Overview

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has two parts:

  • Electronic Data Interchange (EDI): electronic billing
  • Privacy: confidentiality of client information and security of client records

HIPAA amends the Social Security Act, creating stricter and more comprehensive regulations regarding the handling of confidential client information. The goal is to ensure a reasonable level of security in an era of electronic data collection and storage. Any agency that bills electronically falls under HIPAA requirements.

Any qualifying agency which does not abide by HIPAA regulations is in violation of federal law. HIPAA differs from the Social Security Act in that individuals, as well as professional and business agencies, can be held liable.

Penalties for violation of HIPAA regulations:

  • Criminal penalties
    • Knowingly: 1 year/$50,000.00
    • False pretenses: 5 years/$100,000.00
    • Malice, commercial advantage, personal gain: 10 years/$250,000.00
  • Civil penalties
    • $100.00 for each violation
    • $25,000.00 annual limit for violating each identical requirement (could be a big number)

The University of Alabama Health Care Component (UAHCC)

The University of Alabama has been designated as a hybrid entity. Specific Health Care Components of the University, including the Speech and Hearing Center, must comply with HIPAA regulations.

Protected Health Information (PHI)

PHI includes but is not limited to billing, diagnostic, treatment, case management information (treatment plans, progress notes, lesson plans), videotapes, audio tapes, photographs, and conversations. The information can be in any form or medium, including on paper, verbal, taped, or electronic. The records can be formal or informal.

Administrative Policies

Compliance

The Speech and Hearing Center Policies and Procedures for HIPAA Compliance are effective April 14, 2003.

All employees and student clinicians engaged in the delivery of clinical services or who have access to protected health information must abide by HIPAA Policies and Procedures. Violations will be reported to the HIPAA Privacy and Security Officer and will result in disciplinary measures as prescribed by University of Alabama policy. Violations and resultant disciplinary measures will be categorized as unintentional, knowing, or knowing for personal gain. Any individual who is aware of a violation of HIPAA policy can report the violation with no concern of repercussions.

Training

All Department of Communicative Disorders/Speech and Hearing Center faculty, clinical supervisors, staff, and clinical practicum students will participate in HIPAA training.

Training in HIPAA Policies and Procedures will be provided as follows:

  • Faculty, clinical supervisors, and staff will be provided with the policies and procedures when joining the Department as a new employee. HIPAA Policies and Practices will be stored on the CD Department share drive for review. Changes in policies and practices as well as review of policies will take place annually in faculty meetings.
  • Students enrolled in clinical practicum classes will receive HIPAA training prior to engaging in observation or provision of clinical services.

Electronic Data Interchange (EDI)

All electronic billing will be conducted using standardized codes. The computer(s) used for EDI will have antivirus software and be password protected.

Designated Record Set

The following clinical documents are typical Speech and Hearing Center Record Sets:

  • Speech-Language Diagnostic Report
  • Audiologic Diagnostic Report
  • Plan of Care
  • Lesson Plans
  • Progress Notes
  • Speech-Language Treatment Report
  • Audiologic Treatment Report
  • IEP: Individualized Educational Plan; IFSP: Individualized Family Service Plan
  • Billing Forms

These clinical records fit the definition of protected health information (PHI).

Identification of Authorized Personnel

Clinical supervisors and practicum students participating in the delivery of clinical services must wear their Speech and Hearing Center ID. Parents/clients have the right to see identification before allowing a child/client to leave the waiting room with a clinician.

Privacy and Security Policies

Summary of Privacy and Security Policies

Protected health information cannot be accessed by, used by, or disclosed to an unauthorized individual or agency without the client’s written permission. No identifying client information can be disclosed during class presentations, teaching, or research without the client’s written permission. Clinical records, paper and electronic, must be handled and stored in a manner that ensures a reasonable level of privacy and security.

Policy on Access to Client Records

  • Protected health information in any form, including videotape or audiotape, cannot be used for activities not related to treatment, payment, or operation without the written permission of the client or parent/legal guardian.
  • Faculty, clinical supervisors, staff, or students uninvolved in delivery of clinical service to a client should not access client records which include protected health information unless authorized.

