< tap to go back to guide menu

This is the Advanced guide.


Tap on a topic and then subtopic below to navigate this guide.



Data Privacy, HIPAA, and the Minnesota Health Records Act




Data Privacy and Security

As a health care provider in the digital age, especially as a home and community-based health care provider, you have exceptional challenges for keeping health care data about the people you serve safe and secure. This chapter explores those challenges and gives basic information about how to protect private health care information about the people you serve.

This policy/procedure may be updated at any time.

Tap here for a catalog of updates to this chapter since July 1, 2022.

First Steps in Privacy and Security

What You Will Learn

Identify dos and don'ts for keeping health records and private data safe and secure.

Use your electronic devices safely to assure privacy of health records.

Your first responsibilty when handling health records is to keep them safe, private and secure. Follow these guidelines for privacy and security:

  1. Keep paper records secure:

    • > When using paper documents that contain protected health information, make sure they are not in view of the others around you.
    • >When your paper documents are not in use, keep them in a location that is not accessible by others, either a locked room or locked cabinet.
    • > Send paper documents to medical records as soon as possible for scanning into our electronic health record.
    • > Destroy papers that you do not need as soon as you no longer need them. Submit them to the office for shredding.
    • > If transporting paper records such as between the office and a client's home, or from the client's home to the office or another location:
      • Documents must be in a folder or envelope, and preferrably in a bag or backpack,
      • If you leave documents in your car, your car must be locked,
      • Do not leave documents in your car overnight,
      • If you must take documents to your home office overnight to deliver the following day, and live with others or will have visitors, documents must be kept in a locked room or cabinet accessible only to you,
      • Deliver documents to the destination as soon as possible, no later than 24 hours, leaving them only with an authorized individual,
      • Never leave documents in a mailbox or mail slot, or other insecure area outside the home,
      • A housemate or family member is not authorized to accept documents on behalf of a client unless that individual is a parent or guardian, or you have permission from the client to give them to a family member.
  2. Keep your electronic devices secure:

    • > Do not leave your electronic devices unattended!
    • > Do not download or create files to your personal devices that contain client PHI.
    • > When using personal devices that you might share with others, maintain a separate log-in for yourself and a guest account for others. Do not set up other admin accounts on shared devices!
    • > Do not share your Accend Services-issued devices with others.
    • > Become savvy about viruses, phishing scams, and other malware and schemes intended to gain access to information on your electronic devices.  Do not fall prey to these schemes!
    • > Install and update antivirus to protect you and your data against malicious software.
    • > Do not put personal accounts on company-issued equipment.
  3. Keep your login secure:

    • > Use a login password that only you know for all devices you use to document your work.
    • > Select a strong password that is not easily guessable.Do not use your name! Your password should be at least 8 characters and contain at least 3 of the 4 data types (uppercase letters, lowercase letters, numbers, and special characters).
    • > If you have a shared computer, you must have a seperate user account for work. Do not share you login with anyone.
    • > Do not save log-in passwords on any device that you share with others.
    • > Do not share your login passwords that you use for work with anyone.
    • > Never use a password for TabsTM that you use for any other account.
    • > Never, ever, save your password on a pubic device, such as a training computer at the Accend offices, a library or other publicly-accessed computer.
  4. Do not use unsecured methods to send or receive private health care information:

    • > Never send or receive private, protected information in email, text messaging, or other forms of electronic communication that you do not know for certain are secure and encrypted.
    • > Do not reply to messages sent by others if you cannot verify the method is secure and encrypted.
    • > You will be issued an encrypted email account at Accend. This account is encrypted only for internal communication with your coworkers and does not encrypt emails sent outside of the agency. You are responsible to ensure that emails sent with protected health information are encrypted.
    • > Do not use messaging to send or receive private information unless the messaging or email service you use is approved by Accend as secure and encrypted.
    • > Do not use personal accounts/personal numbers to contact clients.

Email

You will be issued an encryped email account at Accend. Employees are allowed to use their email for work-related purposes without limitations. They do however, represent our company wheverever they use it and must use it appropriatley. Remember that your issued email is Accend Services property and we have the right to monitor and archive emails when we feel the need to do so.

