Privacy is the right of an individual to be left alone. Informational privacy is the individual's ability to control what information is available and who has access to that information.
Confidentiality is the responsibility for limited disclosure of private matters. This includes the responsibility to use, disclose or release such information with the knowledge and consent of the individual identified.
All of us have access to confidential information, and most of us have access to the most sensitive or personal information: medical/mental health information. Not only do we have a moral and ethical responsibility to protect all information that exists within White Bird, we have a legal responsibility.
WHITE BIRD POLICIES AND PROCEDURES: WHERE TO FIND
Our 'Privacy Policy' is included in our Policy and Procedures Manual, a copy of which is provided to each program. It is meant to explain our values and policies to the public concerning the sharing of personal information.
This guide will give you a brief overview and serve as a quick reference when questions arise. Please read and familiarize yourself with this policy and guidebook. You are responsible for being aware of their contents.
HIPAA requires that you receive training at hire and annually to refresh and remind you how important confidentiality is to your job. You must sign a Confidentiality Agreement at that time. Make sure you are clear on what you are signing and the commitment you are making.
REGULATIONS & LAWS CONCERNING CONFIDENTIALITY THAT WHITE BIRD MUST FOLLOW
Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996 in an attempt to improve health care nationally through four main objectives:
- Make sure that health insurance is available to workers and their families when they change or lose their jobs.
- Reduce fraud and abuse: HIPAA allows the Department of Health and Human Services and the Justice Department to pursue organizations suspected of fraud. It also protects whistleblowers and establishes severe penalties for those who are found guilty of fraud.
- Administrative Simplification: use of standard electronic file formats, codes and identifiers is expected to greatly reduce the cost of processing a healthcare transaction and help reduce fraud.
- Protection of Patient Information: with electronic data interchange comes strict security measures and stringent protection of patient information.
Except when federal regulations are more restrictive, we follow the guidance of the State of Oregon. If you have any questions about specific laws or regulations, contact your security officer.
According to Oregon Revised Statutes, Oregon Administrative Rules and several federal laws and regulations:
- We must furnish our written policy on confidentiality when requested.
- We must have a process in place to track and allow members to request any information that White Bird has about them.
- We must allow members to ask to modify their information.
According to HIPAA privacy regulations:
- Patients have a right to access the information we have about them and can request that we change that information.
- We must make sure that only staff who need confidential information to do their jobs have access to it and that the minimal necessary information is accessed.
- We must designate a security officer who is responsible for training our staff, creating administrative and personnel policies and procedures, and making sure that physical and system safeguards are in place.
- Providers must get written consent from patients to use their information for treatment, payment, and healthcare options.
Protected Health Information (PHI) is any information that, individually or in combination, could identify the person should someone see or overhear it. Certain information is unique to an individual and by itself can identify that person. If health information is linked with the following unique items, it qualifies as PHI:
- Name, social security number, street address, driver's license number
- Telephone or fax numbers, e-mail address or web site addresses/URL
- Medical record or patient identification numbers, including account number, health plan ID numbers
- Biometric identifiers, including finger and voice prints
- Full-face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code
HIPAA regulations allow us to use PHI in 'treatment, payment and healthcare operations.' Thus, with proper security and procedures, we may use PHI to:
- Determine eligibility and coordination of benefits and adjudication of health benefit claims, including pre-authorization
- Do billing, claims management, collections and obtain payment
- Complete a review of healthcare services for medical necessity, coverage and appropriateness of care
- Do utilization review
- Undertake quality assessment and improvement activities
- Credential providers and evaluate provider performance
- Conduct or arrange for a medical or legal review and for auditing, including fraud and abuse
- Engage in agency planning and development
- Work towards the resolution of grievances
We are obligated to make reasonable efforts to request only the minimum necessary amount of information needed to do the task.
Patients have a right to access their own protected health information and often the PHI of their minor children. White Bird procedures are intended to assist members in accessing their information. It is of vital importance that these procedures are followed to the letter, so that sensitive or confidential information is released only to those who have a right to view it.
We can share PHI with others only in these circumstances:
- For treatment, payment and healthcare operations with other healthcare providers and clearinghouses
- When written authorization has been provided by the individual
- When it's for the use of the Department of Health and Human Services in the investigation and enforcement of HIPAA rules
- Under the order of a court or legal authority
- For business associates with whom we have a written contract
PROTECTING INFORMATION
We can protect confidential information by following these guidelines:
- Access only information needed to do your job.
- Be careful not to share confidential information with friends, or relatives, or in social situations.
- If you no longer use a program, screen or database, ask to have it removed from your computer.
- Don't show, tell, copy, give, sell, review, change, or discard any information unless it is part of your job. If it is part of your job, follow the correct department procedures (such as shredding documents with confidential information before discarding).
- Don't misuse or be careless with confidential information. Make sure that confidential information at your desk is not visible.
- Be aware that computer monitors can display PHI and should not be visible to passers-by.
- Make sure any documents left after a meeting are properly disposed of.
- Keep your computer password a secret.
- Don't share any confidential information, even if you are no longer a White Bird staff member.
- Know that your access to confidential information can be audited.
- Be careful with faxes, both to whom you are sending them and by whom they are received. Always include a White Bird cover sheet with a confidentiality statement on it.
- Know that White Bird may revoke computer access at any time.
- Don't review confidential information from our offices.
- Don't make unauthorized copies of White Bird documents, records or software.
- Remember that you are responsible for your use or misuse of confidential information.
- If you are unsure or uncomfortable about confidential information or its use, talk with the Operations Coordinator or the Security Officer. It is better to ask than to make assumptions.
CONSEQUENCES OF BREACH IN CONFIDENTIALITY
If you are aware of or see a breach of confidentiality, report it immediately to the Operations Coordinator or Security Officer. Breaches in confidentiality have been divided into the following levels with corresponding disciplinary actions for each.
Level 1: Carelessness
This level of breach occurs when a White Bird staff member unintentionally or carelessly accesses, reviews, or reveals protected information to themselves or others without a legitimate need to know or provide the protected information.
Examples:
- An employee discusses protected information in a public area
- An employee leaves a copy of protected information in a public area
Disciplinary Actions, depending on the offense, will include: counseling, an oral or written warning, documented in the staff personnel file and review of the confidentiality policy and procedures.
Level 2: Curiosity or Concern (no personal gain)
This level of breach occurs when an employee intentionally accesses or discusses protected information for purposes other than conducting White Bird business or other authorized purposes, but for reasons unrelated to personal gain.
Examples:
- An employee looks up birth dates, addresses or friends
- An employee accesses or reviews a patient record out of concern or curiosity
Disciplinary Actions will include a written warning, documented in the staff record, counseling and review of the confidentiality policy and procedures.
Level 3: Personal Gain or Malice
This level of breach occurs when an employee accesses, reviews or discusses protected information for personal gain or malicious intent.
Examples:
- An employee reviews protected information for use in a personal relationship
- An employee compiles a mailing list for personal use or to be sold
- An employee sells protected information to the media
Disciplinary Action will include recommendation to the personnel committee for termination and, in the case of a criminal action, possible civil or criminal penalties.