First Steps in Privacy and Security

Your first responsibilty when handling health records is to keep them safe, private and secure. Follow these guidelines for privacy and security:

1. Keep paper records secure:
   
   
   • > When using paper documents that contain protected health information, make sure they are not in view of the others around you.
   • >When your paper documents are not in use, keep them in a location that is not accessible by others, either a locked room or locked cabinet.
   • > Send paper documents to medical records as soon as possible for scanning into our electronic health record.
   • > Destroy papers that you do not need as soon as you no longer need them. Submit them to the office for shredding.

2. Keep your electronic devices secure:
   
   
   • > Do not leave your electronic devices unattended!
   • > Do not download or create files to your personal devices that contain client PHI.
   • > When using personal devices that you might share with others, maintain a separate log-in for yourself and a guest account for others. Do not set up other admin accounts on shared devices!
   • > Do not share your Accend Services-issued devices with others.
   • > Become savvy about viruses, phishing scams, and other malware and schemes intended to gain access to information on your electronic devices.  Do not fall prey to these schemes!
   • > Install and update antivirus to protect you and your data against malicious software.
   • > Do not put personal accounts on company-issued equipment.

3. Keep your login secure:
   
   
   • > Use a login password that only you know for all devices you use to document your work.
   • > Select a strong password that is not easily guessable.Do not use your name! Your password should be at least 8 characters and contain at least 3 of the 4 data types (uppercase letters, lowercase letters, numbers, and special characters).
   • > If you have a shared computer, you must have a seperate user account for work. Do not share you login with anyone.
   • > Do not save log-in passwords on any device that you share with others.
   • > Do not share your login passwords that you use for work with anyone.
   • > Never use a password for Tabs^TM that you use for any other account.
   • > Never, ever, save your password on a pubic device, such as a training computer at the Accend offices, a library or other publicly-accessed computer.

4. Do not use unsecured methods to send or receive private health care information:
   
   
   • > Never send or receive private, protected information in email, text messaging, or other forms of electronic communication that you do not know for certain are secure and encrypted.
   • > Do not reply to messages sent by others if you cannot verify the method is secure and encrypted.
   • > You will be issued an encrypted email account at Accend. This account is encrypted only for internal communication with your coworkers and does not encrypt emails sent outside of the agency. You are responsible to ensure that emails sent with protected health information are encrypted.
   • > Do not use messaging to send or receive private information unless the messaging or email service you use is approved by Accend as secure and encrypted.
   • > Do not use personal accounts/personal numbers to contact clients.

Email

You will be issued an encryped email account at Accend. Employees are allowed to use their email for work-related purposes without limitations. They do however, represent our company wheverever they use it and must use it appropriatley. Remember that your issued email is Accend Services property and we have the right to monitor and archive emails when we feel the need to do so.

Email is often the medium of hacker attacks, confidentiality breaches, viruses and other malware. These issues can compomise our reputation, legality and security of our equipment. We take steps to ensure that your issued email is protected.

We encrypt your email upon your device on your first day at Accend. It is your responsibility, however, to make sure that your emails stay encrypted and protected. Most of the information you send, and will continue to send, will include a client’s name. This is considered protected health information by HIPPA, which is why it needs to be encrypted.

If you send unencrypted emails with protected health information in the content you are not in compliance with HIPAA rules and regulations.

Malicious Emails

Read more about malicious email in the Technology Guide here.

Internet Usage

At Accend we provide you with access to our wireless network. We dont want to restrict our employees access to websites of their choice, but we expect our employees to use good judement and remain productive at work while using the internet. Always use safe browsing techniques and beware not to:

• > Download or upload offensive or illegal material.
• > Send confindential information to unauthorized recipients.
• > Invade another persons privacy and sensitive information.
• > Download or upload movies, music, and other copyrighted material and software.
• > Visit potentially dangerous websites that can compromise the safety of our network and computers.
• > Partincipate in illegal acctions like hacking, fraud, buying/selling illegal goods, etc.

