Privacy policy

Therapeutic Services Agency, Inc.

Privacy and Security Policy




Therapeutic Services Agency, Inc. (TSA) has adopted this policy to comply with our duties under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Department Health and Human Services (“DHHS”) security and privacy regulations, as well as our duty to protect the confidentiality and integrity of confidential medical information as required by law, professional ethics, and accreditation requirements. All personnel of TSA must comply with this policy. Familiarity with this policy and demonstrated competence in the requirements of the policy are an important part of every employee’s responsibilities.




This Policy is based on the following assumptions:


·         All personnel of TSA must preserve the integrity and the confidentiality of medical and other sensitive information pertaining to our clients.

·         The purpose of this Policy is to ensure that TSA and its staff have the necessary information to provide the highest quality care possible while protecting the confidentiality of that information to the highest degree possible so that clients do not fear to provide information to TSA staff for purposes of treatment.




A workstation is a desktop computer that while moveable is not normally moved except when the equipment is being repurposed or repaired. A portable device is a computer such as a laptop, notebook i-pad, smart phone or other device that can be easily moved or is portable. In this policy computer equipment refers to both types of equipment.



Policy Organization


This policy has two parts-the Privacy Policy, which addresses the use and disclosure of individuals’ health information-called “protected health information (PHI)” as well as individuals' rights to understand and control how their health information is used.


The Security Policy addresses procedures for protecting certain health information that is held or transferred in electronic form. The Security Policy operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards to secure individuals’ “electronic protected health information” (e-PHI).


Appendices are used throughout to provide more detail, procedures and useful forms etc. to ensure that client privacy is protected and as such are part of this policy.


Security and Privacy Responsibility


The Executive Director, Cheryl Smetana McHugh, is the assigned Security and Privacy Officer with certain duties being delegated as described throughout this policy to other staff who are members of a Risk Analysis Team established to ensure fidelity of policy implementation and adherence to procedures and safeguards. In general, the Technology Coordinator carries out Security procedures and training, and the Business Director handles protected health information access and disclosure.


Enforcement and Sanctions


All TSA staff must adhere to this policy, and all supervisors are responsible for enforcing this policy. Because client mental health information is among the most sensitive of medical information TSA will not tolerate violations of this policy. Violation of this policy is grounds for disciplinary action, up to and including termination of employment in accordance with TSA policy and criminal or professional sanctions that may be applied by the relevant authority.



Privacy Policy


To ensure client privacy, TSA and its staff will—


·         Collect and use individual information only for the purposes of providing services and for supporting the delivery, payment, integrity, and quality of those services. TSA staff will not use or supply individual service information for non-health care uses, such as direct marketing, employment, or credit evaluation purposes other than as authorized by the Department of Health and Human Services (“DHHS”) privacy regulations.

·         Collect and use individual information only—

o   To provide proper diagnosis and treatment.

o   With the individual’s knowledge and consent/authorization.

o   To receive reimbursement for services provided.

o   For research and similar purposes designed to improve the quality of and to reduce the cost of health care.

o   As a basis for required reporting of health information.

·         Recognize that information collected about clients must be accurate, timely, complete, and available when needed. Consequently, TSA staff will—

o   Use their best efforts to ensure the accuracy, timeliness, and completeness of data and to ensure that authorized personnel can access data when needed.

o   Complete and authenticate records in accordance with the law, ethics, and accreditation standards.

o   Maintain records for the retention periods required by law and professional standards.

o   Not alter or destroy an entry in a record, but rather designate it as an error while leaving the original entry intact and create and maintain a new entry showing the correct data.

o   Implement reasonable, cost-effective measures to protect the integrity of all data maintained about clients.

·         Recognize that clients have a right of privacy. TSA staff will respect clients’ individual dignity at all times. TSA staff will respect clients’ privacy to the extent consistent with providing the highest quality medical care possible and with the efficient administration of TSA

·         Act as responsible information stewards and treat all individual medical record data and related financial, demographic, and lifestyle information as sensitive and confidential. Consequently, TSA staff will—

o   Treat all individual medical record data, called “protected health information” (“PHI”), as confidential in accordance with the DHHS privacy regulations, other legal requirements, professional ethics, and accreditation standards.

o   Use or disclose only the minimum necessary health information to accomplish the particular task for which the information is used or disclosed.

