SUBJECT: HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY
ACT (HIPAA) PRIVACY COMPLIANCE CHECKLIST
As previously communicated, the County Chief Privacy
Officer has announced that he will be conducting Privacy Reviews of all
Departmental Directly Operated Providers, under the authority of the Auditor-
Controller. To prepare providers for these reviews, the DMH HIPAA Privacy team
recently conducted informal Privacy Site Reviews of several programs. As a
result of these reviews, the Privacy Team has identified a number of key areas
for clinics/programs to address. Please review these carefully and share with
your HIPAA liaisons and other key staff.
1. All staff must be aware of, and have access to, the
current HIPAA Privacy policies, procedures and forms. These may be accessed
online at <http://dmhweb/dmhpolicy/>.
In addition, each facility must also keep a set of the HIPAA Privacy policies
and forms in its policy manual.
2. Clients receiving services since April 14, 2003 must
have received the Notice of Privacy Practices. In addition, the completed
Acknowledgement of Receipt form signed by the client or treatment staff must be
filed in the medical record. (See DMH Policy 500.4 - Privacy Practices Notice).
NOTE: Effective January 1, 2004, state law requires that the Authorization Form
be in 14-point font. Please refer to revised DMH Policy 500.1, dated December
15, 2003, for the updated Authorization Form.
3. Any document with even minimal Protected
Health Information, such as client name, is subject to HIPAA Privacy
regulations. This includes not only medical records, but multiple other
documents such as unit of service logs, case load listings, PATS forms etc.
4. Due diligence must be exercised to ensure that any client or
treatment-related information that is stored or transferred electronically is
handled in a manner that minimizes the risk of non-compliance through
unauthorized use or disclosure of PHI. This applies to computers, email, PDAs,
computer disks, etc. While management staff are currently assessing the best
way to assure HIPAA compliance for electronic storage and transfer of data,
be sure to de-identify PHI to the fullest extent possible before sending it
by email or storing it in any electronic medium.
5. Computer workstations should not be left unattended while
logged on; staff should log off or lock the workstation before stepping away.
In addition, staff should use due diligence to ensure that PHI displayed on
computer monitors is not visible to unauthorized persons, including clients
and visitors. This may be accomplished through the physical location of
computers, positioning of monitors to hide PHI from public view, or the
purchase of privacy screens as necessary.
6. Each provider must establish a designated secure area to
house fax machines, network printers, copiers, staff mail boxes, medical
records, financial services, data entry, registration, and other activities
or equipment that require regular use of PHI. Internal policies must be
developed to ensure that only authorized persons obtain access to these
areas; clients, visitors, and unauthorized persons, including unauthorized
staff, are excluded. If clients must enter or pass through secured spaces in
order to access services, program staff should escort them.
7. PHI in clinics/programs should be secured from view
of unauthorized persons at all times. In particular, PHI left in staff
mail slots should be in envelopes, folders, or placed face down.
8. Management should be aware of any systems that
building security staff use to document, maintain, and store PHI, and assure
that such PHI is not inappropriately used or disclosed.
9. Staff must utilize appropriate safeguards when
sending faxes. Please refer to DMH Policy 500.21 “Safeguards for Protected
Health Information” for specific guidelines. Also, be sure to use the DMH
Approved fax cover form (attached to the policy). Each agency must have an
internal policy and procedure that specifically identifies those staff
responsible for retrieving fax documents.
10. Documents sent to network printers should be picked
up immediately.
11. When clients are in the office, staff should ensure
that the PHI of other clients is secured from sight. Offices, when unattended,
should be closed or locked, and PHI should be placed face down or put away in
desks or file drawers.
12. Discarded PHI should always be placed in the locked
Safeshred containers.
13. File cabinets, areas, or rooms designated as medical
records locations should adhere to all DMH and State Medi-Cal Certification
medical records policies and procedures so as to ensure compliance with state
and federal regulations.
14. Management must implement systems that allow staff to
know where records are at all times. Agencies that use the honor system
(individual staff pulling and filing their own records) or the TAB system for
retrieving medical records must create an internal procedure that identifies
the location of charts at any given time.
15. All medical records must include an accounting of
disclosure tracking sheet, as spelled out in DMH Policy 500.6 Accounting of
Disclosures of Protected Health Information.
16. HIPAA Complaint forms should be accessible to clients
in the waiting room or other public reception area so that clients can obtain
them without having to request one from clinic staff. The HIPAA Poster or the
Notice of Privacy Practices must be posted in the waiting room or reception
area.
Please be advised that the above is a preliminary list,
based on our current review of providers. As modifications are made, you will
be notified. Please feel free to contact Grant Lee at (213) 639-6391 for
questions or comments.