Company Issued Equipment

Accend Services provides you with a company issued work iPhone. These phones are to be used to contact various clients, co-workers, and for any work related purposes. Due to privacy concerns, we require that you DO NOT use or give out your personal phone number/s to any clients as a form of contact.

Your issued iPhone will be one of the main forms communication between you and your potential clients. Keeping that in mind, you will need to ensure that your iPhone is secure to protect any confidential information that could be located on your device. Due to these security reasons, you will need to change your password every 3-6 months. When choosing a password it must be at least 4 digits in length and it must never be a previous password.

Any other issued devices, such as a laptop or tablet, will have the same requirements. You must change your password every 3-6 months, and use it for work related purposes only.

Photographs and Videos of Clients

The ability to take phtos and videos has gotten easier as smart phones have...well gotten "smarter". Whether it is your issued work phone or a personal phone, it is unacceptable to take pictures or videos of clients without agency authorization for an official purpose. If there is an official pupose it must also have prior written consent from the subject of the photo or video. We need to ensure that the clients confindentiality is protected and any possible PHI is handled with care. For consent, please contact your direct Supervisor or our Privacy Officer.

We may, however, at times record sessions for the purpose of training, quality assurance, and other treatment purposes. When sessions are recorded, all of the following procedures must be followed:

• > The individual being recorded will sign consent for the recording using the Authorization/Consent for Recording Behavioral Health Session, found in Tabs^TMat Assessment > Intake, Admission, Consents, ROI.
• > All copies of the recording (stored on recording device, stored on computers or flash drives) will be destroyed as soon as it is viewed for the intended purpose, no later than 2 weeks after the date the recording is made.

Electronic Submission of Data

The following transmissions of protected health information are allowed, though staff members should take precaution to assure that the data sent is sent to the intended recipient:

• > Fax to a known entity with a privacy (cover) sheet
• > Encrypted email
• > Billing software provided by payors that has been verified as secure by the payor
• > Other methods approved by the Accend Services Privacy Officer

Instructions to Outside Parties for Using Zix

When a parent or other authorized person asks that private, protected infomation be sent by email, we must encrypt the email. Prior to sending to someone who is not familiar with Zix, send an unencryped mail with the following link to instructions on how to set up a Zix account and how to open the encrypted mail. These videos are 25 and 29 seconds long. Easy!

https://go.zixcorp.com/learn-more.html

Insecure Methods Prohibited

No Accend Services staff member shall transmit or request transmission of private, protected health information without permission of the client or authorized legal representative via any of the following electronic means - including means provided or hosted by Accend Services - unless those means are determined to be secure and encrypted, labeled as such with a security certificate from a reputable third party, and approved by the Accend Privacy Officer.

• > Instant messaging apps
• > Video calling apps not authorized for use by this policy
• > Chat room
• > Blog
• > Any social media platform
• > Other electronic means not listed as allowable in this policy/procedure.

Responding to Insecure Methods

Regardless of the actions of others, including clients, guardians, or other service providers who may be in violation of these standards, Accend Services personnel shall not violate policies and procedures for electronic data transmission. Use the followingmethods to comply:

• > When replying to email containing private, protected information about a client or referral, eliminate identifying information in the text of the received email before replying
• > Decline invitations to use messaging or other online communication containing private, protected health infromation
• > Inform the sender of Accend Services policies and procedures
• > Report repeated violations immediately

Procedures for Release of Information

General Procedures:

Authorization for Release of Information Required

Release of information to any third party other than those parties or situations identified below requires a current, signed Authorization for Release of Information. This includes printed records and verbal communication.

We use the Minnesota Standard Consent Form to Release Health Information as this form must be accepted by law by all health care providers in Minnesota. To export the Tabs^TM version of this form to PDF, following the instructions found in the Technology Guide, here. Do not use the "General Release" for any medical records, including mental health records.

