and disclosure of your protected health information, your protected
health information will not be restricted. You then have the right to use another Healthcare
Professional.
You have the right to request to receive confidential communications from us by alternative
means or at an alternative location. You have the right to obtain a paper copy of this notice
from us, upon request, even if you have agreed to accept this notice alternatively, i.e., electronically.
You may have the right to have your physician amend your protected health information. If we
deny your request for amendment, you have the right to file a statement of disagreement with us and
we may prepare a rebuttal to your statement and will provide you with a copy of any such rebuttal.
You have the right to receive an accounting of certain disclosures we have made, if any, of
your protected health information.
We reserve the right to change the terms of this notice and will inform you by mail of any changes.
You then have the right to object or withdraw as provided in this notice.
Complaints
You may complain to us or to the Secretary of Health and Human Services if you believe your
privacy rights have been violated by us. You may file a complaint with us by notifying our privacy
contact of your complaint. We will not retaliate against you for filing a complaint.
This notice was published and becomes effective on/or before April 14, 2003.
We are required by law to maintain the privacy of, and provide individuals with, this notice of our
legal duties and privacy practices with respect to protected health information. If you have any
objections to this form, please ask to speak with our HIPAA Compliance Officer in person or by
phone at our Main Phone Number.
Signature below is only acknowledgement that you have received this Notice of our Privacy
Practices:
Print Name:__________________________ Signature______________________Date_______
Client Access to PHI
So far we have learned the client
rights, violation penalties and the
Privacy Notice. We now will review
the breakdown of the client’s rights
and how you and Pasadena Villa will
carry out these functions.
Clients have the right to inspect or
have access to their records. The
client shall complete a form,
“Individual Request for Access to
Personal Health Information”.
This form shall be completed by the
client and given to the staff at
admission.
Individuals DO NOT have the right
to access the following types of
information:
• Psychotherapy Notes
• Information compiled in
reasonable anticipation of, or for
use in, a civil, criminal, or
administrative action or
proceeding; and
• Protected Health Information
that is subject to the Clinical
Laboratory Improvements
Amendments of 1988
The Records staff or designee will act
upon the request by informing the
individual of the acceptance of the
request and provide access. If the
request is denied due to the above
circumstances, the Records staff will
provide the individual with a written
denial.
Page Ten
REQUEST TO INSPECT OR COPY
PROTECTED HEALTH INFORMATION
This form is used by the patient to request an
opportunity to examine or copy
Protected Health Information in the
possession of Pasadena Villa.
Information Requested
Please describe the information that you would
like to examine or copy:
Review Procedures
Your request to inspect or copy your Protected
Health Information will be reviewed by
the Clinical Director, who will determine
if the information requested can be made
available to you. We may be legally
prohibited from making certain
information available to patients or
patient representatives, including:
Psychotherapy Notes
Information related to legal proceedings
Information that federal or state laws prevent us
from disclosing
Information that is related to medical research in
which you have agreed to participate
Information whose disclosure may result in harm
or injury to you or to another person
Information that was obtained under a promise of
confidentiality
Within the limitations of the law, we will make
every effort to accommodate your
request.
We will complete our review of your request and
either arrange for you to inspect your
records within 30 days of your request,
or provide you with a written explanation
of any restriction on the information that
we can provide you.
If we deny your request, in whole or in part, you
may request that we review that
decision.
Obtaining Authorizations for Use and Disclosure
• Renaissance Healthcare
Group must obtain
authorization from the client
for us to be able to use and
disclose their PHI.
Renaissance Healthcare
Group does not need to
obtain authorization for
treating / providing
services, payment and
organizational operations.
The purpose for obtaining an
authorization is to provide
the individual with an
opportunity to determine how
his or her PHI may be used
or disclosed, and to inform
the individual of his or her
rights under the Privacy rule.