Helpful Tips:

If an employee starts getting suspicious mail from the same place, they should report it to the Cheif Privacy Officer and we can blacklist the source.

Email is often the medium of hacker attacks, confidentiality breaches, viruses and other malware. These issues can compomise our reputation, legality and security of our equipment. We take steps to ensure that your issued email is protected.

We encrypt your email upon your device on your first day at Accend. It is your responsibility, however, to make sure that your emails stay encrypted and protected. Most of the information you send, and will continue to send, will include a client’s name. This is considered protected health information by HIPPA, which is why it needs to be encrypted.

If you send unencrypted emails with protected health information in the content you are not in compliance with HIPAA rules and regulations.

Malicious Emails

Read more about malicious email in the Technology Guide here.

Internet Usage

At Accend we provide you with access to our wireless network. We dont want to restrict our employees access to websites of their choice, but we expect our employees to use good judement and remain productive at work while using the internet. Always use safe browsing techniques and beware not to:

Company Issued Equipment

Accend Services provides you with a company issued work iPhone. These phones are to be used to contact various clients, co-workers, and for any work related purposes. Due to privacy concerns, we require that you DO NOT use or give out your personal phone number/s to any clients as a form of contact.

Your issued iPhone will be one of the main forms communication between you and your potential clients. Keeping that in mind, you will need to ensure that your iPhone is secure to protect any confidential information that could be located on your device. Due to these security reasons, you will need to change your password every 3-6 months. When choosing a password it must be at least 4 digits in length and it must never be a previous password.

Any other issued devices, such as a laptop or tablet, will have the same requirements. You must change your password every 3-6 months, and use it for work related purposes only.

Photographs and Videos of Clients

The ability to take phtos and videos has gotten easier as smart phones have...well gotten "smarter". Whether it is your issued work phone or a personal phone, it is unacceptable to take pictures or videos of clients without agency authorization for an official purpose. If there is an official pupose it must also have prior written consent from the subject of the photo or video. We need to ensure that the clients confindentiality is protected and any possible PHI is handled with care. For consent, please contact your direct Supervisor or our Privacy Officer.

We may, however, at times record sessions for the purpose of training, quality assurance, and other treatment purposes. When sessions are recorded, all of the following procedures must be followed:

Electronic Submission of Data

The following transmissions of protected health information are allowed, though staff members should take precaution to assure that the data sent is sent to the intended recipient:

Instructions to Outside Parties for Using Zix

When a parent or other authorized person asks that private, protected infomation be sent by email, we must encrypt the email. Prior to sending to someone who is not familiar with Zix, send an unencryped mail with the following link to instructions on how to set up a Zix account and how to open the encrypted mail. These videos are 25 and 29 seconds long. Easy!

https://go.zixcorp.com/learn-more.html


Insecure Methods Prohibited

Temporary Exceptions for Video Calling

For the extent of the National Emergency Concerning the COVID-19 Pandemic, rules have been relaxed for the use of video calling apps to deliver telelhealth services. When the federal emergency expires, this policy will be amended to identify the apps allowed/not allowed.

Read more about this in the Telehealth Guide here.

No Accend Services staff member shall transmit or request transmission of private, protected health information without permission of the client or authorized legal representative via any of the following electronic means - including means provided or hosted by Accend Services - unless those means are determined to be secure and encrypted, labeled as such with a security certificate from a reputable third party, and approved by the Accend Privacy Officer.

Responding to Insecure Methods

Regardless of the actions of others, including clients, guardians, or other service providers who may be in violation of these standards, Accend Services personnel shall not violate policies and procedures for electronic data transmission. Use the followingmethods to comply:

Procedures for Release of Information


General Procedures:


Authorization for Release of Information Required

Release of information to any third party other than those parties or situations identified below requires a current, signed Authorization for Release of Information. This includes printed records and verbal communication.

We use the Minnesota Standard Consent Form to Release Health Information as this form must be accepted by law by all health care providers in Minnesota. To export the TabsTM version of this form to PDF, following the instructions found in the Technology Guide, here. Do not use the "General Release" for any medical records, including mental health records.

