HIPAA Privacy Manual



HIPAA Privacy Manual
for
[Insert organization/practice name]

Contents

1. HIPAA PRIVACY MANUAL INTRODUCTION
2. PRIVACY OFFICER JOB RESPONSIBILITIES
3. PRIVACY RULE
3.1. Patient Information Types
3.2. TPO
3.3. Patient Requested Restrictions
3.4. Confidentiality
3.5. Limitations of Use and Disclosure of PHI
3.5.1. Minimum Necessary Standard
3.6. Notice of Privacy Practices
3.7. Use of PHI for TPO and Non-TPO Purposes
3.8. Permissible Disclosures to Another Covered Entity for Certain Health Care Operations
3.9. Psychotherapy Notes Authorization
3.10. Marketing
3.11. Personal Representative
3.11.1. Decedents
3.11.2. Minors
4. POLICIES AND PROCEDURES
4.1. Privacy Policy
4.2. Illustrations of Situations Requiring/Not Requiring Authorization
4.3. Immunization Consent Policy
4.3.1. Sample Immunization Consent Agreement
4.4. Privacy Procedures – Patient
4.5. Patient Requests for Electronic Copy of EPHI Policy
4.6. Facilities Policy and Procedures
4.7. Data Breach Policy and Procedures
4.8. Training Policy
4.9. Workforce Confidentiality Agreement
4.10. Business Associates
4.10.1. Business Associates Policy
4.10.2. Business Associates Decision Tree
4.10.3. Listing of Typical Business Associates
4.10.4. Business Associate Agreement
4.11. Marketing
4.12. Workforce Termination
4.13. Policy, Procedure, and Agreement Review
5. FORMS
5.1. Notice of Privacy Practices
5.2. Receipt of Notice of Privacy Practices Written Acknowledgement Form
5.3. Patient Authorization for Use and Disclosure of Protected Health Information
5.4. Authorization for Use and Disclosure of Psychotherapy Notes
5.5. Authorization for Use and/or Disclosure of PHI for Marketing, Fundraising, Publication, or Public Relations
5.6. Request for Limitations and Restrictions of Protected Health Information
5.7. Request to Inspect and Copy Protected Health Information
5.8. Patient Denial Letter
5.9. Request for Correction/Amendment of Protected Health Information
5.10. Request for Correction/Amendment of Protected Health Information
5.11. Request for an Accounting of Certain Disclosures of Protected Health Information
5.12. Patient Complaint Form
5.13. Fax Letter with Disclaimer
5.14. Form Review
6. LOGS
6.1. Privacy Officer Incident Log
6.2. Facility Maintenance Log
6.3. Training Documentation Log
6.4. Business Associate Log
6.5. Workforce Termination Record
6.6. Data Breach Record
6.7. Log and Record Review
7. JOB DESCRIPTIONS
8. PRIVACY RISK ANALYSIS
9. AUDIT/RISK ANALYSIS
10. GLOSSARY
11. INDEX

HIPAA PRIVACY MANUAL INTRODUCTION

This Manual reflects the policies and documentation for Organization Name’s protection of protected health information (PHI) as required by the HIPAA Privacy Rule. Organization Name is herein referred to as “the Organization” or “Organization.”

This manual documents the Organization’s REQUIRED Risk Management under the HIPAA Privacy Rule, reflecting the implementation of privacy measures that reduce risks and vulnerabilities to a reasonable and appropriate level in order to comply with the Rule.

Policies and procedures are applicable to all the organization’s members such as owners, management, employees, volunteers and/or contractors.
Membership includes, but is not limited to, employment, contractual or volunteer relationships.

This manual complies with the documentation standard that requires covered entities to:
(i) “Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form”; and
(ii) “if an action, activity or assessment is required for HIPAA privacy compliance the organization will maintain a written (which may be electronic) record of the action, activity, or assessment.”

