Privacy Statement and HIPAA

POLICY:
The purpose of this policy is to establish privacy safeguards as described in the Health Insurance Portability and Accountability Act (HIPAA). This federal regulation was created to protect individually identifiable health information from unauthorized use or disclosure, and to further protect such information from tampering, loss, alteration or damage. It is not the intent of this Enola policy and procedure to address all of the safeguards necessary to protect electronic data containing individually identifiable health information, as those safeguards are addressed in the Group Security policies and procedures.

GENERAL:
Since The Enola Group maintains individually identifiable health information, the Group is required to put into place appropriate administrative, physical, and technical safeguards to protect the privacy of such information. Federal legislations require procedures that reasonably safeguard individually identifiable health information from intentional or unintentional use or disclosure that is in violation of privacy policies.

  • Administrative Safeguards: Individually identifiable health information will be implemented. Confidential information that is transmitted by facsimile (fax) machines, e-mail, printers, copiers, by telephone or other oral means of communication must be protected from unauthorized use and disclosure.
  • Physical Safeguards: Individually identifiable health information will be implemented for physical safeguards to prevent unauthorized use or disclosure of individually identifiable health information maintained by the organization.
  • Technical Safeguards: Individually identifiable health information will be implemented for all computer systems and other electronic media, including identification of staff who need access to electronic data and control of access through the use of passwords.

BACKGROUND:
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule requires covered health care components to implement appropriate administrative, physical, and technical safeguards to avoid unauthorized use or disclosure of individually identifiable health information.

Agencies are not asked to “guarantee” the safety of individually identifying health information against all imaginable assaults; instead, agencies are instructed to use protections that are flexible, scalable, and provide reasonable safeguards. Agencies are also instructed to consider the potential impacts on client care and other issues such as the financial and administrative burdens of implementing various safeguards. Safeguards addressed in this policy and procedures include the administrative, physical, and technical protections necessary for safeguarding individually identifying health information as it is found in the working environment (e.g., oral communications, paper records, medical supplies/equipment, computer screens, etc.).

PROCEDURES:
The Enola Group has assessed the individually identifiable health information that it receives, sends, uses, and maintains throughout, and has implemented reasonable administrative, physical, and technical safeguards in order to ensure that information is protected and is not subject to unauthorized use or disclosure.

Administrative Safeguards
Disclosure of individually identifiable health information is essential for a variety of reasons, including treatment, payment of health care services, and health care operations (TPO) purposes. Safeguarding such information requires that Enola Group ensure disclosures are permitted for treatment, payment, or operations purposes, or authorized by the client’s guardian, or else required or permitted by law. The Group must also ensure that the disclosure does not violate a communications or use and disclosure restriction that the client or client’s guardian has requested and the Group has granted. Procedures have been developed that ensure methods used for disclosing individually identifiable health information outside of the Group are safeguarded to protect client confidentiality and the agency’s use and disclosure of such information.

Mail or Hand Delivery
Whenever feasible, documents containing individually identifiable health information should be hand delivered or mailed using the US Postal Service, courier, or other delivery service. All documents containing individually identifiable health information shall be placed in a secure container (e.g., sealed envelope) that is labeled “Confidential”, is addressed to the recipient, and includes a return name and address. When transmitting individually identifiable health information via interoffice mail, the information shall be placed in a sealed envelope and then placed inside the interoffice envelope.

Facsimiles
The Enola Group has designated the following specific fax machines that may be used to send and/or receive documents containing individually identifiable health information:

  Administrative Office 828-433-5520
  Human Resource Office 828-437-6189
  Signature Day 828-433-4490
  EHS Caldwell 828-757-8632
  EHS Alexander 828-635-1469
  EHS Burke 828-438-6457

 

Incoming fax transmissions of documents that contain individually identifiable health information are protected from unauthorized disclosure to staff or others who are not authorized to access the information. The Enola Group staff should request that those faxing confidential information should call in advance to schedule the transmission. All incoming faxes containing individually identifiable health information must be promptly distributed to the appropriate party or placed in a secure place until the documents can be retrieved. This requires frequent monitoring of fax machines Efforts to protect outgoing fax transmission of documents containing individually identifiable health information shall be initiated by staff as follows. Prior to faxing such documents, staff shall attempt to schedule the transmission with the recipient, so that the faxed document can be promptly retrieved by the recipient. Where feasible, routine destination fax numbers are pre-programmed into fax machines. Fax machine managers should test pre-programmed numbers every three months in order to further reduce transmission errors. The fax machine managers should also request that routine recipients of faxed documents containing individually identifiable health information inform the agency immediately if their fax number changes so that records and programmed numbers can be updated accordingly.Staff who are authorized to send faxes with individually identifiable health information shall check the recipient’s fax number before transmittal and shall confirm delivery via telephone or review of the confirmation of fax transmittal. Fax machine managers should maintain fax transmittal summaries and confirmation sheets for six (6) years.In the event of a misdirected fax, the recipient must be contacted immediately and shall be asked to destroy the information by either burning or shredding the document. Misdirected faxes containing protected health information are considered accidental disclosures and must be accounted for in accordance with the Group’s ‘Use and Disclosure, Accounting of Disclosures’ policy and procedure. A Disclosure of PHI form should be completed. In addition, the fax machine manager shall complete a Privacy Incident Report in accordance with ‘Administrative, Privacy Incident Reporting’ policy and procedure.

Enola Group fax machine managers should ensure that the following confidentiality statement is included on all fax cover sheets used when transmitting documents containing individually identifiable health information.

“The documents accompanying this transmission contain confidential health information that is legally privileged. This information is intended only for the use of the individual or entity named above. The authorized recipient of this information is prohibited from disclosing this information to any other party unless required to do so by law or regulation and is required to destroy the information after its stated need has been fulfilled. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or action taken in reliance on the contents of these documents is strictly prohibited. If you have received this information in error, please notify the sender immediately and arrange for the return or destruction of these documents.”

In addition to the required confidentiality statement, the fax cover sheet should contain:

Sender’s name
Mailing address
Email address
Phone number
Fax number
Recipient’s name
Phone number
Fax number
Number of pages transmitted, including coversheet; and Instructions for verification of fax receipt

Email
Enola Group staff are encouraged to use communication methods other than email when sending individually identifying health information, however it is recognized that in some instances such transmissions are necessary in order to operate efficiently. Prior to establishing e-mail communication containing individually identifying health information, Group staff must recognize that e-mail is considered public record, but confidential information contained in or attached to an e-mail can be protected from public disclosure in accordance with G.S. 132-6. Furthermore, staff sending PHI through email must recognize that e-mails containing individually identifying health information can be forwarded by the recipient to someone not authorized to have access to the information; therefore, communications via e-mail shall only be sent to persons who understand DHHS privacy policies.

When sending PHI using email, the following rules should be used:

1) Avoid using e-mail for particularly sensitive matters (e.g., HIV status, psychiatric disorders) and time-sensitive messages (e.g., appointment scheduled for next day).

2) Avoid including individually identifiable health information in the subject line or body of an e-mail. If it is essential for the efficiency of business operations to send individually identifiable health information via e-mail, the information must be sent as a password protected attachment to the e-mail. Staff are discouraged from using direct identifiers in the attached document (e.g., client name, social security number, address) unless necessary, and should de-identify the information whenever feasible in accordance with the Group’s Privacy Policy, ‘Use and Disclosure, De-Identification of Protected Health Information’. The intended recipient of the information must be aware that the information will be forthcoming and provided with the password to open the file attachment. Note: Do not email the password.

3) Ensure that e-mails are addressed correctly by reviewing the recipient's e-mail address before sending the e-mail and making sure the e-mail client software did not automatically fill in an incorrect e-mail address after the first few characters were typed.

4) When disclosing individually identifying health information to a third party for purposes other than treatment, payment or health care operations, the disclosure must be documented and accounted for in accordance with Privacy Policy, ‘Use and Disclosure, Accounting of Disclosures’.

5) In the event of a misdirected e-mail with a body which contains PHI or a file attachment that was NOT password protected that contains individually identifying health information, the recipient must be contacted immediately and shall be asked to delete the e-mail and attachment. Misdirected e-mails containing PHI in the body or attachments with PHI which are not password protected are considered accidental disclosures and must be accounted for in accordance with the Privacy Policy, ‘Use and Disclosure Policies, Accounting of Disclosures’. In addition, the staff person shall complete a Privacy Incident Report in accordance with the Privacy Policy, ‘Administrative, Privacy Incident Reporting’.

6) Enola Group staff shall include the following confidentiality statement on all e-mails containing individually identifiable health information as file attachments.
“The documents accompanying this e-mail contain confidential health information that is legally privileged. The authorized recipient of this information is prohibited from disclosing this information to any other party unless required to do so by law or regulation and is required to destroy the information after its stated need has been fulfilled. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or action taken in reliance on the contents of these documents is strictly prohibited. If you have received this information in error, please notify the sender immediately and delete the e-mail and accompanying file attachment.”

