This episode was prerecorded as part of a live continuing education webinar. On-demand CEUs are still available for this presentation through AllCEUs. Register at allceus.com slash counselor toolbox. I'd like to welcome everybody to today's presentation on confidentiality, HIPAA, and HITECH. Now, we're going to talk throughout this presentation in terms of both face-to-face and, you know, old-fashioned counseling where we've got paper charts, because I know some people still, especially people in private practice, still have paper charts. And we're also going to talk about how it applies to e-therapy and electronic health records. So we're going to review HIPAA and HITECH regulations as they pertain to maintaining confidentiality and security of protected health information. Now, that part is a little bit boring; you know, legalese is legalese. I'm going to try to make it as applicable to you as possible. In two hours, in one hour especially, but even in two hours, I can't begin to go over in depth everything in HIPAA and HITECH. So one of the things that you will notice is that I'm kind of hitting the highlights. If you haven't had a HIPAA class, or if you think you need more information about HIPAA, we will have an on-demand class that has the whole HIPAA text in it and everything. But for most people, you're probably taking this for ethics and/or for your HIPAA retraining requirement. Please feel free again to ask any questions in the webinar chat room and I will answer them to the best of my ability as we go through. I want to encourage you to critically assess your work practices for compliance. And, you know, you'll hear some things that I'll say, and I'll give you some examples of places I've worked or things that I have heard about in other places where people work that are HIPAA violations. And we'll talk about whether it is, you know, how big of a deal it is, as we go through.
And my third goal is just to help keep you awake throughout the presentation, because I know some of this, you know, laws and rules and all that kind of stuff, can get a little monotonous. So let's start out with business associates, because when we talk about HIPAA and HITECH, it's important to understand that a business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity. So basically anybody that has access to your PHI is potentially a business associate. Now, they've upped the requirement with HITECH and they've said anybody who is a business associate is not just suggested to meet HIPAA requirements, but is held to the same standard as HIPAA. And it's going to be really important that you get a business associate agreement signed with them. So business associate functions and activities: billing, claims processing, administration, benefit management. So if you use a billing company, which I know a lot of us do, it's important that you actually have a signed business associate agreement with them. Anybody who does data analysis, processing or administration, if they have access to your PHI, you'll need a business associate agreement. And utilization review and quality assurance, you know, and we're going to talk about some exceptions to this. But if you have an outside entity coming in to do utilization review and QA, you will need a business associate agreement. One thing they have determined is internet service providers. So whoever it is you get your internet from, whether it's Comcast or AT&T or whatever they're called wherever you are, they are not business associates, because the information doesn't stop along the way. It just kind of goes through their channels. They make the analogy that the post office is not a business associate, back when we used to mail things back and forth. So, you know, that's one thing you don't need to worry about.
But software vendors providing electronic health record systems, and providers of virtual offices, and your email services, and this is a biggie, Gmail is not HIPAA compliant, all of these clearly qualify as business associates. If the information lands in a place like the electronic health record, the virtual office or in your email, then it's important to understand that the business associate rule applies. So, you know, a lot of agencies use very, very unsecured emails. So, you know, if you work in an agency and you've got a tech department, they're probably handling that and keeping it encrypted and all that kind of stuff. If you're using Gmail, know that that is not HIPAA compliant. Even though they say Gmail is encrypted, you have to have a business associate agreement with them, and Gmail is not going to sign one. And there are some other technical hurdles that help you understand that they are not HIPAA compliant. Risk analysis is required of the potential risks and vulnerabilities to the confidentiality, integrity and availability of protected health information. Now, the ones I have in blue are things that I have seen, experienced, and I think are regularly not followed. We'll just say that. And when it says required, it's actually stated as required in the statute. So, not only, you know, even if you're an individual practitioner, you have to have documentation that you completed a risk analysis of potential risks and vulnerabilities to the confidentiality and integrity of your information, and the availability. You need to know that when you need the information, you can get to it, and we're going to talk about disaster planning at some point during the day. But HIPAA does require that you back up and store information in a secure location that you can access in the event of some sort of electronic failure or natural disaster or something like that. So, HIPAA, if you remember, is the Health Care Information Portability and Accessibility Act.
So, HIPAA does not just protect confidentiality, but it also makes sure, or requires that we make sure, the data and client files are available. So, even if you're in a small practice, I mean, obviously it's easier to do the risk analysis there, but you do need to do one and have it documented. If there is ever a breach, they're going to look for your risk analysis documentation. Risk management is also required. So, you have to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the statute. Now, reasonable and appropriate is what we want to focus on here. It doesn't need to be Fort Knox. If you remember, back in the olden days, we used to talk about how it had to be behind two locked doors. So, if you're using old-fashioned paper records, you know, that's one of those things that you can consider: you know, if somebody walked into your office, are the client records sitting on your desk? That is not HIPAA compliant. If you get up and, you know, walk away from your desk, then somebody can access those charts. I see this violated a lot. So, it's really important to pay attention to what the security measures are. If you do have paper charts, how do you store those when you leave your desk? Do you store them in a locked filing cabinet, which is, you know, the ideal solution? If you have electronic health records, if you get up again and go to the bathroom, get a cup of coffee, whatever you're doing, can somebody sit down at your desk and access that information? Generally, you want to have security measures in place, like a timeout. So, if there's been zero activity on your computer for a minute and a half, it will automatically lock. But you should also be in the habit of locking your screen when you get up and walk away from your computer.
Even if you don't have an electronic health record, if you just type your progress notes or something on the computer, it's important to make sure that somebody can't access it. And you have to have a sanction policy. If there's, you know, anybody else in your office, or if you are working for an agency, they need to have a sanction policy if people fail to comply with the security policies. For example, they download client information because they got backed up and they need to do, like, three weeks' worth of notes, which in and of itself is an ethical issue, but never mind. So, they download the information onto a thumb drive, a jump drive, whatever you want to call it, that is not encrypted. And they take it out of the facility, take it home and plug it into the non-encrypted hard drive on their computer to type up the information. So many violations there on so many different levels. So, if they found out that someone was doing that, there would have to be some sort of a sanction for it. Now, people need to know ahead of time what the rules are, but you also need to use, obviously, good common sense. Information system activity review is required. So someone, if you're using an electronic health record or if you're just using your own computer, you need to regularly kind of audit who's been trying to access your network, who's been on your network, and if anybody's had access or tried to access anything. Now, at this point, I'll give my little spiel that if you're using any kind of computer, not just a laptop, the entire hard drive needs to be encrypted, not just the folders that you're working on, because when you print, it goes to a whole different folder and it gets saved in what's called a print spool. So you can theoretically have PHI on your hard drive or laptop that is not encrypted, even if you had an encrypted file. So have your whole hard drive encrypted.
That way, if anybody ever gets it, anybody ever breaks into your office, or, heaven forbid, you lose your laptop, you don't have to worry about that. You also want to have the ability to wipe your computer remotely. So if you do lose your laptop, you can log in and wipe all the data that's on there from a remote location, just to prevent anybody from hacking the encryption. Let's see. You want to ensure that all members of the workforce have appropriate access to the electronic health information, or just health information, protected health information, and prevent those who don't from obtaining access to protected health information, electronic or not. Another example: where I used to work, we had paper charts. You know, I've been doing this for about 20 years now. So, you know, we're going way back to paper charts. And unfortunately, I am not able to handle technical questions in the middle of the webinar. So I will get to any technical questions afterwards. The PHI that you have stored, you need to make sure that the janitors can't get to it, or if they do, they've been trained and had all the background clearance and everything. But generally, you want to have policies in place where, if janitorial staff is going somewhere where protected health information is in an unsecured setting, like in racks and racks and racks of files, there is someone there to monitor the situation. Worst case scenario, have some sort of video monitoring so you can make sure that you are not having your PHI breached. You can regularly audit those videotapes to make sure they're not going in and looking at it. Most janitorial staff really doesn't care, but it's one of those things that HIPAA wants you to set up. Also, make sure that your front desk staff doesn't have access to all of the information. You know, we really don't want people being able to grab an entire chart and have it at the front desk. Yes, they need the demographic data for billing.
The front desk needs certain data to check people in. But we need to figure out a way that they can have access to that without having access to progress notes, medical notes, et cetera. So that's one of the things that HIPAA puts forth: we need to do our best to make sure that people who have no business reading progress notes don't have access to progress notes, whether it's electronic or paper. Now, electronic, it's a lot easier, because you can control access to certain areas in an electronic health system. Paper, it's a little bit harder. You need to implement procedures for the authorization and/or supervision of workforce members who work with protected health information or in locations where it might be accessed. One of the places I worked used to have sort of a kiosk where all the clinicians could go log in, go to their clients' files, and access the data they needed, print from there, whatever. There was also a place I used to work where we only had one printer. So it was important to kind of be able to know what was going on. Unfortunately, in this particular situation, the printer was not in a secured location. It was behind the front desk, and all clinicians had to send everything they wanted to print to this printer at the front desk, and you can see where there's all kinds of protected health information violation possibilities coming out. You could have one clinician get somebody else's progress notes; you could have front desk staff get hold of progress notes that they're not supposed to access; all kinds of stuff. So it is really important, if you're printing stuff out, to make sure that you know that that is secure. Same thing with faxing. You don't want to just randomly fax information to an unsecured fax machine; you want to make sure whoever's the intended recipient is there and able to access it. There's only so much you can do in order to verify that, but you do want to have that as a policy.
Implement procedures to determine that the access of a workforce member to protected health information is appropriate. Like I said, janitorial staff, front desk staff, billing staff, you know, they all have different levels of need, from no need to some need to access the chart, but they don't need all of the clinical information. And you need to implement procedures for terminating access to protected health information when the employment or other arrangement with the workforce member ends or changes. I think most agencies, you know, they turn off your access, take away your key, shut down your key card. So most agencies are really good at this. It's monitoring who has access to the information among the people that are currently employed with the agency. It's important to implement written policies and procedures for authorizing access to PHI. If, again, there's a breach, and most of the time this isn't going to come up, but if there is a breach, they're going to want to say, what were your policies for ensuring that such and so person didn't have access to this information? One of, you know, my experiences has been, we had multiple instances in a facility that I worked at where we would have family members of staff people, it was a very, very, very large agency, but we would have family members of staff people come through our treatment center. And obviously that family member is not going to be entitled to access to that client record. So it was important to make sure that we had a process, if there was highly sensitive information, to also guard against people having access to it. Implement policies and procedures that establish, document, review and modify a user's right of access to a workstation, transaction, program or process. So if you have virtual workstations, how do people log on? You don't want to have everybody logging on using the same username and password. Really bad mojo, because that gives somebody access to stuff they don't need.
You want to make sure you have key cards or keys to get into offices and places where protected health information is stored. And it's important to also use secure passwords. You don't want to use something like, you know, "forgot" or some common word. You want to make sure you have a secure password that has capital, lowercase and numbers and/or special characters in it, which can be a challenge to use. One trick that I was taught was, I have a standard kind of password that I use on some things, not on my PHI. But, you know, if you pick a password for your PHI, then change it periodically by changing the numbers associated with it, either using a particular date like the year or the month that you changed it. So it's easier to remember when you have to update your password. Most places prompt you to update your password every six months. Management, not only line staff, but management as well as anybody who would have access to PHI, needs to have training for HIPAA and HITECH security. They need to have access to periodic security updates. Now, it doesn't have to be a formal training; maybe sending out a memo that everybody has to sign off on or, you know, however your agency wants to do it. But if you change electronic health records, if there's a security update that people need to know about, a change in policy, it's important to send that out. You need to have procedures for guarding against, detecting and reporting malicious software. So again, if you're using your personal computer to do clinical work, you know, you have a totally encrypted hard drive. That's wonderful. But you also need to have lots of protection against malware if that computer connects to the internet at all. You want to have procedures for monitoring login attempts and reporting discrepancies. So if somebody tries to log into your workstation, you know, they log in three times, it locks them out for 30 minutes or until somebody else, like your IT department, comes and unlocks it for them.
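The "information system activity review" and the "monitoring login attempts and reporting discrepancies" requirements above are things a small practice can actually script. The following is an added example by the editor, not code from the presenter or from AllCEUs: it replays a handful of constructed login-log lines against the policy described in the talk (three failed attempts lock the account for 30 minutes) and reports who was locked out, any login that succeeded while the account should still have been locked (which would mean the lockout is not actually enforced), and a count of successful logins per user. The log line format, the 15-minute failure window and the user and address names are all assumptions; adapt the regular expression to whatever your own system writes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (fictional users and addresses). The line
# format is an assumption; adapt LINE_RE to whatever your system emits.
SAMPLE_LOG = """\
2024-03-04 09:00:12 LOGIN OK   user=jane      src=10.10.1.20
2024-03-04 09:01:05 LOGIN FAIL user=frontdesk src=10.10.1.31
2024-03-04 09:01:20 LOGIN FAIL user=frontdesk src=10.10.1.31
2024-03-04 09:01:41 LOGIN FAIL user=frontdesk src=10.10.1.31
2024-03-04 09:02:03 LOGIN FAIL user=frontdesk src=10.10.1.31
2024-03-04 09:25:00 LOGIN OK   user=frontdesk src=10.10.1.31
2024-03-04 09:40:00 LOGIN OK   user=frontdesk src=10.10.1.31
2024-03-04 21:15:44 LOGIN OK   user=sam       src=203.0.113.9
garbage line that does not match the format
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) LOGIN (OK|FAIL)\s+user=(\S+)\s+src=(\S+)$"
)

# Policy from the talk: three failures lock the account for 30 minutes.
MAX_FAILURES = 3
FAILURE_WINDOW = timedelta(minutes=15)   # assumption: failures must cluster
LOCKOUT = timedelta(minutes=30)


def parse_events(text):
    """Return (timestamp, result, user, src) tuples in time order; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # a review should not crash on one odd line
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    events.sort(key=lambda e: e[0])
    return events


def review_log(text):
    """Replay the log against the lockout policy and report what an auditor
    would want: who got locked out, any login that succeeded while the
    account should still have been locked (a policy the system is not
    enforcing), and a count of successful logins per user."""
    recent_failures = defaultdict(list)
    locked_until = {}
    lockouts = []
    discrepancies = []
    successes = defaultdict(int)

    for ts, result, user, src in parse_events(text):
        lock_end = locked_until.get(user)
        if lock_end is not None and ts < lock_end:
            if result == "OK":
                discrepancies.append(
                    f"{ts} {user} logged in from {src} while locked until {lock_end}"
                )
                successes[user] += 1
            continue   # failed attempts during a lockout are expected; skip counting

        if result == "OK":
            successes[user] += 1
            recent_failures[user].clear()   # a good login resets the counter
            continue

        window = [t for t in recent_failures[user] if ts - t <= FAILURE_WINDOW]
        window.append(ts)
        recent_failures[user] = window
        if len(window) >= MAX_FAILURES:
            locked_until[user] = ts + LOCKOUT
            lockouts.append((user, str(ts), str(ts + LOCKOUT)))
            recent_failures[user].clear()

    return {
        "lockouts": lockouts,
        "discrepancies": discrepancies,
        "successes": dict(successes),
    }


if __name__ == "__main__":
    for key, value in review_log(SAMPLE_LOG).items():
        print(key, value)
```

Run it as-is and the "frontdesk" account is locked at 09:01:41 until 09:31:41, and the 09:25:00 successful login is reported as a discrepancy; that is the line you would take to IT, because it means the lockout policy exists on paper but not on the system.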
And there need to be procedures for creating, changing and safeguarding passwords. Tell people, and make sure they know it and that they can be disciplined for it: don't write your password down and put it in your desk drawer. That's, you know, and most of you are kind of probably looking around right now. No, that's the first place people are going to look. If you have a password, there are things like, we use a program called LastPass, but there are a lot of password storage programs out there, if you want to store your password somewhere, that are, like, mega, mega encrypted. So you don't have to remember every permutation of the password you're using, but you do need to have a process for safeguarding your passwords. And again, even if you're using your own personal computer and it's fully encrypted, you want to change that password every six months in order to prevent any sort of problems. Establish and implement, as needed, policies and procedures for responding to a disaster that damages systems that contain electronic PHI. And this is also true about paper PHI, but, you know, most of the time we don't have a backup copy of the paper records. So, you know, that's one of the reasons that EPHI is somewhat preferable. But there has to be a written data backup plan. So where are you backing it up? How's it encrypted? Where's it stored? How do you recover it? You know, if you have a complete system failure and your server just fries, and it happens, it's important that you have a backup of all the client data somewhere that you can access. Ideally, and you can set it up so it happens automatically, you've got backups that are occurring very, very frequently. If you're in a private practice, it's not as big of a deal to have it done, like, every five or 10 minutes. But you can get it as frequently as real-time backup. So anytime anything changes, the system runs a backup and stores it somewhere off-site.
So if there is a natural disaster or, you know, a power fluctuation or something happens, you do have a copy of that data. That's required. The disaster recovery plan has to include procedures, and a lot of us who are in private practice haven't done this. It has to include procedures to enable continuation of critical business processes and for the protection and security of EPHI while operating in emergency mode. So again, it's important that, you know, even if your server fries, you can access the information on that backup server for all the clients that you've got today while your IT department is getting you set up again. It's also important that, you know, if there's a natural disaster, and I spent many, many, many years in Florida and we would have hurricanes, and there are places with tornadoes, whatever, if you for some reason, you know, can't go back to your facility, it's important to be able to access that information from a remote location where you are continuing to provide clinical services. So if you're going to the shelters to meet with your clients, or if you have a temporary shelter set up, and we'll talk about this in two classes when we talk about disaster recovery, your agency should have a plan in place so that, if your building was completely wiped out, you would have somewhere where you could go and restart treatment relatively quickly in order to not disrupt continuity of care, or the ability to refer to designated clinicians and the ability for them to access the PHI, which obviously they wouldn't have access to unless there was an emergency. But there has to be a disaster recovery plan to maintain continuity of care. It is recommended, not required, to implement policies and procedures for periodic testing and revision of these contingency plans. If you're a small practice, that's probably not going to be something you have to regularly test.
If you are a community mental health agency with 100 clinicians, your IT department is probably periodically testing and making sure that, you know, if the stuff hits the fan, they can actually recoup all of the data. You need to limit physical access to electronic information systems and the facility or facilities in which they're housed. So at a clinic, you know, you go in, and can people access the electronic information systems? Can somebody just go up to a computer and start working on it? Places I've worked before... I'm not saying there won't be times when you're going to get up and have to go to the bathroom or get something off a printer or something and leave a client unattended, if you will, in the office. But you don't want them to be able to access any of the PHI, written or electronic. So your computer needs to be locked and encrypted, and your paper files, anything you have written the old-fashioned way, need to be in a locked file drawer. People with home offices, and I see a lot more breaches here, where people with home offices have their client information stored, you know, in a file that is maybe encrypted, but they're using a profile that everybody else in the family uses. Or they have information on their computer and they don't have all the security measures. So they may be working on a progress note, get up, go to make supper, somebody else sits down at the computer, opens it up, and Jim Bob's progress note pops up and everybody in the family potentially could see it. The other place where this comes up is if you're working in a home office and people, you know, your family, whatever, are walking around behind you and you're doing a video chat with somebody, or even if you're doing just a chat chat or typing notes, and people can walk up behind you and start reading what you're typing.
It's really important to make sure that wherever you're providing the services, wherever there is protected health information, only you can access it, and/or people that are, you know, determined to need to have access to it. You also don't want to work on your laptop that has PHI on it on unsecured Wi-Fi, such as, you know, "I'm just going to work on my progress notes while I sit at Starbucks or McDonald's or something and use their Wi-Fi." The potential for being hacked there is slim, but it is not good practice to be on that Wi-Fi. Now, if you go in there and you don't connect to the Wi-Fi and you're just working on your laptop typing your progress notes, you know, you don't have a chance of having a problem there. But there are a lot of unsecured Wi-Fi hotspots that have malware on them that will infect your computer. If you have workstations that multiple people use, it needs to be clear what functions can be performed at that workstation and who has access to what. The physical attributes of the surroundings of a specific workstation also need to be considered. So again, think about going to the doctor, and this is one of my big pet peeves. Go to the doctor and you're standing there checking in, and the receptionist pulls up, you know, whatever. And you can see everybody who has an appointment that day, or you can see charts; you know, maybe she was working on somebody else's chart when you walked up and you can see clearly what she was working on. Now, you know, obviously, if we're clinicians, we're not going to try to read it, because we know that's not kosher. But, you know, some people get curious. They need to have those blocking screens so people can't see what they're working on; you have to be right in front of the computer. And you want to make sure that people aren't walking behind you. But pay attention to the physical attributes. If you have an office on the first floor, obviously, second floor and above are not an issue.
And you have your back to the window and there's a walkway right outside, the chances of somebody looking in the window and reading the PHI are pretty small, but it's probably best to have at least some sort of sheers over it, just to be ultra safe. Implement physical safeguards for all workstations that access electronic PHI to restrict access to unauthorized users. This includes printers and fax machines. Now, we want to protect what comes out of the fax machine. Like I said, I worked in one place where we had to send everything to a central fax machine that was not in a secured area, which was, you know, kind of bad mojo, in my opinion. So whoever can access those paper documents, we need to make sure that they have a reason to have access to it. And, you know, they're cleared and all that kind of stuff. But it's also important to remember, especially on those big copiers, most of them have hard drives in them. So you send something to a copier, and maybe three other people sent stuff to the copier at the same time. It gets stored on the hard drive in the printer. So then it gets printed out, but you need to make sure that, you know, what happens to the data on that hard drive? Is it encrypted? You know, ideally that's what you'd be asking your copy guy. And how is that data handled? Again, business associate agreement. When you get rid of the copy machine, or if you have to get a new hard drive for your copy machine, what happens to that data? Not something to be concerned about for your, you know, little desktop printers. They don't have any long-term memory, and once you unplug them, you know, everything's pretty much gone. But it is important to understand that, you know, some things get held in this temporary memory or even on a hard drive. I think one of the places I worked, it would store the last 400 pages that were printed. So that's a lot of protected health information.
Implement policies and procedures that govern the receipt and removal of hardware and electronic media, such as thumb drives and laptops that contain protected health information, into and out of the facility, and the movement of these items within the facility. So, you know, think back to recent government scandals where information was on a laptop, on an iPad, on a BlackBerry, and it wasn't effectively wiped before it was given to the next person. Or, you know, the information wasn't effectively disposed of. So there's required to be a written policy for how you're going to dispose of things that have protected health information. So is it going to be destroyed? Is it going to be wiped? And typical wiping doesn't completely clean up the drive. There are shredder programs that you need to use. You need to consult your IT person for the programs that you need to use to make sure that the data is not recoverable. If you're going to reuse media, like most people do, you know, you go to an agency and they will issue a laptop that three other people have probably had before you. That's not disallowed, but there needs to be a process for removing the PHI of the people before you. One place that I worked at, instead of removing the PHI, they would just set you up a new profile and leave the other person's PHI on there, which is technically not HIPAA compliant. It needs to be removed before you have access to it. Now, yes, you would probably have to be a hacker to be able to get in there. But to be ultra safe, it's, you know, definitely best if you completely wipe the PHI before the device, even if it's a thumb drive, goes to a new person. Make sure that anything you use is full-disk encrypted. There are thumb drives, jump drives, whatever you call them where you are, that are fully encrypted to, like, super-duper encryption levels. And obviously I'm not the tech person in our agency, but you can get those.
They're not overly expensive, but it is important to make sure, if you're going to put something on electronic media, that it is encrypted. And I know I sound like a broken record. Accountability. Now, this is not required, but it's addressable: maintain a record of the movements of hardware and electronic media and any person responsible therefor. I love how they use "therefor" in legal documents. Anyway, so have a log of who's got the information, you know; if Jane has computer ABC, and then she quits, and it gets reissued to Sam, then Sam needs to sign it out. I think most agencies do a pretty good job of tracking that information. You also need to track when that particular device is taken out of service and how it's destroyed. Technical policies and procedures for electronic information systems that maintain protected health information, to allow access only to those persons or software programs that have been granted access rights. Think LinkedIn or Google. If you do any surfing on the net, you are probably familiar with the fact that you can go and search for something on, you know, Firefox or whatever browser you're using, and then all of a sudden you're getting served ads for that same thing everywhere you go. Or if you go to LinkedIn, suddenly they know everybody you've ever emailed with. LinkedIn and Google and some of those other places may access information, theoretically not for nefarious reasons, just for marketing, which you may consider nefarious, but I digress. But they can't have access to PHI. So you've got to make sure that if you have client data, you know, again going back to, you don't want to be using Gmail, if you have client data on your computer, no other third-party programs can access it unless you have given them explicit permission. You need to have a unique user identification. Emergency access is required. And again, this goes back to the access portion of HIPAA.
You need to be able to access data from a remote site during a natural disaster, for example, or staff may need to access it in medical emergencies. Another example: when I was working in a clinic, we used to have paper charts before electronic health records, and they were all locked up very securely. So when the billing staff and the staff who handled all of the charts were not there, nobody could access that data. So if we had a client fall out (it was a residential facility) and we had to call EMS, we couldn't get to the chart right away. So eventually they put in a safe, and the program director had the combination to the safe, but whoever was on duty had to call the program director to get the combination. It was a big issue. So it's important to make sure that whoever needs to access it can access it. So, automatic logoff is addressable. Like I said, most of the time agencies have it set so that after a certain period of inactivity your computer automatically, it doesn't just go to sleep, but it locks. And that's a good thing to have. Okay, uses and disclosures, and we're going to get into this a lot more in the second half, but it is important to understand, and we all do, that HIPAA has big issues on uses and disclosures. A covered entity, which is clinicians, us, is permitted to use or disclose PHI to the individual for treatment, payment or health care operations, or as required by the Secretary under subpart C. Generally, there is not a big issue with disclosing information to the individual. Now, what information you disclose, that can be a matter of policy, and whether they have access to progress notes, and we'll get into a little bit more of that later. But individuals do have the right by HIPAA to access their medical health record, or at least a summary of the data therein.
When using or disclosing PHI, or requesting PHI from another covered entity or business associate, make reasonable efforts to limit the PHI to the minimum necessary to accomplish the intended goal. So, again, if you're asking for information from somebody, you don't necessarily need to know their HIV status and their last 17 progress notes and yada yada; you need their assessment, their discharge summary, their treatment plan. And it's important to only give the minimum necessary unless you have a specific written disclosure where the client is saying, I want you to give, you know, new clinician Jane all of this information. This requirement does not apply to, and this is where our legal department is great, because there are a lot of caveats. It doesn't apply to disclosures to or requests by a health care provider for treatment. So for continuity of care, you don't have to give the minimum necessary and drag your feet if the client's doc calls you and you know it's their doctor. Uses or disclosures made to the individual: you don't have to give the minimum necessary. It doesn't mean you won't, but it means you aren't required to only give the minimum necessary. There are other disclosures that are required by law; when we think about mandatory reporting, responses to subpoenas, we'll get into that later. Or disclosures that are required for compliance with applicable requirements of this subchapter, such as, again, if there is an investigation of billing practices or something, law enforcement or the investigating agency, the Secretary of Health and Human Services, may request certain information. Whenever you don't have a signed disclosure and you're disclosing to anyone besides the individual, my recommendation, and I'm not a lawyer, my recommendation is always to check with legal if at all possible and keep it to the minimum necessary. So good common sense goes a long way here. As a general rule, authorization is required.
A separate authorization: in a lot of agencies, actually, I have never seen a separate authorization for psychotherapy notes, even though it's required. You cannot combine a request for an authorization for release of general chart information with one for psychotherapy notes. Authorizations are required for psychotherapy notes: a covered entity must obtain an authorization for any use or disclosure of psychotherapy notes, except to carry out the following treatment, payment, or health care operations. Use by the originator of the therapy notes for treatment. So if you're giving it to someone else, you know, that kind of conflicts with what we heard earlier about if you need to share information for the continuity of care. So that's where legal comes in. You can use it in internal training programs; it's best to take the information and redact any identifying patient information. And you don't need a separate disclosure for psychotherapy notes if you are defending yourself in a legal action or other proceeding brought by the individual against you as the clinician or the agency.

Authorizations are not valid if the documentation has the following defects. Yes, we are bad about these a lot of times, which is why it's all blue. The expiration date has passed or the expiration event has occurred. And in response to the question about whether this varies by state or HIPAA is overarching: HIPAA is a federal requirement. The states will also have requirements and restrictions, which we'll talk about, for example, when we get to notifying people about communicable diseases. So states may have more restrictive guidelines that, you know, add on to HIPAA; it's really important to be aware of. If the expiration date has passed, so if you put on there "for the duration of treatment" and the client has discharged, then that treatment authorization is no longer valid. It is better to have an actual date.
If the authorization has not been filled out completely. Please don't have blank signed authorizations in your chart. It makes my skin crawl whenever I see that, because so much bad can happen. So if a client needs to sign an authorization, they're just going to have to bring their happy selves back in or mail a written one to you. If the authorization is known by the covered entity to have been revoked, and there is debate on this. So again, consult legal about whether the revocation can be verbal or it has to be written. My training has said verbal or written revocation is sufficient to invalidate the authorization. So look at your authorization documents and see what they say when somebody is signing a release of information. Does it say they have to revoke it in writing, or can it be verbal? But again, from an ethical standpoint, if I know in good faith that my client has revoked authorization, even if they haven't given me written revocation yet, I'm not going to release that information. That's me. Authorization is also invalidated if it's known to be false. So if you know somebody put false information about their date of birth or who they are, you know, John Smith comes in and is trying to get information about Jane Doe. Well, I guess that wouldn't work; about Sam Spade. So John Smith fills out the authorization as if he were Sam Spade, which is why you need, if you're not known to the person, why you need to have a picture ID to verify that the person is who they say they are. Compound authorizations are authorizations for the use or disclosure of protected health information, and they may not be combined with any other document to create a compound authorization, except an authorization for use or disclosure of psychotherapy notes may only be combined with another authorization for psychotherapy notes. So you can't, again, you can't have the psychotherapy notes in there with the discharge summary and the assessment and all that other stuff.
You also don't want to have it as part of an authorization for release of information and a consent for treatment or something. You need to be very specific, and, you know, make it very clear that notes or something like that need to have their own authorization. An individual may revoke an authorization provided under this section at any time, provided the revocation is in writing. But to the extent, and remember I said that some agencies are good with a verbal revocation. You've got a little bit of backup, if you insist that it has to be in writing, with this section right here. But again, we're going with looking at ethics as well as the letter of the law. So a person can revoke their consent for release of information in writing, except if the covered entity has taken action in reliance thereon. So for some reason you need it in order to complete billing or something else where, if they revoke it, it significantly hurts the agency. Then that could be a problem, and potentially you could deny them the ability to revoke their authorization. Or if the authorization was obtained as a condition of obtaining insurance coverage, and other law provides the insurer with the right to contest a claim under the policy or the policy itself. So if you're trying to get insurance, and I know this is going to be a big one eventually if they go back to pre-existing conditions. If you're trying to get insurance and the insurance company wants to see your records to see if you've had any sort of pre-existing condition, and you revoke that consent and you say, no, you're not allowed to give information to Blue Cross if they want to find out anything about me, the insurance company can choose at that point to either say, no, we're not going to cover you, or, if you want us to cover you, you must allow release of information. So, core elements of authorizations, and there's a lot of text here; I'm going to kind of go through it real fast and summarize it.
A description of the information to be used or disclosed: specific and meaningful. "Client data" is not specific and meaningful; assessment, attendance, drug screens, discharge summary, treatment plan, those are specific. On our release we have checkboxes, so we can check the different things that need to come out; saves a little bit of time. The name or other specific identification of the person or class of persons authorized to make the requested use or disclosure. So who's disclosing it, and it's either the person or the person's legal guardian. The name of the persons who are going to receive the information. A description of each purpose of the requested use or disclosure; the statement "at the request of the individual" is a sufficient description of the purpose when the individual initiates the authorization. So you don't need to go in, if the individual initiated it, which is most of the time, like 99% of the time; all you need to do is put "at the request of the individual," not specifically why they want everything released. The expiration date or expiration event that relates to the individual or purpose of the use or disclosure; you cannot have an open-ended release of information. Typically in the facilities that I've worked at, again co-occurring disorders, we typically have clients step down and be in treatment for a little while. We would either do three months, six months, or one year from the date of initial treatment as a general rule, making sure they knew they could revoke their consent for release of information at any point in time. The person needs to sign and date it. If a personal representative of the individual, you're dealing with an individual who is not able to sign for themselves because they're not of age or they're not competent, we need to know what the authority of that person is: is it their attorney, is it their legal guardian, is it their parent, yada yada.
In addition to the core elements, the authorizations must contain statements adequate to place the individual on notice of the following. And generally this is at the end of your release of information. And I know I'm going through this in just extremely minute detail, but it's important because we use these so often. The individual's right to revoke the authorization in writing, and the exceptions to the right to revoke, and how the person may revoke the authorization, need to be down there. Or the ability or inability to condition treatment, enrollment, or eligibility for benefits on authorization, by stating that the covered entity may not condition treatment on whether the individual signs the authorization when the prohibition on conditioning of authorizations in the paragraph before of this section applies. In certain situations you're not going to be able to deny treatment if the person says, I'm not giving you a release of information. You also have to have the consequences to the individual of a refusal to sign the authorization when the covered entity can condition treatment on failure to obtain such authorization, such as court-ordered treatment. So, and this came up, and this is also true with some insurance, but this would come up with me when I used to work with clients who were ordered by the court for treatment. If they did not sign the release of information for their probation officer, I had to, you know, make them aware ahead of time that this would probably result in the violation of their probation. That's just the way it was. They were coming to us as a result of a court order. And they could talk with their attorney and do all that kind of stuff. However, if they didn't sign the release of information, these were the potential consequences. And you do need to have the potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer be protected.
So if you give information to somebody else, like John Smith wants information released to Sally Sue, we need to have a statement at the bottom that says we can't guarantee the security of your information if we release it to this other person, who is probably not protected under the HIPAA requirements. Plain language needs to be there: no legalese, no "therefor"s, no "party of the first part"; it has to be written so the average person can read and understand it, and the individual must get a copy. HIPAA indicates in which situations information may be disclosed. However, many agencies and providers are bound by other regulations, such as the Code of Federal Regulations 42 Part 2, which applies to any agency that provides substance abuse treatment, as well as state regulations, which may be more rigid. Seek guidance from a qualified legal professional regarding implementation of HIPAA and confidentiality requirements. This presentation reviews highlights from the HIPAA code and is not a comprehensive guide for confidentiality or HIPAA compliance.

HIPAA requires that written and electronic protected health information be maintained with reasonable security. Providers must implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access to only those persons or software programs that have been granted access rights. Providers must have policies for emergency access, such as in the case of a natural disaster or medical emergency, and are required to develop and implement written policies and procedures that establish, document, review, and modify a user's right to access a workstation, transaction, program, or process. And I will give you a hint. This chart, or this slide, is going to be important to you in the very, very near future.
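The validity rules for a release of information covered over the last several paragraphs (the core elements, a real expiration date or event, revocation, known-false authorizations, the prohibition on combining psychotherapy notes with anything else, and the required notice statements) are exactly the kind of thing an electronic record system should check before it lets a staff member disclose anything. The following Python is an added example, not from the webinar or from allceus.com: a small record type for an authorization and a function that lists every defect that makes it invalid. The field names, the vague-description word list beyond "client data", and the sample release are my own assumptions, not a HIPAA form or the speaker's agency's form.

```python
# Added example (not from the webinar): a validity check for a release-of-information
# authorization that applies the rules covered above: core elements present and specific,
# an expiration date or event that has not passed, not revoked or known false, psychotherapy
# notes not combined with other information, and the required notice statements present.
# The field names and the sample release are my own assumptions, not a HIPAA form.
from dataclasses import dataclass, field
from datetime import date

TODAY = date(2024, 6, 1)  # constructed "today" so the example is deterministic
# Descriptions that are not "specific and meaningful" ("client data" is the talk's example).
VAGUE_DESCRIPTIONS = {"client data", "all records", "everything"}
# Notice statements that must accompany the core elements.
REQUIRED_NOTICES = {"right_to_revoke", "conditioning_of_treatment", "redisclosure_risk"}

@dataclass
class Authorization:
    information: set              # what is released, e.g. {"assessment", "discharge_summary"}
    discloser: str                # person or class of persons authorized to disclose
    recipient: str                # who receives it
    purpose: str                  # "at the request of the individual" is sufficient
    signature: str                # signer's name; empty means unsigned
    signed_on: date = None
    expires_on: date = None       # either a date ...
    expiration_event: str = None  # ... or an event such as "end of treatment"
    expiration_event_occurred: bool = False
    signed_by_representative: bool = False
    representative_authority: str = None  # parent, legal guardian, attorney, ...
    notices: set = field(default_factory=set)
    revoked: bool = False
    known_false: bool = False

def authorization_defects(auth, today):
    """Return every reason the authorization is invalid; an empty list means it is usable."""
    defects = []
    if not auth.information or any(i.lower() in VAGUE_DESCRIPTIONS for i in auth.information):
        defects.append("description of information missing or not specific")
    for element in ("discloser", "recipient", "purpose", "signature"):
        if not getattr(auth, element):
            defects.append(f"core element missing: {element}")
    if auth.signed_on is None:
        defects.append("core element missing: signature date")
    if auth.signed_by_representative and not auth.representative_authority:
        defects.append("representative's authority not stated")
    if auth.expires_on is None and auth.expiration_event is None:
        defects.append("open-ended: no expiration date or event")
    if auth.expires_on is not None and auth.expires_on < today:
        defects.append("expiration date has passed")
    if auth.expiration_event is not None and auth.expiration_event_occurred:
        defects.append("expiration event has occurred")
    if "psychotherapy_notes" in auth.information and len(auth.information) > 1:
        defects.append("psychotherapy notes combined with other information")
    if auth.revoked:
        defects.append("authorization has been revoked")
    if auth.known_false:
        defects.append("authorization known to be false")
    for notice in sorted(REQUIRED_NOTICES - set(auth.notices)):
        defects.append(f"notice statement missing: {notice}")
    return defects

def may_disclose(auth, today):
    """Disclosure based on an invalid release is prohibited, so any defect blocks it."""
    return not authorization_defects(auth, today)

def sample_authorization(**overrides):
    """A complete, valid release (constructed); keyword overrides perturb single fields."""
    values = dict(
        information={"assessment", "discharge_summary", "treatment_plan"},
        discloser="the client", recipient="Jane Doe, new clinician",
        purpose="at the request of the individual", signature="Sam Spade",
        signed_on=date(2024, 3, 1), expires_on=date(2024, 9, 1),
        notices=set(REQUIRED_NOTICES),
    )
    values.update(overrides)
    return Authorization(**values)

if __name__ == "__main__":
    print(authorization_defects(sample_authorization(), TODAY))                 # []
    print(authorization_defects(sample_authorization(expires_on=None), TODAY))  # open-ended
```

The check deliberately returns every defect rather than stopping at the first, so a front-desk screen can tell the client exactly what has to be corrected on the form before they bring it back in. It treats a "for the duration of treatment" release as valid only until the expiration event is recorded as having occurred, and a date-based release as valid only until that date, which is the reason the talk recommends an actual date.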
HIPAA requires that PHI be backed up and stored in a secure location and that electronic PHI be encrypted, wiped from devices before reissuing them, and maintained behind security protocols which limit access to only approved people. A separate consent must be signed for psychotherapy notes, and a valid consent for release of information must be completely filled out and contain certain very explicit information or it is invalid, and disclosure based on an invalid release is prohibited. Breathing. Okay, so if you are in a private practice situation and do not have access to a legal department, what would be a good resource for legal advice for ePHI information and guidance? I would start with your local, or not your local but your state board, your state ethics board, and see if they have free legal advice. Look to universities in your area that have law schools; a lot of times they have law clinics where you can get advice. There are also services, it used to be called Prepaid Legal, that you can sign up with that can help you for a minimal charge. I don't know what we pay per month anymore; when we signed up it was like $7 a month or something, but you can access an attorney at any point and run questions by them and get some minimal stuff answered. The other place that you might check is with your insurance provider. So whoever does your liability insurance, they are wanting to make sure that you aren't held liable for any sort of HIPAA violations either. So they may have some suggestions. They may have some training on it if you don't have a legal department to access. Those would be the first places I would check if I was looking for low-cost and affordable access to an attorney. If you enjoy this podcast, please like and subscribe either in your podcast player or on YouTube. You can attend and participate in our live webinars with Dr. Snipes by subscribing at allceus.com slash counselor toolbox.
This episode has been brought to you in part by allceus.com, providing 24/7 multimedia continuing education and pre-certification training to counselors, therapists, and nurses since 2006. Use coupon code counselor toolbox to get a 20% discount off your order this month.