ADMINISTRATIVE POLICY AND PROCEDURE

Department: All Agency

Policy #: 4.21

Policy Title: Privacy and Security

Purpose: The purpose of this policy is to ensure the Lydia Home Association programs into compliance with the Health Insurance Portability and Accountability Act of 1996.

Policy: Clinicians are to maintain the privacy and security of Private Health Information in accordance with the Health Insurance Portability and Accountability Act of 1996.

Procedure:

  1. Through its programs, LHA uses client Personal Health Information (PHI). As such, Lydia employees are obligated to implement policies and procedures to protect client PHI and to inform clients of our privacy practices. Under HIPAA, LHA is required to appoint a “Privacy Officer” to oversee compliance with the law. Employees with questions would consult the privacy officer after consultation with supervisors.

  2. HIPAA applies most specifically to Lydia’s clinical programs, where we have always maintained standards of privacy and security that are in compliance with requirements of the Mental Health Code. In most instances, HIPAA standards do not require additional measures.

  3. All clients in clinical programs will be given a copy of our NOTICE OF PRIVACY PRACTICES by the therapist at their first appointment.

  4. All client records containing personal health information must be kept in locked files in a secure area of the building.

  5. Access to client files is permitted only to those staff members who have specific responsibilities regarding the care of the client or the maintenance and review of the file for the purposes of treatment, payment or operations.

  6. Computer access is password protected. Employee passwords are to be on file with the program director, but otherwise should be kept confidential. Passwords of terminated employees will be deleted.

  7. Computer documents or files containing client information must be individually password-protected at the highest level of security. Staff members will find a secure place for storing document passwords and inform the program director how to access the passwords.

  8. Computer screens in public areas must be placed so non-staff individuals are not able to read confidential information on the screen.

  9. When staff members are not in direct control of their computers, or when they are unable to monitor their computer, they should log off. During counseling sessions or other meetings with non-staff members, computer monitors should be turned off or kept private through the use of a password-protected screen saver.

  10. Client information may only be entered on an employee’s personal computer with the express written consent of the employee’s supervisor, and then only to facilitate the creation of case reports or notes which must be transferred to the client’s official file or to an LHA computer. The client information must then be removed from the employee’s personal computer.

  11. Faxes and e-mails containing client PHI must contain a statement regarding the possible inclusion of confidential information and instructions to the recipient in case of misdirected communication

  12. Fax machines must be located so that non-staff members do not have access to the fax machine.

  13. E-mail transmissions containing PHI must be protected from disclosure to unauthorized individuals through encryption or password protection for attached documents.

  14. Clients must give written permission to communicate via e-mail in order for staff to send and receive e-mail transmissions with them.

  15. Client schedules will not be posted in places available to non-staff members.

  16. Client information sent through office mail must be placed in a closed envelope.

  17. All conversations including client information will be held in private locations where they cannot be overheard by a third party.

  18. Confidential client information should be shared only with those with a need to know the information in order to provide treatment, secure payment or conduct care operations for the client.

  19. Desk surfaces will be cleared of all confidential client information when someone other than the employee might have access to the employee’s office.

  20. All business files containing client PHI will be kept in locked files, including data entry forms, service reports and billing information.

  21. Written consent must be obtained from the client whose picture or other personal information will be used in any public documents such as publicity or fundraising materials. Client stories containing PHI that are used in a disguised fashion without written consent must be reviewed with the LHA Privacy Officer to unsure there is no reasonable basis to believe that the information could be used to identify the individual.

    Effective Date: 8/23/06