Procedures for Requesting Non-Health Information

For requests for Information that is not health-related, use the General Release in Tabs^TM

Minimum Necessary Disclosure

Any release to outside parties, or internal sharing of information must meet the standard for minimum necessary disclosure. This means that, as part of minimal necessary guidelines, a Accend must refrain from sending out a patient's entire medical record when responding to a disclosure. The only exception is when the covered entity can justify that the patient's entire record was required to meet the purposes of the request, and therefore adheres to minimum necessary guidelines.

Parties To Whom We Must Release Information

Under Minnesota law, we may also be required to provide information to other persons or organizations for specific purposes and for coordination of your services. We will log of these releases in client records and make these logs available to clients upon request. Unless required by law, Accend Services will not release information to any other agency without a signed and dated consent from the client or his or her authorized legal representative. When we disclose information to these agencies and individuals, we will disclose only the minimum necessary required. Some examples of persons or agencies to whom we might disclose information include, but are not limited to, those listed below.

• > Parents/legal guardians of a minor, except in the circumstances described below;
• > Legal representatives who have health care and financial decision-making authority for an adult client;
• > The client's case manager, his or her supervisor, financial worker, and other authorized social services staff assigned to a client's case;
• > County public health nurses, county or state screeners, or other officials responsible for authorizing services;
• > Authorized persons such as licensers, investigators, or other officials at the Minnesota Department of Health or the Minnesota Department of Human Services;
• > Ombudsman and county or state investigative agencies when we make a report of possible maltreatment (abuse or neglect) of a vulnerable adult or child;
• > Health Boards or health professional licensing boards or agencies while engaged in authorized investigative or licensing activities;
• > Medical examiners or coroners;
• > Law enforcement or investigative agencies when our clients present a threat of harm or are potential victims of serious threats of physical violence;
• > Insurance companies and other payors for services provided by Accend Services when the information is required to obtain payment.

Situations Where Release May Be Allowed Without Authorization

Accend Services will not release client health records without a signed and dated consent from the client or the client's legal guardian or conservator. There are some exceptions. Some of those exceptions include the following:

• > In a medical emergency, to treating professionals;
• > When a federal or state law requires it;
• > When we receive a court order or a federal grand jury subpoena requiring release of health information;
• > General statistical data, not associated with a specific client or person.

Release to Law Enforcment Officials

Release of Information to Law Enforcement is allowed only with authorization of the individual who is the subject of the request and any such release must comply with all other requirements of this policy.

Information Requiring a Separate Release

Psychotherapy Notes: A separate authorization is required for release of Pyschotherapy Progress Notes and may not be combined with other authorizations to release information to any party.

Drug or Alcohol Screening or Treatment Information: A separate authorization is required and may not be combined with other authorizations to release information to any party. Documents that include information about screening, testing or treatment for Drug and Alcohol Use must be redacted before being released, unless we have this separate authorization.

HIV Status or Testing: A separate authorization is required and may not be combined with other authorizations to release information to any party. Documents that include information about HIV status or testing must be redacted before being released, unless we have this separate authorization.

Considerations for Releasing the Records of Minors

Releasing assessment, testing, screening or treatment information of minors requires special consideration, and in some cases, may not be released without authorization by the child.

Psychotherapy Notes

Psychotherapists may decline to release Psychotherapy Progress Notes for a minor when all of the following conditions are present:

• > the child is, in the best judgement of the psychotherapist and in consultation with his or her supervisor, of sufficient age and mental status to request that Pscyhotherapy Notes be kept private;
• > the psychotherapist believes that release of Psychotherapy Notes could potentially cause harm to the child;
• > the psychotherapist is reasonably certain that no harm shall result by the child's refusal to release the records; and
• > there is no court order or other special legal requirement to release them.

Certain Medical Procedures and Screenings

Minors may request drug or alcohol screening, assessment and treatment for the following without the consent of their legal guardians. When this occurs, the child may also request that records be kept private.

