HIPAA Compliance Policies

RIGHTS AND PRIVACY OF PERSONS SERVED and HIPAA COMPLIANCE POLICY

RIGHTS AND PRIVACY OF PERSONS SERVED

Confidentiality

While delivering its services and programs, CARC collects personal information from its clients. Personal information means any information that could be used on its own, or with other information, to establish the identity of a client, the client’s service provider or the client’s substitute decision maker. Personal information also includes any other information about a client including information that is contained in a client record.

CARC collects, uses, and shares client’s personal information for the following purposes:

• Providing quality programs and services to clients
• Providing information to other people or organizations with client consent (for example, making a      referral for service)
• Contacting clients, donors, and members to evaluate CARC service and work
• Conducting research to understand the kinds of issues our clients are facing
• Reviewing client files to ensure high quality of service and documentation
• CARC may also collect, use, and share personal information with consent or as permitted or required by law. CARC is committed to protecting the privacy of its clients and      ensuring that:
• the personal information it receives from clients is kept safe, secure, confidential, accurate and up      to date
• clients understand why their personal information is collected by CARC
• CARC obtains client consent before collecting, using, sharing, or releasing client information, except as set out in this policy or permitted or required by law
• only the personal information necessary for the purposes listed above is collected from clients, unless otherwise consented to by the client or permitted or required by law
• access to client information is limited to the CARC employees involved in delivering services to clients or those entities or parties the client has given consent to share      information with as documented on (Release of Information Form)
• any external agents to whom CARC releases information have a need to know and only use and disclose client      information for the purposes for which it was originally provided
• clients can withdraw their consent at any time to the collection, use and disclosure of their      personal information
• clients have access to their record, except where CARC is entitled to refuse an access request, and can copy or correct their record and ask questions about CARC privacy policies      and procedures
• complaints about CARC privacy policies and procedures are handled efficiently and effectively
• all legal and regulatory requirements regarding client information are met and maintained

  This policy applies to all CARC employees.

1.  Obtaining Consent 

1.1  As CARC services often involve collaboration and consultation among employees, CARC employees will discuss the following with new clients:

• the nature and extent of consultation and collaboration in the CARC program or service which the new client is accessing
• the personal information that CARC may collect
• the purposes for which CARC collects, uses and shares personal information, as listed above.

1.2  Client’s rights and responsibilities including rights related to keeping client’s personal information private will be reviewed with all new clients at their first appointment following intake,

1.3  Clients will be asked to use a form indicating that the organization’s privacy policies have been discussed and that the client consents to the collection use and sharing of personal information for the purposes listed in this policy.

1.4  The signed forms will be maintained by the program (e.g., in the client’s paper record, filed centrally within the program). A note will be made in the client’s electronic record that the form has been signed.

1.5  In cases where it is not possible or practicable to obtain the client’s written acknowledgment (e.g., telephone only service), verbal acknowledgment that the organization’s privacy practices have been explained to, and accepted by, the client will be recorded in an activity note in the client’s record with the date and time the information was collected.

1.6  Consent will be that of the individual and must be knowledgeable, relate to the personal information and not be obtained through deception or coercion. A consent to the collection, use or sharing of personal health information about an individual is knowledgeable if it is reasonable in the circumstances to believe that the individual knows, (a) the purposes of the collection, use and/or disclosure, as the case may be; and (b) that the individual may give or withhold consent.

1.7  In the event that employees are concerned that a client does not have the capacity to consent to the collection, use and disclosure of his or her personal information, employees should:

• Consider whether the client understands the decision they are being asked to make
• Question whether the person understands the reasonably foreseeable consequences of the decision or lack of decision
• Consult with their supervisor  

2.  Client Withholding, Limiting or Withdrawing Consent 

2.1  Clients have the right to stipulate who will have access to their personal information. This means that they can withhold, limit or withdraw their consent to the collection, use or disclosure of personal information. The request may cover all or a specific part of a client’s record.

2.2  Electronic records: The CARC employee receiving the client’s request to withhold, limit or withdraw their consent will:

• Record the verbal instructions by the client in an activity note in the client’s electronic record

2.3  Paper records: If the client also has a paper file:

• The client’s file (either in whole or in part depending on the client’s instructions) to which access      is to be limited will be placed inside an envelope that will be sealed      with the instructions from the client stapled to the outside of the file. If the client’s request is to withdraw consent, the file will be safeguarded by CARC. If the client’s request is to withhold or limit consent, the supervisor responsible for the program will determine how best to comply with the client’s request.

2.4  In cases where the withholding, limiting or withdrawal of consent will limit or prevent CARC from continuing to deliver services, employees will discuss with the client the consequences of their withholding, limiting or withdrawal of consent.  

3.Disclosure without Consent Including Responding to Summons/Subpoenas/Court Orders and Requests from Police

3.1  CARC will not disclose the personal information of clients without their consent, except where:

· It is believed the client or someone else is in imminent danger of serious physical harm (see Duty to Warn policy)

· A child under the age of 18 is at risk of or has been abused or neglected (see Child Abuse Reporting and Documentation policy)

· CARC is subpoenaed or is otherwise served with a court order, summons, warrant or a similar requirement issued by a person who has jurisdiction to compel the production of information in a proceeding

·  It is otherwise permitted or required by law.

3.2  If CARC employee is served with a warrant, summons, subpoena, order or similar requirement issued in a proceeding, the individual must immediately notify their supervisor, who will provide advice and direction as to how to respond. CARC employees should follow the same procedure in response to requests by police officers for client information.

3.3  In general, where an order, summons, warrant, subpoena or other requirement to produce documents has been served on CARC, CARC will:

• Make every attempt to respond in a way that is respectful of the order or other requirement, while at the same time taking steps to preserve the client's right to confidentiality
• Make an exact copy of the file to remain at CARC and deliver the documents to the court or other proceeding in a sealed enveloped marked “private and confidential”.

3.4  Where CARC discloses personal information without the client’s consent, the client will be notified of such disclosure as soon as reasonable, practical, safe and/or legally possible in the circumstances.   

4. Release of Information with Client Consent

4.1 Personal information, whether all or part of a client record, will not be released to third parties without the written consent of the client or the client’s substitute decision maker, where applicable. Clients are required to complete the CARC Authorization to Request or Release Information Form, depending on the nature of the request. Consents provided on these forms are valid for one year, unless otherwise limited or withdrawn by the client in advance of that date. CARC may disclose a client’s personal information, provided that the disclosure, to the best of CARC knowledge, is for a lawful purpose.

4.2  Reports from third parties contained in a client record may not be released without the written consent of the third party. Clients will be encouraged to pursue access to this information directly with the third party.

4.3  In exceptional circumstances, where written consent is not possible, the oral consent of the client to the release of personal information will be accepted and will be recorded in the client’s file.

4.4  In response to requests to release information to third parties, the CARC service provider will ensure that the client understands the purpose for which the information is being released and to whom the information is being released. The CARC service provider will also explain that CARC cannot guarantee the confidentiality of the information once it has been released.  

5.  Safeguarding of Personal Information

5.1  Client information stored electronically is protected by password in Clinical Advisor. Access to the electronic database is limited on a need-to-know basis for added security.

5.2  Client information collected in hard copy form is stored in locked cabinets accessible only by the counselors or authorized CARC employees providing service to the client, and the relevant program managers. Upon access, the employee accessing the file must sign the access log in the clients’ chart.

5.3  Access to client information will be limited to those who need to know the information for the purposes set out in the client’s consent or as otherwise permitted or required by law.

5.4  CARC employees are prohibited from leaving a client’s personal information, (in paper or electronic form), unattended or exposed to anyone other than the client.

5.5  CARC will not send confidential personal information to clients by email.

5.6  CARC requires external agents, such as third-party auditors, to maintain the confidentiality of client information and to refrain from using client information for any purpose other than the purposes for which consent was provided by the client. Where appropriate and necessary, CARC will obtain the consent of the client to disclosure of information to external agents. (External agents are persons or companies with which CARC has contracts and that may encounter personal information.)

5.7 When disposal is permitted or required, records of client personal information will be disposed of in a secure manner such that reconstruction of the records is not reasonably foreseeable in the circumstances.  

