HIPAA Policy

Policy

Employment Links will protect the confidentiality, integrity, and availability of protected health information that it receives, maintains, or transmits on behalf of clients we serve. This policy provides guidelines and principles as prescribed by the HIPAA Standards of Privacy of individually Identifiable Health Information. Employment Links will comply with HIPAA Breach Notification Rule (45 CFR §§ 164.400–414)

Employment Links designates a Privacy Officer responsible for the development, implementation, and oversight of HIPAA compliance. The current Privacy Officer is identified in the company directory and is available upon request through Administrative Staff.

A copy of the HIPAA Policy is distributed to each Client or to the Client’s legal guardian during admission to Employment Links. It is reviewed and discussed during intake with the Client and support team. Further HIPAA information is provided to the Client as needed.

Procedures

  1. A chronological, single plan file is developed for each Client.
    • Client files are stored in a secure filing cabinet in the main office.
    • Electronic records, if utilized, will be maintained in secure, password-protected systems with access limited to authorized personnel. Employment Links maintains administrative, physical, and technical safeguards to protect health information in accordance with HIPAA requirements.
    • The Client file contains all information and documentation pertinent to the Client’s service plan. It meets the rule standards, yet it is limited to elements necessary to ensure effective Client planning and implementation of plans.
    • The Client, case manager, social worker, legal representative, and family members are the primary sources of the information, however provisions are also made for the inclusion of relevant information from medical, psychiatric, and other social agencies, including legal documents and other evaluative summaries.
  2. All plan files and materials within the files are classified as either confidential or private data on Clients, as defined in Minnesota Statutes.
    • The majority of the information is private which means that the Client can examine it upon request and obtain copies.
    • Unless legal guardianship is assigned, parents and family may not access the Client’s records.
    • The Client or their guardian must sign an authorization in order to review the file. A staff member is available to discuss the file content during the review.
    • The file may contain classified, confidential material that the Client is not allowed to see. For example, information which is subject to a legal investigation may be defined as classified and confidential and would not be made available for review.
  3. Some staff may have access to case records if their work assignments require it.
    • Staff must keep the information private and not discuss it with anyone without consent for release of information.
    • Workforce members who fail to comply with this policy or who improperly access, use, or disclose protected health information will be subject to disciplinary action, up to and including termination of employment.
    • Government agencies may also require reasonable access to applicable client records in order to monitor its services delivery.
    • Program and financial audits may be conducted by regulatory agencies such as the Department of Human Services Licensing Division, as well as the county funding and authorizing services.
    • Occasionally, statistics and nameless data will be collected from some or all of our files. This information may be available to the government or public, but will not identify specific clients receiving services.
  4. Information released to other parties must be with the informed consent of the client (if legally competent) or the guardian (if the client is declared legally incompetent in a court of law).
    • An exception would be when the protection of the Client, another Client, or the community at large is involved, or when disclosure is required by law.
    • Requests for information are channeled through the Administrative Staff.
    • Requests must be accompanied by a signed authorization requesting specific information. A response will be forthcoming within one week.
    • All authorizations must include a description of the information to be disclosed, the name of the person or entity authorized to receive the information, the purpose of the disclosure, an expiration date or event, and the signature of the Client or their legal representative. Clients may revoke authorization at any time in writing.
    • Signed informed consent must be obtained from the Client receiving services or that Client’s legal representative for any press release using full names, photographs, or videos.
    • Plan files must contain signed releases authorizing services for medication administration, emergency medical care, and county authorization for services.
  5. When data is requested from a client receiving services or from the family, a Notice of Data Practices is given either verbally or in written form. It states the specific reason for the data request, how and when it will be used, with whom it will be shared, and the consequences of supplying or refusing to supply the information.
  6. Breach Notification
    • Employment Links will investigate any suspected or known unauthorized access, use, or disclosure of protected health information. In the event of a breach, Employment Links will comply with the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414), including notifying affected individuals, the Minnesota Department of Human Services as applicable, and the U.S. Department of Health and Human Services within required timeframes.
  7. Record Retention and Destruction
    • Client records will be retained in accordance with Minnesota state law and Department of Human Services requirements. When records are no longer required to be maintained, they will be destroyed in a secure manner to protect Client confidentiality, including shredding of paper records and secure deletion of electronic records.