For all uses and disclosures
of an individual’s PHI, RHG
will obtain a signed
authorization from the
individual, unless the use or
disclosure is required, or
otherwise permitted without
an authorization. Prior to all
marketing communications,
we will obtain authorization
from the individuals who
would receive such
communications, except if:
– the communication is
made face-to-face by an
employee; or
– the communication is a
promotional gift of
nominal value
Page Eleven
Authorization continued
Prior to any use or disclosure of
psychotherapy notes, including
for treatment, payment or health
care operations, RHG will obtain
authorization from the individual,
except if the use or disclosure is
for:
– the service activities of the
originator of the
psychotherapy notes;
– Our own training programs
in which mental health
students, interns or
practitioners practice, under
supervision, their skills in
counseling; or
– Pasadena Villa’s own
defense in a legal action or
other proceeding brought
by the individual.
RHG is not required to obtain
authorization for the following
purposes:
– to carry out service,
payment or health care
operations;
– uses and disclosures
required by law
– uses and disclosures for
public health activities
– disclosures about victims of
abuse, neglect or domestic
violence
– uses and disclosures for
health oversight activities
– disclosures for judicial and
administrative proceedings
Page Twelve
Authorization continued
– disclosures for law
enforcement purposes
– disclosing PHI about
decedents
– uses and disclosures for
research purposes
– uses and disclosures to
avert a serious threat to
health or safety
– uses and disclosures for
specialized government
functions and
– disclosures for workers’
compensation
• The authorization will be written
in plain language.
• The authorization document
will allow individuals to request
that their protected health
information be used or
disclosed for specific purposes.
• When RHG initiates an
authorization to use or disclose
protected health information for
its own purposes, RHG will
provide individuals with any
facts they need to make an
informed decision as to
whether to allow release of the
information.
• The authorization will not be
combined with another
document to create a
compound authorization,
unless:
• the other document is a similar
such authorization;
Page Thirteen
Authorization continued
• if the authorization is for the
disclosure of psychotherapy
notes, the other document is
also an authorization for the
disclosure of psychotherapy
notes; or
• the authorization is for the use
or disclosure of protected
health information created for a
research study, and is to be
combined with another written
permission for the study.
• Any authorization for the use or
disclosure of protected health
information requested by the
individual subject of that
information will contain the
following:
• a description of the information
to be used or disclosed that
identifies the information in a
specific and meaningful
fashion;
• the name or other specific
identification of the person(s),
or class of persons, authorized
to make the requested use or
disclosure;
• the name or other specific
identification of the person(s),
or class of persons, to whom
RHG may make the requested
use or disclosure;
Page Fourteen
A specific authorization is
required for the disclosure of
psychotherapy notes.
Psychotherapy notes are defined
as primarily of use to the mental
health professional who wrote
them and are not part of the
medical record, and not involved
in the documentation necessary
to carry out treatment, payment,
or health care operations. There
are few reasons why other health
care/clinical entities should need
access to this information. This
excludes diagnosis, medications,
treatment, symptoms, prognosis,
and progress to
date.
Authorization continued
• an expiration date or an
expiration event that relates to
the individual or the purpose of
the use or disclosure;
• a statement of the individual’s
right to revoke the authorization
in writing and the exceptions to
the right to revoke;
• a description of how the
individual may revoke the
authorization; Individuals may
revoke their authorizations at
any time.
• a statement that the entity will
not condition treatment,
payment, enrollment in a health
plan, or eligibility for benefits on
the provision of an
authorization, except as
permitted by law.
• a statement that information
used or disclosed pursuant to
the authorization may be
subject to redisclosure by the
recipient and no longer be
protected by 45 C.F.R. Part
164;
• the signature of the individual
and date.
• An expiration date, event or
condition
• In the event that the
authorization is signed by a
personal representative of the
individual, the authorization will
contain a description of the
representative’s authority to act
for the individual.
• RHG will provide the individual
with a copy of the signed
authorization.
