The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule defines protected health information (PHI) as individually identifiable health information that includes, but is not limited to:
- Name
- Birth Date
- Social Security Number
- Date of Death
- Full face photographs
- Telephone and fax numbers
- License/Certificate numbers
- Admission and discharge dates
- Email addresses
- Vehicle Identification Number (VIN)
- Geographic subdivisions smaller than a state (street address, city, county, zip code)
In general, the HIPAA Privacy Rule:
- Grants individuals access to the information created and maintained about them by their health care providers and
- Prevents the disclosure or release of PHI unless the client consents or it is mandated by law.
The HIPAA Privacy Rule does not preempt other state or federal law that:
- Grants the client GREATER access to his/her PHI and/or
- Gives the client's health information GREATER protection from disclosure.
"MINIMUM NECESSARY" access refers to the practice of limiting the disclosure of information to what is necessary to accomplish the purpose for which it is being used or disclosed. This includes access and use internally by staff and contractors. Staff and contractors should have access to, and use of, only the minimum necessary information needed to perform their duties.
The Agency must provide a Notice of Privacy Practices to its clients under the HIPAA Privacy Rule describing how information about the client is used by the Agency. It includes notice of when the Agency will disclose or release PHI without the client's authorization.
Effective September 1, 2012, the Texas Legislature enacted stringent health privacy legislation that extends client protections beyond those contained in HIPAA or the Health Information Technology for Economic and Clinical Health (HITECH) Act. Under the preemption provision in HIPAA, the stricter Texas law applies to HIPAA covered entities doing business in the state. House Bill 300 is designed to ensure the security and privacy of PHI that is exchanged by electronic means. The law also grants new enforcement authority to a variety of state agencies, establishes standards for the use of electronic health records, and increases penalties for the wrongful electronic disclosure of PHI, including creating a new felony for wrongfully accessing or reading electronic health records (EHR) by electronic means.
Clients' Rights under the HIPAA Rules include, but are not limited to, the right to:
- Access their medical record and billing information, including the right to inspect and copy information;
- Request an amendment to their records;
- Request the Agency restrict/limit uses or disclosures of PHI when the Agency is carrying out treatment, payment, or healthcare operations;
- Request that the Agency communicate with them in an alternate way or at an alternate location (e.g., only contact the client by cell phone, only use email, etc.);
- Request an accounting (list) of disclosures of their PHI that they would not otherwise be aware of;
- File a complaint; and
- Receive a copy of the Agency's Notice of Privacy Practices.
A Release of Information Form is required, under the HIPAA Rules, to include all of the following core elements:
- Client's name;
- A description of the information to be disclosed;
- Name or specific identification of the person authorized to make the disclosure;
- Name or specific identification of the person to whom the disclosure may be made;
- A description of the purpose of the disclosure;
- An expiration date of the Release;
- Signature of the client, or the person authorized to sign on behalf of the client, including a description of that individual's authority to act for the client; and
- The date of the signature.
BEST PRACTICES for PRIVACY and SECURITY
- Keep medical records locked/secured.
- Only access client information you need to do your job, limiting it to the minimum necessary.
- Put client records and other documents containing PHI away when you aren't working on them.
- Monitor faxes containing PHI or other confidential information; don't leave them in the fax machine.
- Keep fax machines in areas not generally accessible by the public.
- Documents with PHI or confidential information that are to be discarded should be shredded, not put in the regular trash.
- Don't talk with clients, or with coworkers about clients, in public areas or anywhere you could be overheard.
- Protect computer passwords; never share or give them to others.
- Don't include PHI in emails unless it is encrypted or a secure email system is being used.
- When using the computer, close any open files containing PHI when you aren't using them, and log off the computer when you step away from it.
- Keep computer screens out of the line of sight of others.
- If you see any staff violating these best practices, give them a helpful/gentle reminder; don't just ignore it. Or, if appropriate, report the violation per the Agency's policy.
Report any problems or violations to the Agency's: