This is the Advanced guide.
As a health care provider in the digital age, especially as a home and community-based health care provider, you face exceptional challenges in keeping the health care data of the people you serve safe and secure. This chapter explores those challenges and gives basic information about how to protect private health care information about the people you serve.
This policy/procedure may be updated at any time.
Tap here for a catalog of updates to this chapter since July 1, 2022.
While this policy references current clients in the text, it must be generally interpreted to mean anyone else and any other records, including:
If you discover that this information has been accessed, you are required to report it. Accessing and reading any information about others that can reasonably be considered confidential or private, or failing to report a security breach you have encountered, may be grounds for immediate termination as misconduct.
Identify dos and don'ts for keeping health records and private data safe and secure.
Use your electronic devices safely to assure privacy of health records.
Your first responsibility when handling health records is to keep them safe, private and secure. Follow these guidelines for privacy and security:
You will be issued an encrypted email account at Accend. Employees are allowed to use their email for work-related purposes without limitations. They do, however, represent our company wherever they use it and must use it appropriately. Remember that your issued email is Accend Services property and we have the right to monitor and archive emails when we feel the need to do so.
If an employee starts getting suspicious mail from the same source, they should report it to the Chief Privacy Officer so that we can blacklist the source.
Email is often the medium of hacker attacks, confidentiality breaches, viruses and other malware. These issues can compromise our reputation, our legal standing, and the security of our equipment. We take steps to ensure that your issued email is protected.
We encrypt your email on your device on your first day at Accend. It is your responsibility, however, to make sure that your emails stay encrypted and protected. Most of the information you send, and will continue to send, will include a client's name. This is considered protected health information under HIPAA, which is why it needs to be encrypted.
If you send unencrypted emails with protected health information in the content you are not in compliance with HIPAA rules and regulations.
Read more about malicious email in the Technology Guide here.
At Accend we provide you with access to our wireless network. We don't want to restrict our employees' access to websites of their choice, but we expect our employees to use good judgment and remain productive at work while using the internet. Always use safe browsing techniques and be careful not to:
Accend Services provides you with a company-issued work iPhone. These phones are to be used to contact clients and co-workers, and for any other work-related purposes. Due to privacy concerns, we require that you DO NOT use or give out your personal phone number(s) to any clients as a form of contact.
Your issued iPhone will be one of the main forms of communication between you and your potential clients. Keeping that in mind, you will need to ensure that your iPhone is secure to protect any confidential information that could be located on your device. For these security reasons, you will need to change your password every 3-6 months. When choosing a password it must be at least 4 digits in length and it must never be a previous password.
Any other issued devices, such as a laptop or tablet, have the same requirements. You must change your password every 3-6 months, and use the device for work-related purposes only.
The ability to take photos and videos has gotten easier as smart phones have...well, gotten "smarter". Whether it is your issued work phone or a personal phone, it is unacceptable to take pictures or videos of clients without agency authorization for an official purpose. If there is an official purpose, it must also have prior written consent from the subject of the photo or video. We need to ensure that the clients' confidentiality is protected and any possible PHI is handled with care. For consent, please contact your direct Supervisor or our Privacy Officer.
We may, however, at times record sessions for the purpose of training, quality assurance, and other treatment purposes. When sessions are recorded, all of the following procedures must be followed:
The following transmissions of protected health information are allowed, though staff members should take precautions to ensure that the data is sent to the intended recipient:
When a parent or other authorized person asks that private, protected information be sent by email, we must encrypt the email. Prior to sending to someone who is not familiar with Zix, send an unencrypted mail with the following link to instructions on how to set up a Zix account and how to open the encrypted mail. These videos are 25 and 29 seconds long. Easy!
https://go.zixcorp.com/learn-more.html
For the duration of the National Emergency Concerning the COVID-19 Pandemic, rules have been relaxed for the use of video calling apps to deliver telehealth services. When the federal emergency expires, this policy will be amended to identify the apps allowed/not allowed.
Read more about this in the Telehealth Guide here.
No Accend Services staff member shall transmit or request transmission of private, protected health information without permission of the client or authorized legal representative via any of the following electronic means - including means provided or hosted by Accend Services - unless those means are determined to be secure and encrypted, labeled as such with a security certificate from a reputable third party, and approved by the Accend Privacy Officer.
Regardless of the actions of others, including clients, guardians, or other service providers who may be in violation of these standards, Accend Services personnel shall not violate policies and procedures for electronic data transmission. Use the following methods to comply:
Release of information to any third party other than those parties or situations identified below requires a current, signed Authorization for Release of Information. This includes printed records and verbal communication.
We use the Minnesota Standard Consent Form to Release Health Information, as this form must by law be accepted by all health care providers in Minnesota. To export the Tabs™ version of this form to PDF, follow the instructions found in the Technology Guide, here. Do not use the "General Release" for any medical records, including mental health records.
For requests for information that is not health-related, use the General Release in Tabs™.
