Q.  Do all files need to be checked out when someone needs access to them?

A. Central files and Archived Files need to be checked out if someone needs access to the file. If a working file is going to leave the premises for an IPP, a doctor's appointment, etc., then the file needs to be checked out.

Q.  Do the program/progress notebooks need to be locked when not in use, or just out of sight without the client's name on the binder?

A. If the program/progress notebooks contain PHI, then they need to be locked up when not in use. If the notebooks happen to be stored in an office and the office has a lock on the door and the door is locked when no one is in the office, then the notebooks would be considered locked.

Q.  Why does the protected health information belong to the organization vs. clients supported? It is their information.

A. The protected health information is created by the organization and therefore is the organization's responsibility to protect. Any protected health information the organization receives regarding a client also becomes the organization's responsibility to protect.

Q.  If we are working on a file containing client information and we walk away from our desk to go and get something, is it ok to leave the PHI lying out on the desk?

A.  You should still attempt to protect the information by turning it over or placing it in a drawer. When you walk away from your desk, you never know how long you will be gone.

Q.  How are we expected to protect PHI when we are transporting the information back and forth to appointments, meetings, etc?

A. The PHI should be stored out of sight, in a closed container such as in a folder, clasped envelope, book bag, briefcase, portfolio, or file folder. It should be locked in the trunk of a car or put under the seat of a van. Never leave the PHI in view of someone else.

Q.  Do we need to track disclosures outside of treatment, payment, and operations?

A. The clients we support have the right to receive an accounting of disclosures of PHI made by the organization in the six years prior to the date on which the accounting is requested, except for disclosures that were: made for treatment, payment, and operations; permitted by law; made to the individual to whom the PHI pertains; made for a facility directory; made to people involved in the care of the person to whom the PHI pertains; made for national security or intelligence purposes; made to correctional institutions or law enforcement officers; or made prior to the compliance date of April 14, 2003.

This is covered by written policy and procedure. The Privacy Officer will maintain an organization-wide disclosure log effective 4/06.

Q.  Are the doctors, dentists, eye doctors, podiatrist, etc., that clients we support see, considered MOSAIC's business associates and do we need Authorization for Disclosure?

A. The health care services identified are generally performed on our client's behalf, not ours. Each health care service provider is separately required to adhere to the Privacy Standards even without an arrangement with us. The sharing of PHI between the health care service and the organization is also permitted, without further authorization, as part of the "treatment" and "payment" arrangement. However, if we as an organization contract out for such services, as we might do with pharmacy, because of being paid a "global fee" or other such similar arrangement, then such services could be construed as being performed on behalf of the organization and would require a business associate agreement.

Q.  Is giving information for ambulance service and hospital care in Emergency Room considered part of treatment, payment, and operations (TPO)?

A. Yes. Scheduling appointments for clients is also considered part of TPO.

Q.  Is it alright to post pictures of clients we support on bulletin boards or in picture collages in group homes when there is no other identifying information other than just the picture?

A. As long as you have the client's authorization to post the picture you are fine. A photo is also an identifier.

Q.  Do we continue to disclose protected health information regarding a person we support to their family members as we have always done?

A. A provider may disclose PHI to notify, or assist in notifying, a family member, the client's personal representative, or another person responsible for the client's care about the client's location, general condition, or death. If the client is able and available to agree or object, then the provider will give the client the opportunity to object prior to making this notification. If the client is unable or unavailable to agree or object, the health care professionals will use their best judgement in communicating with the person's family and others. Please refer to each State's law regarding personal representatives.

    Remember a client we support who is their own legal guardian has the right to deny disclosure. They also have a right to revoke an authorization of disclosure they have signed previously.

    If the client we support is not their own legal guardian, then you are ok to disclose treatment information without their authorization. In this case, we treat the legal guardian as a client.

Q.  Do we always need to disclose information to a parent of a minor in services?

A. Always refer to the specific laws from each State because they are all different. State law will pre-empt HIPAA in this case.

Q.  Can we engage in confidential conversations with other co-workers or with people we support regarding their care even if there is a possibility that they could be overheard?

