personal notes a secret. If asked under oath if all records have been provided, however, the consequences of perjury and ethical misconduct may be worse than what was written in the notes.

The privacy rule (HIPAA)

In the late 20th century, the problem of employees losing health insurance between jobs and the danger of healthcare fraud led to the creation and passage of an important new law (HIPAA Journal, 2017). In 1996 the 104th Congress amended the Internal Revenue Code of 1986 and created Public Law 104-191, the Health Insurance Portability and Accountability Act. This Act established the first-ever national standards for the protection of certain health information, in an effort not just to prevent fraud but to protect client and patient privacy. These standards, developed by the Department of Health and Human Services, took effect April 14, 2003.

The Privacy Rule standards address who can use, look at, and receive individuals’ health information (Protected Health Information, or PHI) by organizations (Covered Entities) subject to the rule. These organizations include:

● Most doctors, nurses, pharmacies, hospitals, clinics, nursing homes, and other health care providers.
● Health insurance companies, HMOs, and most employer group health plans.
● Certain government programs that pay for health care, such as Medicare and Medicaid.

Key provisions of the standards include:

● Access to medical records: Patients may ask to see and get a copy of their health records and have corrections added to their health information.
● Notice of privacy practices: Patients must be given a notice that tells them how a covered entity may use and share their health information and how they can exercise their rights.
● Limits on use of personal medical information: The privacy rule sets limits on how health plans and covered providers may use individually identifiable health information. Generally, health information cannot be given to the patient’s employer or shared for any other purpose unless the patient signs an authorization form.
● Prohibition of marketing: Pharmacies, health plans, and other covered entities must first obtain an individual’s specific authorization before disclosing their patient information for marketing.
● Stronger state laws: As stated earlier, confidentiality protections are cumulative; any state law providing additional protections would continue to apply. However, should state law require a certain disclosure, such as reporting an infectious disease outbreak, the federal privacy regulations would not preempt the state law.
● Confidential communications: Patients have the right to expect covered entities to take reasonable steps to ensure communications with them are confidential. For example, a patient may want to be called on their work phone rather than their home telephone.
● Complaints: Patients may file a formal complaint regarding privacy practices directly to the provider, health plan, or to the HHS Office for Civil Rights. Consumers can find out more information about filing a complaint at https://www.hhs.gov/hipaa/filing-a-complaint/index.html or by calling (800) 368-1019.

It is very important to know that professionals who work in the mental health field are responsible for following and enforcing the HIPAA Privacy Rule. There can be severe civil and criminal penalties if procedures are not followed, and depending on the situation, an individual employee may be held responsible for not protecting a client’s privacy. For unknowing civil violations of the standards, the Office for
Civil Rights (OCR) may impose monetary penalties of $100 to $50,000 per violation, with an annual maximum of $25,000 per year for repeat violations. Penalties are higher for reasonable cause and willful neglect. PL 104-191 prescribed criminal penalties for certain actions such as knowingly obtaining protected health information in violation of the law. The Department of Justice handles criminal penalties, which are significantly higher than civil penalties, ranging from $50,000 and one year in prison up to $250,000 and 10 years in prison if the offenses are committed with the intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.

This rule ensures protections for clients by limiting the way covered entities can use personal medical information. The regulations protect medical records and other individually identifiable health information (identifiers), whether the information is transmitted in electronic, written, or verbal format. This would then include faxes, email, online databases, voicemail, and video recordings, as well as conversations among practitioners. Examples of identifiable health information include:

● Name or address, including city, state, and zip code.
● Social Security number.
● Dates related to birth, death, admission, discharge.
● Telephone and fax numbers.
● Email or URL addresses.
● Medical record numbers, account numbers, health plan beneficiary numbers.
● Vehicle identifiers such as driver’s license numbers and license plate numbers.
● Full-face photographs distributed by the agency.
● Any other unique identifier, code, or characteristic used to identify clients that is protected under HIPAA.

In addition to reasonable safeguards, covered entities are required to develop and implement policies and procedures that limit the sharing of protected health information and to implement them as appropriate for their practices.
The policies must limit who has access to protected health information, specify the conditions under which it can be accessed, and designate someone to be responsible for ensuring that procedures are followed (Privacy Officer).

It may seem that the law serves only to place limits on the sharing of information. However, it does allow the sharing of protected health information as long as the mental health worker takes reasonable precautions with the information. Some steps professionals can follow include:

● Ensure that protected health information is kept out of sight. This could mean keeping it in separate locked files, covering or turning over any material on your desk, or setting your computer to “go blank” after a minute or two in case you walk away.
● If you must discuss protected health information in a public area such as a waiting room, hospital hallway, or courtroom, make sure you speak quietly and others cannot overhear your conversation. If privacy cannot be assured, move to another area or schedule another time to discuss the information.
● Use email carefully. Make sure you send the information only to the appropriate people. Watch the “CC” lines to make sure your email is not copied to unauthorized parties. Use passwords and other security measures on computers.
Book Code: SWTX1525
EliteLearning.com/Social-Work