Module 9-Confidentiality & HIPAA


Confidentiality and HIPAA
Learning Objectives

Articulate the basic rules governing privacy of medical information and records.
Identify the client’s rights under HIPAA.
Demonstrate the ability to respond appropriately when faced with situations involving confidentiality.

The importance of confidentiality

Find a partner. Discuss your experiences with confidentiality.

The Health Insurance Portability and Accountability Act - HIPAA

This act is about privacy regulations – it requires that providers protect the privacy and security of their consumers’ health information in new ways.
It allows consumers additional rights to access, amend and protect their own health care information.

What is Protected Health Information?

PHI is information that contains identifiers.
PHI replaces the phrase “confidential medical information”
What are basic identifiers that we use?

Protected Health Information

PHI includes the following:
Treatment Plans
Medical Records
Incident Reports
Outcomes Databases
Data Collection Sheets
Treatment Team Meeting Notes

Protected Health Information

PHI also includes:
Treatment information
Health information (physical or mental)
Payment information
It includes past, present or future info
It includes information that is verbal, electronic or on paper

Informing Clients

A Privacy Notice is given to each client upon entry into mental health services
Each person must sign that he/she has received this Privacy Notice

Authorization of Disclosure

Releasing of PHI requires authorization from the consumer, except under very specific circumstances.
The request must state the type and amount of information the consumer is willing to disclose.
HIPAA authorization forms must be signed and updated annually.

Basic guidelines

Be conscientious about “need to know” in all situations
Outside the team, disclosure should be guided by:
Authorization
Staying within the parameters of the specific information required
During emergencies, the safety and health of the consumer permits disclosure of necessary PHI
Let’s look at some examples:

Permitted Disclosures

To the consumer, subject to certain restrictions.
For treatment, payment or healthcare operations (i.e., Quality, Risk Management) within the agency.
Child abuse, elder abuse, Tarasoff warnings
Secret Service
To Guardians of adults
To parents/family members of minors

Permitted Disclosures, cont.

With a valid authorization:
For any reason to a third party
To family members or other persons involved with the individual’s care.

Disclosures Usually Permitted

To Public Health Authorities – reports of death or disease
In response to a court order or as permitted by law with regard to litigation
To avert a serious threat to health or safety to the individual or others.

Substance Abuse Records

Substance abuse records are highly protected – the client must make a specific authorization to disclose this information
There are three exceptions to the rule requiring client authorization of substance abuse records:
Child Abuse Reporting
Crime committed at, or threatened at, the treatment facility
Medical emergency

Confidentiality and Teams

HIPAA, California law and W&I Code permit sharing of healthcare and mental health information, without authorization, for treatment purposes.
If a new team is developing, including nonmedical partners such as probation officers, law enforcement, teachers or social workers, it is easiest to get an authorization signed at the outset.

Sharing substance abuse information

HOWEVER, authorization is required when sharing substance abuse treatment program information with providers who are “outside of the program.”

The Designated Record Set

All of the client’s information is contained in the Designated Record Set
DRS replaces the term “medical record”
A DRS is a group of records maintained by a provider or for a provider that is the medical and billing records; case or medical management records; or information used in whole or in part to make healthcare decisions about the individual.

The DRS

The information within the DRS is what the HIPAA regulations protect.
Consumers have specific rights under HIPAA with regard to their DRS.

Consumer Rights Under HIPAA

Right to access DRS
Right to amend DRS
Right to restrict sharing of PHI
Right to accounting of uses and disclosures of PHI
Right to file complaints concerning a provider’s Privacy Practices

Accountability Under HIPAA

Civil penalties
$100/violation up to $25,000 per calendar year (Office of Civil Rights)

Accountability Under HIPAA

Criminal penalties (enforced by the Dept. of Justice)
Up to $50,000 and 1 year of imprisonment for knowingly obtaining and disclosing PHI
Up to $100,000 and 5 years imprisonment if committed under false pretenses.
Up to $250,000 and 10 years imprisonment if committed with intent to sell, transfer, or use for commercial advantage, personal gain or malicious harm.

Accountability Under HIPAA

The provider can be sued by consumers for improper disclosures of PHI
Disciplinary actions against employees for failure to follow policies and procedures regarding consumer privacy.

Protecting the Security of PHI

Each healthcare site must have appropriate administrative, technical and physical safeguards to protect the privacy of protected health information.

Protecting the Security of PHI

Agencies must put into place reasonable safeguards to prevent intentional or unintentional use or disclosure.

Exercise

Identifying Breaches of Confidentiality

The Bottom Line

Think confidentiality and privacy.
Share only what you need to share.
Always have an authorization before sharing someone’s confidential information.

Exercise

Confidentiality Situations