HIPAA Compliance Policy

Policies

It is the policy of Design for Change (DFC) to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Under HIPAA, DFC protects clients’ Personal Health Information (PHI) from being disclosed without consent or disclosed electronically on an unsecured site.

Procedures

DFC has incorporated into its administrative and clinical practices HIPAA policies and procedures that have been extracted from the Privacy Rule and summarized to communicate the key points to staff and clients.

[Notice of Privacy and Confidentiality]

This form will be given to ALL persons coming into DFC for an assessment. This notice must be posted in all offices and on the website as well. Beginning April 14th, 2003, every person given an assessment is to receive a Notice of Privacy Practice and Confidentiality (to be reviewed with a counselor) and will sign for acknowledgement. A copy of this form will be given to the client and a copy will remain in the person’s chart.

If an Acknowledgement is not signed by the person, a “good faith” effort should be completed at the bottom of the Acknowledgement section and signed by the counselor. This remains in the person’s chart.

The Notice includes the individual’s rights (HIPAA regulations 42 C.F.R. Part 2, 45 C.F.R. Parts 160, 162 and 164, NRS 458.055 and any other applicable confidentiality laws) pertaining to his or her Protected Health Information (PHI) and records, and how such rights may be exercised. It covers DFC’s legal duties, describes the types of uses and disclosures that are permitted under this law, and explains how to file a formal grievance.

[Authorization to Release Information]

The DFC Release of Information form has been revised to allow revocation of the release in writing. Limitations on the information to be released may be indicated on the form. Psychotherapy notes are covered under HIPAA, thus are considered DFC’s property and are not required to be disclosed to the client. In cases when a client’s information is subpoenaed, follow the RESPONDING TO A REQUEST FOR CLIENT RECORDS CLINICAL PROTOCOL. All other PHI in the client’s chart is their property and can be requested by and copied for the client.

[Accounting of Disclosures]

HIPAA requires an accounting of disclosures, which is a list of disclosures made without consent or authorization (for treatment, payment, or health care operations). All Qualified Service Organizations / Business Associates that handle PHI on behalf of DFC must sign a Business Associate Agreement (BAA) ensuring their compliance with HIPAA. The agreements state that all inadvertent re-disclosures need to be reported to DFC within 24 hours of the incident. If there are cases where information is disclosed without an authorization, a disclosure log needs to be implemented in the client’s chart.

[HIPAA Compliance Agreement by Employees]

New employees are trained in HIPAA within the first week of employment. Each staff member signs an agreement acknowledging the HIPAA regulations and penalties for violations of these regulations. 

[Data Security]

Electronic PHI must be secured using robust measures such as encryption, firewalls, and antivirus software to protect sensitive information. Regular audits and monitoring will be conducted to ensure compliance with these security protocols. Additionally, workstations must be locked when unattended, and screens should be positioned to prevent unauthorized viewing, safeguarding PHI from potential breaches or accidental exposure.

[Incident Reporting and Policy Enforcement]

Any suspected or actual breach of PHI must be reported immediately to the Privacy Officer. DFC will investigate and document all breaches, notifying affected individuals, the Department of Health and Human Services, and, when applicable, the media, as required by HIPAA regulations. Non-compliance with this policy will result in disciplinary action, which may include termination of employment or contract. To ensure adherence to this policy, regular audits will be conducted.