II.E.1

APPENDIX A

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)

Table of Contents

  • What Is HIPAA?
  • Samaritan Institute Disclaimer
  • Four Parts of HIPAA Regulations
  • Mandatory Safeguards for Protected Health Information (PHI)
    • Step One: Appoint a Compliance Officer
    • Step Two: Create a Compliance Notebook
    • Step Three: State Laws and HIPAA Regulations
    • Step Four: Do a Security Audit
      • Security Audit Checklist
      • Psychotherapists Notes
    • Step Five: HIPAA Policy and Procedures Statement
    • Step Six: Notice of Privacy Practices Statement
      • Notice of Privacy Form
      • Comments and Instructions
    • Step Seven: Business Associate Agreements
      • Base Agreements with Business Associates
      • Memorandum of Agreement
    • Step Eight: Supplementary Forms
      • Receipt of Notice of Privacy Practices
      • Consent for Use and Disclosure of PHI
      • Revocation of Consent
      • Staff Review of Policies and Procedures
      • Complaint Form
      • Comments and Instructions
    • Step Nine: Elaborations and Recommendations
      • How HIPAA Might Unfold
      • Samaritan Institute Recommendations
  • Questions and Answers

II.E.1 HIPAA

Health Insurance Portability and Accountability Act

What HIPAA is about:

  • Client confidentiality
  • Storage and access to client information
  • Security of electronic information.

DESCRIPTION

HIPAA, also known as the Kennedy-Kassebaum Act, was passed in 1996 and was followed by a lengthy rule-writing process in the Department of Health and Human Services. The act was intended to improve the efficiency of healthcare delivery by standardizing electronic data interchange, and to protect the confidentiality and security of health data by setting and enforcing standards. Fully implemented, it results in sweeping changes to most healthcare transactions and administrative information systems.

HIPAA also calls for severe civil and criminal penalties for non-compliance. These will include fines up to $25,000 for multiple violations of the same standard in a calendar year, and fines up to $250,000 and/or imprisonment up to 10 years for knowing misuse of individually identifiable health information.

DISCLAIMER

In what follows, the Samaritan Institute has done its best to give you accurate and complete information for use in HIPAA compliance. However, you should know that there may be no single source of information guaranteed to be both accurate and complete. In reality, the rules and regulations will probably be a work in progress for some time to come. But, this in no way relieves you of the requirements to become HIPAA compliant. As noted above, the fines and penalties for noncompliance are harsh.

One other important consideration: although the HIPAA material in this section is based as accurately as possible on written government documents, the Samaritan Institute does not have the legal standing to authorize this information. For this reason, it is important for Samaritan Centers that use this information to consult with their own attorneys for definitive interpretation.

Please remember: these statements about HIPAA do not constitute legal advice. Your due diligence should include a careful review of other sources, consultation with authoritative sources, and staying current with your professional reading.

FOUR PARTS OF HIPAA REGULATIONS: DEFINITIONS

There are four parts of the act:

  • Electronic Health Transactions Standards
  • Unique Identifiers
  • Security and Electronic Signature Standards
  • Privacy and Confidentiality Standards.

Each of these is described below.

1. Electronic Health Transactions Standards (sometimes referred to as “transactions”). This part requires the use of electronic formats developed by the American National Standards Institute. Examples of transactions include, but are not limited to:

  • health plan eligibility inquiries
  • claims status
  • coordination of benefits
  • payments for care provided
  • related transactions.

Virtually all health plans will have adopted these standards, even if the transaction is by FAX, phone, email, or some other form of electronic transmission mechanism. As you do business with third party payers, you should expect that those companies will require your Center’s compliance with the transactions standards.

2. Unique Identifiers for Providers, Employers, Health Plans, and Patients/Clients. Often, this is referred to as the “identifiers” section. The current system is set up for the use of identification numbers when communicating across the health care spectrum. As you do any business with third party payers, you may anticipate that they will provide you with guidelines for implementing this section of the act. In the meantime you can register for a National Provider Identifier Number, individually or as a Center, by going to this federal website:

3. Security of Health Information and Electronic Signature Standards. All health information, including billing and scheduling, will be subject to uniform standards as long as that information is:

  • stored electronically;
  • transmitted electronically; and
  • pertinent to an individual.