Procedures for Requesting Non-Health Information

For requests for Information that is not health-related, use the General Release in TabsTM

Minimum Necessary Disclosure

Any release to outside parties, or internal sharing of information must meet the standard for minimum necessary disclosure. This means that, as part of minimal necessary guidelines, a Accend must refrain from sending out a patient's entire medical record when responding to a disclosure. The only exception is when the covered entity can justify that the patient's entire record was required to meet the purposes of the request, and therefore adheres to minimum necessary guidelines.

Parties To Whom We Must Release Information

Under Minnesota law, we may also be required to provide information to other persons or organizations for specific purposes and for coordination of your services. We will log of these releases in client records and make these logs available to clients upon request. Unless required by law, Accend Services will not release information to any other agency without a signed and dated consent from the client or his or her authorized legal representative. When we disclose information to these agencies and individuals, we will disclose only the minimum necessary required. Some examples of persons or agencies to whom we might disclose information include, but are not limited to, those listed below.

Situations Where Release May Be Allowed Without Authorization

Accend Services will not release client health records without a signed and dated consent from the client or the client's legal guardian or conservator. There are some exceptions. Some of those exceptions include the following:

Release to Law Enforcment Officials

Release of Information to Law Enforcement is allowed only with authorization of the individual who is the subject of the request and any such release must comply with all other requirements of this policy.

Information Requiring a Separate Release


Psychotherapy Notes: A separate authorization is required for release of Pyschotherapy Progress Notes and may not be combined with other authorizations to release information to any party.

Drug or Alcohol Screening or Treatment Information: A separate authorization is required and may not be combined with other authorizations to release information to any party. Documents that include information about screening, testing or treatment for Drug and Alcohol Use must be redacted before being released, unless we have this separate authorization.

HIV Status or Testing: A separate authorization is required and may not be combined with other authorizations to release information to any party. Documents that include information about HIV status or testing must be redacted before being released, unless we have this separate authorization.

Considerations for Releasing the Records of Minors

Releasing assessment, testing, screening or treatment information of minors requires special consideration, and in some cases, may not be released without authorization by the child.

Psychotherapy Notes

Psychotherapists may decline to release Psychotherapy Progress Notes for a minor when all of the following conditions are present:

Certain Medical Procedures and Screenings

Minors may request drug or alcohol screening, assessment and treatment for the following without the consent of their legal guardians. When this occurs, the child may also request that records be kept private.

Reporting, Investigating and Responding to a Data Privacy Violation

Any staff member, client or other affected party may report data privacy violations by contacting a privacy officer or director of Accend Services. You should notify the privacy officer of any suspicious incident as soon as possible after learning of the potential privacy violation. It is better to report than not to. Here are some guidelines of when to report:

Roles and Responsibilites:

We have included, below, the roles and reponsibilites of each staff member at Accend Services, Inc for safeguarding protected health information of the individuals we support.

All Staff Members: All staff members shall adhere strictly with data privacy policies and procedures and report problems or breaches as needed, without fear of retaliation.

Privacy Officer: The IT Systems Manager shall act as the Privacy Officer, assuring compliance with federal and state data privacy rules, keeping abreast of changes in these rules, implementing procedural changes as needed, investigating alleged violations of data privacy and proposing action plans to address problems where identified.

Treatment Director: The Treatment Director shall assist the Privacy Officer in conducting investigations of potential data privacy violations as needed or as delegated by the Executive Director, in implementing corrective action, and training staff members in policy or procedural changes.

Executive Director: The Executive Director shall receive reports of potential data privacy violations and investigations, and approve recommended action plans.

Investigation

Upon receiving a complaint or report of a breach of data privacy, the Accend Services Privacy Officer will immediately investigate and determine:

Responding

After completion of a full internal investigation, the investigating officer shall report results of the investigation and recommended remedial action immediately to the Executive Director. The Executive Director shall review the data privacy violation and data privacy law to determine whether or not reporting to an outside agency is required, and report as necessary. As appropriate, Accend Services shall also inform the clients or their guardians of any potential adverse impacts resulting from a data privacy violation involving them, and any actions taken to mitigate them. The Privacy Officer and Executive Director will determine and implement approved actions as necessary to prevent future potentional occurrences of breaches of data privacy. Actions may include but are not limited to the following






What You Will Learn:

The 3 Rules of HIPAA

What protected health information is and why it needs to be safeguarded

Health Insurance Portability and Accountability Act

HIPAA is an acronym that stands for the Health Insurance Portability and Accountability Act. HIPAA is a federal law that was enacted in 1996 to implement healthcare reform. This law requires administrative, physical and technical safeguards to be implemented to address the confidentiality, integrity and availability of protected health information. HIPAA is made of three rules:

  1. Privacy Rule
  2. Security Rule
  3. Breach Notification Rule

The Privacy Rule

The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information. It applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. These are referred to as "the covered entities" by HIPAA. The Privacy Rule requires appropriate safguards to protect the privacy of health information. It sets limits and conditions on the uses and disclosures that may be made of personal health information and gives client's rights over their health information.

Protected Health Information

So, what is the information we need to be protecting? Well, it is any "individually identifiable health information" which we refer to as Protected Health information (PHI). The Privacy Rule protects all PHI held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. Individually identifiable health information is information, including demographic data, that relates to:

There are 18 identifiers which are listed under what is protected health information. These identifiers are listed below:

  1. Name
  2. Address (all geographic subdivisions smaller than state, including street address, city county, and zip code)
  3. All elements (except years) of dates related to an individual (including birthdate, admission date, discharge date, date of death, and exact age if over 89)
  4. Telephone numbers
  5. Fax number
  6. Email address
  7. Social Security Number
  8. Medical record number
  9. Health plan beneficiary number
  10. Account number
  11. Certificate or license number
  12. Any vehicle or other device serial number
  13. Device identifiers and serial numbers
  14. Web URL
  15. Internet Protocol (IP) Address
  16. Finger or voice print
  17. Photographic image - Photographic images are not limited to images of the face
  18. Any other characteristic, identifying number, or identifying code that could uniquely identify the individual
Use and Disclosure of Protected Health Information

As stated previously, the Privacy Rule is used to define and limit the circumstances in which a client's protected health information may be used or disclosed by a covered entity. These limits and circumstances are listed below. Please read carefully!

Basic Principle: A covered entity may not use or disclose protected health information unless:

  1. the Privacy Rule permits or requires
  2. the client who is the subject of the information (or the client’s personal representative) authorizes in writing

Required Disclosures: A covered entity must disclose protected health information in only two situations:

  1. To the clients (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their protected health information
  2. To Health and Human Services (HHS) when it is undertaking a compliance investigation or review or enforcement action

Permitted Uses and Disclosures: A covered entity is permitted, but not required, to use and disclose protected health information, without an client’s authorization, for a variey of reasons. Some examples are:

Be Aware:

It gets tricky when sharing mental health information about a client. It is hard to know what is identifying information or what is not. As a simple common sense guideline, if you are unsure...dont share it. Always be aware of what you share!

Keep in mind also that just because law enforcement may ask for or even insist they are entitled to information, they may not be except in emergency situations. If you are unsure, please do not disclose, and seek guidance first.

For more information see the Summary of the HIPAA Privacy Rule here.

Minimum Necessary

An essential condition of the Privacy Rule is the principle of "minimum necessary" use and disclosure. A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request. The only exceptions to the minimum necessary requirement are the times when a covered entity is disclosing information for the following reasons:

Client Rights with Data Privacy

As said previously, client's have a right to their personal private health records. Federal and state law requires that clients may review any information in their health records that are kept by health care providers regarding any diagnosis, treatment and prognosis. If a client or authorized representative asks in writing, we will provide copies of records or copies of a summary of the information in the records. We may not provide this information if we have determined that it is detrimental to the client's physical or mental health, or is likely to cause the client to inflict self harm, or to harm another. If such a determination has been made, then the information shall be given to an appropriate third party. In cases where clients make reasonable requests, we will provide a summary of the information in the client's record at no cost.

Accend Services shall notify all clients of their rights regarding privacy and confidentiality of their health data using the following methods:

The Security Rule

The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. Electronic protected health infromation is a subset of information covered by the Privacy Rule. It is all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form.


The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. Specifically, covered entities must:

The Breach Notification Rule

The Breach Notification Rule requires a covered entity to notify affected individuals and HHS following a breach of unsecured PHI. It requires that a covered entity notifies affected individuals and HHS without reasonable delay but no later than 60 calendar days from discovering the breach.


Definition of a Breach

What is a breach? A breach is any impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of PHI and poses a significant risk of financial, reputational, or other harm to the affected individual. An impermissible use or disclosure of PHI is assumed to be a breach unless the covered entity demonstrates that there is a low probablity that the PHI has been compromised based on a risk assessment of at least the following factors:

There are three exceptions to the definition of a breach. A breach is not:

  1. Unintentional access or use of PHI by an employee or individual acting under the authority of a covered entity
  2. Inadvertent disclosure of PHI from one person authorized to access PHI at a covered entity to another person authorized to access phi a different covered entity
  3. Unauthorized disclosures in which an unauthorized person to whom PHI was disclosed would not reasonably have been able to retain the information

Consequences of a Breach

Health and Human Services is now required to investigate and impose civil penalties where violations are due to willful neglect. This can be against a covered entity or It's business associate. The penalties are based off of the HIPAA violation tiers. It has four teirs and ranges from $100 per incident to $1.5 million per incident. See the image for further information on tiers and penalities.

There can also be penalties for a HIPAA violation for an employee. The type of sanctions depend on the severity of the violation, intent, etc. Below are a few examples of HIPAA violations along with the penalties on the employee:

Reporting, Investigating and Responding to a Breach



Any staff member, client or other affected party may report data privacy violations by contacting a privacy officer or director of Accend Services. You should notify the privacy officer of any suspicious incident as soon as possible after learning of the potential privacy violation. It is better to report than not to.





The Minnesota Health Records Act

What is the Minnesota Health Records Act?

In Minnesota, the collection, protection and sharing of health information is governed by the Minnesota Health Records Act (MHRA) and the Health Insurance Portability and Accountability Act (HIPAA).


> MHRA protects the information in medical records and the sharing of the information but does not control how it is to be protected or how it is to be transmitted electronically.

> HIPAA and the associated Privacy Rule, set the standards for the collection, protection and sharing of individually- identifiable health information.

> Covered entities in Minnesota must follow both MHRA and HIPAA. HIPAA sets a minimum standard that must be followed while MHRA sets out additional protections for Minnesota patients. The MHRA is more stringent than HIPAA in several respects.

What are the basic requirements of the MHRA?

Patient Rights

In general, MHRA grants patients the rights to access their health records upon request. Providers must provide written notice of their health records practices and written notice of patient’s right to access their records.

Disclosure of health records

Health records may only be disclosed to a third party with a signed and dated consent (or as a result of a specific authorization in the law) The signed and dated consent is generally valid for one year unless otherwise specified.

Health records may be released without consent:

1. For a medical emergency when the provider is unable to obtain the patient’s consent due to the patient’s condition or the nature of the emergency.

2. To other providers within related health care entities when necessary for the current treatment.

3. To a health care facility in certain circumstances when a patient is returning to a healthcare facility and is unable to provide consent.

Mental Health Records

Mental health records are treated the same as other types of information in medical records. Minnesota Law considers psychotherapy notes to be part of the patient’s health record and patients have the right to access the notes in the same way they access the rest of their health record. If information in the psychotherapy notes is detrimental the physical or mental health of the patient or is likely to cause the patient to inflict self-harm or to harm another, a provider may withhold psychotherapy notes from a patient.

A provider must disclose mental health records to a law enforcement agency if they provide the name to the patient and communicates that the patient is involved in a mental health crisis and the disclosure of the records is necessary to protect the health and safety of the patient or another person, The scope of the disclosure is limited to the minimum necessary for law enforcement to safely respond to the crisis.

Standard Consent Form

The Minnesota Department of Health developed a standard consent form to access health records. This form complies with MHRA. Accend has chosen to adopt the form when requesting medical records. It is a legally enforceable request and organizations must honor it. Click here to access more information regarding DHS medical record information.




Feedback or Questions about this Chapter

This guide is a living document. We want to improve it with your help. Do you have questions? Found a typo? Find yourself wanting more information? Please send us your thoughts about anything in this chapter by tapping on the link below.

Questions, Feedback & Suggestions

Updates to this Chapter

Updates to this chapter since July 1, 2022 are listed below.



October 12, 2022:



May 17, 2024:

Language added on securely transporting documents in First Steps in Privacy and Security.