Any release to outside parties, or internal sharing of information, must meet the standard for minimum necessary disclosure. This means that, under minimum necessary guidelines, Accend must refrain from sending out a patient's entire medical record when responding to a request for disclosure. The only exception is when the covered entity can justify that the patient's entire record was required to meet the purposes of the request, and therefore adheres to minimum necessary guidelines.
Under Minnesota law, we may also be required to provide information to other persons or organizations for specific purposes and for coordination of your services. We will log these releases in client records and make these logs available to clients upon request. Unless required by law, Accend Services will not release information to any other agency without a signed and dated consent from the client or his or her authorized legal representative. When we disclose information to these agencies and individuals, we will disclose only the minimum necessary. Some examples of persons or agencies to whom we might disclose information include, but are not limited to, those listed below.
Accend Services will not release client health records without a signed and dated consent from the client or the client's legal guardian or conservator. There are some exceptions. Some of those exceptions include the following:
Release of Information to Law Enforcement is allowed only with authorization of the individual who is the subject of the request and any such release must comply with all other requirements of this policy.
Psychotherapy Notes: A separate authorization is required for release of Psychotherapy Progress Notes and may not be combined with other authorizations to release information to any party.
Drug or Alcohol Use or Abuse Screening or Treatment Information: A separate authorization is required and may not be combined with other authorizations to release information to any party. Documents that include information about screening, testing or treatment for Drug and Alcohol Use or Abuse must be redacted before being released, unless we have this separate authorization.
HIV Status or Testing: A separate authorization is required and may not be combined with other authorizations to release information to any party. Documents that include information about HIV status or testing must be redacted before being released, unless we have this separate authorization.
Releasing assessment, testing, screening or treatment information of minors requires special consideration, and in some cases, may not be released without authorization by the child.
Psychotherapists may decline to release Psychotherapy Progress Notes for a minor when all of the following conditions are present:
Minors may request drug or alcohol screening, assessment and treatment for the following without the consent of their legal guardians. When this occurs, the child may also request that records be kept private.
Any staff member, client or other affected party may report data privacy violations by contacting a privacy officer or director of Accend Services. You should notify the privacy officer of any suspicious incident as soon as possible after learning of the potential privacy violation. It is better to report than not to. Here are some guidelines of when to report:
We have included, below, the roles and responsibilities of each staff member at Accend Services, Inc. for safeguarding protected health information of the individuals we support.
All Staff Members: All staff members shall adhere strictly to data privacy policies and procedures and report problems or breaches as needed, without fear of retaliation.
Privacy Officer: The IT Systems Manager shall act as the Privacy Officer, assuring compliance with federal and state data privacy rules, keeping abreast of changes in these rules, implementing procedural changes as needed, investigating alleged violations of data privacy and proposing action plans to address problems where identified.
Treatment Director: The Treatment Director shall assist the Privacy Officer in conducting investigations of potential data privacy violations as needed or as delegated by the Executive Director, in implementing corrective action, and training staff members in policy or procedural changes.
Executive Director: The Executive Director shall receive reports of potential data privacy violations and investigations, and approve recommended action plans.
Upon receiving a complaint or report of a breach of data privacy, the Accend Services Privacy Officer will immediately investigate and determine:
After completion of a full internal investigation, the investigating officer shall report the results of the investigation and recommended remedial action immediately to the Executive Director. The Executive Director shall review the data privacy violation and data privacy law to determine whether or not reporting to an outside agency is required, and report as necessary. As appropriate, Accend Services shall also inform the clients or their guardians of any potential adverse impacts resulting from a data privacy violation involving them, and any actions taken to mitigate them. The Privacy Officer and Executive Director will determine and implement approved actions as necessary to prevent future occurrences of breaches of data privacy. Actions may include but are not limited to the following:
The 3 Rules of HIPAA
What protected health information is and why it needs to be safeguarded
HIPAA is an acronym that stands for the Health Insurance Portability and Accountability Act. HIPAA is a federal law that was enacted in 1996 to implement healthcare reform. This law requires administrative, physical and technical safeguards to be implemented to address the confidentiality, integrity and availability of protected health information. HIPAA is made of three rules:
The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other personal health information. It applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. These are referred to as "covered entities" by HIPAA. The Privacy Rule requires appropriate safeguards to protect the privacy of health information. It sets limits and conditions on the uses and disclosures that may be made of personal health information and gives clients rights over their health information.
So, what is the information we need to be protecting? Well, it is any "individually identifiable health information", which we refer to as Protected Health Information (PHI). The Privacy Rule protects all PHI held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. Individually identifiable health information is information, including demographic data, that relates to:
There are 18 identifiers which are listed under what is protected health information. These identifiers are listed below:
As stated previously, the Privacy Rule is used to define and limit the circumstances in which a client's protected health information may be used or disclosed by a covered entity. These limits and circumstances are listed below. Please read carefully!
Basic Principle: A covered entity may not use or disclose protected health information unless:
Required Disclosures: A covered entity must disclose protected health information in only two situations:
Permitted Uses and Disclosures: A covered entity is permitted, but not required, to use and disclose protected health information, without a client's authorization, for a variety of reasons. Some examples are:
It gets tricky when sharing mental health information about a client. It is hard to know what is identifying information and what is not. As a simple common sense guideline, if you are unsure...don't share it. Always be aware of what you share!