If any information transmitted about a client requires an electronic signature, the standards will ensure:

  • the transmission integrity of the message;
  • a means to authenticate the user; and
  • a means to determine when to repudiate the electronic signature.

You may anticipate that security standards will address a wide variety of issues related to the physical storage, maintenance, transmission, and access of individual client electronic and paper data.

4. Privacy and Confidentiality. These standards speak to the question of who has the right to access an individual’s electronic and/or paper-based health information. The issues to be addressed include but are not necessarily limited to:

  • non-consensual use and release of private health information;
  • rights giving patients/clients access to their own information;
  • rights giving patients/clients knowledge about who else has accessed their information;
  • civil and criminal penalties for improper use and disclosure of patient/client information;
  • requirements for access to records by researchers and others (e.g., accreditation visitors).

You may also wish to check the following for additional information:

  • The United States Health and Human Services web pages
  • professional organizations to which you may belong
  • legal counsel available to your board of directors.

MANDATORY STEPS TO SAFEGUARD

PROTECTED HEALTH INFORMATION

This section begins to cover the steps for safeguarding protected health information and complying with these standards. They are based on government sources and are listed here in the order usually found. These steps address the question: How can Samaritan Centers avoid HIPAA non-compliance problems?

STEP ONE

Appoint a Compliance Officer

This individual should be someone who operates your Center’s “clearinghouse” on all HIPAA matters. Take the following into consideration in making this appointment:

  1. The HIPAA Compliance Officer (HCO) will be a clinician or, at least, very conversant with clinical concepts and procedures.
  2. If the HCO is not the Executive Director (E.D.), he or she will be someone who reports directly to the E.D.
  3. The HCO will have high credibility with clinical and support staff.
  4. The HCO will be capable of designing and delivering on-going in-service training programs for the Board of Directors and Staff.
  5. The HCO will be the person responsible for keeping all HIPAA procedures current.
  6. The HCO will function as the “point of entry” for all HIPAA-related complaints and grievances.
  7. The HCO will empower the Board, clinical staff, and support staff to recognize and resolve privacy-related issues.
  8. If possible, the HCO will have an “understudy” ready to carry on in the HCO’s absence or departure. Failure to comply is not excused by the HCO having left the Center or having been on vacation.

STEP TWO

Create a Compliance Notebook

This should look at least as professional as the best example of anything your Center puts out. That does not mean that it needs to be professionally printed with high-end graphic arts. It does mean that it should be well organized with something like divider tabs and a work-in-progress table of contents or index.

The HIPAA Compliance Notebook should include the following:

  1. A copy of all HIPAA information received from the Institute.
  2. A copy of the electronic confirmation number you received if you initially complied with the October 15, 2002 deadline. If you did not meet the deadline, this is now moot.
  3. A listing of Board meeting minutes that document ongoing discussions about HIPAA with your Board. Be certain that you can back up the listing with the actual minutes if you don’t want the minutes in your compliance notebook. The more Board minutes you can cite, the better you can demonstrate your good intentions about compliance.
  4. A listing of staff meeting minutes that document the ongoing discussion about HIPAA with your staff. If you don’t keep minutes of staff meetings, at least start keeping something like “HIPAA Minutes” and include those in the notebook.
  5. References to any written materials you and your staff have read about HIPAA.
  6. Reference to any presentations and workshops about HIPAA you and your staff have attended.
  7. The name and resume of your HIPAA Compliance Officer (HCO) together with the name and resume of the “understudy” if any.
  8. Other items as you think appropriate. For example, the Samaritan Institute will make additional suggestions about the contents of the notebook.

CAUTION! Since some attorneys might suggest that less detail is better than more on some of these points, you may wish to consult with your Board’s attorney on this matter. For now the Institute is erring on the side that more is better. If we discover good reasons for changing our thinking on this, we will let you know.

STEP THREE

Recognize how state laws and HIPAA dovetail

If your state’s laws, rules, and/or regulations are in any way more stringent than HIPAA, you must follow those mandated by your state. Said another way, you can exceed HIPAA mandates by complying with state mandates but you cannot fall below HIPAA’s mandates. Carefully document the appropriate state laws and put them in your Compliance Notebook. Since each state’s statutes are unique, the Institute is not in a position to give detailed references to state laws.

