PHI & ROIs
W's
Key Rules
True or False
What Thrive does
100

What does PHI stand for? 

Protected health information

100

Why do we take refresher HIPAA trainings? 

Covered entities are required to provide periodic HIPAA Compliance training to employees

100

What is the Breach Notification Rule?

Requires that covered entities notify HHS of any breaches to PHI

100

The most secure way to share information with a client is via SP. 

TRUE

100

Where can you find our HIPAA Policies & Procedures?

Employee Handbook

200

Name 3 examples of PHI.

Identifiable info:

name, phone number, date of birth, address, initials, medical treatment or diagnoses

relates to client's past, present, or future treatment

200

What is HIPAA?

- federal law

- governs the electronic transmission of health records

- applies to "covered entities"

200

What is the Privacy Rule? 

- protects all identifiable information about a client

- includes paper & electronic PHI

- requires that covered entities have HIPAA Policies & Procedures and strive to mitigate harm

200

Any online video platform is a secure method of providing telehealth.

FALSE

Examples: Skype, Zoom without a BAA are NOT secure

FaceTime is secure (end to end encryption)

200

Who is Thrive's Privacy & Security Officer?

Ivy

300

When does PHI HAVE to be released? 

- When there is a national security investigation

- When required by law (mandated reporting, Tarasoff)

300

Why does HIPAA matter? 

- law

- provides consistent standards & protections nationwide

- ties in with Code of Ethics (confidential info, ROIs, patient records)

300

What is the Security Rule? 

focuses on physical, technical, and administrative safeguards for PHI

300

Maintaining unique, secure passwords for your Thrive Google account and SP account is part of your therapist responsibilities. 

TRUE

300

What is Thrive's policy about releasing client PHI?

- respect client privacy and therapeutic relationship

- if possible, inform clients about releases of info. 

- if we receive a records request for a current client, we check with the client first before releasing records. If the person is not a current client and there is a signed ROI, we release the records.

400

When CAN PHI be released without an ROI?

- given to the client

- for the payment of services

- for public health or for limited research purposes

- between medical providers for treatment coordination

400

Where are psychotherapy notes stored? 

- SEPARATELY from client record

- in SP under "Psychotherapy Note" section

400

What is an example of a security safeguard? 

- using a HIPAA compliant EHR like SP

- keeping physical client records locked and secure

- having a plan in the event of a disaster (thanks, SP!)

- limiting who has access to PHI 

400

When we have a BAA in place, it's safe to open any email attachments because of the agreement with the business associate.

FALSE

A BAA with Google does not protect against phishing, hacking, or scams.

400

What are 2 ways Thrive manages adhering to HIPAA for you? 

- limiting who has access to PHI in SP (can only see your clients records)

- using Business Associate Agreements (BAAs) with outside entities (gmail, Google Voice, Zoom)

- Ivy performing an annual Risk Analysis & HIPAA Audit

- Keeping our HIPAA policies & procedures updated in Handbook

- Reporting breaches as needed

- Providing periodic HIPAA training

500

What should providers keep in mind when releasing PHI? 

- Minimum necessary standard

- Timely access to records (30 days)

- Clients have the right to request to amend their record if they believe it is inaccurate (Provider can agree and add a note, or disagree and the client can submit a statement)

500

What are psychotherapy notes? 

- notes made by therapist in or after session

- CAN include: therapist's thoughts/observations, info therapist wants to remember for later

- CANNOT include: modalities of treatment, diagnosis, treatment plan, symptoms, prognosis, or progress

- HAVE to be stored separately

500

What is a BAA? 

Business Associate Agreement

HIPAA Rules require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information.  

500

If a client says they don't care who has access to their PHI, covered entities are released from following HIPAA.

FALSE

Clients can choose what info to share with whom.

Covered entities are still required to ensure that HIPAA practices are in place. 

500

What are 2 examples of responsibilities therapists at Thrive have for protecting client data?

- using secure logins for SP and gmail

- not saving client ePHI to your laptop, phone, etc

- not releasing PHI or ePHI, other than in methods that comply with HIPAA. Non-compliant EXAMPLES: having SP open at a coffee shop where others can see your screen, leaving a printed form with a client's name on your desk where it's visible to another client, telling a friend a story about a client that includes PHI