• > to determine the presence of or to treat pregnancy and conditions associated therewith, or
• > venereal disease,
• > alcohol and other drug abuse

Reporting, Investigating and Responding to a Data Privacy Violation

Any staff member, client or other affected party may report data privacy violations by contacting a privacy officer or director of Accend Services. You should notify the privacy officer of any suspicious incident as soon as possible after learning of the potential privacy violation. It is better to report than not to. Here are some guidelines of when to report:

• > Theft or damage of equipment
• > Unauthorized use of a system or unauthorized use of a password
• > Computer hacking attempts
• > Malicious software
• > Security weaknesses
• > Breaches to client or employee privacy

Investigation

Upon receiving a complaint or report of a breach of data privacy, the Accend Services Privacy Officer will immediately investigate and determine:

• > Whether or not a data privacy violation has occurred
• > Who has been affected by the violation
• > Whether the violation was intentional or unintentional
• > What were possible contributing factors to the privacy violation, including physical or other security, staff training, policies and procedures, etc
• > What is the potential adverse impact on the client whose privacy has been violated
• > Whether the breach is required to be reported to HHS

Responding

After completion of a full internal investigation, the investigating officer shall report results of the investigation and recommended remedial action immediately to the Executive Director. The Executive Director shall review the data privacy violation and data privacy law to determine whether or not reporting to an outside agency is required, and report as necessary. As appropriate, Accend Services shall also inform the clients or their guardians of any potential adverse impacts resulting from a data privacy violation involving them, and any actions taken to mitigate them. The Privacy Officer and Executive Director will determine and implement approved actions as necessary to prevent future potentional occurrences of breaches of data privacy. Actions may include but are not limited to the following

• > Staff re-training, disciplinary or other remedial action
• > Changes in policies or procedures
• > Physical changes in the work environment
• > Other security changes in the work environment

---

---

Health Insurance Portability and Accountability Act

HIPAA is an acronym that stands for the Health Insurance Portability and Accountability Act. HIPAA is a federal law that was enacted in 1996 to implement healthcare reform. This law requires administrative, physical and technical safeguards to be implemented to address the confidentiality, integrity and availability of protected health information. HIPAA is made of three rules:

1. Privacy Rule
2. Security Rule
3. Breach Notification Rule

The Privacy Rule

The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information. It applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. These are referred to as "the covered entities" by HIPAA. The Privacy Rule requires appropriate safguards to protect the privacy of health information. It sets limits and conditions on the uses and disclosures that may be made of personal health information and gives client's rights over their health information.

Protected Health Information

So, what is the information we need to be protecting? Well, it is any "individually identifiable health information" which we refer to as Protected Health information (PHI). The Privacy Rule protects all PHI held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. Individually identifiable health information is information, including demographic data, that relates to:

• > the client's past, present or future physical or mental health or condition
• > the provision of health care to the client
• > the past, present, or future payment for the provision of health care to the client

There are 18 identifiers which are listed under what is protected health information. These identifiers are listed below:

1. Name
2. Address (all geographic subdivisions smaller than state, including street address, city county, and zip code)
3. All elements (except years) of dates related to an individual (including birthdate, admission date, discharge date, date of death, and exact age if over 89)
4. Telephone numbers
5. Fax number
6. Email address
7. Social Security Number
8. Medical record number
9. Health plan beneficiary number
10. Account number
11. Certificate or license number
12. Any vehicle or other device serial number
13. Device identifiers and serial numbers
14. Web URL
15. Internet Protocol (IP) Address
16. Finger or voice print
17. Photographic image - Photographic images are not limited to images of the face
18. Any other characteristic, identifying number, or identifying code that could uniquely identify the individual

Use and Disclosure of Protected Health Information

As stated previously, the Privacy Rule is used to define and limit the circumstances in which a client's protected health information may be used or disclosed by a covered entity. These limits and circumstances are listed below. Please read carefully!

