Ducks in a Row: HIPAA for Therapists Katie Malinski, LCSW www.HIPAAforTherapists.com 1


Page 1

Ducks in a Row:

HIPAA for Therapists

Katie Malinski, LCSW

www.HIPAAforTherapists.com

1

Page 2

Disclaimer

• I’m a therapist. I am not a lawyer.

• I am sharing my own personal ideas and understandings of HIPAA & HB300.

• This workshop doesn’t cover everything.

• This is not legal advice.

Course Objectives

• Understand HIPAA requirements

• Understand how our professional Ethics intersect with these laws

• Identify typical problems the private practice therapist might encounter

• Understand possible solutions, and their ethical implications

• Organize your thinking—and efforts—about HIPAA

2

Page 3

The Good News

As a licensed therapist following your professional Code of Ethics, you already provide a similar or better level of privacy to your clients in most ways than what the new HIPAA guidelines require.

The Other News

• New Requirements!

• Time to update:

Security

Technology

PAPERWORK!

3

Page 4

But don’t let it scare you!

• The HIPAA & HITECH regulations are complex and do require quite a bit of work to get compliant, but

• you can do it, and

• your practice can be the better for having done this work. Really!

The Bird’s Eye View: Summarizing HIPAA in 4 sentences

Think very hard and methodically about privacy and security in your practice.

Identify all places where privacy and security might be at risk.

Develop a plan to address those risks, & take action.

Now document everything, continually maintain & update those documents, and keep thinking, evaluating, training, learning.

4

Page 5

Basic Terms

HIPAA: Health Insurance Portability & Accountability Act.

– 2003 Federal Law with new requirements for 2013. Compliance deadline has now passed. Privacy rule & security rule.

PHI: Protected Health Information.

– This one is easy. Your client’s: name, contact information, diagnosis, treatment, progress, status, etc. If it’s about your client, it’s PHI.

Basic Terms 2

Covered Entities: healthcare providers who “conduct certain financial and administrative transactions electronically… such as electronic billing and fund transfers” (or pre-authorization, statement of benefits, etc.).

If you have never billed insurance, you might not have to comply with HIPAA. You might want to anyway, though; it’s becoming the standard of care.

Note: If you have ever conducted those transactions, you’re HIPAA for life. :^)

5

Page 6

Basic Terms 3

HITECH: Health Information Technology for Economic & Clinical Health. 2009 Fed. Law updates HIPAA & increases enforcement.

NOPP/NPP: stands for Notice of Privacy Practices.

BA/BAA: Business Associate Agreements.

The Requirements, 1

• Have a "Notice of Privacy Practices" policy and form.

• Update your NOPP now, if not done in 2013.

• Post your updated NOPP in your office.

• Offer all new clients a copy of your updated NOPP, have written proof of this.

• For existing clients, post your updated NOPP on your website, or distribute directly if no website.

6

Page 7

The Requirements, 2

• Have a designated "Privacy Officer" and “Security Officer” (i.e., you) for your office. Example page 30

• Conduct a risk assessment. (Including an inventory of electronic devices that have PHI.)

• Address risks.

• Know what constitutes a breach, and what the procedures are if you have one.

The Requirements, 3

• Have data backup & disaster recovery plans.

• Have a backup person in case you are sick, incapacitated, or die.

• Use strong passwords, virus protection, and a firewall.

• Don't release PHI without signed consent. (This is Code of Ethics, not HIPAA.)

7

Page 8

The Requirements, 4

• Have subs, billing people, employees, admin, cloud storage provider, etc. sign a Business Associate Agreement.

• Encrypt electronic records. (Not required, but strongly recommended.)

• Get “appropriate” training, have written proof.

• Recommended: update your HIPAA training yearly, particularly while we are in this period of change/transition.

The Requirements, 5

• If you use/have electronic records, you must provide patients with electronic EMR w/in 30 days when requested. You can provide via other methods if client agrees.

• Consider using separate psychotherapy notes (I’ll come back to this one).

• Policies & Procedures document (I’ll come back to this).

8

Page 9

The Requirements, 6

• Have a continually updated “HIPAA Compliance File.”

• Have your legal counsel read & approve all HIPAA-related policies, forms, etc.

• Know & follow your professional Code of Ethics.

• Requirements checklist pages 26-27

Texas-specific Requirements

• Expanded definition of “covered entity”.

• Training is required for new employees within 90 days of hire.

• If you use/have electronic records, you must provide patients with electronic EMR w/in 15 days when requested. You can provide via other methods if client agrees. (HIPAA says within 30 days.)

9

Page 10

Progress Notes versus Psychotherapy Notes

• Psychotherapy Notes

– Documenting or analyzing contents of conversation during a counseling session

– Separate from the rest of the medical record

• NOT Psychotherapy notes (i.e., Progress notes)

– Medication Rx and monitoring

– Counseling start and stop times

– Model and frequency of treatment

– Results of clinical tests

– Summary of diagnosis, functional status, treatment plan, symptoms, prognosis, and progress

Risk Assessment

• Although doing a privacy/security self-assessment has been a HIPAA requirement for years, very few therapists have actually done one.

• Consider this a top-priority item. I encourage you to think of this as an ethical issue, too.

• DIY in 3 “easy” steps:

10

Page 11

Risk Assessment: Step 1

• Where is PHI?

o Laptop

o Cell phone

o Biller

o Email

o Document

o paper files

o printer’s hard drive

o deleted computer files

o desk or file cabinet

Risk Assessment: Step 2

• What could possibly go wrong?

• What is the likelihood of that happening?

• What size mess would it cause?

• Document.

11

Page 12

Risk Assessment: Step 3

• Make a plan to address identified risks.

• Prioritize those that are High Risk and/or High Impact

• Document

• Turn to the next page for the sample.
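As an added illustration of Steps 2 and 3 (example code written for this edit, not part of the workshop handout), the script below scores rows like those on the sample risk assessment and orders them for the action plan. It assumes a three-level scale (low=1, medium=2, high=3) and the "priority / routine / unrated" tiers; neither is prescribed by the handout, which only says to prioritize High Risk and/or High Impact items.

```python
"""Risk register helper for the three-step DIY risk assessment.

Constructed example: implements Step 2 (likelihood, impact) and Step 3
(prioritize High Risk and/or High Impact, then document) over rows taken
from the sample risk assessment. The 1..3 numeric scale and the tier
names are this example's own assumptions.
"""
from dataclasses import dataclass

LEVELS = {"low": 1, "medium": 2, "high": 3}


def parse_level(text):
    """Map a free-text rating to 1..3, taking the worst case of a range.

    The sample sheet contains entries such as "low-high" (a range) and
    "high--I only email about appts but clients send private info"
    (a rating followed by a note). We keep the highest level mentioned
    and treat an empty cell as "not yet assessed" (None).
    """
    found = [v for k, v in LEVELS.items() if k in text.lower()]
    return max(found) if found else None


@dataclass
class Risk:
    category: str
    problem: str
    likelihood: str = ""      # free text, exactly as written on the sheet
    impact: str = ""
    solutions: str = ""
    progress: str = ""        # the "Progress / Date Fixed" column

    @property
    def score(self):
        """Likelihood x impact on the 1..3 scale; None if either is missing."""
        l, i = parse_level(self.likelihood), parse_level(self.impact)
        return None if l is None or i is None else l * i

    @property
    def tier(self):
        """Step 3 rule: anything High Risk and/or High Impact goes first."""
        l, i = parse_level(self.likelihood), parse_level(self.impact)
        if l is None or i is None:
            return "unrated"       # still needs Step 2 before it can be ranked
        if l == 3 or i == 3:
            return "priority"
        return "routine"


def prioritize(register):
    """Order rows for the action plan: priority, then routine, then unrated,
    with the higher score first inside each tier (stable for ties)."""
    order = {"priority": 0, "routine": 1, "unrated": 2}
    return sorted(register, key=lambda r: (order[r.tier], -(r.score or 0)))


def action_plan(register):
    """Step 3 'Document': one line per row, ready to paste into the plan."""
    lines = []
    for r in prioritize(register):
        status = r.progress or "open"
        lines.append(f"[{r.tier:8}] {r.category}: {r.problem} "
                     f"(score {r.score}) -> {status}")
    return lines


# Rows constructed from the sample risk assessment in the handout.
SAMPLE_REGISTER = [
    Risk("Cell phone", "Can be lost or stolen.", "high", "low",
         "Require password. Delete PHI. Install remote wiping app."),
    Risk("Cell phone", "PHI in contacts, texting history and email.",
         "medium", "low"),
    Risk("Cell phone", "PHI in archives when device is retired.", "low", "low"),
    Risk("Email", "Can easily be hacked.", "low",
         "high--I only email about appts but clients send private info"),
    Risk("Email", "Clients may share an email account.", "high", "low-high"),
    Risk("Email", "Emails can be sent to incorrect addresses.", "high", "low"),
    Risk("Flash/USB drive", "Super high risk of loss.", "high", "high",
         "Encrypt entire drive."),
    Risk("Screen risks", "Clients can see screen.",
         solutions="Use screen obscuring film."),
]

if __name__ == "__main__":
    for line in action_plan(SAMPLE_REGISTER):
        print(line)
```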

12

Page 13

Sample Risk Assessment

Category | Possible Problems | Likelihood of breach | Potential impact of breach | Possible Solutions | Progress / Date Fixed

Cell phone | Can be lost or stolen. | high | low | Require password. Delete PHI. Create policy for periodically reviewing/removing PHI. Install remote wiping software/app. |

Cell phone | PHI in the contacts list, texting history, and in email. | medium | low | (same as above) |

Cell phone | PHI in archives, possible breach when device is retired. | low | low | Have policy & plan to wipe/sanitize device prior to its retirement. |

Email | Can easily be hacked. This exposes both current email, archived email, email addresses, etc. | low | high -- I only email about appts but clients send private info | Take certain precautions: check the e-mail address for accuracy before sending; send an e-mail alert to the patient for address confirmation prior to sending the message. Create informed consent form re: unencrypted email, with info on alternatives (patient portal, etc.). Limit the amount or type of information disclosed. Use patient portal to send significant PHI. |

Email | Clients may share email account and someone else could see their PHI. | high | low-high | (same as above) |

Email | Emails can be sent to incorrect addresses. | high | low | (same as above) |

Screen risks in general | Clients can see screen. | | | Use screen obscuring film or close/turn off computer. |

Passwords | Hackable: password, abc123, used on multiple sites, etc. | | | Choose high quality password. Consider password manager. |

(c) 2013 Katie Malinski, LCSW. www.HIPAAforTherapists.com This is only a sample. Please do not distribute. Consult your attorney prior to use. 13

Page 14

Sample Risk Assessment

Category | Possible Problems | Likelihood of breach | Potential impact of breach | Possible Solutions | Progress / Date Fixed

Laptop | Laptop has client info on it. Laptop could be stolen (or lost). | | | Remove PHI. Use encryption. Use password. Get wifi security. Turn off computer at end of day. Have policy & plan to wipe/sanitize device regularly & prior to its retirement. |

Laptop | Laptop carried between home and office (used for personal and professional uses). | | | (same as above) |

Laptop | Laptop connected to unencrypted wifi 24/7. | | | (same as above) |

Laptop | PHI in archives, possible breach when device is retired. | | | (same as above) |

Flash/USB drive | Super high risk of loss. | high | high | Encrypt entire drive. |

WIFI | Office wifi is shared. | | | Others sharing wifi are therapists, also bound by HIPAA standards. Misuse by other therapists highly unlikely. Discuss HIPAA regs with other professionals. Create group policy about wifi. Change password. New policy prohibits sharing password. Encrypt wifi. |

WIFI | Password to wifi known to several -- not sure if other therapists are sharing it. | | | (same as above) |

WIFI | Office/home wifi may not be encrypted. | | | (same as above) |

Texting | PHI in archives, possible breach when device is retired or if stolen. | | | Have policy & plan to wipe device prior to its retirement. Use password. Prohibit PHI via texting. Limit content/sensitivity of PHI. Use encryption. Use patient portal type systems. Create, document, revise relevant policies. |

Texting | Message can be intercepted or mis-delivered. | | | (same as above) |

14

Page 15

Sample Risk Assessment

Category | Possible Problems | Likelihood of breach | Potential impact of breach | Possible Solutions | Progress / Date Fixed

Your bank or credit card processor | No BAA on file. | | | Probably okay. Basic financial transactions are not considered PHI. Elec. receipts & invoices aren't basic. |

Carbonite/online backup | No BAA on file. | | | Get BAA or switch to HIPAA compliant storage/cloud. |

Client informed? | Clients may not be adequately informed of risks of emailing their PHI. | | | Need informed consent specific to email. |

Billing contractor | Don't have BAA on file from them. | | | Get BAA. |

Cleaning crew, landlord, property manager | Have access to office. Unsecured paperwork and computers could be seen/used. | | | Secure PHI at the end of every day. Lock records. Password protect computer. Consider encryption. Consider BAA. Ask for entry log. |

Banking software/Quicken, etc. | Has client info. | | | Use initials. Password protect. Get BAA for online services. |

Digital copier/printer | May have PHI on stored hard drive. Can be stolen or accessed after retirement/end of lease agreement. | | | Create and maintain plan to periodically wipe hard drive of copier. Sanitize upon retirement. |

Website contact form | Probably stores info on server. Info avail. to hosting employees, website admins, etc. | | | Use email address instead, or can use form w/in Google Apps (with BAA). |

Other | | | | |

15

Page 16

Email and Texting

• Not secure!

– PHI transmitted when emailing or texting

– PHI is available to companies/providers

– Open to hacking

– Could be misdelivered or seen by wrong person

• Solutions

– Stop

– Encrypt

– Use a portal

– Get client’s informed consent. Sample page 31

HIPAA Policies & Procedures Document, 1

• Create a Policy & Procedures document for your practice. This document will basically state that you are going to do all the things you are supposed to do.

• It’s very meta.

• This piece meets with a lot of resistance, understandably. Just plan to take it step by step.

16

Page 17

HIPAA Policies & Procedures Document, 2

Items to include:

• Culture statement, like: "Protecting the security and privacy of my clients' PHI is very important to me. To this end, I will follow the procedures listed below, all procedures listed in my NOPP & BAA policies, my professional Code of Ethics, and all applicable state and Federal laws concerning the privacy and security of my clients’ PHI.”

• ____ is the designated privacy officer. All privacy related questions or requests will be addressed by her/him.

• ____ is the designated security officer. All security related questions or requests will be addressed by her/him.

HIPAA Policies & Procedures Document, 3

• HIPAA risk assessment will be reviewed & updated quarterly. When PHI is identified as being at risk, a response plan will be developed and documented in the risk assessment. Timelines and progress will also be recorded in the risk assessment.

• HIPAA compliance file will be reviewed [quarterly.]

• Contingency plan: what you’ll do if fire/sickness/death.

• Small breaches: written on the breach log & filed w/OCR at year end.

• Large breaches (500+) will be filed with OCR within 60 days.

17

Page 18

HIPAA Policies & Procedures Document, 4

• Other P & P related to breaches

• Complaints will be documented on the Complaint Log.

• Disclosures are logged in each patient's file.

• All HIPAA documentation will be kept on file for a minimum of 6 years.

• All businesses that have access to PHI will have a BAA on file.

• I will participate in a HIPAA training once per ____ (I recommend yearly for now).

Other HIPAA Stuff

• Know that clients can opt out of allowing communication with the insurance company if they entirely self pay.

• There is no such thing as “HIPAA Certified.” This federal law is generally non-specific about technologies/practices/solutions, preferring instead to put us in charge of identifying risks and taking appropriate steps to prevent/minimize them.

18

Page 19

Other HIPAA Stuff

Therapists probably don’t need to be told, but:

• Patients can request to opt out of certain fundraising communications

• Providers must get permission to sell PHI

• There are limits on how PHI is used for certain kinds of marketing

HIPAA vs. Your Code of Ethics

• Under HIPAA

– Easier for family to have involvement in care

– Allows release of PHI for treatment or financial reasons without consent

• Code of Ethics

– Client has control of who can be involved

– Consent required even for treatment purposes, financials

• Follow Ethical Codes or State Laws that are more strict

19

Page 20

HIPAA Compliance File

What goes in it | Where to get it

NOPP Form | My forms packet, NASW, your lawyer

NOPP Policy | My forms packet, NASW, your lawyer

Compliance & Privacy Officer Designation | Sample from me, make your own

Risk Assessment | Sample from me, make your own

Informed Consent | Your existing form/DIY, internet search, your lawyer

Email Consent | Sample from me, make your own

Consent to Release | My forms packet, NASW, your lawyer, TX AG office

Handout page 28

HIPAA Compliance File-2

What goes in it | Where to get it

Business Associate Policy | My forms packet, NASW, your lawyer

Business Associate Form | My forms packet, NASW, your lawyer

Breach Policy | My forms packet, NASW, your lawyer

Breach Notification Log | My forms packet, NASW, your lawyer

Complaints Log | My forms packet, NASW, your lawyer

Disclosure Log (in client file) | My forms packet, NASW, your lawyer

Handout page 28

20

Page 21

HIPAA Compliance File-3

What goes in it | Where to get it

Ongoing Compliance Review Log | Sample from me, make your own

Policy & Procedure Document, if using | My forms packet, your lawyer, DIY

Any other forms, including old forms: keep for 6 years |

Proof of CE on HIPAA. Recommended: yearly updates. | CEU provider. Me! www.HIPAAforTherapists.com

HIPAA Compliance File Checklist: page 28

See sample/green binder

HIPAA Compliance Log

Task | 1st quarter/date | 2nd quarter/date | 3rd quarter/date | 4th quarter/date

Reviewed risk assessment & current security/privacy protocols | | | |

Identified new potential risks | | | |

Created plan/timeline to address new risks if needed | | | |

Reviewed HIPAA compliance file | | | |

Updated forms as needed | | | |

Participated in HIPAA training (attach CEU certificate) | | | |

Other | | | |

Handout page 29

21

Page 22

Possible Solutions

Cloud-based practice management system (CBPMS)

– Probably the easiest solution

– Generally have calendar, notes, and chart functions. Some also: bill insurance, patient portal, intake paperwork, iPhone app, and more.

– Allow you to keep stored PHI off your own devices; this significantly simplifies your tech risks.

– I use and love Simple Practice.

– Check out Rob Reinhardt’s blog (resource page) for a review of all major systems.

Possible Solutions

Google Apps for Business

– $5/month per user

– Will sign a BAA

– Includes Calendar, Email, Drive and Vault.

– Complicated to set up but they have customer services reps to take you through step by step.

22

Page 23

Possible Solutions

Go paperless!

– Satisfies data backup & disaster recovery challenges.

– I believe this is the ‘way of the future.’

– Choose a CBPMS for your practice going forward.

– Old files: scan them, save files with encryption and multiple backups. Shred files. Big job.

– For new clients: choose a CBPMS that lets clients fill out forms online ahead of time. OR, continue to use paper intake forms, which you then scan/shred. Think about the fit & ethics for your client base.

– Most cloud-based systems allow uploads for handwritten notes or art, etc.

When you have questions…

1. Interpreting law needs a lawyer.

2. Evaluate your situation. Include:

   1. Your clients’ needs

   2. Ethics

   3. Sustainability/practicality

   4. Your risk tolerance

23

Page 24

What else is in your packet?

• HIPAA Requirements Summary checklist, p. 26

• HIPAA Compliance File checklist, 28

• My ongoing HIPAA compliance log form, 29

• My designated privacy/security officer form

• My email/texting consent form, 31

• My Complaints log, 32

• More valuable resources, 33

• How to get more support for this process

How to Get Started

Consider doing one of these tasks tonight:

• Get a manila folder, write “HIPAA Compliance File” on it. Put your existing NOPP & today’s training certificate in it.

• Buy the Forms Packet

• Create a “I am the privacy/security officer form.”

• Create (or copy my) email consent form.

• Start a list of where ePHI is kept in your practice.

• Look into encryption.

• Sign up for my follow-up group (accountability & support!)

24

Page 25

Lean In

• Therapists highly value client privacy.

• This legislation is a chance to keep up our high privacy standards in a changing and technological world.

• Going through the risk assessment process can help identify and improve places where your ‘back-office’ standards aren’t up to the level of excellence you aim for clinically.

• This process can help you feel more confident and proud of your ‘practice management,’ and less worried about what might happen the next time someone asks to look at your files. This is an important part of Ethical practice.

• There is good in these new guidelines—both for you and for your clients, and you can handle this well.

25

Page 26

©2013 Katie Malinski, LCSW. www.HIPAAforTherapists.com Please do not distribute. Please do consult with your attorney before use. This is not legal advice.

HIPAA Requirements Checklist

Check! | I have this! | I don’t have this. My plan to get this done: | Completion date:

Have a "Notice of Privacy Practices" policy, updated for 2013. | | |

Post your updated NOPP in your office, AND on your website. Distribute to clients directly if no website. | | |

Offer clients a copy of your NOPP, have written proof. | | |

Have a designated "Privacy Officer" and “Security Officer” (i.e., you) for your office. | | |

Conduct a risk assessment (including an inventory of electronic devices that have PHI). Address risks. | | |

Know what constitutes a breach, and what the procedures are if you have one. | | |

Have data backup & disaster recovery plans. | | |

Have a backup person in case you are sick, incapacitated, or die. Document this for yourself & with them. | | |

Use strong passwords, virus protection, and a firewall. Consider consulting with an IT professional. | | |

26

Page 27


Check! | I have this! | I don’t have this. My plan to get this done: | Completion date:

Don't release PHI without signed consent. (This is Code of Ethics, not HIPAA.) | | |

Have a continually updated “HIPAA Compliance” file. See sample for contents. | | |

Know & follow your professional Code of Ethics. | | |

Have subs, billing people, employees, admin, cloud storage provider, etc. sign a BAA. | | |

Recommended: Encrypt electronic records. | | |

Consider using separate psychotherapy notes. | | |

HB300 says: If you use/have electronic records, you must provide patients with electronic EMR within 15 days when requested. You can provide via other methods if client agrees. (HIPAA says within 30 days.) | | |

Get “appropriate” training. HB300: employee training within 90 days. Recommended: updated training yearly. | | |

Know that clients can restrict communication with the insurance company if they self pay. | | |

Have a Policies & Procedures document. | | |

Have legal counsel read & approve all HIPAA-related policies, forms, etc. | | |

27

Page 28


HIPAA & HB300 Compliance File Checklist

Form needed | Do you have it? | Where you can get it | Notes

NOPP form | | My forms packet, NASW, your lawyer |

NOPP policy (inc. policy on handling complaints) | | My forms packet, NASW, your lawyer |

Designating Compliance Officer & Privacy Officer | | Sample from me, make your own |

Risk Assessment | | Sample from me, OCR, make your own |

Informed Consent | | Your existing form/DIY, online search, your lawyer |

Email Consent | | Sample from me, make your own |

Consent to Release Form | | My forms packet, NASW, your lawyer, TX AG office |

Business Associate Policy | | My forms packet, NASW, your lawyer |

Business Associate Form | | My forms packet, NASW, your lawyer |

Breach Policy | | My forms packet, NASW, your lawyer |

Breach Notification Log | | My forms packet, NASW, your lawyer |

Complaints Log | | Sample from me, make your own |

Disclosure Log (in client file) | | My forms packet, NASW, your lawyer |

Ongoing Compliance Review Log | | Sample from me, make your own |

Policies & Procedures document | | My forms packet, DIY, your lawyer |

Any other forms, including old forms: keep for 6 yrs | | |

Proof of “appropriate” training. Rec: yearly | | From CEU provider. Mine: www.HIPAAforTherapists.com |

28

Page 29


HIPAA Compliance Log

Task | 1st quarter/date | 2nd quarter/date | 3rd quarter/date | 4th quarter/date

Reviewed risk assessment & current security/privacy protocols | | | |

Identified new potential risks | | | |

Created plan/timeline to address new risks if needed | | | |

Reviewed HIPAA compliance file | | | |

Updated forms as needed | | | |

Participated in HIPAA or HB300 training (attach CEU certificate) | | | |

Other | | | |

29

Page 30

Katie Malinski LCSW

3906 North Lamar Boulevard, Suite 208 • Austin, Texas 78756 • 512-940-4477 www.katiemalinski.com

Designated Privacy and Security Officer for this Practice

Katie Malinski, LCSW is the designated Security Officer for this practice.

Katie Malinski, LCSW is the designated Privacy Officer for this practice.

All privacy and security questions, requests, and concerns should be directed to me, and I will be responsible for handling them.

Policy effective date: April 1, 2013.

***This is just a sample. Please consult your attorney prior to use. This is not legal advice.***

30

Page 31

Katie Malinski LCSW

3906 North Lamar Boulevard, Suite 208 • Austin, Texas 78756 • 512-940-4477 www.katiemalinski.com

Email and Texting Consent

HIPAA regulations and my professional Code of Ethics both require that I keep your Protected Health Information private and secure, and indeed I want to do so. Email is a very convenient way to handle administrative issues like scheduling or receipt requests, but email is not 100% secure. Some of the potential risks you might encounter if we email include:

• Misdelivery of email to an incorrectly typed address.

• Email accounts can be ‘hacked,’ giving a 3rd party access to email content and addresses.

• Email providers (i.e., Gmail, Comcast, Yahoo) keep a copy of each email on their servers, where it might be accessible to employees, etc.

For these reasons, I will not use email to discuss clinical issues (i.e., the important things we talk about in session).

If you are comfortable doing so, I am happy to use email to handle small administrative matters like scheduling and billing.

If you are not comfortable with these risks, we can handle administrative issues via phone calls.

If you choose to subscribe to my parenting e-newsletter, that will be emailed to you until you choose to unsubscribe.

I do not text.

Please indicate your preference about email below and sign.

I [ ] DO [ ] DO NOT consent to use email for administrative matters.

If given, consent will expire 2 years after our last appointment. This means that I will not initiate contact via email, although you are always still welcome to email me, and I can reply briefly if you do.

Name Date

***This is just a sample. Please consult with an attorney before use. This is not legal advice.***

31

Page 32

© Katie Malinski, LCSW 2013. This is just a sample. Please consult with an attorney before using. Please do not distribute this form.

Complaints LOG

Complaints Policy: (Also listed in the NOPP Policy.)

If a client has a complaint about a privacy or security matter, the Privacy Officer (YOURNAMEHERE) is available to discuss the concern. Complaints will be taken seriously, treated with respect, and you will not be retaliated against. You may also file a complaint with the federal Office of Civil Rights. The OCR complaint procedures can be found here: www.hhs.gov/ocr/privacy/hipaa/complaints/

Policy effective date: April 1, 2013.

Complaints Log

Date | Client | Complaint | Outcome

32

Page 33

© 2013 Katie Malinski, LCSW. Ducks in a Row: HIPAA & HB300 for therapists. www.HIPAAforTherapists.com

Resources

Office of Civil Rights (OCR) This is the federal agency in charge of HIPAA.

o Info for Covered Entities:

http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html

o The OCR’s FAQ answer about email:

http://www.hhs.gov/ocr/privacy/hipaa/faq/health_information_technology/570.html

o Breach info: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/

HB300. Read the whole thing—it’s short!

o http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.181.htm

Person-Centered Tech/Roy Huggins. A therapist who is also a tech expert!

o http://www.personcenteredtech.com

o Offers technology trainings & great info on his website/blog and LinkedIn group.

Tame Your Practice/Rob Reinhardt: Another therapist who is also a tech expert. His blog has a very helpful review of all the major practice management programs.

o http://www.tameyourpractice.com/

Simple Practice

o Cloud-based practice management system I use & love

o http://www.simplepractice.com/

NASW (I’ll include the other prof. orgs as soon as they have resources!)

o Sample forms including NOPP, NOPP policy, BAA, Disclosure Log, etc.

o Forms at: www.socialworkers.org/hipaa

o Several HIPAA & HB300 webinar trainings by a lawyer. (one is free)

“Ducks in a Row” HIPAA & HB300 CEU training. This is my website!

o www.HIPAAforTherapists.com

o Sign up for my mailing list (“Tiny Ducks”: HIPAA update info)

o Read the NASW article

o Coming soon: Interactive program that supports you step-by-step to actually get the work done! :^)

Erin Gilmer, Austin-based HIPAA attorney.

o Also does patient advocacy work & help with the legal side of insurance.

o http://www.gilmerhealthlaw.com/

33