6.  Notice to Clients of Theft, Loss, Unauthorized Access, Use or Disclosure of Personal Information

6.1  Employees are required to report to their supervisor and to the COO any theft, loss, unauthorized access, use or disclosure of personal information of CARC clients. In programs where funders require it, managers will file a serious occurrence report in this situation.

6.2  In the event of such theft, loss, unauthorized access, use or disclosure of personal information of a CARC client, CARC will notify the client as soon as possible.

6.3  Oral contact with the clients will be logged in the client record and will be followed up by a letter, which will be included in the client record.

6.4  In the case of former clients, contact will be made orally, if possible, and also in writing, at the last known address for the client recorded in CARC database.  

7.   Client Access to and Correction of Personal Information

7.1  Clients wishing to review their records should contact the CARC service provider, relevant program manager.

7.2  Within 30 days of any such request, an appointment will be made for the client to review his/her personal information in a confidential manner on CARC premises, in the presence of a CARC employee, unless CARC is entitled to refuse the request, in which case written notice will be given. Clients may bring a support person to this appointment if they wish. Up to 60 days may be required in the case of complex searches for records. In exceptional circumstances (e.g., a client is unable to come to CARC office due to health issues), a copy of the record may be sent to the individual with consent.

7.3  CARC is required to retain client personal information that is the subject of a request for access for as long as necessary to allow the client to exhaust any recourse under the Personal Health Information Protection Act, 2004 that he or she may have with respect to the request. This may require CARC to maintain the record for longer than the typical client record retention period.

7.4  Clients who wish an explanation of their records may contact CARC the assigned program manager or the COO.

7.5  Clients will not be permitted to access third party records without the consent of the third party. In such cases, a CARC staff member will direct the client to obtain the requested information directly from the third party.

7.6  Clients wishing to correct information in their file shall provide the correction in writing to CARC. The written correction will be included in the client’s record, and, within three weeks of receipt, CARC will notify the client of its response to the correction via written communication.

8.   Time Frames for Making Entries into Client Charts and Completing Reports

8.1 If an evaluation or psychosocial evaluation is administered, the CARC professional staff doing the evaluation has fifteen (30) working days to complete the report from the day the evaluation was initially conducted.

8.2 Each designated clinician at CARC must document in the client’s chart, the communication between themselves and the client (as well as collateral contacts) regarding the persons served treatment plan and discharge planning. Individual and/or group entries into a client chart will be completed in a timely fashion and should be put into the record immediately after the session (progress notes should be signed and dated), but in no case later than 48 hours following the session. Individualized client plans are to be developed within the 30 DAYS following the initial CARC psychiatric and/or bio psychosocial assessment.

8.3 Discharge planning should be initiated with the client at the earliest possible point in the individual planning and service delivery process; and take place no less than one-month prior tithe actual discharge, if possible. Discharge planning for persons with Coexisting/Co-Occurring medical, psychological, psychiatric disorders/disabilities/conditions and/or intellectual disabilities should be part of the planning from the beginning to explore other available options/resources. Regarding documenting critical incidents, interactions with the person served, and confidential data all entries must entered within 48 hours of the encounter.

8.4 When there is a a subpoena is for a client’s entire medical record, CARC will verify the subpoena and release the record except for specially protected records. Specially protected records include mental health records; drug/alcohol treatment records; psychotherapy notes; testing for or treatment of HIV, AIDS, and STDs; and mental health, behavioral health, or treatment records for substance abuse programs. If CARC receives a request for specially 8.5 protected records those records can only be released under one of the following conditions: A court order signed by a judge specifically ordering the records related to the specially protected areas; or A valid authorization signed by the patient specifically authorizing the practice to release that portion of the record.

9.   Appointment of Privacy Officer

9.1  The Privacy Officer for CARC is the COO.

9.2  The name and contact information for the Privacy Officer is available on the CARC website, in the Client Rights and Responsibilities Statement and in the CARC Employees Directory.

9.3  The duties of the Privacy Officer include:

• Maintaining knowledge of privacy legislation and regulations
• Ensuring that all employees and volunteers have training on the privacy policy
• Monitoring employee compliance with CARC privacy policy
• Responding to privacy-related complaints and concerns
• Responding to requests for access and correction
• Responding to inquiries from the public about CARC privacy practices
• Liaising with other organizations, the public and government, as necessary, on privacy-related issues   

10.   Inquiries and Complaints

10.1   Questions, comments or complaints about the CARC privacy policies and procedures or about the collection, use or disclosure of personal information will be directed to the COO.

10.2   The COO will follow the procedures set out in the Grievance Policy in responding to, resolving, and recording privacy-related complaints.

10.3   If the client is not satisfied with the response provided by the CEO and/or designee, the client may contact the:

Louisiana Office of Behavioral Health

P. O. Box 629 |

Baton Rouge, LA 70821-0629 or by calling 225-342-9500

Confidentiality-Administrative and All Other Records

Policy: The following sets forth minimum standards for the security safeguarding of administrative and all other records including confidential or proprietary information by employees of CARC. To the extent that any other internal policy of CARC or a Company subsidiary, business group, or office sets forth more stringent standards or requirements, such policy will control.

PROCEDURES AND PROCESS

Confidential and Proprietary Information

In the course of your employment with CARC, you may create, receive, know of, or gain access to information that is confidential and/or proprietary. Confidential and proprietary information may be in a physical form (on paper, in an e-mail, on a diskette, videotape, etc.) or may be knowledge acquired through conversations to which you are a party or that you overhear. Proprietary information may consist of any system, information, or process that could give CARC an advantage over its competitors.

Confidential information includes non-public information that you are expected to safeguard from disclosure to the public. All proprietary information is confidential information. Therefore, proprietary, and confidential information will be collectively referred to in this Policy as "confidential information."

Examples of confidential information include, but are not limited to personnel records, contracts, budgets, billing information, legal information, records of donations, and/or donors, and other protected or sensitive information and records.   

Employee Obligations Regarding Confidential Information

All employees are required to safeguard confidential information and only use or disclose it as expressly authorized or specifically required while performing their specific job duties.

Misuse of confidential information can be intentional (acts and/or omissions), or a product of negligence or inadvertence. Misuse includes but is not limited to: 

• Accessing information not directly germane or relevant to the employee's specifically assigned tasks
• Disclosing, discussing and/or providing confidential information to any individual not authorized to view or access that data, including but not limited to third parties, volunteers, vendors, and other University employees.
• Reckless, careless, negligent, or improper handling, storage or disposal of confidential data, including electronically stored and/or transmitted data, printed documents and reports containing confidential information.
• Deleting or altering information without authorization
• Generating and/or disseminating false or misleading information
• Using information viewed or retrieved from CARC systems for personal or any other unauthorized or unlawful use.

Basic Practices to Protect Confidentiality

Confidential information may be communicated only to those persons who need to know it for a legitimate business purpose. Confidential information relating to third parties is often governed by a confidentiality or non-disclosure agreement which may have terms more rigorous than those set forth below. Always confirm whether an applicable confidentiality or non-disclosure agreement exists and comply with its requirements. If you have any questions, seek the guidance of CARC’s Compliance Office. Confidential information may be communicated to other employees of CARC or to CARC's outside lawyers and other consultants only if: 

• The recipient has a legitimate need for and is authorized to receive the information in connection with his or her employment responsibilities; and,
• No identifiable harm can reasonably be expected to result from communication of the information to the recipient.

Information should not be communicated if it would give rise to a conflict between the interests of the recipient and those of CARC or its clients, or if it is reasonably foreseeable that the recipient would misuse the information. Confidential information concerning a transaction may be shared with other participants in the transaction only to the extent necessary to effectuate the transaction and only insofar as is consistent with your obligation to serve the client's interests.

The following practices should be followed to help prevent the misuse of confidential information. 

• Avoid discussing or even speculating about confidential matters in places where you may be overheard by people who do not have a valid need to know such information.
• Avoid discussing confidential information on cellular phones and take great care when discussing such information on speaker phones. Do not discuss confidential information      with relatives or social acquaintances.
• Always put confidential documents away when not in use and, based upon the sensitivity of the material, keep such documents in a locked desk or cabinet. Do not leave documents      containing confidential information where they may be seen by persons who do not have a need to know the content of the documents.
• Avoid unnecessary copying of confidential documents.
• Do not use trash or recycling bins to dispose of confidential documents. If available, use shredders prior to disposal.
• Never distribute internal-use-only documents outside CARC.
• When necessary, use codewords to conceal clients' identities or information regarding clients' proposed business or transactions.
• Do not give your computer IDs and passwords to any other person.
• Passwords protect computers and log off when they are not in use.
• Be aware that the Internet and other external electronic mail carriers are not secure environments for the transmission of confidential information.
• If you notice unfamiliar or unauthorized people in your department, do not hesitate to notify Security.
• Be aware that your conduct, particularly deviations from your normal activities (e.g., a research analyst does not return phone calls, or a market maker stops making a market) can signal to others that you have confidential information.
• Know and abide by all applicable policies relating to firewalls and other information barriers.
• Comply with the specific terms of any confidentiality agreements of which you are aware.
• When employees join or leave CARC or transfer from one part of CARC to another, take precautions to protect against disclosure or misuse of confidential information that they may possess.
• Refer requests for information on CARC and third-party securities from the financial community, such as securities analysts, brokers, or investors, to CARC’s Investor Relations contact.
• Refer requests for information on CARC and third-party securities from the media or press to CARC’s Chief Executive Officer or President.
• Refer requests for information from the Securities Exchange Commission or other regulators to CARC’s General Counsel.

Seeking Advice/Reporting Disclosures of Confidential Information

If you believe that you or others have received confidential information inappropriately, inform the compliance officer immediately to avoid any potential problems. If you are uncertain as to whether information is confidential, treat it as such and ask for guidance from your general counsel or compliance officer. Similarly, contact the compliance officer immediately if you believe that you have provided confidential information to somebody who does not have a valid need to know it.

The Health Insurance Portability And Accountability Act (HIPAA) 

The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules protect the privacy and security of health information and give patients the right to their health information. HIPAA establishes standards to safeguard the protected health information (PHI) that you hold if you’re one of these covered entities or their business associate: 

• Health plan 
• Health care clearinghouse 
• Health care provider that conducts certain health care transactions electronically  

The HIPAA Privacy Rule 

The HIPAA Privacy Rule puts restrictions on the uses and disclosures of protected health information (PHI). PHI is all individually identifiable information about a patient’s healthcare services or payment rendered for those services. PHI comes in many forms, including oral, written, and electronic. Any communication of PHI is covered by HIPAA. 

Examples of PHI include, but are not limited to: 

• the patient’s name 
• the patient’s social security number 
• the patient’s diagnosis or information about the medical treatment the patient received 
• the medical staff’s personal notes on a patient 
• the patient’s billing information (including health insurance carrier) 
• the patient’s date of birth 

There are many other types of data that are PHI. Think about your own job. What types of PHI do you work with? What steps do you take to safeguard your patients’ PHI? 

The Privacy Rule also gives patients certain rights with respect to their PHI. 

These rights are: 

• The right to access, inspect, and copy a patient’s own medical records, including the right to obtain an electronic copy of the medical record if it is maintained electronically by the health system 
• The right to request restrictions on the release of a patient’s medical records, including disclosure restrictions to a health insurer when a patient pays out-of-pocket for his/her medical treatment 
• The right to opt out of the patient directory while in the hospital 
• The right to request an accounting of the disclosures made of the patient’s medical records to      outside entities 
• The right to request an amendment of his or her medical records and to receive a response to this request within 60 days 
• The right to receive a Notice of Privacy Practices at the first treatment encounter or by request 
• The right to request and receive confidential communications concerning their PHI by alternative means 
• The right to file a complaint with the Office for Civil Rights of the US Department of Health and Human Services if HIPAA is violated 
• The right to be notified if the privacy of his/her protected health information has been breached, as defined by HIPAA 

The “Minimum Necessary” Rule 

HIPAA has a “Minimum Necessary” Rule regarding PHI. This rule states that when you are using or disclosing a patient’s PHI, you must use or disclose only the minimum amount necessary to achieve the purpose of the use or disclosure. For example, if you receive an inquiry regarding a patient’s bill from an insurance carrier, you only need to disclose the patient’s PHI that relates directly to the inquiry. The patient’s entire medical record does not need to be disclosed. 

Use and Disclosure of PHI 

PHI may be accessed, used, or disclosed only when specifically permitted by HIPAA. All other uses or disclosures are prohibited. 