Basic Principle: A covered entity may not use or disclose protected health information unless:

1. the Privacy Rule permits or requires
2. the client who is the subject of the information (or the client’s personal representative) authorizes in writing

Required Disclosures: A covered entity must disclose protected health information in only two situations:

1. To the clients (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their protected health information
2. To Health and Human Services (HHS) when it is undertaking a compliance investigation or review or enforcement action

Permitted Uses and Disclosures: A covered entity is permitted, but not required, to use and disclose protected health information, without an client’s authorization, for a variey of reasons. Some examples are:

• Treatment, Payment, Health Care Operations.
• Where required by law, a court order, or a subpeona.
• When it is believed necessary to prevent or lessen a serious and imminent threat to a person such as a medical emergency, a credible threat of harm by or to an individual served, a domestic abuse situation and others.
• Authorized health oversight activities, such as audits and investigations necessary for oversight of the health care system and government benefit programs.
• De-identified data submitted to governing bodies or research programs or facilities.

For more information see the Summary of the HIPAA Privacy Rule here.

Minimum Necessary

An essential condition of the Privacy Rule is the principle of "minimum necessary" use and disclosure. A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request. The only exceptions to the minimum necessary requirement are the times when a covered entity is disclosing information for the following reasons:

• > Treatment
• > Sharing information to the client who is the subject of the information, or the client’s personal representative
• > Purposes for which and authorization is signed
• > To HHS for compliant investigation, compliance reveiw or enforcement
• > Disclosures required by law

Client Rights with Data Privacy

As said previously, client's have a right to their personal private health records. Federal and state law requires that clients may review any information in their health records that are kept by health care providers regarding any diagnosis, treatment and prognosis. If a client or authorized representative asks in writing, we will provide copies of records or copies of a summary of the information in the records. We may not provide this information if we have determined that it is detrimental to the client's physical or mental health, or is likely to cause the client to inflict self harm, or to harm another. If such a determination has been made, then the information shall be given to an appropriate third party. In cases where clients make reasonable requests, we will provide a summary of the information in the client's record at no cost.

Accend Services shall notify all clients of their rights regarding privacy and confidentiality of their health data using the following methods:

• > We will post our Data Privacy Notification on our website, in admission material and in conspicuous locations in our offices;
• > Upon initiation of services, admitting personnel shall provide clients with a Data Privacy Notification and request for authorization for disclosure to additional persons or agencies as needed;
• > At least annually, service provider staff members will remind clients of their data privacy rights and request continuing authorization for disclosures outside of those listed in the notification;
• > At any time, clients may withdraw or add to previous authorizations to disclose information.

The Security Rule

The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. Electronic protected health infromation is a subset of information covered by the Privacy Rule. It is all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form.

The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. Specifically, covered entities must:

• > Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit
• > Identify and protect against reasonably anticipated threats to the security or integrity of the information
• > Protect against reasonably anticipated, impermissible uses or disclosures
• > Ensure compliance by their workforce

The Breach Notification Rule

The Breach Notification Rule requires a covered entity to notify affected individuals and HHS following a breach of unsecured PHI. It requires that a covered entity notifies affected individuals and HHS without reasonable delay but no later than 60 calendar days from discovering the breach.

Definition of a Breach

What is a breach? A breach is any impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of PHI and poses a significant risk of financial, reputational, or other harm to the affected individual. An impermissible use or disclosure of PHI is assumed to be a breach unless the covered entity demonstrates that there is a low probablity that the PHI has been compromised based on a risk assessment of at least the following factors:

• > The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification
• > The unauthorized person who used the protected health information or to whom the disclosure was made
• > Whether the protected health information was actually acquired or viewed
• > The extent to which the risk to the protected health information has been mitigated

There are three exceptions to the definition of a breach. A breach is not:

1. Unintentional access or use of PHI by an employee or individual acting under the authority of a covered entity
2. Inadvertent disclosure of PHI from one person authorized to access PHI at a covered entity to another person authorized to access phi a different covered entity
3. Unauthorized disclosures in which an unauthorized person to whom PHI was disclosed would not reasonably have been able to retain the information

Consequences of a Breach

Health and Human Services is now required to investigate and impose civil penalties where violations are due to willful neglect. This can be against a covered entity or It's business associate. The penalties are based off of the HIPAA violation tiers. It has four teirs and ranges from $100 per incident to $1.5 million per incident. See the image for further information on tiers and penalities.