You should be thoroughly familiar with your state’s existing laws governing client records, privacy, confidentiality, and all related issues. If not, you may wish to enlist the services of an attorney to update your information. Pay particular attention to the following questions as they apply in your state:

  • Can clients access their own records and those of dependent children, and under what circumstances?
  • Can clients submit amendments to any of their records, and under what circumstances?
  • Can clients see an accounting of disclosures you have made of the information that you have about them, including those they have given permission to disclose? (HIPAA is thought to exempt disclosures made as part of the treatment plan to third party payers.)
  • What about disclosures related to involuntary hospitalization, child abuse, elder abuse, potentially violent sexual predators, certain information required by law enforcement agencies, etc.?

STEP FOUR

Do a Security Audit

This step will involve completion of a security inventory, sometimes called a security audit, or gap analysis. Once completed, you should put this in your HIPAA Compliance Notebook. Again, this checklist does not guarantee compliance with HIPAA, nor does it constitute legal advice.

The Security Audit is in the form of a checklist. It starts on the next page.

SECURITY AUDIT CHECKLIST

  1. Is all client Protected Health Information (PHI) of any kind (e.g. paper, electronic, dry erase boards, databases, appointment schedules, palm pilots, etc.) stored under lock and key in a space dedicated exclusively to client information? If not, how will you remedy?
  2. Are all telephones over which a client might in any way be referenced well out of the hearing range of any person not authorized to hear those references? If not, how will you remedy? (Reminder: Some staff may not have authorization.)
  3. When client records are out of storage and in use, are their contents protected from unauthorized viewers at all times? If not, how will you remedy? (Reminder: Some staff may not have authorization.)
  4. Is any reference to a client – e.g., appearing on a computer screen, paper document, chalk/dry erase board, telephone message form, task list, appointment books, “palm pilots” – protected from unauthorized viewers at all times? If not, how will you remedy? (Reminder: Some staff may not have authorization.)
  5. Do you refrain from making any reference to a client over a cell phone or other wireless technology without taking suitable precautions to protect the client’s PHI? If not, how will you remedy?
  6. Are all voice mails, or any recorded messages referencing a client’s PHI, protected from unauthorized listeners at all times? If not, how will you remedy? (Reminder: Some staff may not have authorization.)
  7. Is the fax machine, through which a client’s PHI may be referenced, protected from unauthorized viewers at both ends at all times? If not, how will you remedy? (Reminder: Some staff may not have authorization.)
  8. Do all out-going faxes referencing clients have a cover sheet with a confidentiality statement directed to unauthorized viewers? If not, how will you remedy?
  9. Does every room in which client information is kept (even for brief periods of time) have a lock on the door? If not, how will you remedy?
  10. Does every computer in which any reference to a client might be found require a password to access its files? If not, how will you remedy?
  11. Are individual computer passwords known only to the person(s) authorized to see/access any client information in that computer? (Note: this applies to any client information, including databases of all kinds – even those for routine Center mailings such as newsletters, workshop announcements, etc.) If not, how will you remedy?
  12. Is all electronic PHI accessed by a password unique to each person with a “need to know” the PHI? If not, how will you remedy?
  13. Does the HCO have a master password to access all PHI? If not, how will you remedy?
  14. Can the HCO obtain a system-generated report showing the history of which passwords accessed the PHI and at what time? If not, how will you remedy?
  15. Does the HCO audit these reports at least quarterly to determine appropriate usage? If not, how will you remedy?
  16. Whenever a password-assigned employee changes to a non-password-assigned job or leaves the Center’s employment, is their password vacated? If not, how will you remedy?
  17. Are all passwords routinely changed at least quarterly? If not, how will you remedy?
  18. Are all electronic device passwords written on a sheet of paper, sealed in an individual envelope and stored in a secure, locked, disaster-proof place, to be accessed only by the HCO and Executive Director in the event of a HIPAA complaint and the authorized person’s unavailability? If not, how will you remedy? (Note: This is one of the “fine tensions” internal to HIPAA, that is, the tension between confidential information and the authorized person’s [e.g. clinician’s] unavailability in the event of a HIPAA complaint.)