It is important to note that PHI may always be used for treatment of a patient. No authorization or consent by the patient is required for this use. The Minimum Necessary Rule discussed above does not apply to the use of PHI for treatment. Generally, the Privacy Rule permits disclosure of PHI to an individual who is involved in the patient’s care, so long as the patient does not object to this disclosure. 

In general, PHI also can be used to obtain payment for healthcare services rendered to the patient, for healthcare operations, when requested by the patient, or when required by law. The law does contain some exceptions to these general rules, so be sure to contact the division of Corporate Compliance within the facility you are working or your immediate supervisor with any questions. 

Remember that the rules about PHI include verbal or spoken PHI. Do not discuss PHI where you can be overheard by others. Try to move to a more private location before discussing it. 

Finally, it is important to always dispose of PHI properly. This means shredding it and disposing of it in locked bins. Do not throw out paper containing PHI in regular wastebaskets or dumpsters. 

If you follow these steps, you will help to keep patients’ PHI safe. 

PHI can be used for research. However, it can be used only with the approval of a Health System-authorized Institutional Review Board (IRB) and with either informed consent and authorization, a waiver of informed consent or authorization, or under a data use agreement as determined by the IRB. 

Finally, the 2013 HIPAA regulations also included several changes that affect the use and disclosure of PHI. For example, medical providers can now release the immunization records of patients enrolled in educational institutions that are required by the state to have such information, as long as the provider obtains permission for the release of the records from the patient or from the patient’s parent or guardian, if the patient is under 18 years of age. The law no longer requires the medical provider to obtain written permission before the information can be released. Similarly, PHI may now be released to family members and others who were involved in the care, or payment for care, of a deceased patient prior to death, unless doing so is inconsistent with any prior expressed preference of the deceased patient that is known to the Health System. These changes in the regulations were meant to make it easier on patients and on family members or individuals involved in the patient’s care to access the patient’s PHI.  

Not all of the regulations released in 2013 made it easier to disclose PHI. Many of the regulations actually made it more difficult for medical providers to use or disclose PHI without written authorization from the patient. For example, the new HIPAA regulations place severe limitations on the ability of medical providers to sell PHI or to use PHI for marketing purposes. As a result, the health system has a general prohibition against selling the PHI of patients, and it will only do so in very limited circumstances if it has a prior written authorization from the patient. The Health System must also obtain a patient’s authorization using a HIPAA-compliant authorization form before using or disclosing the individual’s PHI for Marketing purposes. Healthcare staff should speak to a supervisor or the facility’s division of Corporate Compliance if they have any questions about the sale or marketing of a patient’s PHI.   

The Security Rule 

The HIPAA Security Rule protects electronic PHI and sets standards for the electronic transmission of PHI. The Security Rule provides three types of safeguards:  

• The administrative safeguards set limits on who may access PHI electronically. It also requires detection systems to detect and prevent security breaches and ongoing evaluations and audits of computer systems’ security. 
• The physical safeguards required by the Security Rule include facility access controls, such as ID badges, which must be worn at all times. The Security Rule also requires device and media controls to track hardware.  
• The technical safeguards include software to monitor for viruses, the encryption of data, and system      tracking of logon attempts. It is important that all healthcare workers in a facility have a basic understanding of the technical safeguards as they help the facility reduce the risk to electronic protected health information or ePHI. 

· Access Control: Everyone must have a unique ID and password and should never share it. 

· Electronic Access: Electronic records must be accessible at all times. 

· Automatic Logoff: After a certain period of inactivity, system should force a logoff. 

· Audit Controls: The ability to see who has accessed the patient’s record. 

· Integrity: System checks to ensure no data has been manipulated either unintentionally or by an unwanted source. 

· Person or entity authentication: You are who you say you are (password, token, or both). 

· Encryption protecting PHI at rest: Data is encrypted while stored where appropriate and reasonable. 

· Encryption in transit: Data is encrypted while being transmitted. 

The healthcare facility’s Health Systems are always working hard to ensure the security of data through these safeguards and others. 