o   Not divulge record data unless the client (or his or her authorized representative) has properly consented to the release or the release is otherwise authorized by the privacy regulations and/or other law, such as communicable disease reporting, child abuse reporting, and the like.

o   When releasing record data, take appropriate steps to prevent unauthorized re-disclosures, such as specifying that the recipient may not further disclose the information without client consent or as authorized by law.

o   Implement reasonable, cost-effective measures to protect the confidentiality of medical and other information maintained about clients.

o   Remove client identifiers when appropriate, such as in statistical reporting and in medical research studies.

o   Not disclose financial or other client information except as necessary for billing or other authorized purposes as authorized by the privacy regulations, other laws, and professional standards.

o   Recognize that some medical information is particularly sensitive, such as HIV/AIDS information, mental health and developmental disability information, alcohol and drug abuse information, and other information about sexually transmitted or communicable diseases, and that disclosure of such information could severely harm clients, such as by causing loss of employment opportunities and insurance coverage, as well as the pain of social stigma. Consequently, TSA staff will treat such information with additional confidentiality protections as required by law, professional ethics, and accreditation requirements.

o   Other than for treatment purposes or when authorized by the client, not use or disclose more than the minimum necessary health information to accomplish the particular task for which the information is used or disclosed.

o   Recognize that, although TSA “owns” the medical record, the client has a right of access to information contained in the record. TSA staff will—

§  Provide clients a notice of information practices that details their rights, our duties, and how we will use and disclose their PHI in accordance with the requirements of the privacy regulations.

§  Permit clients to access and copy their PHI in accordance with the requirements of the privacy regulations.

§  Provide clients an opportunity to request correction of inaccurate data in their records in accordance with the requirements of the privacy regulations.

§  Provide clients an accounting of uses and disclosures other than those for treatment, payment, and health care operations and those that the clients have consented to or authorized in accordance with the requirements of the privacy regulations.

§  Permit clients to request restriction on the use and disclosure of their PHI and to request alternate forms of communications in accordance with the requirements of the privacy regulations.


Procedures to implement the privacy provisions of this policy are found in the TSA HIPPA Privacy Manual.


Security Policy


The Security Policy operationalizes TSA’s privacy efforts with regard to the collection, storage, and transmission of electronic protected health information (e-PHI). The policy is organized into three sections describing administrative, physical and technical safeguards along with other steps that are needed to ensure security of e-PHI.


I        Administrative Safeguards


A.                Security Management Process


1.      Risk Analysis- TSA establishes an ongoing process to analyze risk.  A Risk Analysis Team is constituted as part of TSA’s Management Team. The Team will consist of the following:

§  Executive Director as Security and Privacy Officer.

§  Business Director

§  Technology Coordinator

§  Others as needed

The team will conduct an initial written risk analysis of its e-PHI and will establish an on-going process for review and problem solving (see Appendix A: Risk Analysis Procedures.)


2. Risk Management- TSA will evaluate the risk analysis conducted above and will implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level noting especially the sensitivity of client mental health information. This management plan will be part of the Risk Analysis document.


3. Information System Activity Review- Data, media, and computer assets are the physical property of TSA wherever located and data users have no expectation of privacy in TSA’s data, media, computer or other information assets, wherever located. TSA audits for compliance. Use of personal equipment, such as phones, laptops, tablets, notebooks, and so forth, to use, record, or store TSA information subjects the user to the terms of this policy. TSA needs to audit data for integrity and system users for compliance with laws, regulations, professional ethics, accreditation requirements, and TSA’s policies and procedures.


TSA will institute internal audit of health and other critical information in its system to ensure the integrity of such data and will audit data users’ activities on TSA owned equipment to ensure compliance with laws, regulations, professional ethics, accreditation requirements, and its own policies and procedures.


Most TSA electronically protected health information is contained within Procentive, which by Business Associate agreement is responsible for internal security. Staff should be aware that activity on Procentive is recorded down to the level of each key stroke.


Some limited TSA e-PHI is maintained on the TSA servers. This information may be audited when there is a ‘triggering event’ as well as on a regular basis (see Appendix C: System Activity Review.) E-PHI downloaded to other devices used by staff is subject to policy provisions described below.


Overall control of data security on TSA systems is the responsibility of the Technology Coordinator. At a minimum, he or she will maintain an access or audit log of who accessed the TSA server and will maintain the security of TSA password protected flash-drives.


