ACTCM HIPAA Training · confidentiality of medical information and define personal liability for...

ACTCM Privacy Training June 2017


Page 1: ACTCM HIPAA Training · confidentiality of medical information and define personal liability for breaches of privacy. Lanterman-Petris-Short Act (LPS)Welfare and Institutions Code

ACTCM Privacy Training

June 2017

Page 2

Meet HIPAA Training Requirement

Review HIPAA Standards

Integrate HIPAA Into Everyday Practice

Page 3

The Health Insurance Portability and Accountability Act was enacted by Congress in 1996.

HIPAA serves three main purposes:

◦ To protect people from losing their health insurance if they change jobs or have pre-existing health conditions

◦ To reduce the costs and administrative burdens of healthcare by creating standard electronic formats for many administrative transactions that were previously carried out on paper

◦ To develop standards and requirements to protect the privacy and security of personal health information.

Enforced by the Department of Health and Human Services (DHHS) and the Office of Civil Rights (OCR)

Page 4

Privacy Rule

◦ Mainly impacts employees that use or disclose individually identifiable health information

◦ Compliance date: April 14, 2003

Transaction and Code Set Standards

◦ Mainly impacts business office and IT staff

◦ Compliance date: October 16, 2003

Security Rule

◦ Mainly impacts IT staff and business office

◦ Compliance date: April 21, 2005

Page 5

Important changes that updated the privacy standards and strengthened the standards for security to develop national safeguards to protect the confidentiality of an individual’s medical information as more private health information was held and transmitted electronically.

Page 6

Important changes that granted individuals new rights to their health information and strengthened the government’s ability to enforce HIPAA

Updates:

◦ Copies of records in electronic format

◦ When patients pay out of pocket for medical services, they can instruct that the information be kept private from their health plan

◦ Limits how patient information is shared for marketing and fundraising

◦ Prohibits sale of patient information without authorization

◦ Business associates are liable under HIPAA and are accountable to consumers and DHHS

Page 7

California has multiple statutes and regulations which require the protection of the privacy of its residents’ confidential information such as credit cards, social security numbers, and personal identification numbers (PINs), as well as medical and insurance information. Major state privacy laws include:

California Health and Safety Code Section 1280.15 mandates that licensed facilities report any unlawful or unauthorized access, use, or disclosure of a patient’s medical information no later than 5 business days after the breach has been detected. The institution is to report to both the Department of Public Health and the affected patient(s). See also California Health and Safety Code Section 130200.

California Information Practices Act (Civil Code Section 1798) codifies the right to privacy as a personal and fundamental right protected by Section 1 of Article I of the Constitution of California and by the United States Constitution, and that all individuals have a right of privacy of information pertaining to them; for example, names, social security numbers, physical description, home address, home telephone number, education, financial matters, and medical or employment history.

Page 8

Confidentiality of Medical Information Act (CMIA) Civil Code Section 56 et seq. requires that:

• Confidentiality of medical information be protected, and establishes the protections against disclosures of individually identifiable medical information

• Health care institutions notify California residents of breaches of electronic social security number, access codes to financial accounts, and medical and insurance information

• Health care institutions implement safeguards to protect the privacy and confidentiality of medical information, and defines personal liability for breaches of privacy.

Lanterman-Petris-Short Act (LPS) (Welfare and Institutions Code Section 5328 et seq.) provides special confidentiality protections for medical records containing mental health or developmental disabilities information.

Page 9

Healthcare Providers

Healthcare Plans

Healthcare Clearinghouses

Business Associates of Covered Entities:

◦ Auditors

◦ Consultants

◦ Attorneys

◦ Data and Billing Firms

◦ Others with whom entities have agreements involving the use of protected health information

Page 10

As healthcare providers and clinical staff members, it is our ethical and legal obligation to maintain the privacy and confidentiality of our patients’ private health information.

Page 11

To privacy

To confidential use of all their medical information

To obtain a written notice of privacy practices

To access and amend their own health information upon request

To request restrictions on the use and disclosure of Protected Health Information for Treatment, Payment, and Health Care Operations (TPO)

To refuse to authorize disclosures of Protected Health Information for purposes other than TPO

To withhold name from patient directory or account list

Page 12

The HIPAA Privacy Rule requires that protected health information (PHI) must be protected from unlawful access or disclosure.

45 Code of Federal Regulations Sec. 164.514 (2013)

Page 13

Protected Health Information (PHI) is information that is created or received by ACTCM Clinic and relates to the past, present, or future health condition of a patient; the provision of health care to a patient; or the past, present or future payment for the provision of health care to a patient; and that identifies the patient or for which there is reasonable basis to believe the information can be used to identify the participant. PHI includes information of persons living or deceased.

Page 14

No matter what form it takes:

◦ Notes on a patient’s medical charts

◦ Health information or personal information entered into a computer

◦ Discussions about a patient’s condition

◦ Any verbal or written patient information

Any identifiable health information becomes protected health information (PHI) under HIPAA.

A covered entity may not use or disclose protected health information except:

◦ As the individual authorizes in writing

◦ As the HIPAA Privacy Rule permits or requires

Page 15

1. Name *

2. Address

3. Birth Date *

4. Telephone Number(s)

5. Fax Number(s)

6. Email Address

7. Social Security Number *

8. Medical Record Number

9. Credit Card Number

10. Account Number

11. Certification/License Number(s)

12. Vehicle ID/License Plate

13. Device ID

14. URL

15. IP Address

16. Biometric ID

17. Face Photo

18. Any other unique identifying number, characteristic or code

Page 16

1. Appoint a Privacy and Security Officer

The Clinic Operations Director is the designated Privacy and Security Officer and is responsible for:

◦ Train staff in HIPAA compliance

◦ Assure that HIPAA-related policies and procedures are instituted and followed

◦ Review activity that takes place in the Clinic to detect security risks

◦ Serve as the contact person for patients who have questions, concerns, or complaints about the privacy of their PHI.

◦ Investigate and respond to security incidents and take appropriate action in the event of a breach in security, and eliminate or mitigate any damaging effects

Page 17

2. Privacy Incident Response Team (PIRT)

Comprised of the Privacy/Security Officer (Clinic Operations Director), Associate Academic Dean, Assistant Director of Clinical Education, and additional members deemed appropriate.

Because customer service and privacy are of utmost importance to ACTCM, it is our policy to promptly receive, respond to, and resolve patient complaints regarding allegations of improper use or disclosure of PHI by ACTCM or our business associates.

ACTCM is prohibited from intimidating patients who wish to register a complaint about privacy.

Page 18

3. Policy and Procedure to Process Privacy Complaints

Formal Patient Complaints: An individual may submit a written formal complaint about ACTCM Clinic’s privacy practices, including but not limited to complaints regarding:

◦ The privacy and security of PHI;

◦ Use and disclosure of PHI;

◦ Patients’ access to, or amendment of, their PHI;

◦ Practices or actions of ACTCM’s business associates;

◦ ACTCM’s marketing practices; or

◦ Any other complaint relating to ACTCM’s privacy policies and procedures.

All individuals can also direct complaints to DHHS/OCR.

Page 19

3. Processing Privacy Complaints

The Privacy Officer receives the complaint, fills out the ACTCM Incident Form attaching the written formal complaint, and forwards it to the members of PIRT to review and take appropriate actions to prevent further inappropriate incidents. ACTCM must maintain complete documentation of the complaint and PIRT’s review and disposition of the matter, including a record of any changes to policies or procedures or the imposition of actions against members of its staff, faculty or students, if any. ACTCM must retain all documents relating to the complaint and the investigation for a period of at least seven (7) years from the date of the incident.

Page 20

3. Processing Privacy Complaints

Internal Privacy Violation Reviews: ACTCM staff, faculty and students are encouraged to report violations of federal and state privacy laws and ACTCM’s privacy policies (Privacy Violations) to ACTCM’s Privacy Officer. Whenever possible Privacy Violations arise, the Privacy Officer along with PIRT will conduct an investigation and determine whether a violation has occurred. If PIRT determines that a staff member, faculty member, student or business associate has committed a Privacy Violation, that person shall be subject to appropriate actions as determined by PIRT, the Director of Human Resources, or any appropriate manager or supervisor.

It is the policy of ACTCM not to retaliate against or intimidate anyone who has knowledge of any privacy violations.

Page 21

4. HIPAA Compliance Training

It is ACTCM’s policy to provide training to all staff, faculty, and students who have access to PHI on its privacy policies and procedures, and to ensure that education curriculum and materials are created and maintained to provide adequate training to students to properly handle PHI during their clinical hours. Privacy training will review ACTCM’s privacy policies and procedures and will discuss any changes in these policies and procedures. The training program will focus on federal laws and regulations governing the privacy, confidentiality, and security of PHI, as well as any important and relevant state laws.

Page 22

The American College of Traditional Chinese Medicine

Confidentiality of Patient, Employee and Agency Business Information Form

◦ Faculty

◦ Staff

◦ Students

◦ Volunteers

◦ Visiting Medical Professionals

◦ Business Associates

Page 23

Statement of Policy:

It is the legal and ethical responsibility of all ACTCM ……to use personal and confidential patient, employee and agency business information (referred to here collectively as “confidential information”) in accordance with the law and ACTCM policy, and to preserve and protect the privacy rights of the subject of the information as they perform their duties.

Laws controlling the privacy of, access to and maintenance of confidential information include, but are not limited to, the federal Health Insurance Portability and Accountability Act (HIPAA), the California Information Practices Act (IPA), the California Confidentiality of Medical Information Act (COMIA)…..

Confidential information includes information that identifies or describes an individual and the disclosure of which would constitute an unwarranted invasion of personal privacy…..

The term “medical information” includes the following: medical and psychiatric records, including paper printouts, photos, videotapes, diagnostic and therapeutic reports, x-rays, scans, laboratory and pathology samples; patient business records, such as bills for service or insurance information whether stored externally or on campus; electronically stored or transmitted patient information; visual observation of receiving medical care or accessing; verbal information provided by or about a patient; peer review/risk management information and activities; or information the disclosure of which would constitute an unwarranted invasion of privacy.

Page 24

Acknowledgement of Responsibility

I understand and acknowledge that:

It is my legal and ethical responsibility to preserve and protect the privacy, confidentiality and security of all medical records, proprietary and other confidential information relating to ACTCM, its patients, activities and affiliates, in accordance with the law and agency policy.

I agree to access, use or disclose confidential information only in the performance of my duties, where required by or permitted by law, and only to persons who have the right to receive that information. When using or disclosing confidential information, I will use or disclose only the minimum information necessary.

I agree to discuss confidential information only in my workplace and for ACTCM-related purposes. I will not knowingly discuss any confidential information within the hearing of other persons who do not have the right to receive the information. I agree to protect the confidentiality of any medical, proprietary or other confidential information which is incidentally disclosed to me in the course of my relationship with ACTCM.

Page 25

Acknowledgement of Responsibility

I understand and acknowledge that:

I understand that psychiatric records, drug abuse records, and all references to HIV testing, such as clinical tests, laboratory or otherwise, used to identify HIV, or antibodies or antigens to HIV, are specially protected by law.

I understand that my access to all ACTCM electronic information systems is subject to audit in accordance with ACTCM policy.

I understand that violation of any of ACTCM policies and procedures related to confidential information or of any state or federal laws or regulations governing a patient’s right to privacy may subject me to legal and/or disciplinary action up to and including immediate termination from my employment/professional relationship with ACTCM.

I understand that I may be personally liable for harm resulting from my breach of this agreement and that I may also be held criminally liable under the HIPAA privacy regulations for an intentional and/or malicious release of protected health information.

Page 26

ACTCM provides each new patient with a Notice of Privacy Practices (NPP) and requires them to read and sign the document upon their first visit. In addition, the Clinic will post the NPP in plain view in the Clinic waiting room and will make the NPP available to all patients upon request.

The NPP must be written in plain language.

Patients have the right to adequate notice of:

◦ the uses and disclosures of PHI that may be made by ACTCM;

◦ the patient’s rights with respect to PHI; and

◦ ACTCM’s legal obligations regarding PHI.

The NPP will also provide a description of ACTCM’s complaint procedures in regards to privacy issues, the name and phone number of the Privacy Officer, and the date of the notice.

Page 27

Our Pledge Regarding Medical Information:

The privacy of your medical information is important to us. We understand that your medical information is personal and we are committed to protecting it. We create a record of the care and services you receive at our clinic. We need this record to provide you with quality care and to comply with certain legal requirements. This notice will tell you about the ways we may use and share medical information about you. We also describe your rights and certain duties we have regarding the use and disclosure of medical information. This notice will remain in effect until it is replaced or amended by changes in law.

Page 28

Use and Disclosure of Your Medical Information

We gather personal health information in several ways. This information comes from you, from other healthcare providers, and from third party payers. This section describes different ways that we use and disclose medical information. We will not use or disclose your medical information for any purpose not listed below, without your specific written authorization. Any specific written authorization you provide may be revoked at any time by writing to us. We may use and disclose your medical information in the following ways:

For treatment

For payment

For healthcare operations

When required by law, this office will not use your health information for marketing communications without your written authorization. However, this office may send birthday cards, newsletters and appointment reminders, by telephone calls or mail.

Page 29

Patient Rights

Upon written request, you have the right to access, review or receive copies of your health care records. There is a copy fee of $15, and the request takes 10 working days to process.

Upon written request, you have the right to receive a list of items this office disclosed about your healthcare information.

You have the right to request that this office place additional restrictions on disclosure of your protected health information.

You have the right to request that we amend your protected health information; the request must be in writing.

You have the right to receive all notices in writing.

Page 30

If you have questions, complaints or want more information about ACTCM’s privacy policies and procedures, please contact this office.

Contact: Tracy Tognetti, Clinic Operations Director/Privacy Officer

Telephone 415-282-9603, Ext. 32

Address: 455 Arkansas Street, San Francisco CA 94107

You may also send written complaints to the U.S. Department of Health and Human Services. For more information, please visit http://www.hhs.gov/hipaa

Page 31

Patient’s Consent for the Purposes of Treatment, Payment, and Healthcare Operations

I, __ , give consent to ACTCM Community Clinic to use and disclose my individually identifiable health information or Protected Health Information for the specific purposes of: providing treatment to me, relating to the payment of services this office has rendered to me, and the general administrative operation this practice provides to me.

Protected Health Information includes:

Demographic information

Information gathered by this practice as it relates to my past, present and future physical or mental health or condition

Information gathered by this office for past, present or future payments of healthcare services.

Information used for healthcare operations purposes, including quality assessment activities, credentialing, business management and other general operations procedures or activities.

Page 32

Patient’s Consent for the Purposes of Treatment, Payment, and Healthcare Operations

I understand I have the right to request a restriction on the use and disclosure of my protected health information for the purposes of treatment, payment, and healthcare operations of the clinic, but the clinic is not required to agree to these restrictions. However, if the clinic agrees to a restriction that I request, the restriction is binding on the clinic.

I understand I have the right to read and discuss the Notice of Privacy Practices form before I sign this consent form, regarding the use and disclosures of my protected health information.

I have the right to revoke this consent, in writing, at any time except to the extent that ACTCM Community Clinic has acted in reliance on this consent.

Page 33

CONSENT TO USE AND PUBLICATION OF CLINICAL DATA AND CONTENTS OF PATIENT RECORDS FOR STATISTICAL PURPOSES, RESEARCH AND PUBLICATION

I, __________________ (print patient's name) authorize The American College of Traditional Chinese Medicine and members of its Clinic Medical Staff, faculty and students to review my records for the purpose of collecting statistical data or pertinent clinical information for the purposes of research, publication, education and case review. I give my permission and consent to the publication of statistical and/or clinical data obtained from my records. I understand that all patient records are protected by clinic protocols and confidentiality agreements. I also understand that I will never be identified as the source of this information and that if any particulars of my case are used for the purposes of publication all possible clues to my identity will be disguised or altered. I understand that there is the remote possibility of being accidentally identified as the source of the clinical data but that the way this information is handled makes the risk very small.

Page 34

To the individual or their authorized representative (personal representatives, parents of minors, and others legally authorized to make healthcare decisions on behalf of patients)

Covered entities may impose reasonable, cost-based fees for PHI requests.

If patients request a copy of their charts, they must fill out a copy request form, and ACTCM’s copy fee is $15.

Page 35

For treatment (providing, coordinating or managing a patient’s care, including patient education and training, consultations between providers and referrals)

For payment (activities related to being paid for services rendered, including eligibility determinations, billing, claims management, utilization review and debt collection)

For healthcare operations (activities such as quality assessment, student training, contracting for health care services, medical review, legal services, auditing, business planning and development, licensing and accreditations, business management and general administrative activities)

Page 36

When the individual has the opportunity to agree or object, such as when the patient brings another person into the treatment room for their office visit

For the purpose of public health or mandated by law

Page 37

ACTCM will use and disclose PHI only as permitted under HIPAA. The terms “use” and “disclose” are defined as follows:

◦ Use: The sharing, employment, application, utilization, examination, or analysis of individually identifiable health information by any ACTCM staff, faculty or student or ACTCM Business Associate; and

◦ Disclose: For information that is PHI, disclosure means any release, transfer, provision of or access to, or divulging in any other manner of individually identifiable health information to persons not an ACTCM staff, faculty or student with a business or educational need to know PHI.

Page 38

The Privacy Rule does allow for “incidental” disclosure of PHI as long as the covered entity used reasonable safeguards.

ACTCM will apply the “Minimum Necessary” rule to the release of client information.

ACTCM health care workers’ disclosure of and access to Protected Health Information is based on the scope of their job and the information they need to perform that job.

Page 39

Under certain conditions, ACTCM may release PHI without patient knowledge or authorization, such as:

◦ For treatment, payment, and health care operations

◦ For public health activities that involve safety or communicable disease

◦ About victims of abuse, neglect, or domestic violence

◦ For judicial and administrative proceedings

◦ For law enforcement purposes

◦ Organ and tissue donations

◦ To avert a serious threat to health or safety

◦ For specialized government functions

◦ For workers’ compensation

◦ To the Department of Health and Human Services or Attorney General for enforcement of the privacy rules

Page 40

Personal (legal) representatives are entitled to receive the same information you would share with the patient.

If consent is verbal, make a note in the medical record.

If you have doubts, give the patient an opportunity to object to sharing information with a person.

Page 41

Disclosures of PHI when the patient is not present: When a patient is not present or when ACTCM cannot practically give the patient an opportunity to agree or object to the use or disclosure, ACTCM may, in the exercise of professional judgment, determine whether the disclosure is in the patient’s best interests and, if so, disclose only the PHI that is directly relevant to the person’s involvement with the patient’s health care. The clinic must follow these guidelines when deciding whether to disclose PHI when the patient is not present:

◦ Only disclose PHI that is directly related to the patient’s current condition.

◦ Consider the patient’s best interests and construe this opportunity narrowly, allowing disclosures only to those persons with close relationships with the patient, such as family members.

◦ Take into account whether the disclosure is likely to put the patient at risk of serious harm.

Page 42

In California, state law also requires patient authorization before certain kinds of health information may be disclosed: mental health, substance abuse, STDs and HIV/AIDS, and information about minors. Disclosing these categories without authorization is against the law.

Generally, authorization by the patient is required to disclose mental health information to parties outside of the ACTCM Safety Net.

For treatment purposes, it is permissible to disclose mental health information to parties within the ACTCM Safety Net without patient authorization.

Page 43

➢ Other examples where mental health information can be shared:

• with ACTCM Safety Net professionals providing patient care
• for training purposes
• as required by the Homeland Security Act
• with a coroner or medical examiner
• to avert a public health or safety threat
• when required by law

Page 44

If State or Federal funds subsidize all or part of an ACTCM Safety Net substance abuse program and/or agency, then federal and state laws require you to obtain written patient authorization before disclosing substance abuse information.

For treatment purposes, patient authorization is NOT needed to disclose substance abuse information within the ACTCM Safety Net if the program and/or agency does not receive federal or state funding.

Page 45

It is against the law to disclose HIV test results, or Protected Health Information related to treatment of STDs when the treatment was rendered within the Municipal STD clinic, without specific written patient authorization.

Page 46

Consent is necessary to disclose the Protected Health Information of minors.

◦ If a minor is emancipated, they may consent to the disclosure of their own Protected Health Information.
◦ Otherwise, a parent or assigned guardian must consent to disclosure of the minor’s Protected Health Information.

Page 47

ACTCM must reasonably safeguard PHI, including verbal information, from any intentional or unintentional use or disclosure. Measures that ACTCM takes to protect patients’ privacy include:

◦ Making treatment rooms available where clinicians can counsel patients regarding treatment of their medical conditions, including use of herbs.
◦ Not discussing cases in the hallways, waiting area, patio area or at the front desk.
◦ Speaking quietly, or asking waiting patients to stand a few feet back from the counter, when speaking to patients from behind the front desk counter.
◦ Limiting telephone calls made in the reception area to routine appointment reminders and appointment clarification, using only first names.
◦ Keeping the phone volume at an appropriate level so conversations cannot be overheard. Telephone calls requiring sensitive information or more disclosure should be made from the Faculty Office or Herbal Dispensary.
◦ Avoiding leaving any PHI or other sensitive information on voicemail messages.

Page 48

ACTCM’s general policy is to mail PHI whenever possible. If faxing, only the PHI actually needed is sent, and faxing is permitted only if the sender first calls the recipient and confirms that the recipient or his or her designee will be waiting at the fax machine, and the recipient then calls the sender to confirm receipt of the document.

◦ Each fax must use an ACTCM fax cover sheet containing the following confidentiality statement: Confidentiality Notice: This communication and any attachments are for the sole use of the intended recipient and may contain information that is confidential and privileged under state and federal privacy laws. If you received this fax in error, be aware that any unauthorized use, disclosure, copying, or distribution is strictly prohibited. If you have received this fax in error, please contact the sender immediately and destroy all copies of this message.

◦ If a fax containing PHI is transmitted to the wrong recipient:
  • Fax a request to the incorrect fax number explaining that the information has been misdirected, and ask that the materials be returned or destroyed.
  • Obtain written attestation that the recipient destroyed all copies and did not disclose the information.
  • Fill out an incident report and submit it to the Privacy Officer.

Page 49

Emailing a patient’s PHI is discouraged; do not send confidential information by email unless absolutely necessary.

◦ De-identify the information if possible.
◦ Warn patients who communicate by email that their confidentiality cannot be ensured.
◦ Add the following confidentiality notice footer to your message: Confidentiality Notice: This email communication and any attachments are for the sole use of the intended recipient and may contain information that is confidential and privileged under state and federal privacy laws. If you received this email in error, be aware that any unauthorized use, disclosure, copying or distribution is strictly prohibited. If you received this email in error, please contact the sender immediately and destroy/delete all copies of this message.
◦ If an email containing PHI is transmitted to the wrong recipient:
  • Send an email to the incorrect recipient explaining that the information has been misdirected, and ask that the materials be returned or destroyed.
  • Obtain written attestation that the recipient destroyed all copies and did not disclose the information.
  • Fill out an incident report and submit it to the Privacy Officer.

Page 50

Use of PHI in an electronic medical records system: ACTCM staff, faculty and students are currently not using an electronic medical records system, but ACTCM uses MediSoft software for accounting and billing purposes.

MediSoft can only be accessed by clinic staff, each of whom has a unique user name and password. The reception computers are turned off after business hours, and patients and non-essential staff, faculty and students are restricted from the computer area.

◦ MediSoft has audit controls to record and examine activity on our records.
◦ Controls help ensure that health data has not been altered in an unauthorized manner.

Page 51

The Security Rule requires a number of physical and technical safeguards to ensure that PHI contained in paper files and on computers is protected:

◦ Controls to ensure that access to sensitive information is available on a need-to-know basis
◦ Paper PHI files are stored in locked file cabinets each night
◦ ACTCM’s Clinic has a dedicated server located downstairs in a locked room
◦ ACTCM Clinic computers are protected by a firewall and malware protection
◦ ACTCM Clinic files are backed up every night
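The audit and integrity controls named on the previous slide, and the need-to-know access control listed above, can be shown working together in code. The block below is an added example written for this page; it is not MediSoft code and does not describe ACTCM’s actual configuration. The role table, field names, user names, timestamps, sample record and the integrity key are all constructed for illustration, and in a real system the key would be held in a key store rather than in source.

```python
# Added example: tamper-evident records, a hash-chained audit log, and a
# need-to-know (minimum necessary) read path. Hypothetical design for
# illustration only; not MediSoft code. All names and data are constructed.
import hashlib
import hmac
import json

# Constructed demo key. A real deployment keeps this in a key store or HSM,
# never in source, so someone who can edit records cannot also re-seal them.
INTEGRITY_KEY = b"constructed-demo-key-do-not-use"

# Hypothetical role table: each role sees only the fields its job needs.
ROLE_FIELDS = {
    "billing": {"patient_id", "visit_date", "charges"},
    "clinician": {"patient_id", "visit_date", "charges", "diagnosis", "herbal_formula"},
}


def _canonical(obj) -> bytes:
    """Canonical JSON so identical content always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict) -> dict:
    """Integrity control: attach an HMAC-SHA256 tag over the record contents."""
    tag = hmac.new(INTEGRITY_KEY, _canonical(record), hashlib.sha256).hexdigest()
    return {"data": record, "tag": tag}


def verify(sealed: dict) -> bool:
    """Recompute the tag and compare in constant time."""
    expected = hmac.new(INTEGRITY_KEY, _canonical(sealed["data"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


class AuditLog:
    """Audit control: append-only hash chain. Each entry commits to the hash of
    the previous one, so editing or deleting an earlier entry breaks the chain."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def append(self, user: str, action: str, patient_id: str, outcome: str, ts: str) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"ts": ts, "user": user, "action": action,
                 "patient_id": patient_id, "outcome": outcome, "prev": prev}
        entry["hash"] = hashlib.sha256(_canonical(entry)).hexdigest()
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or hashlib.sha256(_canonical(body)).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


def read_record(sealed: dict, user: str, role: str, log: AuditLog, ts: str) -> dict:
    """Need-to-know read: refuse tampered records, return only the role's fields,
    and log every attempt, whether or not it succeeds."""
    pid = sealed["data"].get("patient_id", "?")
    if not verify(sealed):
        log.append(user, "read", pid, "denied: integrity check failed", ts)
        raise ValueError("record failed integrity check")
    if role not in ROLE_FIELDS:
        log.append(user, "read", pid, f"denied: unknown role {role}", ts)
        raise PermissionError(f"role {role!r} has no access")
    view = {k: v for k, v in sealed["data"].items() if k in ROLE_FIELDS[role]}
    log.append(user, "read", pid, "ok: " + ",".join(sorted(view)), ts)
    return view


def demo() -> dict:
    """Walk through a legitimate read, a tampered record, and a tampered log."""
    log = AuditLog()
    # Constructed sample record; every value is fictional.
    rec = seal({"patient_id": "P-0001", "visit_date": "2017-06-01", "charges": 85.0,
                "diagnosis": "constructed sample", "herbal_formula": "constructed sample"})
    billing_view = read_record(rec, "front_desk_1", "billing", log, "2017-06-01T09:00:00Z")

    # An attacker edits the stored record but cannot recompute the tag without the key.
    tampered = {"data": dict(rec["data"], charges=0.0), "tag": rec["tag"]}
    try:
        read_record(tampered, "front_desk_1", "billing", log, "2017-06-01T09:05:00Z")
        tamper_caught = False
    except ValueError:
        tamper_caught = True

    chain_ok_before = log.verify_chain()
    # The attacker then tries to rewrite the denied access in the log; the chain breaks.
    log.entries[1]["outcome"] = "ok"
    chain_ok_after = log.verify_chain()
    return {"billing_view": billing_view, "tamper_caught": tamper_caught,
            "chain_ok_before": chain_ok_before, "chain_ok_after": chain_ok_after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The billing role receives only the three fields in its row of the table, the altered charge is rejected before any field is returned, and the attempt to edit the log entry afterwards is detectable because every later hash depends on it. The HMAC key and the audit log must be stored where the people who can edit records cannot reach them; otherwise both controls can be defeated by the same insider.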

Page 52

Failure to comply with the HIPAA Privacy and Security Rules can lead to significant financial and other penalties.

◦ ACTCM is required to report breaches of PHI to DHHS.
◦ Civil and criminal penalties may be enforced against both individuals and organizations, including fines of up to $1.5 million and up to ten years of imprisonment.
◦ 18-month HIPAA audit ($50K to $150K)
◦ ACTCM Clinic has ongoing internal auditing and proactive identification of potential violations.

Page 53

AVOID:

◦ Discussing cases where other patients or visitors may hear you: hallways, waiting area, front desk, patio
◦ Discussing herbal formulas with patients at the front desk
◦ Leaving charts or records where other people can see them
◦ Sharing medical information with family and friends
◦ Removing charts from the Clinic; charts should be returned to the front desk as soon as possible

Page 54

It is essential that everyone providing care and services to our patients be aware of their surroundings to ensure confidentiality. Be aware of where you are, who is around you, and what information can be seen or heard by someone else. Try to minimize the chances of accidental disclosure.

Page 55

All medical information that clearly identifies an individual is confidential.

You should only use patient information to perform your specific job task.

EVERYONE is accountable for:

◦ Protecting patient privacy
◦ Knowing and following policies and procedures
◦ Asking questions when unsure about processes
◦ Reporting potential privacy violations to the Privacy and Security Officer