National Social Work Ebook Continuing Education

● Social Security number.
● Dates related to birth, death, admission, discharge.
● Telephone and fax numbers.
● Email or URL addresses.
● Medical record numbers, account numbers, health plan beneficiary numbers.
● Vehicle identifiers such as driver’s license numbers and license plate numbers.
● Full-face photographs distributed by the agency.
● Any other unique identifier, code, or characteristic used to identify clients that is protected under HIPAA.

In addition to reasonable safeguards, covered entities are required to develop and implement policies and procedures that limit the sharing of protected health information and to implement them as appropriate for their practices. The policies must limit who has access to protected health information, specify the conditions under which it can be accessed, and designate someone to be responsible for ensuring that procedures are followed (Privacy Officer).

It may seem that the law serves only to place limits on the sharing of information. However, it does allow the sharing of protected health information as long as the mental health worker takes reasonable precautions with the information. Some steps professionals can follow include:

● Ensure that protected health information is kept out of sight. This could mean keeping it in separate locked files, covering or turning over any material on your desk, or setting your computer to “go blank” after a minute or two in case you walk away.
● If you must discuss protected health information in a public area such as a waiting room, hospital hallway, or courtroom, make sure you speak quietly and others cannot overhear your conversation. If privacy cannot be assured, move to another area or schedule another time to discuss the information.
● Use email carefully. Make sure you send the information only to the appropriate people. Watch the “CC” lines to make sure your email is not copied to unauthorized parties. Use passwords and other security measures on computers.
● If you send a fax, don’t leave the material unattended. Make sure that all of the pages go through and check the fax numbers carefully to make sure the information is sent to the correct person. You should also add a disclaimer stating that the information in your fax is confidential.
● Avoid using client names in hallways, elevators, restaurants, etc., unless absolutely necessary.
● Post signs and routinely review standards to remind employees to protect client privacy.
● Secure documents in locked offices and file cabinets.

Note that there is another law, 42 CFR Part 2, which provides additional protections for clients receiving alcohol and drug treatment. Information is available at the Substance Abuse and Mental Health Services Agency (SAMHSA) website at https://www.samhsa.gov/about-us/who-we-are/laws-regulations/confidentiality-regulations-faqs

This law applies to any program that engages in substance abuse education, treatment, or prevention and is regulated by or receives assistance from the federal government (Kunkel, 2012). Although the SAMHSA (2019) Web page on this subject provides detailed legal information, some salient points are as follows:

● A client or patient who has signed a consent form allowing disclosure to multiple parties can revoke the consent to one or more of those parties.
● A single consent form can allow information to be exchanged for different purposes, such as treatment and management, but the form must specify the type and amount of information that can be disclosed to each of the recipients and the information disclosed must be solely for the purpose at hand.
● In the case of an immediate threat to the health and safety of the individual or the public, steps must be taken

health information (Protected Health Information or PHI) by organizations (Covered Entities) subject to the rule. These organizations include:

● Most doctors, nurses, pharmacies, hospitals, clinics, nursing homes, and other health care providers.
● Health insurance companies, HMOs, and most employer group health plans.
● Certain government programs that pay for health care, such as Medicare and Medicaid.

Key provisions of the standards include:

● Access to medical records: Patients may ask to see and get a copy of their health records and have corrections added to their health information.
● Notice of privacy practices: Patients must be given a notice that tells them how a covered entity may use and share their health information and how they can exercise their rights.
● Limits on use of personal medical information: The privacy rule sets limits on how health plans and covered providers may use individually identifiable health information. Generally, health information cannot be given to the patient’s employer or shared for any other purpose unless the patient signs an authorization form.
● Prohibition of marketing: Pharmacies, health plans, and other covered entities must first obtain an individual’s specific authorization before disclosing their patient information for marketing.
● Stronger state laws: As stated earlier, confidentiality protections are cumulative; any state law providing additional protections would continue to apply. However, should state law require a certain disclosure, such as reporting an infectious disease outbreak, the federal privacy regulations would not preempt the state law.
● Confidential communications: Patients have the right to expect covered entities to take reasonable steps to ensure communications with them are confidential. For example, a patient may want to be called on their work phone rather than home telephone.
● Complaints: Patients may file a formal complaint regarding privacy practices directly to the provider, health plan, or to the HHS Office for Civil Rights. Consumers can find out more information about filing a complaint at https://www.hhs.gov/hipaa/filing-a-complaint/index.html or by calling (800) 368-1019.

It is very important to know that professionals who work in the mental health field are responsible for following and enforcing the HIPAA Privacy Rule. There can be severe civil and criminal penalties if procedures are not followed, and depending on the situation, an individual employee may be held responsible for not protecting a client’s privacy. For unknowing civil violations of the standards, the Office for Civil Rights (OCR) may impose monetary penalties of $100 to $50,000 per violation, with an annual maximum of $25,000 per year for repeat violations. Penalties are higher for reasonable cause and willful neglect. PL 104-191 prescribed criminal penalties for certain actions such as knowingly obtaining protected health information in violation of the law. The Department of Justice handles criminal penalties, which are significantly higher than civil penalties, ranging from $50,000 and one year in prison up to $250,000 and 10 years in prison if the offenses are committed with the intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.

This rule ensures protections for clients by limiting the way covered entities can use personal medical information. The regulations protect medical records and other individually identifiable health information (identifiers), whether the information is transmitted in electronic, written, or verbal format. This then would include faxes, email, online databases, voicemail, and video recordings, as well as conversations among practitioners. Examples of identifiable health information include:

● Name or address – including city, state, and zip code.

EliteLearning.com/Social-Work

Book Code: SWUS1524