The Technology Coordinator will monthly audit the TSA server for log-in and attempted log-ins. Also, in the normal course of his duties he will look for any vulnerabilities that may show a weakness in the system. A log of any relevant findings will be reported monthly to the Risk Analysis team and kept for six years. If any security breaches are detected he will follow TSA’s Report Procedure and participate in any needed investigation per TSA’s response Procedure.


All supervisors, data users, and employees are responsible for reporting problems with data integrity to their supervisors and the Technology Coordinator.


B.    Workforce Security


TSA has established chains of command and authority and all staff have a supervisor.  All staff at orientation are provided a copy of their job descriptions and a written description of the access to e-PHI which they acknowledge and sign.  All staff have been screened and provided documentation of their credentials, if any, and have had background checks conducted. A termination checklist is provided that includes a security check-out and special procedures are used for involuntary termination.


C.     Security Awareness Training


TSA has established an induction process that in part addresses security awareness training:

Once new staff have been cleared following the above workforce security procedures staff acknowledge TSA’s training and the scope of their use of e-PHI.
Staff view a HIPAA orientation video.
Staff meet with the Technology Coordinator to review internal communication and access to systems.
Staff are trained in Procentive.
Staff need for the use of company portable computers, personal computers, mobile phones, and other devices is assessed and staff trained in securing e-PHI on any devices.

Staff certify their training, their awareness and agreement to comply with this policy including TSA security requirements for the use of such equipment, and give their written warranty to comply with these requirements including requirements for the use of portable devices (Appendix F: HIPAA & HITECH Staff Awareness Form & Portable/Home Users Warranty.)


Following its initial Risk Analysis TSA has provided training to all its staff and undertaken steps four and five above. Periodic updates are provided to staff to promote adherence to security and privacy compliance.


D.    Security Incident Procedures


A Response and Reporting Procedure is part of this policy and described more fully in Appendix B. These procedures are based on the following assumptions:


·         Breaches of security, confidentiality, or TSA’s policies and procedures may occur despite security and confidentiality protections.

·         Early detection and response to such breaches is critical to stop any such breach, correct the problem, and mitigate any harm.

·         In appropriate cases, a thorough investigation is necessary to assess the breach, mitigate any harm, determine how to prevent recurrence, and provide a basis for any necessary disciplinary action.

·         TSA has a duty to mitigate the harm of a breach and, in some cases, has a duty to notify the subject of the breach, DHHS, and the media.

·         Other federal and state laws, such as the Red Flag Rules, may also require notification and/or mitigation.


All officers, agents, and employees of TSA must adhere to this section of the policy and the attached procedures, and all supervisors are responsible for enforcing this policy. TSA will not tolerate violations of this policy. Violation of this policy is grounds for disciplinary action, up to and including termination of employment and criminal or professional sanctions.



E.    Contingency Plan


Contingency planning is needed should TSA experience an emergency or unusual occurrence such as power interruption or the disruption by any cause of critical business operations.  TSA has a Contingency Plan (Appendix D: Contingency Plan) that addresses data backup, disaster recovery and emergency mode operation. Because of the size of the company formal testing and revision procedures are not necessary but can be completed through the regularly scheduled meetings of the Risk Analysis team. The Technology Coordinator will schedule an annual review of Appendix D Contingency Plan issues in conjunction with the Evaluation review noted below. Likewise because of the smaller size of the company, the nature of community based mental health and TSA’s use of  Procentive as a repository of most e-PHI data no assessment of criticality of applications and data is warranted.


F.        Evaluation


The Risk Analysis team will annually review its security measures to ensure that the integrity and confidentiality of such data remain adequately protected. The Technology Manager will schedule this evaluation each February.


G.       Business Associate Contracts


TSA must hire other individuals or organizations to perform services for it involving individually identifiable health information. The use of business associates is encouraged to improve productivity and reduce costs. Such use of business associates does not, however, eliminate the need to protect TSA’s PHI maintained, used, or disclosed by the business associate pursuant to the business associate agreement.


Breach of confidentiality of individually identifiable health information may harm clients  and others and risk legal liability for TSA and for the business associate. HIPAA requires TSA to have a written contract with such individuals or organizations, known as a business associate agreement. Failure to have a compliant business associate agreement may subject TSA to liability for the business associate’s breach of the security, privacy, or data integrity of TSA’s protected health information.


Even with a business associate agreement in place, TSA may be liable for the business associate’s breach if it has actual knowledge of the breach and does not take proper measures to correct it or if it exercises too much control over the business associate’s performance of its duties under the contract. Recent changes to HIPAA may make TSA liable for breaches committed by business associates even if a business associate contract is not in place. The procedures for TSA’s interaction with Business Associates is described in Appendix E: Business Associates.



II       Physical Safeguards


A.   Facility Access Control


TSA’s facility access is addressed by routine practices that include a standard that all computers and servers are in locked buildings or rooms; i.e. the doors to the facility are locked and the room in which the computer/server is also locked if in a room. At TSA owned locations only TSA staff have keys and keys are collected when staff leave employment. Some TSA landlords have access to TSA facilities and at North Branch computers are locked in place because North Branch staff do regular cleaning.  At. St. Paul and Anoka landlords rarely if ever access the TSA offices. Each location has special considerations given the variability of locations including stand along buildings, inside mall entrances, outside mall entrances, and locations with school and county facilities.  The main TSA office that houses the server has a security system.


Because of the smaller size of TSA it is not reasonable or appropriate to have contingency operations, a formal security plan, access control, validation procedures or specialized maintenance records.


B.   Computer Equipment Use


TSA owns and uses a variety of workstation computers that can access e-PHI. These include portable computers, and desktop computers. An inventory of equipment is maintained and each workstation was reviewed in the risk analysis and results recorded on an assessment summary. All TSA computers have access to e-phi but with proper controls. Policies and procedures for workstation use are found in Appendix F: TSA Computer and Technology Policy Summary.



C. Computer Equipment Security


All TSA computer equipment in TSA offices are password protected. The Technology Coordinator is responsible for maintaining access safeguards to computer equipment.


D. Computer Equipment (Device & Media) Controls


Controls for data, media and computer assets are of two types-those assets owned by TSA and those that are the property of staff or partners such as schools. For this reason different standards and accountability apply to each type. Because loss or breach of confidentiality may cause severe harm to the subject of the information staff need to know that protection of these assets are among the most important of their duties. Especially important is that there are few ways to protect portable assets other than maintaining good custody and control over the asset. Staff removing these assets from TSA facilities or using their own portable devices need to be vigilant in following security procedures.  These are described in Appendix F: TSA Computer and Technology Policy Summary.


The Technology Coordinator will be responsible for overseeing the movement of TSA owned devices among staff and sites. S/he will ensure that e-PHI stored on any computer will be removed and properly stored before any device is re-used. Likewise the removal of assets will follow the procedures as noted in Appendix F.



III     Technical Safeguards


A.   Access Controls


The Business Director will determine which personnel get access to e-PHI. In making such determinations, s/he will follow these guidelines:


a. Prospective data users will not get access unless they have a need for access.

b. Prospective data users will get only the minimum access necessary to perform duties requiring such access.

c. Staff that would otherwise properly have access may be screened off access in certain circumstances, such as if the access would be to a family member’s health information.

d. Clinical staff will have access only to data of clients that they have some responsibility for, with supervisors and directors having access to all staff reporting to them and their ‘reports.’

e. Access will be limited to necessary tasks.

f. When third-party commercial service providers need access, the Business Director will determine whether and how much access such service providers need and grant access in accordance with this Policy. Business associate agreements must be in place for those service providers that are performing a service requiring access to PHI.


Data users must comply with the following requirements:


a. Use the e-PHI data only for purposes authorized by TSA.

b. No employee may access any confidential patient or other information that they do not have a need to know.

c. Do not disclose confidential client or other information unless properly authorized.

d. No e-PHI should be stored in the cloud without a Business Associate Agreement.  The use of Dropbox or other cloud based storage solutions for e-PHI is prohibited without prior consent from TSA IT department. 

e. You must not leave printers unattended when printing confidential client or other information. This rule is especially important when two or more computers share a common printer or when the printer is in an area where unauthorized personnel have access to the printer.



B. Electronic Signature and Authentication.


The Business Director is responsible for developing procedures for determining which individuals are authorized to authenticate particular portions of patient medical records. The clinician placing the electronic signature into the specified field(s) of Procentive is considered to have signed and authenticated that specified information entered into the system as a part of the patient’s legal medical record.


TSA provides the clinical staff training and orientation on the use of the electronic signature as a required part of training on the automated medical record.