Identification of Access to Records Needed for Classes of Persons in Workplace

The following workforce members have need-to-know access to PHI. No workforce member can access PHI prior to HIPAA training.

| Level | Position | Clearance |
|---|---|---|
| Level 1 | Clinic Director/Department Chair, Clinic Coordinators | Complete access |
| Level 2 | Clinical Supervisors | Need-to-know basis for delivery of clinical services and clinical teaching |
| Level 3 | Office Staff, Student Workers | Need-to-know basis for operations |
| Level 4 | Student Clinicians enrolled in CD clinical courses | Need-to-know basis for staffing with clinical supervisor and delivery of clinical services |
| Level 5 | Faculty | As authorized for teaching and research |

Policy on Storage of Protected Health Information

  • All protected health information, including billing information, client files, photographs, videotapes, and audiotapes must be stored in a secure area. The door, storage cabinet, or file cabinet must be locked if the area is unsupervised. An inventory must be kept up-to-date.
  • Protected health information, including billing information, client files, photographs, videotapes, or audiotapes should not be left unattended.
  • Computer monitors should not be visible to unauthorized persons moving through the area. Computers will be anti-virus and password protected. Computers will lock if not in use.
  • The security of protected health information, including billing information, client files, clinical records, photographs, videotapes, or audiotapes is the responsibility of the person accessing the records.
  • Students should refer to the Department of Communicative Disorders Manual for policies regarding clinic files and working files.
  • Clinical records should be secure in the file and organized according to policies described in the Department of Communicative Disorders Manual.
  • PHI stored electronically is protected and cannot be stored on a hard drive or portable drive of any kind. PHI will be stored only on the A&S share drive, in accounts assigned specifically for PHI. Refer to the Department of Communicative Disorders Manual for specific instructions.

Policy on Observation of Diagnostic or Treatment Session

Observation of clinical services by students enrolled in courses in the Department of Communicative Disorders is part of the operation of the Speech and Hearing Center. Observation by other individuals, including parents/caregivers, must be carried out in accordance with observation policies in the Department of Communicative Disorders Manual.

Policy on Protected Health Information Stored on Computer

Protected health information can be stored on share drive accounts using password protected computers that have antivirus software. Students must complete HIPAA training prior to being granted access to the student computer lab or being assigned a share drive account.

  • Students can write and save client reports only under the password protected University of Alabama Speech and Hearing Center share drive accounts on computers in the Speech and Hearing Center Computer Lab. PHI cannot be saved to the hard drive, a flash drive, or any type of portable/removable device. PHI cannot be e-mailed to any computer outside the Speech and Hearing Center. Students will be instructed in the use of share drive accounts during the beginning-of-the-semester clinic meeting.
  • The HIPAA Privacy and Security Officer or Speech and Hearing Center office staff, with UA tech support, will create student share drive accounts as well as wipe them clean and reassign passwords when the student is no longer enrolled in clinical practicum.

Policy on Use of PHI for Fundraising and Marketing

PHI, including photographs, audiotapes, and videotapes, cannot be used for marketing, fundraising, or community awareness programs without the client’s permission.

Policy on Disposal of Records

The PHI records contained in client files are legal documents. They cannot be disposed of or destroyed without the approval of the Clinic Director.

  • Student clinicians cannot dispose of or destroy PHI.
  • Any document containing PHI targeted for disposal must be shredded.
  • Any clinical records to be archived must be stored in a manner and location in keeping with Privacy and Security regulations.

Policy on Workplace Security

All building and door keys must be stored in a secure location and out of sight. Never leave a key hanging in a lock.

  • Report any suspicious event or person to your clinical supervisor.
  • An up-to-date key inventory will be maintained in the Speech and Hearing Center office.
  • See the Department of Communicative Disorders Manual for procedures regarding the security of the clinic areas.

Notices

Notice of Health Information Practices

Notice of Health Information Practices is a detailed description of how PHI can be disclosed. Notice of Health Information Practices will be offered to each client at the time of his/her first appointment. It will be posted in the Speech and Hearing Center waiting room and on the Departmental web site (www.cd.ua.edu). Speech and Hearing Center clients will be offered a written copy during their first visit to the Speech and Hearing Center.

