ACRONYMS: HIPAA: Health Insurance Portability and Accountability Act PHI: Protected Health Information

Download (0)

Full text



POLICY:    Privacy  and  Security  of  Protected  Health  Information  (HIPAA  Policies  

and  Procedures)

DATE  APPROVED:      Pending



(At  present,  none  of  the  activities  that  NAMI  Eastside  provides  fall  under  HIPAA  

as  no  files  are  maintained  on  anyone  beyond  their  contact  info,  see  privacy  policy  

12).    If  for  any  reason  that  should  be  changed  or  be  defined  otherwise,  NAMI  

Eastside  will  adhere  to  the  policy  as  outlined  below.    

To  ensure  that  all  communications  involving  Protected  Health  Information  (PHI)  

comply  with  the  federal  regulations  outlined  in  the  Health  Insurance  Portability  

and  Accountability  Act  of  1996  (HIPAA),  Washington  State  Administrative  Code  

(WAC),  the  Revised  Code  of  Washington  (RCW),  and  all  other  laws  and  

regulations  protecting  personal  information.                



HIPAA:  Health  Insurance  Portability  and  Accountability  Act

PHI:  Protected  Health  Information




1. Protected  Health  Information  (PHI).    

1. Definition.    

1. Any  information,  whether  oral  or  recorded,  in  any  form  or   medium,  that  is  created  or  received  by  NAMI  Eastside;  relates   to  the  past,  present,  or  future  physical  or  mental  health  or   condition  of  an  individual;  or  the  provision  of  health  care  to  an   individual.

2. Any  information  that  identifies  the  individual  or  can  be  used  to   identify  the  individual  is  protected.

3. PHI  includes  any  number  or  code  issued  by  a  government  entity   for  the  purpose  of  personal  identification  that  is  protected  and   is  not  available  to  the  public.    Examples  of  such  information   include,  but  is  not  limited  to,  the  following:

1. Personal  Identification  Numbers  such  as  tax  identification   number,  social  security  number,  driver's  license  number,   state  identification  card  number.

2. Financial  and  Health  Information  such  as  account   numbers  or  access  codes,  credit  card  numbers,  medical   history,  medical  status,  donor  status.

2. Penalties.

1. Violations  of  HIPAA  regulations  and  of  this  policy  may  result  in   disciplinary  action.

2. HIPAA  also  holds  violators  accountable,  with  civil  and  criminal   penalties  that  can  be  imposed  for  violations  of  patients’  privacy   rights.

1. Civil  penalties  range  from  $100  per  incident  up  to  $25,000   per  person,  per  year,  per  standard.    

2. Federal  criminal  penalties,  including  additional  monetary   penalties  and  imprisonment,  may  be  imposed  for  more   abusive  and  egregious  violations.    These  may  include   knowingly  violating  patient  privacy  by  improperly   obtaining  or  disclosing  PHI;  obtaining  PHI  under  “false   pretenses”;  or  obtaining  or  disclosing  PHI  with  the  intent   to  sell,  transfer  or  use  it  for  commercial  advantage,   personal  gain  or  malicious  harm.

3. Access.    

1. NAMI  Eastside  makes  internal  practices,  books  and  records,   including  policies  and  procedures  and  PHI,  relating  to  the  use  


and  disclosure  of  PHI  received  from,  or  created  or  received  by   NAMI  Eastside  on  behalf  of  King  County,  available  to  King   County  to  determine  compliance  with  the  privacy  rule.    

2. The  agency  shall  maintain  a  list  (Access  by  Job  Function)  

specifying  the  job  categories  within  the  agency  having  access  to   PHI  necessary  to  carry  out  their  job  duties,  the  categories  or   types  of  PHI  needed,  and  the  conditions  appropriate  to  such   access.    Employees  are  prohibited  access  to  PHI  beyond  that   specified.  (See  also  NAMI  Eastside  policy  Confidentiality  of   Mental  Health  Information  and  Records,  Disclosing  


4. Confidentiality/Disclosures.    

1. Confidentiality  requirements  apply  to  all  information,  oral  and   recorded,  which  is  compiled,  obtained  or  maintained  in  the   course  of  providing  service,  establishing  membership  or   receiving  financial  support.

2. Oral  communications  include,  but  are  not  limited  to,  face-­‐to-­‐

face  conversations,  telephone  conversations,  and  discussions  in   a  group  setting.    Additionally,    

1. Caution  should  be  taken  when  retrieving  voice  mail   messages  from  your  telephone  when  the  speaker  is  on.

2. Cell  phone  conversations  are  subject  to  interception  and   should  not  be  regarded  as  confidential.

3. Employees  and  volunteers  may  disclose  protected  information   only  if  it  is  appropriate  and  necessary  to  the  performance  of   their  job  responsibilities  and/or  an  exception,  as  allowed  by   law,  to  the  confidentiality  requirements.    All  disclosures  must   limit  the  PHI  disclosed  to  the  minimum  necessary  to  

accomplish  the  purpose  of  the  disclosure.  All  disclosures  must   be  documented.  (See  Confidentiality  policies.).