Enola Group will not compile client e-mail addresses for marketing or fundraising purposes or supply client e-mail addresses to any third party for advertising, solicitations, or any other use.

Telephone
Whenever it is necessary for staff to discuss individually identifiable health information via the telephone with a client or a client’s family members or friends, workforce members, business associates, or other health care providers, staff must follow requirements for protecting such information.

Staff may only release a specific client’s health information over the telephone to persons who have a right to receive and a need to know status as regards the information being released. Furthermore, protected health information may only be mentioned over the phone when the person doing so is absolutely sure of the identity of the person he or she is speaking with. The Group shall honor any agreed upon requests made by the client or client’s guardian as to the use of alternate forms of communication (e.g., alternate telephone numbers) or restrictions regarding the use or disclosure of that clients individually identifying health information (see “Consumer Rights, Client Privacy Rights). Telephone conversations that include the use or disclosure of confidential information should be conducted in private locations wherever possible and in a low voice to ensure such information is shared with only the intended recipient.

When receiving calls, staff shall not discuss individually identifiable health information (e.g., client’s diagnosis or condition) until the following can be confirmed: 1) Identity of the caller (e.g., a “call back” to validate the number called, or definite voice recognition) 2) Verification that the caller has a need to know, and the use or disclosure of confidential information is permissible.

If confirmation cannot be made, the staff person shall not confirm or deny that the client has in the past or is currently receiving services from the Group.

When making calls, staff shall not discuss individually identifiable health information until the identity of the person on the phone line has been confirmed. In the event an answering machine or voice mail system picks up the call, staff should leave a message requesting that the person they need to speak to return the call. The message shall include ONLY the name and telephone number of the person that should receive the return call (e.g., “This message is for Mary Jones. Please contact Mary Smith at 555-1313). Messages left on an automatic answering machine or voice mail system shall not contain individually identifiable health information (e.g., name of the client, diagnosis, test results, etc.).

Agency staff shall be informed of the security risks of cellular and wireless phones. Communication via cellular and wireless phones should not be used to discuss confidential information; as such, communication is not secure, unless encrypted. Staff shall not use these devices to communicate confidential information unless there is an emergency or a wired; landline phone is not readily available.

Other Oral Communications
Staff should take reasonable steps to protect the privacy of all verbal exchanges or discussions of individually identifying health information, regardless of where the discussion occurs. Where possible, staff should use enclosed offices for the verbal exchange of individually identifying health information. In work environments that contain few offices or closed rooms, staff participating in the verbal exchanges of individually identifying health information shall conduct these conversations in a low voice and as far away from others as possible. Employees are responsible for avoiding talking about residents outside of the workplace (at restaurants, during lunch hour, for example).

Privacy Safeguards Training
Enola Group includes training on safeguards in the Privacy training provided to all employees. Staff are trained in the Group’s procedures for carrying out all the administrative, physical, and technical safeguards that Enola Group has in place to guard against unauthorized use or disclosure of individually identifiable health information.

Monitoring Compliance
Enola Group monitors staff compliance with the Privacy Safeguards policy and procedure through the mechanism of periodic walk-through conducted by the members of The Enola Group Privacy and Security Committee, and through the use of the Minor HIPAA Violation Tickets issued by the members of that committee. In addition, staff are taught the privacy safeguards, and taught to self-report privacy safeguard violations.

Physical Safeguards
A physical safeguards assessment has been conducted in order to assess The Enola Group’s work areas for privacy and physical safeguards of individually identifiable health information. The information collected was used to determine where physical safeguard deficiencies existed, and to identify the measures necessary to secure the area. The Group will reassess physical safeguards every two years, in January of odd-numbered years, and also any time a new location is used for providing services. Physical Access The Enola Group has identified those areas where staff routinely maintain, transmit, and receive individually identifiable health information. These areas include both staff offices and the homes where residents live. Locations containing protected health information should be either constantly manned by employees who have received privacy training, or physically secured as appropriate during business and non-business hours. Such areas should only be accessed by authorized staff.

Offices which contain protected health information shall employ a two-level protection system. Every time such offices are not manned by an employee who has received privacy training, the office door will be closed and locked, AND no PHI will be left visible within the office. Turning over paper which reveals PHI so that the blank back is showing is, when combined with the locked door, an acceptable method of protecting PHI. Employees are responsible for locking the office at the end of the day, and locking lockable storage cabinets, when applicable, at the end of the day.