Page Fifteen
42 CFR prohibits
redisclosure
A General Authorization for
Mental Health and Substance
Abuse Records is not
acceptable to release
information. To release
these sensitive records
Pasadena Villa must receive
a subpoena accompanied by
a court order, that is issued
by a Judge. This goes for
law enforcement requests as
well. Pasadena Villa may
disclose this information if it
is in relation to reporting a
victim of abuse or neglect, or
if we, in our professional judgment,
believe the disclosure is
necessary to prevent serious
harm to an individual or
other potential victim.
Authorization continued
• RHG will invalidate the
authorization if:
• any material information in the
authorization is known to be
false;
• the requirements of the
authorization have not been
filled out completely;
• the expiration date has passed
or the expiration event is
known to have occurred.
• We will document and retain
the signed authorization for a
period of at least six years from
the date of its creation or the
date when it last was in effect,
whichever is later.
It is important that each and
every authorization form is
completed accurately and in its
entirety. It is imperative all
employees are knowledgeable
of what an authorization must
contain and how to identify a
defective authorization. If you
observe authorizations with
blank spaces, or where signatures,
dates, etc. are not present, you
must report it to the Privacy
Officer immediately!
Page Sixteen
Client Rights to Amend their Records
Clients have the right to
request an amendment
(clarification or challenge) to
their medical/clinical file.
*Remember psychotherapy
notes are not disclosed.
However, the remaining parts
of their file, group notes, daily
progress notes, medication
records, demographic
information are subject to their
review. If the client does not
agree with certain
documentation in their records,
they may request that the entry
be amended. The client must
put the request in writing.
Pasadena Villa will review and
determine if they agree or
disagree with the requested
amendment. The Privacy
Officer will appoint an individual
not involved in the client’s care
to review the request. If the
request is denied, the Privacy
Officer shall notify the client in
writing. These requests for
amendments are to be placed
in the client file and are
considered a permanent form
in the file. The amendment
request form is outlined on the
following page.

Human Services Associates, Inc.
MEDICAL/CLINICAL RECORD CORRECTION/AMENDMENT FORM
REQUEST TO AMEND PROTECTED HEALTH INFORMATION
This form is to be used by patients who wish to request that information kept in the records of Pasadena Villa be amended.
The following summarizes our policies and procedures with respect to amending patient information:
• Requests to amend information must be submitted in writing.
• Your request will be reviewed by the Clinical Director and other staff members as appropriate.
• If the Clinical Director determines that the amendment you have requested should be made, the records will be updated as required by federal regulations.
• If the Clinical Director determines that the information in our records is complete and accurate, your request will be denied. A written notice of this decision will be sent to you as required by federal regulations. You will have an opportunity to send us a written statement explaining your disagreement with this decision. That statement will be included in your records, along with any response that we believe is necessary to help future users of the information understand that information. You will be given a copy of any response that we include in the record.
Information to be Amended
Please identify the information that you believe needs to be amended in the spaces provided below. Identify the source of
the information (for example, your medical records or billing records), the specific information that you believe to be incorrect
and the reason you believe the information to be incorrect. If no reason is given, your request will be denied.
If you need help with this form, please contact:
Dr. George Kachmarik, Clinical Director
(407) 246-5250
Item to be changed:____________________________________________
Data Source:_________________________________________________
Change:_____________________________________________________
Reason:_____________________________________________________
____________________________________________________________
___________________________________________________________
*Response___________________________________________________
____________________________________________________________
Item to be changed:____________________________________________
Data Source:_________________________________________________
Change:_____________________________________________________
Reason:_____________________________________________________
____________________________________________________________
*Response:__________________________________________________
____________________________________________________________
Attach additional copies of this page as needed.
Patient Signature
Please sign and date this form:
Name of Patient ________________________________________________
Signature of Patient______________________________________________
___________
Date
Signature of Patient Representative_________________________________
Relationship of Patient Representative to Patient_______________________
Decision
Approved amendments
The following requests for amendment of information have been approved:
This information will be corrected and other organizations to which this information has been disclosed will be notified as
required by federal regulations.