This manual complies with CMS documentation standard specifications:
1. Time Limit (Required) - The Organization will “retain the documentation required by (HIPAA Privacy Rule) for 6 years from the date of its creation or the date when it last was in effect, whichever is later.”
2. Availability (Required) - Available in paper format at the Organization and in electronic format with ITPC, such that it is “available to those persons responsible for implementing the procedures to which the documentation pertains.”
3. Updates (Required) - Noted by dates on each page. The Organization will “review documentation periodically, and update as needed, in response to environmental or operational changes affecting the privacy of the electronic protected health information.”

The contents reflect required or addressable items as detailed by:
- The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule
- The American Recovery and Reinvestment Act
- 45 CFR Parts 160 and 164 - Modifications to the HIPAA Security, Privacy, and Enforcement Rules under the Health Information Technology for Economic and Clinical Health Act
- 45 CFR Parts 160 and 164 - Breach Notification for Unsecured Protected Health Information

Policy requirement sources are outlined at the beginning of each policy. See the reference section for a full listing of references.

The nomenclature for documents found in the Code of Federal Regulations (CFR) includes the appropriate title number, which precedes the CFR designation, followed by the chapter, part, and section numbers (example: 45 CFR §164.308(a)(2)).

All material contained is only valid once reviewed by the Organization’s HIPAA Privacy Officer, as evidenced by the initials of said officer on each policy with the date of the review and/or approval. All policies require review and formal approval by the Organization’s managing physician and/or Board of Directors. Dates of reviews are also noted at the bottom of each policy and/or exhibit.

All material is subject to review and modification in response to any environmental or operational change related to the protection of PHI as required by the Rule. This includes, but is not limited to: an identified privacy incident, a change in the Organization’s ownership or key personnel, and/or the incorporation of new technology. The initials confirm that these procedures, policies and logs are followed by this Organization and its employees. Reference pages reflect the sources of appropriate implementation standards for the Organization. The Organization will maintain all revisions to the documents, the dates of each revision, the individual who revised the document, the date of the most recent approval of the document, and the individual who approved it.

Abbreviations or Acronyms Used:
CMS – Centers for Medicare and Medicaid Services
IIHI – Individually Identifiable Health Information
PHI – Protected Health Information
EMR – Electronic Medical Record
FIPS – Federal Information Processing Standards Publication
HIPAA – Health Insurance Portability and Accountability Act
HITECH – Health Information Technology for Economic and Clinical Health Act
MU – Meaningful Use

See Glossary in the last tabbed section for definitions.

IT Practice Consulting Corp., Pittsford, NY

ITPC COPYRIGHT NOTICE

For the Manual, generally: Copyright © 2013 ITPC

ITPC will permit limited copying of this Manual, or portions thereof, for the internal use of the purchaser or authorized user of the Manual. This Manual, however, may not be further copied or otherwise reproduced, redistributed or resold without the prior written consent of ITPC. All other rights are reserved. To request permission or obtain additional information, please contact ITPC at 866-985-7884 or HIPAA@itpc-.

This Manual has been prepared to provide the reader with accurate information on the topics covered in the Manual. The Manual is being provided with the understanding that ITPC is not engaged in rendering any legal or accounting advice through this manual. ITPC has made recommendations regarding referenced CMS or NIST standards for implementation. The privacy officer and managing physician or Board of Directors must sign off on all policies and procedures after verifying that they are consistent with the size and scope of their Organization, and must respond to all audit results. The toolkit and manual template do not constitute legal advice.

STATE LAW DISCLAIMER: This manual includes privacy protections in accordance with the national HIPAA Privacy Rule. The HIPAA Privacy Rule establishes a national minimum standard. If a state law provides greater privacy protections, the state law must be observed.

PRIVACY OFFICER JOB RESPONSIBILITIES

45 C.F.R. § 164.530(a).
A covered entity must designate a privacy officer responsible for developing and implementing its privacy policies and procedures, and a contact person or contact office responsible for receiving complaints and providing individuals with information on the covered entity’s privacy practices.

Privacy Officer Designate:
Appointed on: <date>
Privacy Officer Initials: ___________
Contact Person/Contact Office: __________

The Privacy Officer for this organization oversees all ongoing activities related to the development, implementation, maintenance of, and adherence to, the organization’s policies and procedures related to the privacy of patients’ protected health information (PHI), in compliance with federal and state laws and the organization’s privacy policies and procedures (the “Privacy Policy”).