  19. Is all information about a client kept secure by the authorized person even when being used, and especially when left unattended momentarily? If not, how will you remedy?
  20. Does any information about a client in any form (paper, electronic, and even appointment books, palm pilots, etc.) conform to all security procedures when that information is off site? (This includes information being transported to and from the Center to a satellite office or other location. It also includes information stored at a satellite office or any other location. And, it includes information in a vehicle.) If not, how will you remedy?
  21. When transporting any information about a client, is it stored in a secure, locked container dedicated only to client information that also has information inside warning unauthorized viewers of the confidential nature of the material and instructions for its return? If not, how will you remedy?
  22. Does any computer with any of the following characteristics and containing any client information have appropriate security measures (firewalls and possibly encryption/decryption) to guard against “hacking” or any other form of unauthorized access? If not, how will you remedy?
    • The internet/world wide web can be accessed with this computer.
    • The computer can send/receive email.
    • The computer is networked (wired or wireless) to another computer(s) and a server with internet/email capacity.
    • The computer has an internal/external modem.
  23. Are all paper documents containing any client information immediately shredded after they are no longer needed? (This includes telephone message slips, schedules, task lists, etc.) If not, how will you remedy?
  24. Are all electronic records (including “palm pilots” and the like) containing any client information immediately eliminated from the hard drive (or its equivalent memory device, e.g. SIM card) after they are no longer needed? If not, how will you remedy?
  25. Have all of your software vendors attested in some written format that your computer software packages are HIPAA compliant? If not, how will you remedy? (Note: place these assurances in your Compliance Notebook.)
  26. Have all of your software/hardware application service providers (ASPs) attested in some written format that they meet HIPAA security standards? If not, how will you remedy? (Note: place these assurances in your HIPAA Compliance Notebook.)
  27. Have all of your third party payers (insurance, managed care, employee assistance, congregational assistance, etc.) attested in some written format that they are HIPAA compliant? If not, how will you remedy? (Note: place these assurances in your HIPAA Compliance Notebook.)
  28. If you send or receive any email containing client information (including to or from the client), is the email encrypted/decrypted or similarly protected? If not, how will you remedy?
  29. When you provide any information about a client to anyone, do you determine whether they are authorized to have that information, and do you keep a log of each authorized provision? If not, how will you remedy?
  30. Do you have a Business Associate (BA) agreement with each appropriate entity that is limited to one year and updated (when necessary)? If not, how will you remedy? (Note: this includes any outsourced providers like accountants, bookkeepers, mailing services, computer technicians, auditors, inspectors, consultants, collection agencies, etc.)
  31. Are all verbal conversations about a client held only with those authorized to hear that information (including BAs, client’s family members, etc.)? If not, how will you remedy?
  32. Are all breaches of electronic/hardcopy security of PHI investigated and documented by the HCO? If not, how will you remedy?
  33. Does the HCO document all security breaches and the resulting corrective action for inclusion in the HIPAA Compliance Notebook? If not, how will you remedy?
  34. Does the HCO report all security breaches and resulting corrective action to the staff? If not, how will you remedy?
  35. Is all client PHI backed up daily and stored in a disaster-proof/resistant location, preferably off site? If not, how will you remedy?
  36. Does the Center have a plan for when its normal operations are disrupted by an emergency? If not, how will you remedy?
  37. Is the staff trained to implement the emergency plan, and is it located in the HIPAA Compliance Notebook? If not, how will you remedy?
  38. Is PHI thoroughly eliminated from all electronic devices (personal and Center) when the device is no longer in use and/or when the device’s owner leaves the Center’s employment? If not, how will you remedy?
  39. Is PHI appropriately protected when transmitted over open networks (e.g. the internet)? If not, how will you remedy?
  40. Are the physical premises at which PHI is stored protected by an intrusion alarm? If not, how will you remedy?
  41. Have you included in your Compliance Notebook other elements from a careful review of other sources, consultation with authoritative sources, and current professional literature? If not, how will you remedy?