Requests for Amendment That Have Been Denied
The following requests for amendment of information have been denied for the reasons given in the section describing the
information you have requested:
This information will not be amended in our records. If you disagree with this decision, you may submit a written statement
of disagreement. Your statement must be limited to one standard letter-sized page (8 inches X 11 inches) per correction.
Your disagreement will be included in our records and it, or an accurate summary of it that we will prepare, will be
transmitted to any entity to whom the affected information is disclosed in the future. We also may include our own comments on
your statements. If we do include such a statement, you will be sent a copy of the statement.
Title of Privacy Official____________________________________
Signature _____________________________________________
Date
Accounting of Disclosures
HIPAA provides that
individuals have a right to
receive an accounting of
certain instances when
protected health
information about them is
disclosed by a covered
entity. This requirement
is subject to exceptions
for disclosures made to
the individual; for
treatment, payment and
health care operations;
or authorized by the
individual; as well as
certain time-limited
exceptions for
disclosures to law
enforcement and
oversight agencies. RHG
has developed
procedures to address
instances when an
accounting of disclosures
of protected health
information must be
provided.
RHG will allow an
individual to obtain an
accounting of instances
when their protected
health information has
been disclosed.
Accounting Continued
RHG will allow an individual to receive an accounting of disclosures of protected health information in the seven years prior to the date on which the accounting is requested, beginning April 14, 2003.
The accounting will be in writing and will include disclosures made to or by business associates.
Each accounting of a disclosure will include the following:
• the date of disclosure;
• the name of the entity or person who received the protected health information and, if known, the address of such entity or person;
• a brief description of the protected health information disclosed;
• a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure; or in lieu of such statement:
• a copy of the individual’s written authorization to use or disclose the protected health information, or
Accounting continued
• We will act on the individual’s request for an accounting not later than 60 days after receipt of the request by:
  • providing the individual with the accounting requested, or
  • extending the time to provide the accounting by no more than 30 days.
• In the event that RHG extends the time to provide the accounting, within 60 days after receipt of the request, it will provide the individual with a written statement of the reasons for the delay and the date by which the covered entity will provide the accounting.
• We will not extend the time to provide the accounting more than once.
• The first accounting to an individual in any 12-month period will be without charge.
Accounting continued
• Upon imposing a fee RHG will inform the individual in advance of the fee and provide the individual with an opportunity to withdraw or modify the request for a subsequent accounting in order to avoid or reduce the fee.
• We will document and retain the following for a period of at least 7 years from the date of its creation or the date when it last was in effect, whichever is later:
  • the information required to be included in an accounting;
  • the written accounting that is provided to the individual;
  • the title of the persons or officer responsible for receiving and processing requests for an accounting by individuals.
• The Privacy Officer is responsible for responding to a request from an individual for an audit trail of instances when their protected health information has been disclosed for purposes other than treatment, payment, or health care operations.
REQUEST FOR ACCOUNTING OF PROTECTED HEALTH INFORMATION DISCLOSURES
Consistent with federal regulations, we will provide you with an accounting of certain
disclosures of your protected health information. You will not receive an accounting
for the following:
• Disclosures of your Protected Health Information for the purposes of treatment, payment, or the day-to-day operation of the medical practice
• Disclosures to law enforcement, correctional institutions, or for any other legally required or permitted disclosure listed on our Notice of Privacy Practices
• Disclosures that occurred prior to April 14, 2003, the effective date of the federal privacy rules
• Disclosures that occurred six or more years prior to the date of this request
We will contact you when the information you have requested is available, generally
within 60 days of your request.
Name of Patient (Type or Print)__________________________________
Signature of Patient __________________________________________
Date
Telephone Number____________________________________________
Street Address_______________________________________________
City, State, Zip Code__________________________________________
Disclosures
Now that we’ve explained how the client has the right to see the types of disclosures and when those disclosures were made, we need to examine the general rules of disclosures. It is expected under HIPAA and 42 CFR Part 2 that we only disclose the minimum necessary information. This requires us to make “reasonable efforts” to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. This “minimum necessary” rule applies in three circumstances:
• when using PHI internally
• when disclosing PHI to an external party in response to a request, or
• when requesting PHI from another covered entity/organization.