Staff must be particularly mindful of locating shared fax machines, copiers and printers in areas where physical access is controlled. Client records storage areas should be locked at all times other than when manned by an employee who has received privacy training.

Homes at The Enola Group have private areas, where the public is not allowed to go unescorted, and public areas. Public areas of homes shall have no PHI visible, including full names of residents on bulletin boards, chalk boards, or white boards. Pictures of residents may be hung in private areas, such as bedrooms, or in any private or public area if authorization has been received from the resident’s guardian. Any time resident names are visible in public areas, only the first name and last initial of the resident shall be used.

Meeting rooms which include white boards, chalk boards, or black boards which are used during meetings should receive special attention. At the conclusion of each meeting, care must be taken to remove from visibility all PHI. Where handouts containing protected health information have been used, all remaining handouts must be removed from the room at the end of each meeting.

The Enola Group’s Executive Director shall maintain documentation of building repairs, workspace modifications, and equipment purchases that are required to cure physical safeguard deficiencies. Such records will serve as documentation of due diligence for physically safeguarding the health information maintained by The Enola Group.

Safeguarding Confidential Information on Computer Screens
Staff shall ensure that privacy is not violated when staff are using computers. The Group will safeguard individually identifiable health information displayed on computer monitors using a combination, as necessary, of the following:

  • Relocating the workstation or repositioning the computer monitor so only the authorized user can view it;
  • Installing polarized screens that shield information on the screen from persons who are not directly in front of the monitor;
  • Clearing information from the computer screen when it is not actually being used; and
  • Turning off the computer when not in use.

Safeguarding Confidential Information on Agency Premises
Enola Group staff shall take reasonable steps to ensure the privacy of client information in areas where visitors, repairmen, vendors and family members are permitted. General safeguards must be implemented that protect individually identifiable health information from unauthorized use or disclosure.

Disposal of Documents and Supplies Containing PHI
Supplies containing protected health information, such as prescription bottles, shall be disposed of using the medical waste system, by placing the item into one of the medical waste depositories.

Paper records containing protected health information shall be disposed of by shredding. Shredding should be performed in such a way that it is not possible to read any protected health information after the shredding. The shredding may be performed by the employee in possession of the paper with PHI.

Working Outside the Secured Work Environment
Employees are discouraged from removing protected health information from the Group, however it is recognized that there are sometimes situations where work outside of the secured environment is necessary. When it is necessary for staff to take client information home or to another work environment, the following guidelines should be followed:

  1. Original client medical or financial records in paper format shall never be removed unless under order of the court or when necessary for treatment purposes
  2. The remote work area must provide adequate privacy and security
  3. Telephone usage where PHI is discussed should be restricted to the use of a wired, land-line phone
  4. Confidential information should be secured in locked rooms or a locked storage container when not in use

Original client medical or financial records in paper format shall never be removed from Enola Group unless under order of the court or when necessary for treatment purposes.

Technical Safeguards
Granting Access to Individually Identifiable Health Information Access to protected health information is granted on a “need to know” basis for each employee and workforce member, relative to their specific relationship with clients and specified business. The access level of individually identifiable health information granted to an individual is the minimum necessary needed to do his or her job (see Privacy Policy “Use and Disclosure, Minimum Necessary), and is managed by the Local Area Network’s rights assignment system. Employees should log off the network whenever they are not going to be using the workstation for 15 minutes or more.

Desktop Computers
Protected health information should not be stored on the hard drive of desktop computers. In situations where two or more users share a computer, each user should log off the system prior to relinquishing the computer to the next user.

Portable Computing Devices
Portable computing devices include a range of electronic devices ranging from laptops to personal digital assistants (PDA). Because of their small size and portability, loss or theft is a constant possibility. The best practice is to keep protected health information off such devices entirely, however this is not always possible. Devices should be password protected, and where possible, the PHI on the device should be encrypted. Physical security is critical. End users and departments are responsible for keeping track of PDAs, laptops, and other mobile devices. If the portable computing devices is lost or stolen, the user of that system is responsible for notifying his or her department head, and the Privacy Officer.

Password Management
Enola Group requires that all staff accessing information through computer workstations use secure, personal passwords. Passwords should never be revealed to anyone, including a supervisor, family members, or co-workers.