Acknowledgement of Notice of Health Information Practices

The Acknowledgement of Notice of Health Information Practices form must be signed by each client, or client representative, at the time of the first visit to the Speech and Hearing Center. This form summarizes the Notice of Health Information Practices and acknowledges that the client has been offered the Notice of Health Information Practices in its entirety. It explains Health Information Practices specific to the Speech and Hearing Center. Once this form has been signed, PHI can be disclosed to an agency/individual/service delivery program for the purpose of treatment, payment, or Speech and Hearing Center operations. Treatment and diagnostics are considered treatment. The Acknowledgement of Notice of Health Information Practices form is kept in the client file and must be updated every three years.

Policy on Disclosure of Information Not Covered by the Summary of Health Information Practices Form

PHI cannot be disclosed for reasons other than treatment, payment, or operations unless the Authorization to Release or Obtain Information form has been completed and signed. Examples of when this form would be necessary include but are not limited to release of records to an attorney without a subpoena, a class presentation, brochure, or research project.

Policy on Disclosure of PHI for Teaching/Research

PHI cannot be used for teaching or research purposes without a signed authorization form unless the PHI has been de-identified according to HIPAA requirements. Identifiers to be removed include:

  • Telephone numbers
  • Fax numbers
  • Electronic mail addresses
  • Social security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web Universal Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers, including finger and voice prints
  • Full face photographic images and any comparable images
  • Any other unique identifying number, characteristic, or code, except as permitted by re-identification procedures.

Policy on Oral Disclosure of Protected Health Information

  • Protected health information should not be communicated verbally within earshot of unauthorized individuals.
  • Do not discuss a diagnostic or treatment session in the waiting room or any other area in which there are unauthorized persons.
  • Do not discuss a diagnostic or treatment session without written permission with anyone other than the clinician or clinical supervisor, the client, or client representative.
  • Do not discuss PHI outside the Speech and Hearing Center or with unauthorized individuals.
  • Do not provide protected health information over the telephone without written permission, or within earshot of unauthorized persons.
  • Messages cannot be left on clients’ answering machines or voice mail unless the Permission to Contact form has been signed. This form will be retained in the client’s file. It will be updated every three years.

Policy on Faxing Protected Health Information

When faxing individually identifiable health information, the Speech and Hearing Center will:

  • use a special fax cover sheet
  • include a “confidential” statement on the Fax Cover Sheet
  • use fax machines located in secure, limited access areas
  • verify fax requests from unfamiliar sources
  • test a preprogrammed fax number before it is used for the first time

The Speech and Hearing Center will not fax sensitive, highly personal PHI. Students cannot fax PHI without the approval of their clinical supervisor.

Policy on Email Disclosure

Disclosure of PHI by e-mail involves unique risks. Client permission to transmit PHI by e-mail is authorized on the E-Mail Consent Form. Diagnostic and treatment reports, or other highly sensitive information will not be transmitted outside the Speech and Hearing Center by e-mail.

Policy on Social Media

Social media, such as Facebook and MySpace, cannot be used to communicate with a client or a client’s parent/caregiver.

Policies on Clients’ Rights

Policy on Client’s Right to Review and Amend PHI

The client has the right to review and amend most of the records in the client file. The client has the right to request that those records be amended. The request for amendment must be submitted in writing and reviewed by the clinical supervisor. The request can be granted or denied as deemed appropriate by the clinical supervisor. This form will be retained in the client’s file.

Policy on Information Not to be Disclosed

Information which the clinician deems to be private does not have to be disclosed to the client. Information not to be disclosed should be recorded on the Do Not Disclose This PHI form.

Policy on Disclosure as Required by Law

The Speech and Hearing Center will disclose PHI as required by law, such as requirements to report abuse or in response to a subpoena (see Notice of Privacy Practices). The University of Alabama Office of Counsel, 348-5940, should be contacted before records are released in response to a court order or subpoena. Should a subpoena be served to a Speech and Hearing Center employee or student, it must be served in the main office.

Policy on Right to Accounting of PHI Disclosure

The client has the right to know to whom and for what reason PHI has been disclosed. The Summary of File Access form must be kept up to date in each client file.