Keep in mind also that just because law enforcement may ask for or even insist they are entitled to information, they may not be except in emergency situations. If you are unsure, please do not disclose, and seek guidance first.
For more information see the Summary of the HIPAA Privacy Rule here.
An essential condition of the Privacy Rule is the principle of "minimum necessary" use and disclosure. A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request. The only exceptions to the minimum necessary requirement are the times when a covered entity is disclosing information for the following reasons:
As said previously, clients have a right to their personal private health records. Federal and state law requires that clients may review any information in their health records that is kept by health care providers regarding any diagnosis, treatment and prognosis. If a client or authorized representative asks in writing, we will provide copies of records or copies of a summary of the information in the records. We may not provide this information if we have determined that it is detrimental to the client's physical or mental health, or is likely to cause the client to inflict self-harm, or to harm another. If such a determination has been made, then the information shall be given to an appropriate third party. In cases where clients make reasonable requests, we will provide a summary of the information in the client's record at no cost.
Accend Services shall notify all clients of their rights regarding privacy and confidentiality of their health data using the following methods:
The HIPAA Security Rule establishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity. Electronic protected health information is a subset of the information covered by the Privacy Rule. It is all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form.
The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. Specifically, covered entities must:
The Breach Notification Rule requires a covered entity to notify affected individuals and HHS following a breach of unsecured PHI. It requires that a covered entity notifies affected individuals and HHS without reasonable delay but no later than 60 calendar days from discovering the breach.
What is a breach? A breach is any impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of PHI and poses a significant risk of financial, reputational, or other harm to the affected individual. An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity demonstrates that there is a low probability that the PHI has been compromised, based on a risk assessment of at least the following factors:
There are three exceptions to the definition of a breach. A breach is not:
Health and Human Services is now required to investigate and impose civil penalties where violations are due to willful neglect. This can be against a covered entity or its business associate. The penalties are based on the HIPAA violation tiers. There are four tiers, ranging from $100 per incident to $1.5 million per incident. See the image for further information on tiers and penalties.
There can also be penalties for an employee who commits a HIPAA violation. The type of sanction depends on the severity of the violation, intent, etc. Below are a few examples of HIPAA violations along with the penalties on the employee:
Any staff member, client or other affected party may report data privacy violations by contacting a privacy officer or director of Accend Services. You should notify the privacy officer of any suspicious incident as soon as possible after learning of the potential privacy violation. It is better to report than not to.
In Minnesota, the collection, protection and sharing of health information is governed by the Minnesota Health Records Act (MHRA) and the Health Insurance Portability and Accountability Act (HIPAA).
> MHRA protects the information in medical records and the sharing of the information but does not control how it is to be protected or how it is to be transmitted electronically.
> HIPAA and the associated Privacy Rule set the standards for the collection, protection and sharing of individually-identifiable health information.
> Covered entities in Minnesota must follow both MHRA and HIPAA. HIPAA sets a minimum standard that must be followed while MHRA sets out additional protections for Minnesota patients. The MHRA is more stringent than HIPAA in several respects.
In general, MHRA grants patients the right to access their health records upon request. Providers must provide written notice of their health records practices and written notice of patients' right to access their records.
Health records may only be disclosed to a third party with a signed and dated consent (or as a result of a specific authorization in the law). The signed and dated consent is generally valid for one year unless otherwise specified.
1. For a medical emergency when the provider is unable to obtain the patient’s consent due to the patient’s condition or the nature of the emergency.
2. To other providers within related health care entities when necessary for the current treatment.
3. To a health care facility in certain circumstances when a patient is returning to a healthcare facility and is unable to provide consent.
Mental health records are treated the same as other types of information in medical records. Minnesota law considers psychotherapy notes to be part of the patient's health record, and patients have the right to access the notes in the same way they access the rest of their health record. If information in the psychotherapy notes is detrimental to the physical or mental health of the patient or is likely to cause the patient to inflict self-harm or to harm another, a provider may withhold psychotherapy notes from a patient.
A provider must disclose mental health records to a law enforcement agency if the agency provides the name of the patient and communicates that the patient is involved in a mental health crisis and that the disclosure of the records is necessary to protect the health and safety of the patient or another person. The scope of the disclosure is limited to the minimum necessary for law enforcement to safely respond to the crisis.
The Minnesota Department of Health developed a standard consent form to access health records. This form complies with MHRA. Accend has chosen to adopt the form when requesting medical records. It is a legally enforceable request and organizations must honor it. Click here to access more information regarding DHS medical record information.
This guide is a living document. We want to improve it with your help. Do you have questions? Found a typo? Find yourself wanting more information? Please send us your thoughts about anything in this chapter by tapping on the link below.
Updates to this chapter since July 1, 2022 are listed below.
October 12, 2022:
May 17, 2024:
Language added on securely transporting documents in First Steps in Privacy and Security.
November 15, 2024:
Language added stating that this policy applies beyond current client records.