A. Yes. HIPAA did not intend to prohibit providers or caregivers from talking to each other and to those they support. We are required to implement reasonable safeguards to protect confidential conversations, such as stepping into an office, taking the conversation to an area away from others, etc. This type of disclosure would be considered an incidental disclosure.

Q.  Do we need to have an authorization for disclosure signed when we share information with doctors, therapists, etc., regarding a client we support?

A. A doctor is a covered entity and would be considered part of treatment so it is ok to share protected health information. As long as the disclosure is for treatment, payment or operations, then the PHI may be shared.

The Notice of Privacy Practices allows health information to flow outside the organization in these cases.

Q.  Can we use first and last initials on erasable boards posted in offices that list dates of IPPs, lab work, etc.?

A. As long as the information is de-identified, you may put up dates of appointments, IPPs, etc. It is best practice to keep the erasable board away from general public viewing, but it can be done as long as the name is de-identified.

Q.  Can the staff person who is escorting an individual to a doctor's appointment take the entire working file that contains the current day to day information, current program plans, current documentation, and current medical information?

A. When transporting PHI whether by the staff or the individual, the minimum necessary information should be carried.

Q.  Do people we support or their legal guardians need to sign the Acknowledgment of Receipt of Notice of Privacy Practices on an annual basis?

A. No. The Acknowledgment of Receipt of Notice of Privacy Practices only needs to be signed one time. All other informed consents that a program has been signing on an annual basis will continue to be signed annually, other than the consent for release of disclosure, unless it is a State requirement. This document has been prepared for use across the entire MOSAIC agency and will be the form used for all disclosures.

Q.  Is it necessary that the individual understand the Notice of Privacy Practices?

A. Yes. This is why the "Notice of Privacy Practices Talking Points" was developed. It is important that individuals we serve understand their rights under the HIPAA Privacy Rule. The six rights are:

    The right to request restrictions on certain uses and disclosures of their protected health information.
    The right to receive confidential communications of their protected health information.
    The right to inspect and copy their protected health information.
    The right to request an amendment of their protected health information.
    The right to an accounting of disclosure of their protected health information.
    The right to a paper copy of the organization's Notice of Privacy Practices.

Q.  When do we need to give the Notice of Privacy Practices to all the people we serve?

A. New admissions will receive one at the time of admission and prior to the delivery of service.

A copy of the Notice, along with the signed Acknowledgment of Receipt of Notice of Privacy Practices, should be kept in the permanent record. The person in service should always have access to a Notice, and they or their legal guardian must also be given a copy to keep. If you are unable to get a signed Acknowledgment, you must document your "good faith" effort to do so on the Acknowledgment.

Q.  As a Host Home provider how do we monitor disclosing PHI when we are trying to make the person in service an integral part of the family?

A. Incidental disclosure of PHI within the family is going to occur. Host Home providers need to abide by the Privacy Rules when it comes to disclosure outside of their home.

Q.  What is the responsibility/liability of an independent contractor?

A. If the independent contractor is a business associate of ours, they will be asked to sign a business associate agreement. The business associate may have access to protected health information in order to carry out the service, but will not disclose any protected health information other than to fulfill their obligations. The business associate is also required to implement safeguards to prevent the use or disclosure of PHI in any other manner.

Q.  Do Host Home providers, respite providers, etc., need to secure and protect health information?

A. This type of provider is an independent contractor, and is considered a business associate. Within a business associate agreement, the business associate is also responsible for the privacy of protected health information.

Q.  Do Host Home providers require HIPAA Training since they are independent contractors?

A. It has been determined that we will provide HIPAA Training to the Host Home providers since they provide direct support services. We will also treat Host Home providers as a Business Associate.

Q.  When is a new employee required to have HIPAA training?

A. A new employee is required to have HIPAA Overview training and policy and procedure training within 60 days of employment.

Q.  How will the people we serve who work in sheltered workshops, offices, or as volunteers be handled under HIPAA regarding training?