Privacy Notices

  1. The Notice of Data Practices describes Employment Links’ policy on the use and release of Client Information. This notice may be amended from time to time.
    • It is given to all clients receiving services at admission, as well when or if changes occur to the privacy policies.
    • Proof of distribution of this notice will be kept in the client file.
  2. Employment Links routinely mails or emails copies of the client’s program plans, evaluations, and reviews to the county case manager, and to other interdisciplinary team members as requested by the Client or guardian.
    • Employment Links only duplicates and disseminates its own records, not those received from other sources.
    • Employment Links releases only the minimum necessary information required to respond to the disclosure request.
  3. The Client has the right to request to amend information contained in their file. Employment Links will provide written acknowledgement of this request either granting or denying the ‘amend’ request. This documentation will be maintained in the client’s file.
  4. Employment Links may deny access to a Client’s files if the access request is reasonably likely to endanger the life or physical safety of the Client or someone else.
  5. Employment Links will document disclosure of Client information and make an accounting of these disclosures available to the Client upon request. The accounting must cover the last six years, beginning with disclosure made after April 13, 2011. This will not include disclosures to:
    • Carry out treatment, payment or health care operations.
    • Disclosures to the Client.
    • Disclosures for national security or intelligence purposes.
  6. Clients may request that Employment Links communicate with them in an alternative way or at an alternative location.
    • For example, a client may ask that all communication be written rather than verbal, or that communication be sent to work rather than home.
    • Employment Links will document these requests, and will accommodate all reasonable requests for alternative communication.
  7. Clients may request that Employment Links restrict use and disclosure of the Client’s records for ordinary treatment, payment, or healthcare operations.
    • If Employment Links grants the request to restrict use of the Client information, we will abide by it except in the case of a medical emergency.
    • A Client may not request restrictions on disclosure to receive records.
  8. Electronic Communication
    • Employment Links will use reasonable safeguards when communicating protected health information electronically. Email, text messaging, or other electronic communication methods will be used in accordance with privacy and security standards, and clients will be informed of any associated risks when applicable.

Verification

Employment Links will verify the identity of a person requesting Client information to make sure that the person has the authority to receive the information and that the person who is requesting the records is the same person who is authorized to receive them.

Disclosures to Business Associates

  1. Certain people and businesses may require access to portions of the Client record set in order to do their work.
  2. Employment Links must have a HIPAA Business Associate Agreement with the business before any information can be released to them.
  3. A signed copy of the agreement will be maintained on a permanent basis in the program file.
  4. Business Associates are required to safeguard protected health information and report any breaches in accordance with HIPAA requirements.

Employee Training

Staff will receive training on this policy and topic during orientation and on an annual basis. Questions concerning privacy and this policy will be directed to the Designated Privacy Officer.

Training will include privacy, security, and breach reporting requirements, as well as role-specific responsibilities for safeguarding protected health information.

All staff must complete required HIPAA training prior to accessing client information.

Complaints

Clients and staff may make complaints to the Designated Privacy Officer regarding Employment Links’ HIPAA policies, procedures, or compliance with privacy regulations. A client or staff who makes a complaint or participates in an investigation will not be retaliated against. The Designated Privacy Officer will maintain a record of all complaints.

Complaints Procedure

Complaints may be made in person, by phone, by email or in writing. A Client or staff may also file complaints with the offices listed below:

Privacy Officer:
Minnesota Department of Human Services
444 Lafayette Rd. North
St. Paul, MN 55155-3813

Office of Civil Rights:
Medical Privacy, Complaint Division
U.S. Department of Health and Human Services
200 Independence Ave. SW, HHH Building Room 509H
Washington, D.C. 20201

This policy also complies with the Minnesota Government Data Practices Act (Minnesota Statutes Chapter 13) and applicable Minnesota Department of Human Services licensing requirements.