|
| |
 |
HIPAA Privacy Rules
Governing the use and disclosure
of health information.
|
|
|
|
|
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) authorized the United States Department of Health and Human Services to enact rules that protect the privacy of health information. MHS staff members throughout the agency follow policies and procedures that implement the provisions of these new rules.
These "privacy rules" are formally identified as the Standards for Privacy of Individually Identifiable Health Information, and are published in the Federal Register as Title 45 of the Code of Federal Regulations (CFR), Part 160 - General Administrative Requirements; Part 162 - Administrative Requirements; and Part 164 - Security and Privacy.
The Centers for Medicare and Medicaid Services (CMS), a Federal agency within the U.S. Department of Health and Human Services, implements and monitors various provisions of HIPAA. One of the provisions that most affects the operations of MHS are the Administrative Simplification provisions (HIPAA, Title II) that established national standards for electronic health care transactions, and for protecting the security and privacy of health data. According to CMS, adoption of these standards will "improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in health care."
Provisions of HIPAA govern the use and disclosure of health information, establish national standards for electronic health care transactions and national identifiers for providers and employers, and address the security of health data. HIPAA was intended to protect and enhance the rights of consumers, improve the quality of health care in the U.S., and improve the efficiency and effectiveness of the nation's health care.
HIPAA is the first set of federal laws governing the privacy and security of all health information. (Earlier federal laws governed only the privacy of assessment and treatment information about alcohol and drug-abuse services and HIV infection.)
MHS was in full compliance with the HIPAA privacy rules on 14 April 2003, the deadline for implementation of the rules. MHS is also in full compliance with the electronic transaction standards that took effect in October 2003. The HIPAA Implementation Subcommittee of the MHS Quality Assurance Committee completed a substantial revision of our privacy and confidentiality policies, to ensure compliance with HIPAA. The policies include:
|
|
Policy
|
Brief Description
|
|
HIPAA Compliance Program
|
This policy first established the agency’s HIPAA Compliance Program in October, 2001.
|
|
Maintaining the Security and Confidentiality of Electronic Information
|
Enacted in March, 2001, this policy established procedures for ensuring that authorized staff have access to information needed to fulfill their duties, and for maintaining the security and privacy of client information.
|
|
Administrative Requirements for the Implementation of HIPAA
|
Designates the Director of Quality Assurance as the agency’s Senior Privacy Officer, and the Client Rights Officer/Risk Manager as the person to receive client complaints relating to HIPAA. Establishes requirements for training staff and documenting agency efforts to comply with HIPAA. It also prohibits acts to intimidate clients for the exercise of their rights.
|
|
Use and Disclosure of Protected Health Information
|
Establishes the policy that we use and disclose client information only to (1) provide services, (2) conduct necessary administrative activities, and (3) comply with the law. The use and disclosure of client information is limited to the minimum necessary to conduct the service, or accomplish the administrative or legal function.
This policy also describes procedures for informing clients of their rights, obtaining their informed consent for services, and obtaining their authorization for the disclosure of information about them.
|
|
Use of the Consent for Treatment Form
|
This revision of our current policy states that the new Notice of Privacy Practices for Protected Health Information is reviewed with and given to clients upon admission to services, in addition to the Client Rights and Grievance Policy, and the notice of MACSIS enrollment.
|
|
Accounting of Disclosures of Protected Health Information
|
Clients now have the right to review disclosures of information about them that the client has not authorized, with only a few exceptions. This policy describes how we’ll track and report these ‘accountable disclosures."
|
|
Client’s Request to Inspect or Obtain a Copy of Information in the ICR
|
Another revision of current policy, describing how clients may review and get copies of information in their Integrated Clinical Record (ICR), or "chart." HIPAA requires that we respond promptly, defines circumstances in which we may decline a client’s request, and describes procedures we must follow when we decide to deny a request.
|
|
Client’s Request for Record Amendment
|
Clients now have the right to request that we amend information in the client’s chart. This policy describes how clients may request an amendment, and how we must respond to the request.
|
|
Confidentiality Policy Statement
|
Revision of the current policy that all staff members and other workforce members are informed of their duties regarding the use of health information.
|
|
Client Risk Precautions
|
Enacted in 1999, this policy describes the procedures that we are required by state law to follow when a client makes a specific threat.
|
|
The federal Office for Civil Rights (OCR) in the US Department of Health and Human Services monitors compliance with the Privacy Rules. Information on a wide range of topics about the the Privacy Rules is available at the OCR Privacy Website, or by calling the OCR Privacy toll-free phone line at 866-627-7748.
Information about OCR's civil rights authorities and responsibilities can be found at the Office for Civil Rights (OCR) homepage. If you believe that a person or organization covered by the Privacy Rules (a "covered entity") violated your health information privacy rights or otherwise violated the Privacy Rules, you may file a complaint with OCR. For additional information and guidance about filing a complaint, please contact the MHS Client Rights Officer, or see the OCR Fact Sheet How to File a Health Information Privacy Complaint.
On 9 May 2008, HHS added new enforcement data to its website on HIPAA Privacy Compliance and Enforcement. You may now access enhanced information about several aspects of OCR’s health information enforcement program, including (1) Charts showing state-specific case investigation results; (2) Calendar-year enforcement-results graphs and charts; (3) Calendar-year graph showing complaint receipts; and (4) Yearly variation in the issues in cases resolved through corrective action. You may click here to access the new OCR data section. The enhanced Compliance and Enforcement website provides information for consumers, health care providers, health plans, and others in the healthcare industry, and may be found by clicking here.
|
 |
Copyright ©
Mental Health Services for Homeless Persons, Inc. (MHS)
1744 Payne Avenue; Cleveland, Ohio 44114 U.S.A.
216-623-6555 - TTY/TDD: 216-623-6540
The URL of this page is
http://www.mhs-inc.org/HIPAA.asp
It was most recently updated on 12 May 2008.
We welcome your comments.
Please write to Joel[at]mhs-inc.org
Explore! Enter search terms in the text-box below, and click the Search button to find information within the MHS website, or throughout the web.
|
|
|
|
|
