© Copyright 2009 HIPAA COW. Welcome to the Privacy and Security Training Session! Draft v. 11, 03-31-09


Mar 31, 2015

Transcript
Page 1: Welcome to the Privacy and Security Training Session! Draft v. 11, 03-31-09. © Copyright 2009 HIPAA COW.

Page 2: Disclaimers

This HIPAA Privacy & Security Training Session is Copyright 2009 by the HIPAA Collaborative of Wisconsin (“HIPAA COW”). It may be freely redistributed in its entirety provided that this copyright notice is not removed. It may not be sold for profit or used in commercial documents without the written permission of the copyright holder. This HIPAA Privacy & Security Training Session is provided “as is” without any express or implied warranty. This HIPAA Privacy & Security Training Session is for educational purposes only and does not constitute legal advice. If you require legal advice, you should consult with an attorney. HIPAA COW has not yet addressed all state pre-emption issues related to this HIPAA Privacy & Security Training Session. Therefore, this document may need to be modified in order to comply with Wisconsin law.

Page 3: Disclaimers continued…

This is an example training session containing only some of the Privacy & Security topics on which organizations are required to train their workforce. It is not legal advice and is not intended to cover the training requirements of all privacy & security laws. It may contain items not required by your organization and/or that need to be tailored to your organization’s policies and procedures (P&Ps). It may also be too lengthy to deliver in a single session. Slides are provided for informational purposes only.

Page 4: HIPAA Topics Covered

– HIPAA Privacy & Security Contacts
– What is HIPAA?
– Why Follow HIPAA?
– HIPAA Definitions
– Who protects PHI?
– Patient Rights
– Security
– Audit Trails
– Violations
– Release of Information
– Identity Verification
– Documenting Disclosures
– Safeguarding Information
– BAAs & Other Agreements
– Your Role
– Reporting Violations

Page 5: Privacy and Security and/or Compliance Committee Members

Name, title, extension and email address:

– Jackie Maurer, Billing Office Supervisor, 715-327-4322 ext. 126, [email protected]
– Jeff Raschke, Director IT & Security Officer, 715-327-4322 ext. 125, [email protected]

Privacy Officer: Jackie Maurer

Security Officer: Jeff Raschke

Page 6: What is HIPAA?

HIPAA is an acronym for the Health Insurance Portability & Accountability Act of 1996. Its Privacy and Security Rules are codified at 45 C.F.R. parts 160 & 164.

It provides a framework for the nationwide protection of patient confidentiality, the security of electronic systems, and standards and requirements for the electronic transmission of health information.

Page 7: What is HIPAA?

HIPAA consists of three separate parts: 1) Privacy, 2) Security, and 3) Electronic Data Exchange. Each part has separate regulations to comply with.

HIPAA mandates accountability.

Page 8: Parts of HIPAA: 1. The Privacy Rule

– Covered entities were required to comply with the Privacy Regulations as of April 14, 2003.
– Privacy refers to the protection of an individual’s health care data.
– Defines how patient information is used and disclosed.
– Gives patients privacy rights and greater control over their own health information.
– Outlines ways to safeguard Protected Health Information (PHI).
– We also need to keep in mind Wisconsin privacy laws, such as WI Chapters 51, 146, 252 and DHS 92, which in some situations protect patients’ rights more than the HIPAA Regulations do. Where a state law is more protective of the patient, HIPAA does not preempt it, so the more protective law applies.

Page 9: Parts of HIPAA: 2. The Security Rule

– Covered entities were required to comply with the Security (IT) Regulations as of April 21, 2005.
– Security means controlling:
  – The confidentiality of electronic protected health information (ePHI). The Security Rule also requires protecting the integrity and availability of ePHI, not only its confidentiality.
  – How patient data is electronically stored.
  – How patient data is electronically accessed.

Page 10: Parts of HIPAA: 3. EDI

Electronic Data Interchange (EDI; these slides call it Electronic Data Exchange) defines the format of electronic transfers of information between providers and payers to carry out financial or administrative activities related to health care (the Transactions and Code Sets standards, 45 C.F.R. part 162).

Information includes coding, billing and insurance verification.

The goal of using the same formats is ultimately to make the billing process more efficient.

Page 11: Why Should Our Organization Comply with HIPAA?

– We must be committed to protecting our patients’ privacy.
– Northwest Counseling and Guidance Clinic is placing trust in you to follow the policies. This is not optional; it is required.
– Choosing not to follow these rules:
  – Could put you at risk.
  – Could put Northwest Counseling and Guidance Clinic at risk.

Page 12: Why Should Our Organization Comply with HIPAA?

The right thing to do is to:
– Protect patient records.
– Protect business data.
– Protect patient data and reduce the risk of litigation to organizations.

There are significant penalties associated with non-compliance, for organizations and for employees of those organizations.

Page 13: HIPAA Regulations

The HIPAA Regulations require that we protect our patients’ PHI in all media including, but not limited to, PHI created, stored, or transmitted in/on the following:
– Verbal discussions (e.g. in person, on the phone, etc.).
– Written on paper (e.g. chart, progress note, encounter form, prescription, x-ray order, referral form, explanation of benefits (EOBs), scratch paper, etc.).
– In all of our computer applications/systems (e.g. electronic health record (EHR), Practice Management, Lab, X-ray, Microsoft, etc.).
– In all of our computer hardware/equipment (PCs, laptops, PDAs, pagers, fax machines/servers, cell/multifunctional phones, patient care devices, servers, etc.).

Page 14:

This training session provides reminders of Northwest Counseling & Guidance Clinic’s policies and of how you, an employee or provider, are required to protect PHI.

Page 15: Why is Privacy and Security Training Important?

– It outlines ways to prevent accidental and intentional misuse of PHI.
– To make PHI secure with minimal impact to staff and business processes.
– It’s not just about HIPAA; it’s about doing the right thing.

“We should treat personal electronic data with the same care and respect as weapons-grade plutonium -- it is dangerous, long-lasting and once it has leaked, there's no getting it back.” -- Cory Doctorow

Page 16: This training is designed to educate you on the importance of Privacy and Security

It is everyone’s responsibility to take the confidentiality of patient information seriously. Anytime you come in contact with patient information or any PHI that is written, spoken or electronically stored, YOU become involved with some facet of the privacy and security regulations. The law requires us to train you.

Page 17: HIPAA Definitions

What is Protected Health Information (PHI)?

PHI is Individually Identifiable Health Information (IIHI): information that relates to:
– The health/condition of an individual, or the provision of health care to that individual.
– Payment for the health care of an individual.

and that identifies, or could reasonably be used to identify, the individual (patient identifiers/demographics).

Page 18: HIPAA Definitions

PHI includes items in the record, such as:
– Encounter/visit documentation
– Lab results
– Appointment dates/times
– Invoices
– Radiology films and reports
– History and Physicals (H&Ps), etc.

Page 19: HIPAA Definitions

PHI includes patient identifiers: information by which the identity of a patient can be determined with reasonable accuracy and speed, either directly or by reference to other publicly available information.

Page 20: HIPAA Definitions

PHI includes patient identifiers. Examples include:
– Names
– Medical record numbers
– Social Security numbers
– Account numbers
– License/certification numbers
– Vehicle identifiers/serial numbers/license plate numbers
– Internet protocol (IP) addresses
– Health plan numbers
– Full face photographic images and any comparable images
– Web universal resource locators (URLs)
– Any dates related to an individual (e.g. date of birth)
– Telephone numbers
– Fax numbers
– Email addresses
– Biometric identifiers, including finger and voice prints
– Any other unique identifying number, characteristic or code

These are drawn from the 18 identifiers of the HIPAA “safe harbor” de-identification standard (45 C.F.R. § 164.514(b)), which also lists geographic subdivisions smaller than a state and device identifiers/serial numbers, and for dates covers all date elements except the year.

Page 21: HIPAA Definitions

Use: when we review or use PHI internally (audits, training, customer service, quality improvement).

Disclose: when we release or provide PHI to someone outside our organization (e.g. an attorney, a patient, faxing records to another provider, etc.).

Page 22: HIPAA Definitions

What does releasing the “minimum necessary” PHI mean?
– To use or disclose/release only the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
– Requests from employees at NWCGC:
  – Identify each workforce member who needs to access PHI.
  – Limit the PHI provided on a “need-to-know” basis.
– Requests from individuals not employed at NWCGC:
  – Limit the PHI provided to what is needed to accomplish the purpose for which the request was made.

Page 23: HIPAA Definitions

What is TPO? HIPAA allows us to Use and/or Disclose PHI for the purpose of:
– Treatment – providing care to patients.
– Payment – the provision of benefits and premium payment.
– Operations – normal business activities (reporting, quality improvement, training, auditing, customer service and resolution of grievances, data collection and eligibility checks, accreditation, etc.).

These terms are collectively referred to as TPO. Use or disclosure of PHI outside of TPO is not allowed without a signed authorization, unless the Privacy Rule specifically permits or requires it (for example, disclosures required by law or for public health, covered later under accounting of disclosures). TPO must be within the minimum necessary to perform your job! (The minimum necessary standard does not apply to disclosures to, or requests by, a health care provider for treatment.)

Page 24: Why Do We Need to Protect PHI?

– It’s the law.
– To protect our reputation.
– To avoid potential withholding of federal Medicaid and Medicare funds.
– To build trust between providers and patients.
  – If patients feel that their PHI will be kept confidential, they will be more likely to share the information needed for their care.

Page 25: Who or What Protects PHI?

The Federal Government, through the laws of HIPAA.
– Civil penalties up to $25,000 per calendar year for violations of an identical provision (the cap in force when these slides were drafted; the HITECH Act of 2009 raised civil penalties substantially).
– Criminal penalties:
  – $50,000 fine and 1 year prison for knowingly obtaining and wrongfully sharing information.
  – $100,000 fine and 5 years prison for obtaining and disclosing under false pretenses.
  – $250,000 fine and 10 years prison for obtaining and disclosing for commercial advantage, personal gain, or malicious harm.

Our organization, through the Notice of Privacy Practices (NOPP).

You, by following our policies and procedures.

Page 26: Enforcement

– The Public. The public will be educated about their privacy rights and will not tolerate violations of their privacy! They will take action.
– Office for Civil Rights (OCR). This is the agency that enforces the privacy regulations. It provides guidance and monitors compliance.
– Department of Justice (DOJ). This agency is involved in criminal privacy violations. It pursues fines, penalties and imprisonment for offenders.

Page 27: HIPAA Regulations

– Brought individual privacy rights to patients.
– Require that we provide these rights to them.
  – The following slides explain patient rights…

Page 28: Patient Rights: Access

Right to inspect and copy their PHI. Situations where access may be denied or delayed:
– Psychotherapy notes.
– PHI compiled for civil, criminal or administrative actions or proceedings.
– PHI subject to the Clinical Laboratory Improvement Amendments of 1988 (CLIA) when access would be prohibited by law.
– Access would endanger a person’s life or safety, based upon professional judgment.
– A correctional inmate’s request may jeopardize the health and safety of the inmate, other inmates or others at the correctional institution.
– A research study has previously secured agreement from the individual to deny access.
– Access is protected by the Federal Privacy Act.
– PHI was obtained under a promise of confidentiality and access would reveal the source of the PHI.

Page 29: Patient Rights: Alternative Communications

Right to request to receive communication by alternative means or at an alternative location. Examples:
– The patient may request a bill be sent directly to him instead of to his insurance company.
– The patient may request we contact her on her cell phone instead of at her home telephone number.

Page 30: Patient Rights: Special PHI Requests (Alternative Communication Requests)

What should I do if a patient requests we always call a family member instead of her?
– Request patients with permanent and special/unique calling and/or mailing instructions to go to their primary mental health provider or onsite administrator to complete and sign a release of information.

Page 31: Patient Rights: Amendment Requests

Right to request an amendment or correction of PHI.
– Situations where a request may be denied:
  – Northwest Counseling & Guidance Clinic did not create the information.
  – The record is accurate according to the health care professional who wrote it.
  – The information is not part of the Northwest Counseling & Guidance Clinic record.

A patient states there is an error in his electronic record and wants it corrected. What should I do?
– Request the patient contact the onsite administrator to request to have the record amended.

Page 32: Patient Rights: Restrictions and AOD

Right to request a restriction on use and disclosure of their PHI (e.g. revoke a previous authorization, request that PHI not be given to certain providers, request that PHI not be provided for research purposes).
– We are not required to agree to the request, but must make reasonable efforts to accommodate it, when possible.

Right to an Accounting of Disclosures (AOD).
– Must give information on disclosures of information released, except those that were made to:
  – The individual.
  – TPO.
  – Law enforcement officials, correctional institutions or national security.

Page 33: Patient Rights: Right to Receive an Accounting of Disclosures of PHI

A. An individual may request an accounting of disclosures as far back as six years before the time of the request, but starting no earlier than April 14, 2003.

B. A covered entity must temporarily suspend an individual’s accounting of disclosures if a health oversight agency or law enforcement official indicates that the accounting is likely to impede the agency’s activities.

Page 34: Patient Rights: Right to Receive an Accounting of Disclosures of PHI

C. Disclosures NOT requiring accounting include disclosures made:
– For Treatment (to persons involved in the individual’s care), Payment or Operations.
– To the individual subjects of the PHI.
– Incident to an otherwise permitted disclosure.
– Based on the individual’s signed authorization.
– For a facility directory.
– For national security or intelligence purposes.
– To correctional facilities or law enforcement on behalf of inmates.
– As part of a limited data set (see 45 C.F.R. § 164.514(e)).
– That occurred prior to the compliance date of April 14, 2003.

Page 35

Patient Rights: Right to Receive an Accounting of Disclosures of PHI

D. Disclosures requiring accounting include:
– Required by law
– For public health activities
– Victims of abuse, neglect, violence.
– Health oversight activities
– Judicial/Administrative proceedings
– Law enforcement purposes
– Organ/eye/tissue donations
– Research purposes
– To avert threat to health and safety
– For specialized government functions
– About decedents
– Workers’ compensation
– Releases made in error to an incorrect person/entity (i.e. breach)
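The rules on these three slides (six-year lookback, the April 14, 2003 floor, the exempt list in C, the accountable list in D, and the suspension in B) can be applied mechanically to a disclosure log. The following is an added example, not code from the HIPAA COW deck or from the clinic's systems; the purpose codes, recipients and log entries are constructed stand-ins, and an entry with an unclassified purpose is treated as an error for a person to resolve rather than silently dropped.

```python
from dataclasses import dataclass
from datetime import date

COMPLIANCE_DATE = date(2003, 4, 14)  # no accounting reaches back before this date
LOOKBACK_YEARS = 6                   # "as far back as six years before the request"

# Purpose codes are assumptions standing in for the slide's lists:
# C (no accounting required) and D (accounting required).
EXEMPT_PURPOSES = {
    "treatment", "payment", "operations", "to_individual", "incidental",
    "authorization", "facility_directory", "national_security",
    "correctional", "limited_data_set",
}
ACCOUNTABLE_PURPOSES = {
    "required_by_law", "public_health", "abuse_neglect_victim",
    "health_oversight", "judicial", "law_enforcement", "organ_donation",
    "research", "avert_threat", "specialized_government", "decedent",
    "workers_comp", "breach",
}


@dataclass(frozen=True)
class Disclosure:
    entry_id: int
    patient_id: str
    disclosed_on: date
    recipient: str
    purpose: str


def _as_date(value):
    return date.fromisoformat(value) if isinstance(value, str) else value


def years_before(d, n):
    """Same calendar day n years earlier; 29 February rolls back to 28 February."""
    try:
        return d.replace(year=d.year - n)
    except ValueError:
        return d.replace(year=d.year - n, day=28)


def accounting_window(request_date):
    """(start, end) of the period an accounting must cover for a request on request_date."""
    end = _as_date(request_date)
    start = max(years_before(end, LOOKBACK_YEARS), COMPLIANCE_DATE)
    return start, end


def build_accounting(log, patient_id, request_date, suspended_recipients=frozenset()):
    """Entries that belong in the patient's accounting, oldest first.

    suspended_recipients: agencies/law enforcement that have indicated an
    accounting would impede their activity (rule B); their entries are withheld.
    """
    start, end = accounting_window(request_date)
    entries = []
    for d in log:
        if d.patient_id != patient_id or not (start <= d.disclosed_on <= end):
            continue
        if d.purpose in EXEMPT_PURPOSES:
            continue
        if d.purpose not in ACCOUNTABLE_PURPOSES:
            # Unknown purpose: someone must classify it before the accounting goes out.
            raise ValueError(f"entry {d.entry_id}: unclassified purpose {d.purpose!r}")
        if d.recipient in suspended_recipients:
            continue
        entries.append(d)
    return sorted(entries, key=lambda e: e.disclosed_on)


# Constructed sample log (not real disclosures).
SAMPLE_LOG = [
    Disclosure(1, "p001", date(2003, 4, 10), "County Health Dept", "public_health"),
    Disclosure(2, "p001", date(2005, 6, 1), "Dr. Smith (treating)", "treatment"),
    Disclosure(3, "p001", date(2007, 2, 15), "State Public Health", "public_health"),
    Disclosure(4, "p001", date(2008, 11, 3), "County Sheriff", "law_enforcement"),
    Disclosure(5, "p002", date(2008, 1, 1), "University IRB study", "research"),
    Disclosure(6, "p001", date(2009, 1, 20), "Misdirected fax recipient", "breach"),
]

if __name__ == "__main__":
    for e in build_accounting(SAMPLE_LOG, "p001", "2009-03-31"):
        print(e.disclosed_on, e.recipient, e.purpose)
```

For a request made on 2009-03-31 the window starts on 2003-04-14, so entry 1 falls outside it, entry 2 is exempt as treatment, and entry 5 belongs to another patient; the accounting lists entries 3, 4 and 6, and entry 4 drops out while the sheriff's suspension request is in effect.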

Page 36

Patient Rights: NOPP

Are we still required to request patients sign the Notice of Privacy Practices (NOPP) acknowledgment prior to their first visit?

Yes. Please continue to request they sign the acknowledgment before they see a provider for their first appointment at Northwest Counseling & Guidance Clinic (except in the case of emergency services, where staff will attempt to provide notification based on the needs of the client).

Patient signs the Acknowledgment of Receipt to confirm that they have been offered and/or received the Notice.

What is the purpose of the NOPP?
– Summarizes how Northwest Counseling & Guidance Clinic uses and discloses patients’ PHI.
– Details patients’ rights in respect to their PHI.

Page 37

Patient Rights: NOPP Reminders

If a patient or legal guardian refuses to take a NOPP, this is their right; do not force them to take one.

If a patient or legal guardian refuses to sign the acknowledgment form, document this on the form and in the system.

Once the patient turns 18, he/she must sign an acknowledgment form.

Host parents of a foreign exchange student may act on behalf of the student’s biological parent(s) and sign the NOPP acknowledgment form.

Page 38

Patient Rights: Privacy Complaints

Right to file a privacy complaint.
– Direct all requests or complaints regarding these rights to the Privacy Officer at 715-327-4322, extension 126.

Page 39

Security

One key element of protecting our patients’ PHI lies in maintaining the security of our systems, which house and transmit ePHI (electronic protected health information).

The HIPAA Security Rule outlines how we are to do this.

How do we protect our computer systems and our patients’ information in them?

Read on to explore this…

Page 40

Applying the Security Rule

Administrative Safeguards
– Policies and procedures of the organization are REQUIRED and must be followed by the employees to maintain security (i.e. disaster recovery of computer systems, use of the internet, use of email, faxing, use of voicemail, computer hardware and software standards).

Technical Safeguards
– Many technical devices are needed to maintain security. Examples include different levels of computer passwords, screen savers and devices to scan ID badges, data backups, disposal of media, encryption, audit trails. Computer and system processes are set up to protect, control and monitor information access.

Page 41

Applying the Security Rule

Physical Safeguards. Many physical barriers and devices are needed to maintain security. Examples include installing locks on doors, securing buildings and rooms, identifying visitors, locking file cabinets to protect the organization’s property and the health information.

Personnel Security. Organizational policies and procedures manage the assignment of access authority to employees and other workforce members. Procedures should address employee transfers, role changes and terminations. Effective security and privacy training must be conducted.

Page 42

Access to ePHI: UNs and PWs

How do we control access to electronic protected health information (ePHI) in our computer systems?

– By requiring all users to utilize individually unique Usernames (UNs) and Passwords (PWs), we control access to the information in each of our computer systems and applications.

– UNs and PWs control what users are able to access and help us identify what information users accessed in our applications.

Page 43

Access to ePHI: UNs and PWs Cont.

For these reasons, you may not share your UNs and PWs with anyone else (the only exception to this is to share a UN and PW with IS, if necessary, for troubleshooting a computer problem).

When leaving a computer, ALWAYS:
– Log off, OR
– Lock the computer screen (Ctrl-Alt-Del and select lock).

This prevents other users from using your applications.

Page 44

Access to ePHI: UNs and PWs Cont.

Creating strong passwords.
– Use at least 6-8 characters.
– Use a minimum of 2 letters and 1 number, and capital and lower case letters.
– Do not use PWs that may be easily guessed, such as: names (spouse’s, pet’s, child’s, etc.), significant dates, words, favorite team names, etc.

Note: UN and PW controls are required by law.

TIP: Use a “pass-phrase” to help you remember your password, such as: MbcFi2yo (My brown cat, Fluffy, is two years old).
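A checker that encodes the rules on this slide, together with the pass-phrase tip, as an added example (not code from the HIPAA COW deck or from the clinic). It assumes the upper end of the "6-8 characters" range as the minimum, a small constructed list standing in for the common words and team names the slide warns against, and that the caller supplies the personal names and dates to screen for; the function names are hypothetical.

```python
from datetime import date

MIN_LENGTH = 8  # assumption: the upper end of the slide's "at least 6-8 characters"

# Constructed stand-in for the "words, favorite team names, etc." the slide warns against.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "packers", "badgers", "brewers"}

# Spelled-out numbers a pass-phrase turns into digits (as in "is two years old" -> 2).
NUMBER_WORDS = {"zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
                "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9"}


def personal_tokens(names=(), dates=()):
    """Lower-case strings that must not appear in the password: names and date renderings."""
    tokens = {n.lower() for n in names if len(n) >= 3}
    for d in dates:
        d = date.fromisoformat(d) if isinstance(d, str) else d
        for fmt in ("%Y%m%d", "%m%d%Y", "%m%d%y", "%Y", "%m%d"):
            tokens.add(d.strftime(fmt))
    return tokens


def check_password(pw, names=(), dates=()):
    """Return the policy rules the password fails (an empty list means it is acceptable)."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("too_short")
    if sum(c.isalpha() for c in pw) < 2:
        failures.append("fewer_than_2_letters")
    if not any(c.isdigit() for c in pw):
        failures.append("no_digit")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        failures.append("no_mixed_case")
    lowered = pw.lower()
    if any(tok in lowered for tok in COMMON_WORDS | personal_tokens(names, dates)):
        failures.append("guessable")
    return failures


def passphrase_initials(phrase):
    """Build a password the slide's way: first letter of each word, number words as digits."""
    out = []
    for word in phrase.split():
        word = word.strip(",.;:!?\"'()")
        if word:
            out.append(NUMBER_WORDS.get(word.lower(), word[0]))
    return "".join(out)


if __name__ == "__main__":
    pw = passphrase_initials("My brown cat, Fluffy, is two years old")
    print(pw, check_password(pw, names=["Fluffy"], dates=["1985-03-12"]))
```

The pass-phrase on the slide yields MbcFi2yo, which passes every rule even though the pet's name was supplied, because the initials do not contain the name; "fluffy1" fails on length, case and the pet's name, and a date of birth embedded in an otherwise compliant password is caught by the date renderings.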

Page 45

Protect Your UNs and PWs

Memorize your PW. Don’t post UNs and PWs on your computer, notebook, tablet, under your keyboard, etc.
– Lock up your UNs and PWs so they may not be accessed by anyone else.

If you believe one of your PWs has been compromised, request the IT Department to change it.
– If you think PHI may have been inappropriately accessed, discuss it with the Privacy Officer.

Page 46

Help Protect Our Systems/Equipment

It is your responsibility to protect Northwest Counseling & Guidance Clinic’s systems/equipment/computers at all times.

Do not disable anti-virus software, malware protection, or any other security items unless directed by the IS Department.

If you have access from offsite (remote Citrix, Outlook web access, VPN, SSL, URL, etc.) and/or a PC, pager, phone, or PDA, this is for your use only.

– Family and friends may not utilize it.

Page 47

Email Security

It is against Northwest Counseling & Guidance Clinic policy to forward “joke emails”.
– “Joke” emails frequently have viruses attached to them and they take up a lot of space on our servers.

Refer to the Release of Information slides for emailing ePHI requirements.

Please report it to IT if you receive a suspicious and/or threatening email.

Page 48

Audit Trails of What I Access

Northwest Counseling & Guidance Clinic conducts random audits of employee and provider access to determine:
– Appropriateness of access, and
– If access is in compliance with Northwest Counseling & Guidance Clinic policies.

Audit trails show what patients have been accessed, the date and time of the access, what was accessed, etc.
– If access appears to be inappropriate, the Privacy Officer works with leaders, Human Resources and the employee/provider to determine whether or not it was appropriate.

The Security regulations require this.

Page 49

Audit Trails and HIPAA Violations

What are some common types of HIPAA privacy and security violations found in these audit trails and/or reported? Following are a few examples from which to learn…

Page 50

Audit Trails: Access to Own ePHI

An employee viewed his own appointment list. Another employee accessed her own lab results from her own workstation (using her own password). Is this against Northwest Counseling & Guidance Clinic policies?

Page 51

Audit Trails: Access to Own ePHI

Yes, it is Northwest Counseling & Guidance Clinic policy that you may not directly access your own medical record, using your own password, in any system/application.

PHI in the electronic medical record, scheduling/billing system, etc. is considered a part of your medical record. In fact, PHI in all Northwest Counseling & Guidance Clinic systems makes up your medical record.
– To view your medical record, contact the NWCGC Privacy Officer at 715-327-4322.
– To view your appointment list, contact a receptionist in the department in which you schedule appointments.
– To view your billing information, contact the billing office at 715-327-4322.

Page 52

Audit Trails: Access to a Family Member’s PHI and Unassigned Tasks

A receptionist scheduled an appointment for her child in a different department/site than she works. Is this against Northwest Counseling & Guidance Clinic policies?

Page 53

Audit Trails: Access to a Family Member’s PHI and Unassigned Tasks

Yes. Only schedule appointments as assigned in the departments in which you work. If you don’t work in that department, call the receptionist in that department and request him/her to schedule the appointment.

Note: while scheduling this appointment, the employee may have viewed appointment information which she did not have the right to see.

Don’t schedule appointments for or otherwise view, access, edit, etc. family members’ PHI, unless it is a part of your assigned duties, it is an urgent matter, AND nobody else is available to do the job at that time.

Page 54

Audit Trails: Access to PHI by a Coworker

An employee requested a coworker to view his/her appointment list to find the last time the employee had a physical in Internal Medicine. Her coworker does not work in the Internal Medicine department. Is this against Northwest Counseling & Guidance Clinic policies?

Page 55

Audit Trails: Access to PHI by a Coworker

Yes. It is inappropriate to ask your coworkers to do this if it is not part of their regular assigned job responsibilities.

If you need to know when you had your last physical, call the department in which you had this appointment (or will be scheduling your next appointment).

Page 56

Audit Trails: Securing Systems

When leaving his/her computer, an employee didn’t log off the electronic medical record; another employee then utilized it to look up her own and her family members’ transcriptions, appointment lists, medications, etc.

– Important Note: in this situation, both employees failed to follow Northwest Counseling & Guidance Clinic P&Ps, which require:
  – Logging off/securing all applications when unattended.
  – Using the password protected screensaver when leaving it unattended.
  – Not using another person’s login, unless they are training you and directly observing what you do.

Page 57

Audit Trails: Accessing More Than the Minimum Necessary

A clinical staff employee is assigned to routinely view and update medications, blood pressure, pulse, and weight for each patient being seen by the provider with whom she works. She was curious and concerned about a particular patient’s health, and therefore viewed several other records, such as lab results and specialist transcriptions.

– Note: It was determined this was a breach of confidentiality as she was not requested by her provider and/or supervisor to access this patient’s additional records.

Page 58

Audit Trails: Accessing More Than the Minimum Necessary

We may only access the minimum necessary to complete our assigned job responsibilities. This means we may not access information out of curiosity and/or concern about a patient’s health.
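The questions the Privacy Officer asks when reviewing the audit trails on the preceding slides (is the user looking at their own record, a family member's record, a patient seen in another department, or record types beyond their role's minimum necessary) can be run as detection rules over the access log so that a person reviews the hits rather than every row. This is an added example, not code from the HIPAA COW deck or the clinic's systems; the log format, the employee-to-patient and family lookup tables, and the role scopes are constructed assumptions, and the output is a worklist for human review, not a finding of wrongdoing.

```python
import csv
import io

# Constructed sample access log (not real data). Each row is what the slides say an
# audit trail records: who looked at which patient, when, and what they looked at.
ACCESS_LOG = """\
timestamp,user_id,user_dept,user_role,patient_id,patient_dept,record_type
2009-03-02T08:15:00,u100,internal_medicine,clinical_staff,p555,internal_medicine,vitals
2009-03-02T08:20:00,u100,internal_medicine,clinical_staff,p555,internal_medicine,lab_results
2009-03-02T09:05:00,u200,pediatrics,reception,p777,dermatology,appointments
2009-03-02T09:30:00,u300,billing,billing,p300,billing,billing
2009-03-02T10:00:00,u400,internal_medicine,provider,p888,internal_medicine,lab_results
"""

# Assumed lookup tables; a real review would pull these from HR and registration.
EMPLOYEE_PATIENT_IDS = {"u300": "p300"}   # the employee's own medical record
FAMILY_PATIENT_IDS = {"u200": {"p777"}}   # dependents/relatives on file for the employee
ROLE_RECORD_TYPES = {                     # minimum-necessary scope for each role
    "clinical_staff": {"vitals", "medications"},
    "reception": {"appointments"},
    "billing": {"billing"},
    "provider": {"vitals", "medications", "lab_results", "appointments", "transcriptions"},
}


def review_access_log(log_text, self_ids=EMPLOYEE_PATIENT_IDS,
                      family_ids=FAMILY_PATIENT_IDS, role_types=ROLE_RECORD_TYPES):
    """Return (timestamp, user_id, patient_id, flags) for every access worth a look.

    Flags mirror the slide scenarios: SELF_ACCESS (own record), FAMILY_ACCESS
    (relative's record), OUT_OF_DEPARTMENT (patient seen elsewhere) and
    BEYOND_ROLE (record type outside the role's minimum necessary).
    """
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        flags = []
        if self_ids.get(row["user_id"]) == row["patient_id"]:
            flags.append("SELF_ACCESS")
        if row["patient_id"] in family_ids.get(row["user_id"], set()):
            flags.append("FAMILY_ACCESS")
        if row["user_dept"] != row["patient_dept"]:
            flags.append("OUT_OF_DEPARTMENT")
        if row["record_type"] not in role_types.get(row["user_role"], set()):
            flags.append("BEYOND_ROLE")
        if flags:
            findings.append((row["timestamp"], row["user_id"], row["patient_id"], flags))
    return findings


if __name__ == "__main__":
    # Hits go to the Privacy Officer for a human determination; they are not verdicts.
    for ts, user, patient, flags in review_access_log(ACCESS_LOG):
        print(ts, user, patient, ", ".join(flags))
```

On the constructed log the clinical staff member's vitals lookup passes but her lab-results view is flagged as beyond her role (the slide 57 scenario), the receptionist's cross-department access to her child's appointments is flagged twice (slide 52), and the billing employee's view of his own account is flagged as self-access (slide 50); the provider's in-department lab view produces no hit.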

Page 59

The following slides provide examples of Privacy and Security violations to help you better understand how they occur so that you may help prevent them.

Page 60

Security Violations: Downloading Onto PCs

Users have downloaded software onto Northwest Counseling & Guidance Clinic computer/laptop/tablet. Is this ok?

Page 61

Security Violations: Downloading Onto PCs

No. We may not download anything onto our computers, laptops, notebooks, PDAs, etc. without the permission from the IT Administrator or Security Officer.

– This includes not downloading from the Internet, CD, flash drive, DVD, disc, software, etc.

– Why not? The IT Department or Security Officer verifies we have appropriate licenses and virus protection in place.

Did you know that downloading may slow down our systems?

Some downloads have interfered with the appropriate functioning of web based EHRs!

Page 62

Security Violations: Downloading From PCs

If it is absolutely necessary to copy or save files onto removable media, obtain approval from your Supervisor and encrypt the file so that it may only be accessed by utilizing the password (ask the IT Department how to encrypt a file).

– This includes downloading anything off our computers onto media such as a flash drive, USB, disc, CD, etc.

– Safeguard this removable media, and the password to access the information, at all times so that the information may not be inappropriately accessed.

– Immediately contact the IT Department and Security Officer if a device is lost or stolen.

Page 63

Other Types of Security Issues and Incidents

Theft (or loss) of a computer, laptop, PDA.

Inappropriate usage of Northwest Counseling & Guidance Clinic computers.

A technology-related situation which results in a significant adverse effect on people, process, technology, facilities, etc., such as:
– A system “glitch” which results in ePHI being accessed and/or sent to an inappropriate recipient.
– A virus that prevents users from being able to access PHI.

Page 64

What is Misuse of PHI?

Unauthorized:
– Access to…
– Using…
– Taking…
– Possession of…
– Release of…
– Edit of…
– Destruction of…

…patient PHI without authorization.

Page 65

Privacy Violations: How Do They Happen?

What are some common ways breaches of confidentiality occur?

– Many incident reports happen due to common human errors, such as the following:

Page 66

Privacy Violations: How Do They Happen?

Faxing to the wrong individual/location.

When searching for a patient’s address, her name is typed, her date of birth is not validated, and a patient with the same name is selected instead.

These can be prevented by double checking you have the right patient’s records prior to releasing PHI.

Page 67

Privacy Violations: Incorrect Patient on a Form

Jane Doe's name, medical record number, and date of birth were placed on a prescription and handed to Molly Sue. Is this considered a breach of confidentiality?

– Yes. If Molly Sue reads Jane Doe's name on this form, or on any other document, it is a breach of confidentiality.

Ask Molly Sue to return the incorrect prescription, and contact the Privacy Officer to walk through the reporting process.

Page 68

Privacy Violations: Incorrect Records Released

A patient requested that we send her 2006 mental health diagnosis to her provider outside Northwest Counseling & Guidance Clinic. In addition to the 2006 mental health diagnosis, we also released her 2004 and 2005 mental health diagnoses. Is this a breach of confidentiality?

Page 69

Privacy Violations: Incorrect Records Released

Yes. This is a breach of confidentiality, because more information than the patient requested was released (the 2004 and 2005 records).

Always keep in mind that we may release only the minimum necessary PHI to accomplish the purpose of the request, even when releasing to another treating provider, an insurance company, etc.

– Request that the provider return the 2004 and 2005 records, and contact the Privacy Officer.

Page 70

Privacy Violations: Incorrect Patient's Results Mailed

One patient's treatment plan was mailed to a different patient. Is this a breach of confidentiality?

– Yes. It is a breach of confidentiality if the treatment plan includes the other patient's name.

Request that the patient return the incorrect treatment plan, document the disclosure, and contact the Privacy Officer.

Page 71

Privacy Violations: Patient's Records Sent to Wrong Company

Patient records were sent to the wrong insurance company. Is this a breach of confidentiality?

– Yes. Because this insurance company does not provide coverage for this patient, it had no need to know anything about him/her.

Request that the company return the incorrect records, document the disclosure, and contact the Privacy Officer.

Page 72

Release of Information (ROI)

– What PHI may I release?
  – What WI laws and federal regulations apply?
– What information can be released without an authorization?
– What are the steps in releasing information?
– When is an authorization required?
– How do I verify the authority and identity of the requestor?
– Are there any restrictions which do not allow this release?
– Do I need to document the release?
– Why do I need to be doing all this?
– What are some practical release of information examples?

Please proceed to learn more about how to correctly release PHI.

Page 73

ROI: Applying the Steps

I received a request to release a patient's PHI. What now?

Whether releasing verbally or in writing, determine the following:

– Is the requestor legally authorized to receive the PHI? Important Note: when uncertain, ask the onsite administrator or the Privacy Officer, or obtain a signed authorization from the patient.
– Is a signed Authorization required? If yes, determine whether the Authorization is HIPAA and WI compliant (refer to the next slide).

Page 74

ROI: Valid Authorizations

Elements of a valid authorization:

1. Client/patient name and date of birth.
2. Name of the individual or agency authorized to make the requested disclosure.
3. Name of the person or organization to whom the disclosure is to be made.
4. Purpose of the disclosure.
5. Specific description of the type and amount of information to be released.
   A. If the release includes mental health, alcohol or drug abuse records or test results, or developmental disability records, these must be specified.
   B. If the release includes HIV test results, AIDS, or AIDS-related disease, the statement "HIV test results" is required.
6. Statement on the possibility of re-disclosure by the recipient, and that the information is then no longer protected by Northwest Counseling & Guidance Clinic.
7. Right to inspect a copy of the records released (required only for WI DHS 92 records).

Page 75

ROI: Valid Authorizations

Elements of a valid authorization (cont.):

8. Statement of the ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the authorization.
9. If the release involves marketing and direct or indirect remuneration to Northwest Counseling & Guidance Clinic by a third party, a statement reflecting this.
10. A statement of the right to revoke the authorization in writing, exceptions to the right to revoke, and how to request a revocation.
11. Expiration date or event.
12. Time period during which the authorization is effective.
13. Signature of the client/patient or legal personal representative, and the date signed.
    A. If signed by a legal personal representative, a description of his/her authority to sign.
14. A copy of the form is required to be given to the client/patient.

Refer to the HIPAA COW Authorization Form located at http://hipaacow.org/home/PrivacyDocs.aspx

Page 76

ROI: Authorization Not Required

There are times when an authorization is not needed.

Read on to find out when authorizations are not required…

Page 77

ROI: Permitted Uses and Disclosures of PHI Without an Authorization

– Uses and disclosures of PHI for treatment, payment, and health care operations (TPO):
  – Treatment
  – Payment
  – Health Care Operations
– Disclosures mandated by law.

If the use of the information does not fall under one of these categories, you must have the patient's signed authorization (written permission) before sharing that information with anyone.

Page 78

ROI: When is an Authorization Required?

(Diagram: "Authorization Required" vs. "Authorization Not Required")

Page 79

ROI: General Wisconsin "Confidentiality" Laws

WI laws may require authorizations even though HIPAA does not require them. The next few slides summarize a few of the more commonly used WI laws…

Page 80

ROI: General Wisconsin "Confidentiality" Laws

Statute                 Summary
146.82, Wis. Stat.      Covers general medical health care PHI and authorization requirements.
51.30, Wis. Stat.       Covers PHI relating to mental health, AODA, and developmental disability treatment; authorization requirements; and penalties.
DHS 92, Adm. Code       Further covers confidentiality of mental health treatment records (with 51.30).
DHS 144, Adm. Code      Covers release of immunization records between vaccine providers, and to schools, specifically for minors.

Page 81

ROI: General Wisconsin "Confidentiality" Laws

Statute                        Summary
102.13 & 102.33, Wis. Stat.    Covers records reasonably related to a worker's compensation claim and their release to the employee (patient), employer, worker's compensation insurer, or Department upon written request.
610.70, Wis. Stat.             Covers disclosure of personal medical information by insurers.
252.15, Wis. Stat.             Covers health care information relating to HIV testing and authorization requirements.

Page 82

ROI: Other Regulations to Consider

Regulation        Summary
42 CFR, Part 2    Federal alcohol and drug regulations covering the use and release of a patient's drug and alcohol abuse records in a federally assisted program.

Page 83

ROI: Identity Verification

Prior to releasing PHI, ask the individual to provide you with enough information to identify the patient, such as:
– Name
– Date of birth
– Address
– Other identifiers: Social Security number, mother's maiden name

Identify someone other than the patient by requesting that he provide you with all of the above information, as well as his relationship to the patient.

Additional ways to verify the requestor:
– Check a physical signature against a known one on file.
– Make a call-back to a known number (one already on file or looked up independently, not one the caller gives you).
– Ask for a photo ID.
– Ask for a business card.

Provide only the minimum necessary to safeguard PHI.

Refer to the HIPAA COW Identity Verification Policy located at http://hipaacow.org/home/PrivacyDocs.aspx

Page 84

ROI: Authority Verification

Who are you?

Once you know who the requestor is, be sure he or she has the right to access this information.

Routine requests from employees you know in our organization, who have a need to know the information for business reasons, are OK.

Unusual requests from individuals you don't know can be risky, so before sharing PHI:
– Ask your supervisor.
– And/or check your procedure.

Page 85

ROI: Individual Needs to Find Patient in Any Setting

If an individual would like to find out whether a patient is in our facility:
– Do not confirm or deny that the patient is here, and politely end the phone call.
– After ending the call, notify the client (and/or the parent/guardian in the case of a minor client) that the individual inquired about them, and ask how they would like to proceed for future contacts with this person.

Page 86

ROI: Minimum Necessary

– Release only the requested PHI, and include sensitive PHI (mental health, HIV/AIDS, STDs, etc.) only if it is specifically authorized.
– Release the minimum necessary (note: this may be less than what was requested).
  – Limit access to what is needed to accomplish the purpose for which the request was made (or that which was authorized).
  – Do not disclose an entire medical record unless it is specifically justified as the amount of PHI that is reasonably needed to accomplish the purpose of the use or disclosure.

Page 87

ROI: Documentation

Document the release when required by law and by our organization's policies. See the "Accounting of Disclosures" policy in the HIPAA policy manual.

Effective April 1, 2008, Wisconsin Statute 146 no longer requires documentation of disclosures for purposes relating to treatment (providing and coordinating care), payment (billing for services rendered), and health care operations (internal business).

Page 88

ROI: Documentation (Continued)

Document the release per WI Statute, HIPAA, and our organization's policies. See the "Accounting of Disclosures" policy in the HIPAA policy manual.

For example, HIPAA requires documentation of breaches, public health reporting, etc. This documentation would be made directly in the client's file.

Page 89

ROI: Documentation (Continued)

What are we required to document?
– Date of the disclosure
– The name of the person the PHI was released to (and address, if known)
– A brief description of the PHI disclosed
– The purpose of the release

Other suggested items, but not required:
– Received date
– Who released the information
– How the information was disclosed *

* Also required if the information is from a 51.30 treatment record.
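The ROI steps on the preceding slides (verify the requestor, decide whether a signed authorization is required and whether it covers the request, release only the minimum necessary, and record the required accounting-of-disclosures fields) can be written down as one policy check. The Python below is an added illustration and is not HIPAA COW's or any clinic's code: the class and field names, the record-type labels, the reading that sensitive categories always need an authorization naming them, and the sample request (modelled on the "Incorrect Records Released" slide) are all assumptions made for this example.

```python
# Policy-as-code for the ROI steps on the slides. All names, record-type
# labels and the sample request are invented for this example.
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple

# Purposes the slides list as not needing a signed authorization.
NO_AUTH_PURPOSES = frozenset({"treatment", "payment", "operations", "required_by_law"})
# Record types the slides call sensitive: released only when an authorization names them.
SENSITIVE_PREFIXES = ("mental_health", "aoda", "hiv", "std", "developmental_disability")
# Fields the slides say every accounting-of-disclosures entry must carry.
REQUIRED_FIELDS = ("date", "recipient", "description", "purpose")
AS_OF = date(2009, 3, 31)          # "today" for the sample run below
AFTER_EXPIRY = date(2010, 1, 1)    # a date past the sample authorization's expiry


def is_sensitive(record_type: str) -> bool:
    return record_type.startswith(SENSITIVE_PREFIXES)


@dataclass(frozen=True)
class Authorization:
    patient: str
    recipient: str                  # person or organization the disclosure goes to
    record_types: FrozenSet[str]    # types spelled out on the form
    signed_on: Optional[date]
    expires_on: Optional[date]      # expiration date (an "event" would need its own field)
    revoked: bool = False


@dataclass(frozen=True)
class ROIRequest:
    patient: str
    requestor: str
    purpose: str
    requested: FrozenSet[str]       # what the requestor asked for
    needed: FrozenSet[str]          # what the stated purpose actually requires
    requestor_verified: bool        # identity and authority checked per policy
    authorization: Optional[Authorization] = None
    from_51_30_record: bool = False  # WI 51.30 treatment record


def authorization_problems(auth: Optional[Authorization], req: ROIRequest, today: date) -> List[str]:
    """Reasons the authorization cannot be relied on; an empty list means it is usable."""
    if auth is None:
        return ["no signed authorization on file"]
    problems = []
    if auth.patient != req.patient or auth.recipient != req.requestor:
        problems.append("authorization names a different patient or recipient")
    if auth.signed_on is None:
        problems.append("authorization is not signed")
    if auth.revoked:
        problems.append("authorization has been revoked")
    if auth.expires_on is None or auth.expires_on < today:
        problems.append("authorization has expired or has no expiration")
    return problems


def decide(req: ROIRequest, today: date) -> Tuple[bool, FrozenSet[str], List[str]]:
    """Return (allowed, record types to release, reasons)."""
    if not req.requestor_verified:
        return False, frozenset(), ["requestor identity or authority not verified"]
    needs_auth = req.purpose not in NO_AUTH_PURPOSES or any(map(is_sensitive, req.requested))
    if needs_auth:
        problems = authorization_problems(req.authorization, req, today)
        if problems:
            return False, frozenset(), problems
        scope = req.authorization.record_types
    else:
        scope = req.requested
    # Minimum necessary: never more than was asked for, never more than the
    # purpose needs, and never a type the authorization does not name.
    release = req.requested & req.needed & scope
    withheld = req.requested - release
    reasons = ["minimum necessary: withheld " + ", ".join(sorted(withheld))] if withheld else []
    return True, release, reasons


def disclosure_entry(req: ROIRequest, released: FrozenSet[str], today: date, released_by: str,
                     method: Optional[str] = None, recipient_address: Optional[str] = None) -> dict:
    """Build the accounting-of-disclosures record; raise if a required field is missing."""
    if req.from_51_30_record and not method:
        raise ValueError("51.30 treatment record: how the PHI was disclosed must be recorded")
    entry = {
        "date": today.isoformat(),
        "recipient": req.requestor,
        "recipient_address": recipient_address,   # "if known"
        "description": ", ".join(sorted(released)),
        "purpose": req.purpose,
        "released_by": released_by,               # suggested, not required
        "method": method,                         # required for 51.30 records
    }
    missing = [k for k in REQUIRED_FIELDS if not entry[k]]
    if missing:
        raise ValueError("accounting entry missing: " + ", ".join(missing))
    return entry


# Constructed sample mirroring the "Incorrect Records Released" slide: the patient
# authorized only the 2006 mental health diagnosis, but 2004 to 2006 were pulled.
SAMPLE_AUTH = Authorization(
    patient="MRN-000123", recipient="Outside Provider LLC",
    record_types=frozenset({"mental_health_2006"}),
    signed_on=date(2009, 3, 1), expires_on=date(2009, 9, 1))
SAMPLE_REQUEST = ROIRequest(
    patient="MRN-000123", requestor="Outside Provider LLC", purpose="patient_request",
    requested=frozenset({"mental_health_2004", "mental_health_2005", "mental_health_2006"}),
    needed=frozenset({"mental_health_2004", "mental_health_2005", "mental_health_2006"}),
    requestor_verified=True, authorization=SAMPLE_AUTH, from_51_30_record=True)
```

Running `decide(SAMPLE_REQUEST, AS_OF)` allows the release but trims it to the 2006 record and reports the 2004 and 2005 records as withheld, which is the outcome the slide says should have happened; `disclosure_entry` then refuses to write the accounting record for a 51.30 treatment record until the method of disclosure is supplied. The same request made for a TPO purpose would skip the authorization check, except that any sensitive record type still forces one.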

Page 90

ROI: Documentation

Why do we have to document when we release PHI (when required by law)?

– Patients have the right to request from us a record of what PHI was released and to whom (Accounting of Disclosures).

Page 91

ROI:

Wow! That's a lot to know! Were you aware that you can ask the onsite administrator and/or the Privacy Officer if you have questions or concerns related to the release of information?

That's right! If you aren't absolutely 100% certain whether you can (or how to) release information, STOP and ask for help by calling 715-327-4322, extension 126.

Following are some examples of release situations…

Note: these steps must be followed each time you release information, whether verbally or in writing.

Page 92

ROI: Family and Friends

– Patient present and alert: the patient decides.
– Patient incapable of making wishes known: permission to discuss current care is inferred.
– Care or payment:
  – Information needed for the patient's care.
  – The person must clearly be involved in payment for care (involvement is obvious, or the patient has said so).
– Notify family or friend(s):
  – When involved in the patient's care.
  – Of the patient's general condition.
  – Of the patient's location.
  – When the patient is ready for discharge.
  – Of the patient's death.

Note: paper copies may not be released under these examples.

Page 93

ROI: Divorced Parents

A parent calls to get information on their child. Can you release it?
– If the parents are divorced, either parent may get access to the records with a proper release. Assume that they can get records unless told otherwise.
– In the case where the parental rights of one parent have been terminated, the parent with sole rights is responsible for providing that information to us.
– When in doubt, call the parent who has physical placement to ask whether the other parent is allowed to obtain records. If they say no, they would be required to present the corresponding court documents. If they say yes, obtain permission and document what was provided.

Page 94

ROI: Legal Guardians

An individual calls to discuss appointment information with you for a patient and states that he is the patient's legal guardian. May I discuss this with the individual?
– Yes, after verifying that the individual is the patient's legal guardian and has access rights to the type of records being requested. Here's how to verify:

Prior to releasing PHI, ask the individual to provide you with enough information to identify the patient, such as:
– Name
– Date of birth
– Address
– Other identifiers: ask them to verify other identifying information that we would have in the client file (SSN, etc.).

Page 95

ROI: Step-Parents

A step-parent calls to discuss her stepchild's care. May you discuss this with her?

– No, unless the step-parent is a legal guardian and we have the guardianship papers on file, or a legal guardian has provided authorization.
– Step-parents may call to schedule appointments, but they do not have access to their stepchildren's PHI without authorization by a legal guardian.

Page 96

ROI: Foster Parents

Can foster parents get information on the child they are caring for?
– Yes, if they have guardianship or other court papers, or an authorization from the birth parent, allowing them the right of access.
– If they don't have any legal papers and a health care provider needs the information, you may release it directly to the care provider.

Page 97

ROI: Workers' Compensation PHI to an Employer

When releasing workers' compensation records to an employer and/or work comp carrier, may I release the rest of the patient's medical history (not related to the work comp claim with that employer)?
– No. Without an authorization, the patient's employer and work comp insurance carrier have the right to only those records reasonably related to the workers' compensation claim/condition.
– Request that the patient sign an authorization form to release additional types of records.

Page 98

ROI: Leaving Messages

A spouse answers the phone, or the voice mail picks up. What information may I provide? Unless the client has requested that we not call their home or leave messages:
– State your first name and that you are calling from Northwest.
– Ask the patient to return your call, and provide your direct phone number.
– Do not provide detailed information, other than an appointment reminder.
– Example: "This is Sally from Northwest calling for Johnny Doe. Please call me back at your earliest convenience at (the phone number where you can be reached). Thank you."
– Double-check that you ended the call.

Page 99

ROI: Faxing PHI

May we fax PHI?
– Yes, we may fax PHI, but only when in the best interest of patient care or payment of claims.
– We may not fax sensitive PHI (HIV, mental health, AODA, STDs, etc.), unless approval is given on the ROI.
– It is best practice to test a fax number prior to faxing PHI to it. If this is not done, then complete the following:
  – Restate the fax number to the individual providing it to you.
  – Obtain a telephone number to contact the recipient with any questions.
  – Do not include PHI on the cover sheet.
  – Verify you are including only the correct patient’s information (i.e. check the top and bottom pages).
  – Double check the fax number prior to “sending” it.

Page 100

ROI: Email

When sending ePHI to anyone for treatment, payment or healthcare operations, encrypt the email and verify that the organization’s confidentiality email disclaimer is included on the email.

Page 101

And now, for some general safeguarding tips…

How else can I protect our patients’ PHI?

Page 102

Safeguarding: Discussing PHI

You never know who may overhear you discussing a patient. The patient or coworker could be the patient’s neighbor, best friend, cousin, etc…
– Remember to talk quietly.
– When possible, discuss PHI privately, such as behind a closed door.
– Avoid having discussions in patient waiting rooms, elevators, cafeteria, etc.

Page 103

Safeguarding PHI: Approaching a Co-worker

You need to talk with a co-worker, but she is talking with a different patient to schedule his appointment. What should you do?
– Provide your co-worker with the privacy to finish working with that patient and approach her when she is done.

Page 104

Safeguarding: Seeing a Patient Outside [Organization]

You’re walking through the grocery store one day, and see a Northwest Counseling & Guidance Clinic patient. What should you do?
– It’s ok to say hello but don’t ask the patient “how she’s doing” or questions about her health. It’s ok to listen if she offers to update you on her health.
– Let the patient approach you first, but don’t make it seem like you are trying to avoid her.

Page 105

Safeguarding: Talking with Friends About Work

You had a negative encounter with a patient and really need to vent to a friend after work. What can you discuss?
– Working in health care isn’t easy, and patient confidentiality MUST be maintained at all times: at work, during non-work hours and after your employment ends with the organization.

Here are some helpful tips…

Page 106

Safeguarding: Talking with Friends About Work

Do not share with family, friends, or anyone else a patient’s name, or any other information that may identify him/her, for instance:
– It would not be a good idea to tell your friend that a patient came in to be seen after a severe domestic dispute incident. Why? Your friend may hear about the domestic dispute on the news and know the person involved.

Do not inform anyone that you know a famous person, or their family members, were seen at this organization.

Page 107

Safeguarding PHI: Media

If I am contacted by the media, may I release PHI to them? If I am contacted by an individual offering to pay me for PHI, may I release it to them?
– No! You may not release PHI under either of these circumstances. Both are grounds for disciplinary action.
– Refer the requestor to the Privacy Officer.

Page 108

Safeguarding PHI: Delivery

I need to transport paper records/PHI to another department. Is it ok for me to do this?
– Yes, you may transport documents to another department.
– Secure them so you don’t drop them:
  – Carry them close to your person.
  – Carry them in a facility designated bag, box, or container.
  – Ensure no names are visible.
  – Ensure that no records are left unattended.

Page 109

Safeguarding PHI: Transporting Offsite

When necessary to transport PHI externally:
– Place in a locked briefcase, closed container, or sealed self-addressed interoffice envelope;
– Place PHI in the trunk of your vehicle, if available, or on the floor behind the front seat;
– Lock vehicles when PHI is left unattended.

You may not transport patient charts between departments or offsite unless authorized by the onsite administrator.

Page 110

Safeguarding PHI: Interoffice Mail

Send all PHI in sealed interoffice envelopes.
– Verify all PHI was removed from the envelope before stuffing it.
– Address them to the correct individual and department.
– Mark the envelope “confidential”.
– Confirm you are sending the correct PHI.

Page 111

Safeguarding PHI: Paper

Turn over/cover PHI when you leave your desk/cubicle so others cannot read it.
– If you have an office, you have the option of closing your door instead.

Turn over/cover PHI when a coworker approaches you to discuss something other than that PHI.

Page 112

Safeguarding PHI: Paper Continued

Don’t leave documents containing PHI unattended in fax machines, printers, or copiers.

Check your fax machine frequently so documents are not left on the machine.

Page 113

Safeguarding PHI: Disposal

How should I dispose of confidential paper?
– Shred or place all confidential paper in the designated confidential paper bins.

Does this include Post-it notes, scratch paper, envelopes, and old non-confidential documents we no longer need?
– No. Please put these in the recycling paper bins!

Does this include tissue, paper plates, cardboard, and pizza boxes?
– No. Please put these items in the regular trash or other appropriate recycling container!

How should I dispose of electronic media (floppy disk, CD, USB drive, etc.)?
– Provide electronic media to the IT Department to dispose of it.

Page 114

Facility Security

How can I help protect our facilities?
– Wear your ID badge at all times, if provided (it helps identify you as a Northwest Counseling & Guidance Clinic employee/provider).
– Only let employees enter through employee entrances with you.
– Keep hallway doors that lead to patient care areas closed.
– Request vendors and contracted individuals to sign in.

Page 115

What are Restricted Areas?

Restricted areas are those areas within our facilities where PHI and/or organizationally sensitive information is stored or utilized.
– Receptionist stations
– Business office windows
– Records Department
– Patient care hallways/treatment areas
– Offices
– Storage closets and cabinets
– Accounting, Human Resources, Administration Offices, IT Department, etc.
– Employee meeting rooms/kitchens in the departments
– Areas containing potential safety hazards (ex. medical imaging, lab, nuclear medicine, etc.)

Page 116

Facility Security Continued…

– If you see someone in a restricted area and you do not recognize them, kindly ask “May I help you?”
  – Escort the individual out of the restricted area and to the individual/area he/she is visiting.

Page 117

Business Associate Agreements

If you initiate negotiations to contract with a company to perform, or assist in the performance of, a function or activity involving the use or disclosure of PHI, please contact the Northwest Counseling & Guidance Clinic Privacy Officer to obtain a Business Associate Agreement (BAA). Examples of when to obtain a BAA with a company include:
– Claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and re-pricing; and
– Legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.

Page 118

Other Confidentiality Agreements

When initiating a contract with a company to perform work for Northwest Counseling & Guidance Clinic which will not have direct access to PHI, request that they sign a Confidentiality Agreement.

Page 119

HIPAA and Your Role

Remember, it is your responsibility, as a Northwest Counseling & Guidance Clinic employee or provider, to comply with all privacy and security laws, regulations, and Northwest Counseling & Guidance Clinic policies pertaining to them.

Employees and providers suspected of violating a privacy or security law, regulation, or Northwest Counseling & Guidance Clinic policy are provided reasonable opportunity to explain their actions.

Violations of any law, regulation, and/or Northwest Counseling & Guidance Clinic policy will result in disciplinary action, up to and including termination.

Page 120

HIPAA Violations:
- How Much is Enough?
- How Much is too Much?

There are three types of violations:
– Incidental
– Accidental
– Intentional

Page 121

Incidental Violations

If reasonable steps are taken to safeguard a patient’s information and a visitor happens to overhear or see PHI that you are using, you will not be liable for that disclosure.

Incidental disclosures are going to happen… even in the best of circumstances.

An incidental disclosure is not a privacy incident. This type of disclosure is not required to be documented.

Page 122

Accidental Violations

Mistakes happen. If you mistakenly disclose PHI or provide confidential information to an unauthorized person, or if you breach the security of confidential data:
– Acknowledge the mistake and notify your supervisor and the Privacy Officer immediately.
– Learn from the error and help revise procedures (when necessary) to prevent it from happening again.
– Assist in correcting the error only as requested by your leader or the Privacy Officer. Don’t cover up or try to make it “right” by yourself.

Accidental disclosures are Privacy Incidents and must be reported to your Privacy Officer immediately! It is required to document this disclosure.

Page 123

Intentional Violations

If you ignore the rules and carelessly or deliberately use or disclose protected health or confidential information, you can expect:
– Disciplinary action, up to and including termination.
– Civil and/or criminal charges.

Examples include:
– Accessing PHI for purposes other than assigned job responsibilities.
– Attempting to learn or use another person’s access information.

If you’re not sure about a use or disclosure, check with your Supervisor or the Privacy Officer.

Page 124

Reporting HIPAA Violations

If you are aware or suspicious of an accidental or intentional HIPAA violation, it is your responsibility to report it.

– Northwest Counseling & Guidance Clinic may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against anyone who in good faith reports a violation (whistle-blowing).
– Refer to the Office of Civil Rights web page http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html for more examples of what and how to report.

Page 125

It’s Important to Report HIPAA Violations…

So they can be investigated, managed, and documented.

So they can be prevented from happening again in the future.

So damages can be kept to a minimum.

To minimize your personal risk.

In some instances, management may have to notify affected parties of lost, stolen, or compromised data.

Incidental disclosures need not be reported, but if you’re not sure, report them anyway.

Page 126

Patient Complaints

Report all patient complaints. We are required by law to respond to privacy and security complaints.

Page 127

How May I Report a HIPAA Privacy Violation?

Directly to your Supervisor, who in turn reports it to the Privacy Officer.

Call or email the Privacy Officer.

Page 128

How May I Report a HIPAA Security Violation?

If it involves a breach of patient confidentiality, report it through the same methods listed for Privacy Violations.

If it does not involve a breach of confidentiality, report it through one of the following methods:
– The same methods listed for Privacy Violations
– Call or email the Security Officer.

Page 129

Questions, Comments, Concerns…

Please contact your Privacy Officer, at
715-327-4322 Extension 126
[email protected]

Please contact your Security Officer, at
715-327-4322 Extension 126
[email protected]

Not sure which way to go?

Page 130

Remember to complete your training documentation and turn it in to your supervisor.

Page 131

Thank you, from.... The Privacy and Security Committees

Hand in Hand, Protecting All Accounts!

Refer to the HIPAA COW website for privacy, security, and EDI reference materials: http://hipaacow.org/home/home.aspx

Page 132

HIPAA COW Authors

Primary author: Holly Schlenvogt, MSH, ProHealth Care Medical Associates, Privacy Officer

Contributing authors:
– Cami Beaulieu, Red Cedar Medical Center, ROI Supervisor and Privacy Assistant
– Jane Duerst Reid, RHIA, Clear Medical Solutions, HIM Consultant
– Linda Huenink, MS, RHIA, Wk Co. Dept. of Health & Human Services, Records Supervisor
– Carla Jones, Senior Staff Attorney/Privacy Officer, Marshfield Clinic Legal Service
– Kathy Johnson, Privacy & Compliance Officer, Wisconsin Dept. of Health Services
– Melissa Meier, ProHealth Care Medical Associates, Corporate Compliance Coordinator
– Kim Pemble, Executive Director, WI Health Information Exchange (WHIE)
– LaVonne Smith, Information Services Director, Tomah Memorial Hospital

Reviewed by: HIPAA COW Privacy & Security Networking Groups