Under 42 CFR Part 2, there is a “General Non-disclosure Rule” – an alcohol and/or drug program may not disclose any information about any patient. However, this rule (42 CFR) has nine exceptions to the Non-disclosure Rule, where information can be disclosed without proper authorization:
1. No patient-identifying information
Disclosures continued
2. Disclosure permitted with proper consent
3. For Internal communications
4. For a Qualified Service Agreement with another organization performing services for our agency
5. For a medical emergency
6. For reporting of suspected abuse and neglect
7. For when a crime is committed on facility premises or against program personnel
8. For Research and auditing
9. With a Court Order (with a good cause hearing)
Internal Communications – that
don’t disclose client identifying
information. You and your coworker in the normal operations
of your work day can discuss
clients, as long as it pertains to
your job.
HIPAA does allow some room
for allowances; if a physician
has a discussion with a client in
a semi-private room, this is
permitted.
Disclosures and Security continued
However, the physician must
use a low tone of voice and
only discuss the minimum
necessary to ensure the client
possesses his or her health
information.
Our employees must
reasonably safeguard
protected health information
from any intentional or
unintentional use or disclosure
that is in violation of the
Privacy Rule (HIPAA / 42
CFR).
We must have in place
appropriate administrative,
technical and physical
safeguards to protect the
privacy of PHI. This covers
situations such as client sign-in
sheets lying at the main desk,
client records lying out on top
of a table or desk when
performing an individual session
with another client (clean desk
protocol), talking on a cell phone
about a client (cell phones are
not secure), releasing information
without verifying the caller,
and faxing any document.
Faxing should only be
performed when it is absolutely
necessary. The information to
be faxed should be very
limited.
Mailing information is preferred.
Disclosures and Security continued
When sending a fax, you will
call the individual who is to
receive the fax and let them know
it is coming and then call upon
completion to verify receipt. All
Pasadena Villa fax machines
are on dedicated lines. All Fax
machines need to be located in
an area not accessible to the
public.
If you have a computer at your
work station and the screen
contains PHI, you must sign-off
once you leave your area.
Avoid making unnecessary copies
of client information; think twice
before making copies.
Use the clean desk protocol;
staff need to clear their
desk/area of all paperwork and
files prior to leaving, this may
prevent other persons who
leave later or arrive earlier from
viewing PHI they have no right
to access.
During the workday, paper files
and records with PHI should
not be piled on desks or left
unattended in the open. They
should be kept in drawers or
cabinets to reduce exposure.
When transporting documents /
files from location to location,
make sure they are in sleeves,
bags or envelopes that make
them inaccessible to those
transporting them.
Disclosure and Security continued
Paper that contains PHI should
be shredded when it is
obsolete, not reused, recycled
or discarded in the trash.
Incoming correspondence
should be funneled through a
distinct channel that involves
the smallest number of viewers
possible.
It is imperative to minimize
telephone conversations when
other clients or visitors are
within earshot. While there is
no foolproof way to identify
clients over the phone, the goal
should always be to increase
the degree of certainty. This is
also applicable to third parties
who call to discuss clients or
to request PHI. You must
verify the caller (call back, ask
for supervisor) by asking the
caller for their telephone
number and address of business
and then calling back to confirm.
This will be another
cumbersome task compared to
the past, but that is what it is,
and the law is how we need to
conduct business now.
Be cautious about leaving PHI
in voice mail messages; these
messages could easily be
received by someone other
than you intended. You should
never make telephone
announcements that reveal the
nature of the client’s condition
or the type of provider he or
she may be seeing. “Ms.
Brown, the psychiatrist will see
you now”!