A. If the people in services are employees of the organization, then they must be trained by the organization. If a person in services works in a sheltered workshop or is part of a janitorial crew for example and it is part of job training, coaching, and habilitation, then the person in services does not need to be trained.

If a person in services is a volunteer and it is part of habilitation, job training, etc., and they are being supervised, then they do not need to be trained. But if the person in service is a volunteer in a non-paid position, then they are considered part of the workforce.

Q.  Do we need to give HIPAA training to our volunteers, students, and temporary staff?

A. Yes, these listed individuals would be considered part of the workforce. HIPAA defines workforce as not only the employees of the organization, but also any volunteers, trainees, students, and other persons whose work is directly controlled by the organization. Training for a new member of the workforce must be completed within 60 days of hire.

Q.  Is it ok to have just one key for the locked files so we don't have to make keys for each staff person to access the files, and then keep the one key hanging near the file cabinet for everyone to use?

A. You must ask yourself how secure the one key is. If the key is accessible to more of the workforce than just the staff who need access to the files, then the files are not secure. If the key is not secure, the files are not secure.

Q.  What is the definition of protected health information, "PHI"?

A. Protected Health Information means information, including demographic information, that:
  • relates to the past, present, or future physical or mental health or condition of an individual;
  • relates to the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual;
  • identifies the individual (or for which there is a reasonable basis for believing that the information can be used to identify the individual); and
  • is received by the provider or created by the provider.

Q.  Do employees (workforce) who work from a "home office" need to shred protected health information when disposing of it?

A. Yes. Anyone who is part of the workforce and working out of their home must protect the information in the same manner as if they were working in an office building.

Q.  Do the HIPAA Privacy Standards apply to us as employees in the same way they apply to people in services regarding PHI?

A. The Privacy Standards do not specifically speak in reference to employees; however, Mosaic is not only considered a Health Care Provider but also a Health Care Plan under HIPAA. As a self-funded Health Care Plan, Mosaic has a responsibility to protect employees' medical information as it relates to the Health Care Plan. Please refer to the Notice of Privacy Practices as it relates to the employee Health Care Plan, located on the intranet under Human Resources.

Q.  Do the fax machine, copy machine, and employee mailboxes need to be secure?

A. Fax machines, copy machines, and employee mailboxes should not be accessible to the general public. If at all possible, they should be kept in an area the general public cannot see into. Documents should not be left on fax or copy machines.

Q.  Will the employee handbook reflect employee's responsibility to comply with HIPAA?

A. Yes, the employee handbook will reflect HIPAA in several areas, such as the confidentiality agreement, employee sanctions, non-retaliation, etc.

Q.  After a team meeting, what should be done with all the records and information regarding the person served that is shared at the meeting?

A. The documentation should be shredded once the meeting is over unless it is a permanent part of the record or needs to be maintained. Keep in mind the minimum necessary disclosure requirement. Ask whether it is necessary for everyone at the meeting to have copies of the written reports or documentation, or whether a verbal summary would be enough.

Q.  If an individual is residing in his or her own home, do we need to lock the PHI?

A. Yes, because we are still responsible for the PHI, even if it is kept in the individual's own home. The organization must obtain written permission from the individual, or legal guardian, in order to store PHI in the individual's own home. The organization must provide the locked container for storage, and it must be locked when not in use.

Q.  What is the difference between a working file, a central file, and an archived file?

A. A Working file is the day-to-day documentation or information, current medical information and all current program plans. This file should only contain information one (1) year old or less and must be locked when not in use.

A Central file (all data from the working file) is a file kept in the central office or group home that is always kept locked and must be signed out to review. After two (2) years, the central file data must be moved to the archived files and stored for a minimum of 6 years, or longer per each state's regulations.

An Archived file is a file that is kept in storage for a minimum of 6 years or longer depending on each state's regulations. After that it will be destroyed. This file must also be kept locked at all times and must be signed out in order to review. No file should be waiting to be archived for more than two (2) weeks.

The sign-out form for the central and archived files must have a designated person responsible for the sign-out process, and the sign-out form must include the following: who, what, when (date and time), purpose, and time returned.