2. Restricted  Areas.

1. Rooms/offices  are  considered  to  be  restricted  if  they  can  be  locked,   with  access  limited  to  employees  and  volunteers  with  a  need  to   know.    Documents  containing  PHI  that  are  maintained  in  restricted   areas  may  be  considered  to  be  secure,  subject  to  the  following:

1. Restricted  areas  must  be  kept  locked  when  not  occupied  or   monitored.

2. Non-­‐NAMI  Eastside  employees  and  volunteers  without  a  need-­‐

to-­‐know  must  always  be  accompanied  when  in  restricted  areas.


3. Non-­‐restricted  Areas.

1. Non-­‐restricted  areas  include  areas  that  are  accessible  by  the  public,  or   are  regularly  used  for  purposes  that  involve  non-­‐NAMI  Eastside  

employees/volunteers  or  those  with  limited  need  to  know.    Such  areas   may  include  conference  rooms,  waiting  areas,  reception  areas,  copy   areas,  rooms  used  for  group  meetings,  shared  offices,  all  off-­‐site   locations  where  services  are  provided,  etc.    Materials  containing  PHI   must  never  be  left  or  stored  in  non-­‐restricted  areas  unless  in  locked   cabinets  with  keys  available  only  to  those  designated.

1. Information  should  never  be  left  lying  out  in  the  open  in  plain   view.    .

2. Internally  created  documents  and  lists,  created  for  the  purpose   of  operational  necessity,  must  contain  information  limited  to   the  purpose  for  which  it  is  created,  must  be  limited  in  

distribution  to  those  who  have  a  need  for  the  information,  must   be  maintained  in  secure  places,  and  must  be  archived  in  a   secure  place  or  destroyed  once  the  purpose  has  been  satisfied.

3. Care  should  be  taken  to  ensure  that  oral  communications  are   not  overheard  in  adjacent  areas,  or  by  persons  without  a  need   to  know.

4. Cover  sheets  or  other  means  of  concealment  must  be  used  for   PHI  when  left  in  employee  or  volunteer  mailboxes.

5. PHI  may  be  requested  via  fax  machine  only  when  the  recipient   who  has  a  need  to  know  is  available  to  accept  the  information   as  it  is  received.    PHI  should  only  be  sent  if  the  designated   recipient  will  be  present  to  pick  up  the  information  as  received,   verified  via  real-­‐time  telephone  contact.

6. Fax  copies  that  contains  PHI  and  are  picked  up  by  a  person  other   than  the  specific  person  to  whom  it  is  addressed  must  be  handled  in   such  a  way  as  to  protect  the  information.    If  the  recipient  is  

identified,  the  material  should  be  given  directly  to  that  person.    If  the   intended  recipient  is  not  available,  cover  sheets  or  other  means  of   concealment  must  be  used  when  leaving  the  information  in  

employee  or  volunteer  mailboxes.    If  no  specific  recipient  is   identified  on  the  fax,  the  material  will  be  given  to  the  Program   Coordinator  for  assignment.

4. Computers.

1. It  is  acceptable  to  retain  PHI  on  a  local  computer  hard  drive  providing   the  computer  is  either  maintained  in  a  restricted  area  or  is  password   protected  and  there  is  operational  need  for  having  access  to  the  

information.  Once  there  is  no  longer  operational  need,  the  information  


must  be  deleted  from  the  hard  drive,  although  it  may  be  saved  to  disk   for  storage  in  a  locked  cabinet/desk  if  desired  for  archiving.

2. Hard  drive  data  backed  up  onto  disk  must  be  kept  in  a  locked   cabinet/desk.

3. PHI  must  not  be  left  displayed  on  a  screen  when  the  computer  is  not  in   use.    Additionally,  screens  should  not  display  PHI  where  there  is  a   chance  that  anyone  without  a  need  to  know  can  see  it.

5. Handling  PHI  Off-­‐site

1. Documents  containing  PHI  should  never  be  removed  from  the  worksite   unless  absolutely  necessary  to  fulfill  a  job  function.    When  necessary,  or   when  PHI  is  created  off-­‐site,  all  reasonable  precautions  shall  be  made  to   safeguard  the  information  against  potential  disclosure,  and  shall  be   returned  to  a  secure  area  as  soon  as  possible  when  no  longer  needed  to   complete  a  specific  job  function.

6. Disposal  of  PHI.    

1. Destruction.    Careless  disposal  of  PHI  poses  a  significant  threat  to   identity  theft,  putting  an  individual's  privacy,  financial  security,  and   other  interests  at  risk.      


It  is  unlawful  in  the  State  of  Washington  to  dispose  of  personal   information  without  making  reasonable  efforts  to  destroy  that   information.  The  statute  requires  shredding  of  the  document,  or   erasing  or  otherwise  modifying  this  personal  information  to  make  it   unreadable  before  discarding  the  document.  Utilize  the  

shredder/shredding  bins  when  possible.

At  the  end  of  each  work  day  or  shift,  each  employee  or  volunteer  is  

required  to  have  either  destroyed,  deposited  in  the  designated  

shredding  container  or  store  in  compliance  with  NAMI  Eastside  

policies  and  procedures  PHI  received  during  that  period.





Related subjects :