There can also be penalties for a HIPAA violation for an employee. The type of sanctions depend on the severity of the violation, intent, etc. Below are a few examples of HIPAA violations along with the penalties on the employee:

• > Wrongfully accessing or disclosing PHI: Fines up to $50,000 and up to 1 year in jail
• > Obtaining PHI under false pretense: Fines up to $100,000 andup to 5 years in jail
• > Wrongfully using PHI for commercial activity: Fines up to $250,000 and up to 10 years in jail

Reporting, Investigating and Responding to a Breach

Any staff member, client or other affected party may report data privacy violations by contacting a privacy officer or director of Accend Services. You should notify the privacy officer of any suspicious incident as soon as possible after learning of the potential privacy violation. It is better to report than not to.

---

---

The Minnesota Health Records Act

What is the Minnesota Health Records Act?

In Minnesota, the collection, protection and sharing of health information is governed by the Minnesota Health Records Act (MHRA) and the Health Insurance Portability and Accountability Act (HIPAA).

> MHRA protects the information in medical records and the sharing of the information but does not control how it is to be protected or how it is to be transmitted electronically.

> HIPAA and the associated Privacy Rule, set the standards for the collection, protection and sharing of individually- identifiable health information.

> Covered entities in Minnesota must follow both MHRA and HIPAA. HIPAA sets a minimum standard that must be followed while MHRA sets out additional protections for Minnesota patients. The MHRA is more stringent than HIPAA in several respects.

What are the basic requirements of the MHRA?

Patient Rights

In general, MHRA grants patients the rights to access their health records upon request. Providers must provide written notice of their health records practices and written notice of patient’s right to access their records.

Disclosure of health records

Health records may only be disclosed to a third party with a signed and dated consent (or as a result of a specific authorization in the law) The signed and dated consent is generally valid for one year unless otherwise specified.

Health records may be released without consent:

1. For a medical emergency when the provider is unable to obtain the patient’s consent due to the patient’s condition or the nature of the emergency.

2. To other providers within related health care entities when necessary for the current treatment.

3. To a health care facility in certain circumstances when a patient is returning to a healthcare facility and is unable to provide consent.

Mental Health Records

Mental health records are treated the same as other types of information in medical records. Minnesota Law considers psychotherapy notes to be part of the patient’s health record and patients have the right to access the notes in the same way they access the rest of their health record. If information in the psychotherapy notes is detrimental the physical or mental health of the patient or is likely to cause the patient to inflict self-harm or to harm another, a provider may withhold psychotherapy notes from a patient.

A provider must disclose mental health records to a law enforcement agency if they provide the name to the patient and communicates that the patient is involved in a mental health crisis and the disclosure of the records is necessary to protect the health and safety of the patient or another person, The scope of the disclosure is limited to the minimum necessary for law enforcement to safely respond to the crisis.

Standard Consent Form

The Minnesota Department of Health developed a standard consent form to access health records. This form complies with MHRA. Accend has chosen to adopt the form when requesting medical records. It is a legally enforceable request and organizations must honor it. Click here to access more information regarding DHS medical record information.

---

---

Feedback or Questions about this Chapter

This guide is a living document. We want to improve it with your help. Do you have questions? Found a typo? Find yourself wanting more information? Please send us your thoughts about anything in this chapter by tapping on the link below.

Updates to this Chapter

Updates to this chapter since July 1, 2022 are listed below.

---

October 12, 2022:

• Heading, subheadings and navigation menu reformatted and re-ordered.
• Information about the Minnesota Health Records Act added.
• Clarification that privated, protected information can be sent to parities outside of Accend as long as the email is encrypted.
• Clarification of prohibited means of electronic communication to transmit private, protect information, with a callout on temporary exceptions during the federal (COVID-19)emergency.
• Simplification of the Use and Disclosure of Protected Health Information section of this guide, specifically Permitted Uses and Disclosures, with a link to further information added.
• Eliminated references to a separate "Data Privacy" policy, as this is now a combined Policy/Procedure.
• Some typos corrected that do not change the meaning or intent of the text.

---