FAQ

HIPAA Training
It is mandatory that all ADPH Workforce, volunteers, and interns receive HIPAA Privacy and Security Awareness training?

Volunteers and Interns (students)
Volunteers and interns are required to complete the current HIPAA training. Such training must be documented in the student/volunteer folder, and maintained by that division, bureau, or clinic, in written and electronic form, for at least (6) years after the student/volunteer separates or longer if required by other applicable Department policies.

New Employees
New employees must complete the most current HIPAA Privacy and Security Awareness training, the current year refresher training, and complete the electronic acknowledgement form.

Current Employees
Current employees must complete all refresher training and complete the electronic acknowledgement form.

When must a new employee/volunteer/intern complete HIPAA Training?
New employees, interns and volunteers must complete the HIPAA Training during their orientation period and prior to coming in contact with protected health information.

e-HIPAA Log

What is the e-HIPAA Log?
The e-HIPAA Log is used by appropriate designated ADPH staff to document disclosure of patient/client health information.

What are the types of disclosures that must be documented on the e-HIPAA Log?
The following disclosures of patient/client information must be documented in the e-HIPAA Log:
Unauthorized release of PHI. These unauthorized releases must also be documented in the Automated Report of Incidents and Accidents (ARIA) System;

• Authorized releases based upon subpoena or judicial process;

• Authorized releases to law enforcement, national security, emergencies, abuse investigator agencies;

• Requests to limit release of PHI;

• Requests to amend or correct PHI;and

• Requests for accounting of PHI.

I was not previously given access to the e-HIPAA Log link, but I think I need to document a disclosure. Who do I talk to?
Contact you Area Clerical Director to ensure that your intended report meets the requirements. If your Area Clerical Director authorizes your access to the system, complete the e-HIPAA Log Training in LCMS, then have the supervisor send an email to the Privacy Officer requesting access.

Email Encryption

Does ADPH utilize e-mail encryption?
Yes, the Department currently utilizes Symantec e-mail encryption software. Our encryption software does not affect e-mails being sent within Lotus Notes. The encryption software will activate when the system finds protected health information being e-mailed outside of Lotus Notes.
Employees should place [ENCRYPT] in the subject line of the email to activate the software. The recipient of the email will receive an automatic email notifying them that they are being sent and email containing protected health information and require them to register with our system. After registering, they will be able to receive emails from our employees by entering a password.

Shred Bin vs. Recycle Bin: Does it Really Matter?
Yes, ADPH requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of PHI, in any form. This means that the Department must implement reasonable safeguards to limit incidental, and avoid prohibited uses and disclosures of PHI, including in connection with the disposal of such information. Employees are not allowed to abandon PHI or dispose of it in dumpers or other containers that are accessible by the public or other unauthorized persons. Therefore, paper-based PHI must only be disposed of by utilizing a shredding machine or by placing the documentation in a secured shred bin. PHI must NOT be placed in a recycle bin. The placement of PHI in a recycle bin, dumpster or trash can will be considered a HIPAA violation.

Outside Auditors/Government Investigator

An outside auditor/government investigator just showed up at my office requesting patient records. What do I do?
Individuals requesting PHI for the purpose of performing an audit or investigation must meet HIPAA requirements in order to access PHI held by the Department. If a non-Department staff member requests to view PHI to perform an audit or investigation, you should take the steps listed below:
1. Ask for a copy of their badge and business card.
2. Notify your supervisor who will contact the Office of General Counsel and provide them with a copy of the badge and business card.
3. If the request for PHI is approved, log any disclosure in the e-HIPAA Log for any patient whose records were accessed.
*Do not provide external auditors or investigators access to your passwords or log-in information. If access to Department systems is necessary, the Security Officer must be notified and will work to develop a means of access to necessary systems.

Faxing

I need to fax some records to another health care provider, but my co-worker says that there are faxing procedures that I must follow. Is that true?
Yes, ADPH had faxing procedures that can be found in the 2022 ADPH HIPAA Privacy and Security Policy. Faxing of PHI is permitted but not recommended. Faxing of PHI is only permitted if the sender first calls the recipient and confirms that the recipient or his/her designee should wait at the fax machine to receive the fax and then call the sender to confirm receipt of the document. Both the sender and the recipient must be attentive to the sensitive nature of PHI.

Oh no! I just sent a fax to the wrong number in error. What do I do now?
Contact the Privacy officer immediately at 334-206-9324. You must be advised to fax a notice to the incorrect fax number explaining that the information has been misdirected and ask for confirmation in writing that the information has been shredded or destroyed. Do not include any identifying information about the patient when you send the second fax.

Immediately document the incident by filing an ARIA report. Finally, verify the fax number with the correct recipient before attempting to fax the information again.

Can STD information be faxed?
Yes, as long as the fax procedures noted in the HIPAA policy are followed. You can fax STD information just as you would any other medical record. This is the case whether it is faxed between health departments, to and from central office, and any other health care entities with authority to receive the information. Exception: AIDS/HIV information cannot be faxed.

Business Associate Agreements

What is a Business Associate Agreement?
A "Business Associate" is a person or entity who creates, receives, maintains, or transmits PHI for the Department.

Why do I need to consider having a Business Associate Agreement?
The HIPAA Rules require that covered entities and business associates enter into a Business Associate Agreement (BAA) to ensure that business associates will appropriately safeguard PHI. A business associate may use or disclose PHI only as permitted or required by its BAA or as required by law.
As of 2012, business associates are directly liable under the HIPAA Rules and subject to civil and criminal penalties for making uses and disclosures of PHI that are not authorized by agreement or required by law. A business associate also is directly liable and subject to civil penalties for failing to safeguard electronic protected health information (e-PHI) in accordance with the HIPAA Security Rules.

How do I know if I need to enter into a Business Associate Agreement?
ADPH utilizes a BAA Flowchart so that employees can more easily decide whether a BAA is necessary. A copy of the flowchart is attached to the 2022 ADPH HIPAA Privacy and Security Policy and can also be found on this website under Forms.