What does HIPAA stand for?
Health Insurance Portability and Accountability Act.
What is ESM’s policy on releasing client information?
Client information is confidential and can only be released with written authorization or when legally required.
Can you name one specific right a client has under confidentiality laws?
What should ESM staff do if served a subpoena for a client’s records?
Do not accept the subpoena—direct the individual to Karina Genest.
An ESM staff member receives a call from a hospital stating a client has been admitted to the hospital. What should the response be?
"We can neither confirm nor deny the presence of any individual receiving services from this agency" if we do not have a release of information on file.
What type of information is protected under HIPAA?
Protected Health Information (PHI), which includes names, medical records, addresses, and billing information.
Can ESM staff confirm whether an individual is an ESM client?
No, staff must respond with: "We can neither confirm nor deny the presence of any individual at this facility."
What administration enacted the HIPAA laws?
Clinton
Under ESM policy, who has the authority to handle legal document requests?
Karina Genest or a designated representative.
A case manager at ESM learns a client is suicidal. What must they do?
They must follow duty to warn and protect laws, meaning they may breach confidentiality if the client is at immediate risk. Ensure you follow up with your supervisor immediately if you have contacted EMS or Law Enforcement. Complete a reportable event within 24 hours.
Who must comply with HIPAA regulations?
Healthcare providers, insurers, business associates, and any entities handling medical data.
What are the four primary reasons we may breach confidentiality?
Duty to warn (harm to self/others), child/elder abuse reporting, legal court orders, and health emergencies.
True or False: companies that destroy client PHI documents do not have to abide by HIPAA?
False. Companies that store or destroy medical records must follow the HIPAA regulations.
What should ESM staff do if law enforcement arrives at any office with a court order?
Contact Karina Genest immediately or your supervisor if she is not available. Do not confirm or deny the client's presence.
You overhear a conversation in which a CCM discloses PHI about a client you do not work with. What should you do?
Speak with the CCM and inform them of the incidental disclosure of PHI. Encourage that such conversations be held in private whenever possible.
What is the main purpose of the HIPAA Privacy Rule?
To protect individuals' medical records and limit access to health information without proper authorization.
How should ESM staff handle visitor inquiries about clients?
Any disclosure of client information must follow the confidentiality protocol.
What injury might you sustain that allows for disclosure of your PHI?
Gunshot
What is the name of the added layer of protection individuals with substance use disorders have regarding their PHI?
42 CFR. Noncompliance with 42 CFR Part 2 disclosure rules can lead to significant civil fines and, in some cases, criminal charges.
A CCM receives a call from a well-known provider with whom a previous client now resides. The provider needs to verify the client's medication list because he has run out. What should the CCM do?
No details should be shared. We cannot disclose any information, even if the client previously had an ROI on file for this provider. All ROIs are no longer valid after a client is discharged.
Under what circumstances can PHI be disclosed without consent?
Mandatory reporting (child/elder abuse), legal subpoenas, law enforcement investigations, and medical emergencies.
What are the financial penalties for breaching HIPAA?
Tier 1: Up to $100,000 per violation or $100,000 per day, whichever is greater.
Tier 2: Up to $250,000 per violation or $250,000 per day, whichever is greater.
Tier 3: Up to $500,000 per violation or $500,000 per day, whichever is greater.
Tier 4: Up to $1,000,000 per violation or $1,000,000 per day, whichever is greater.
Name two entities that are not required to abide by HIPAA.
What is the difference between a subpoena and a court order in terms of ESM’s legal obligations?
A subpoena requests information, but a court order mandates compliance. ESM must seek legal review before responding to either.
An ESM CCM wants to discuss a client’s case with an external provider for better care coordination. What must be done first?
They must obtain client consent before sharing any protected information, as all CCMs must follow strict confidentiality under HIPAA.