Protecting ePHI 

Everyone in the healthcare facility is responsible for protecting PHI, whether it’s contained in a written document, stored on a portable device or a computer, or spoken about between employees in an appropriate context. Each facility’s HIPAA policies help everyone do this by informing employees about the safeguards and procedures that must be utilized to secure PHI. For example, most healthcare facilities have a policy regulating the use of portable devices containing PHI. 

Computer users must actively protect all facility computers from loss or theft. It is very important that all employees keep track of their equipment and storage devices. Computers should be locked whenever not in use. 

Employees should never leave a computer or any device containing PHI – or paper PHI – in a car overnight. The computer, device, or files should be removed from the visible areas of the car during short stops. It only takes a minute for a thief to break into a car and take the PHI. 

All computers and mobile devices must be password protected, and a screensaver should be used whenever possible in accordance with the healthcare facility’s policy. Employees should store all documents containing PHI on network drives, not on their computer hard drive. 

Email, social media networks, and programs such as Instant Messenger can be as fun as they are useful. However, you must be extremely careful when using them in the workplace or when referencing the workplace. 

The basic principles for using your work-based email are: 

• Use your workplace email for work-related business only. 
• Do not forward workplace emails to a personal email account. 
• Make sure that your emails are professional in all respects. 
• Email communication with patients or about patients must be treated with the same confidentiality as the written or electronic medical record. 
• Emails that contain a patient’s PHI must have the word “secure” or the term “PHI” in the subject line. 
• A patient’s PHI should never be included in the subject line as that does not get encrypted. 
• The special rules for email communication with patients, such as patient consent and encryption, must be followed at all times. 
• If you are not sure how to encrypt emails at your location, please call the help desk in your facility. 

Social Media

Increasingly, social media is becoming a vehicle for business and personal communication. The facility’s confidentiality policy and HIPAA privacy rules apply equally to anything posted on social media platforms that is patient health information or confidential business information. 

Absolutely no facility health system information should be posted on your personal social media account or any other similar sites. This includes protected health information, stories about things that happened in the workplace, and confidential business information. Even if it seems harmless or doesn’t identify the patient, you cannot put any health system information on your personal social media accounts. Think before you act. Protect patient privacy and protect the health system’s confidential business information.   

Health System Business Information and Employee Data 

In addition to PHI, please remember that all health system business information, which includes employee personal data, should be treated as confidential at all times. You should only use this information when you are required to do so for your job. You should never use health system information for personal gain or for any other unauthorized reason. 

Breach Notification 

One of the most important developments under HIPAA is the updated breach notification requirement. Beginning in 2011, certain kinds of improper disclosures of PHI must be reported to the federal government and the affected patients must be notified of the breach. “Breach” is defined as “an unauthorized acquisition, access, use or disclosure of unsecured, unencrypted protected health information which violates the HIPAA Privacy Rule and compromises the security or privacy of PHI. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information was compromised.” 

Anyone associated with the health system who becomes aware of a breach or even a potential breach must notify their immediate supervisor and the facility’s division of Corporate Compliance immediately. Compliance and the Legal Affairs division will take the lead in making the determination as to whether the breach must be reported to the government and whether the affected patients need to be notified. 

No one other than the Compliance and Legal Affairs should attempt to make this determination or conduct an investigation into the alleged breach. Your responsibility is to notify Corporate Compliance as soon as you become aware of the potential breach. Compliance and Legal Affairs, along with any other appropriate departments, will handle the rest of the matter. 

Duty to Report Compliance Violations 

All facility health system employees have a duty to report compliance-related violations. These include: HIPAA, coding and billing issues, EMTALA violations, theft of company assets, Stark and Anti-Kickback violations, gift issues, and violations of the Code of Ethical Conduct and the Health System’s policies and procedures.  

There are a number of ways that you can report violations. You can report to your supervisor, to the facility’s division of Corporate Compliance, or to the Compliance Helpline (if available). In addition, be sure to report all violations to your staffing agency. 

 Questions, comments or complaints about the CARC privacy policies and procedures or about the collection, use or disclosure of personal information will be directed to the administrator. Please contact CARC's Administrator at (888) 462-4496.

If you are not satisfied with the response provided by the Administrator and/or designee, the client may contact the:

Louisiana Office of Behavioral Health

P. O. Box 629 |

Baton Rouge, LA 70821-0629 or by calling 225-342-9500