Disclosures and Security continued
Our company utilizes an e-mail
system to assist in the
communication of daily
operations. This tool has its
positives and negatives. E-mail
permits us to
communicate effortlessly and
at great speed, and to copy
and distribute documents as
never before. The flip side of
these enormous opportunities
for more effective
communications is the equally
enormous risk that PHI will be
distributed improperly. If you
can, at all cost, conduct
business without using the
client’s PHI in your e-mails, do
it. Once an e-mail that
contains PHI is sent, the
information is in a format that
can be reissued over and over
again, equally effortlessly
whether it is a harmless
communication or a psychiatric
assessment. If a client asks
you to e-mail them, don’t do it.
Using e-mail to communicate
between the client and provider
is burdened with incredible risk.
The comfortable, informal
nature of the mode, coupled
with the liability issues
accompanying the provision of
care, make for an unfortunate
mix. You must have a client’s
written consent and they must
agree to accept the risks of this
type of communication.
Security continued
Privacy versus Security
Privacy under HIPAA is the
control of access to protected
health information (PHI).
Individuals are given the right
(within limitations) to grant or
deny the disclosure of
information about themselves
or minor children. Security is
the employment of
mechanisms to control access
and protect PHI from accidental
or unauthorized disclosure,
destruction, modification, or
loss. Also, under HIPAA,
security includes ensuring the
availability of PHI as part of our
business continuation plan
through emergency operations
and disaster recovery. HIPAA
requires the appointment of a
Security Officer and a Privacy
Officer.
The Security Officer is responsible for ensuring the company maintains:
• administrative procedures to guard data integrity, confidentiality and availability
• physical safeguards to guard data integrity, confidentiality and availability
• technical security services to guard data integrity, confidentiality and availability
• technical security mechanisms to guard against unauthorized access to data that is transmitted over a communications network
Security continued
The Administrative section for data integrity involves:
• security management processes, i.e., data back-up, testing and revision, disaster recovery plan, emergency mode operations plan, risk analysis, security policy
• security configurations, i.e., personnel clearance procedures, system users, personnel security procedures, virus checking, hardware and software installation and maintenance, inventory
• security incident procedures and response procedures
• termination procedures
• training, user education, periodic security reminders, password management
The Physical safeguards for data integrity involve:
• assigned security responsibility, access control, accountability, data storage, disposal
• physical access controls, disaster recovery, equipment control, facility security plan, procedures for verifying access authorizations prior to physical access
• policy/guidelines on work station use, security awareness training
Security continued
The technical security mechanisms for data integrity, to guard against unauthorized access to data that is transmitted over a communications network:
• message authentication, access controls, encryption, event reporting, entity authentication
• use of electronic signatures, multiple signatures, transportability, independent verifiability
As you can see, the Security
side of this law is a little more
in-depth and may or may not
involve you. However, it is
important to know the main
areas of data security. We
talked about it a little earlier,
with the fax machine, your work
station and leaving your
monitor on with PHI accessible.
Along with the above, the
facility relies on you to do the
right thing and report any
instance of computer problems
to your supervisor. Water
damage, dust and dirt,
temperature of equipment, are
all reportable incidents. Make
sure doors are closed and your
computer is not facing
the windows or placed where the
public can see it in plain sight.
Make sure nobody else is using
your computer. These are just a
few examples to give you a heads-up.
Doing your Part
Here we are, at the end of the
training. There is a lot of
information you are responsible
for knowing and practicing
beginning today. Pasadena
Villa only asks you to do your
part and we’ll do ours. To wrap
it up, a few last things to
review: only access
confidential information if you
have a need to know to do your
job; protect your computer
passwords; understand
the law and our policies and
procedures that show you and
explain to you how to follow the
law; attend training
and education programs for
updates; and last of all, and
most important, REPORT
any problems to the Privacy
Officer.
Treat your client’s information
the way you would want your
personal information treated.
Quality of care is compromised
when our clients don’t trust us.
We need to make sure they
feel comfortable about these
new privacy laws and know that
we are here to abide by the
laws and to help them as well.
If you feel unsure of how to
follow a request for information,
please review the policies and
procedures, ask your
supervisor or call the Privacy
Officer.