The signature applied within the automated medical record system is considered the authentication of the specific entry into the medical record, whether that electronic signature image is reviewed on a workstation or pen-based tablet screen directly within the computerized medical record system or whether the signature image has been printed on the paper version of the visit note or medical record entry.


Clinician staff applying the electronic signature are attesting to having reviewed the contents of that entry and having determined that the entry contains what the individual clinician intended. Once the clinician has authenticated the entry, the system does not permit anyone to overwrite, delete, or alter it. Corrections must be made by generating a new entry.


TSA’s security system protects the computer system by two levels of access control mechanisms with unique identifiers being assigned to each individual user on the system.


To gain entry into the Procentive on all TSA owned computer equipment and access patients’ medical record information, the clinician must authenticate himself or herself on two levels:

After turning on the unit, a unique login and password specific to the clinician must be entered to gain access to the applications on unit.
To enter the Procentive, a second unique login and password specific to the clinician must be entered to gain access to patient information.

Once the clinician has authenticated into the patient information area of Procentive, only patients assigned to that clinician during scheduling or case management assignment are available to that clinician on the tablet.


The unit will reject a user and deny entry into Procentive  after three attempts at entering the unique login and password information incorrectly. System administrator level intervention is required for the clinician to gain reaccess into the system. System administration level access is granted only to the system administrator and specific controlled designees that have been trained in system security policies and procedures. This step prevents unauthorized entry into the secured patient medical records and ensures that only appropriately identified and password-secured staff access secured patient areas of the system.


Passwords are unique to the clinicians. Clinicians may not share their login or password information and must treat it as strictly confidential.


 The Technology Coordinator will develop procedures to verify that a person or entity seeking access to e-PHI is the one claimed by requiring something known only to that individual, such as a password or a PIN (see Appendix F for more password information.) Access to e-PHI on TSA servers also is restricted by “Permission” restrictions in the domains and folders a determined by the Business Director.


C. Remote Access


Users may not establish modems, internet, or other external network connections that could allow unauthorized users to access TSA’s system or information without the prior approval of TSA IT staff.


The use of Windows Remote Desktop is typically reserved for TSA IT staff, but there may be occasions when another employee needs to use Remote Desktop Connection. Use of Remote Desktop needs to be approved by TSA IT staff. 


Certain third party contractors who provide technology support to TSA are allowed to log in remotely and certain authorized staff have access through “Go to my PC.”


D. Emergency Access


TSA services are limited to social services and mental health services.  No other medical or physical health practice is a part of TSA services.  So, there is not an emergency need to access client information in the case of damage to equipment or system inaccessibility. The handling of client emergencies are not dependent on having any information in the client record as might be the case in physical medical health (ex: blood type, allergies, etc.) Back-up copies of client directory and descriptive information for foster care clients is kept in the On-Call book.



D. Automatic Log-off and Encryption


Automatic Log-off is a part of all TSA owned equipment and the Procentive system. There is no reason to disable this feature.


Encryption is not needed on TSA computer equipment because each unit is password protected as described above as is the Procentive client information system. No e-phi is allowed on TSA computer equipment because the e-phi is stored on the Procentive server or TSA servers.


Although encrypting emails that we send would be cost-effective, the emails would be of little use unless the recipients could decrypt (read) the appointment reminders. Our patients do not have the funds to purchase compatible decryption packages, and we do not have funds to purchase decryption packages for them, especially because they have many different operating systems. Further, we can sanitize the emails so that no sensitive PHI, is included in the email.


C.   Audit Controls


The Technology Coordinator will audit log-in and access attempts consistent with TSA’s Information System Activity Review (Audit) Policy and report, investigate, and take remedial action (if necessary) of access breaches consistent with TSA’s Report and Response Procedure.


D.   Documentation and Evaluation


Documentation for reviews, breach identification, tests and revisions to security measures will be kept by the Technology Coordinator for six years.


TSA will institute an annual review of its security measures that protect health information and other critical information in its system to ensure that the integrity and confidentiality of such data remain adequately protected.


TSA’s’s Technology Coordinator is responsible for conducting such annual reviews.


The Security Officer may, at any time, conduct a review if appropriate because of a new risk or a breach.


All supervisors, data users, and employees are responsible for reporting new or changed risks to their supervisors, who will then report the same to the Security Officer.