Responsibilities:
- Take all reasonable efforts to assist the organization in maintaining the confidentiality, integrity, and availability of patients’ PHI.
- Maintain current knowledge of applicable federal and state privacy laws via consultation with IT Practice Consulting and legal counsel, as needed.
- Develop, oversee, and monitor implementation of the organization’s Privacy Policies and ensure that the integrity of the Privacy Policies is maintained at all times, so that persons may not make unauthorized edits to Privacy Policies.
- Report regularly to the organization’s governing body and officers and/or owners (as applicable) regarding the status of the privacy policies.
- Work with legal counsel, consultants, management, and committees to ensure that the organization maintains appropriate administrative materials in accordance with organization management and legal requirements.
- Establish and administer a process for receiving, documenting, tracking, investigating, and taking action on all complaints concerning the organization’s privacy policies and procedures, in coordination and collaboration with other similar functions and, when necessary, with legal counsel.
- Oversee, direct, deliver, or ensure the delivery of privacy training and orientation to all employees, volunteers, medical and professional staff, and other appropriate personnel (organization workforce).
- Monitor attendance at all privacy policies training sessions, evaluate participants’ comprehension of the information provided at training sessions, and maintain appropriate documentation of privacy training.
- Monitor organization compliance with privacy policies, including periodic privacy risk assessments.
- Monitor and evaluate, on no less than an annual basis, the effectiveness of the privacy policies in meeting the organization’s goal for protection of PHI.
- Coordinate and participate in disciplinary actions related to the failure of organization workforce members to comply with the organization’s Privacy Policies and/or applicable law.
- Monitor access controls to PHI. Maintain access to PHI only by authorized personnel.
- Monitor technological advancements related to electronic protected health information protection and privacy for consideration of adaptation by the organization.
- In concert with the organization’s officers or owners, coordinate and facilitate the allocation of appropriate resources for the support of and the effective implementation of the privacy policies.
- Initiate, facilitate, and promote activities to foster privacy information awareness within the organization.
- Cooperate with CMS, OCR and other regulatory agencies, in consultation with the organization’s legal counsel and organization officers or owners, in any compliance reviews or investigations.
- Act as point of contact for the organization’s legal counsel on an ongoing basis and in the event of a reported violation.
- Maintain all business associate contracts and respond appropriately if problems arise.
- Act as the organization-based point of contact for receiving, documenting, and tracking all complaints concerning privacy policies and procedures of the organization.
- Maintain documentation of the organization’s Privacy Policies and Procedures for a minimum of six years.

Approval:
Date of Approval:
Reviewed:
Date(s) of Review:

PRIVACY RULE

Patient Information Types

The Privacy Rule considers 18 items that could be used to identify a patient. They are:
1. Name
2. Any address specification such as street, city, county, precinct, and zip code*
3. All dates except for the year, including birthdate, admission date, discharge date, date of death, and all ages over 89
4. Telephone number
5. Fax number
6. Electronic mail address
7. Social Security number
8. Medical record number
9. Health plan beneficiary number
10. Account number maintained by the healthcare provider
11. Certificate or license number, such as driver’s license number
12. Vehicle identifier and serial number, including license plate number
13. Medical device identifier and serial number, such as pacemaker serial number
14. Web site address
15. Internet protocol (IP) address number
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and any comparable image, and
18. Any other unique identifying number, characteristic or code.

*The entire zip code must be removed if the geographic unit formed by combining all zip codes with the same three initial digits has a population of 20,000 or fewer people; otherwise only the last two digits must be removed.

De-Identified Data

IIHI is considered de-identified 1) if the 18 aforementioned items are removed from the information, or 2) if a statistician or similarly experienced person determines that there is a very small risk of re-identifying the information and he/she documents his/her findings.

Limited Data Set

A Limited Data Set is PHI that excludes specific, readily identifiable information about the individual patients as well as their relatives, employers and members of their households. Sixteen of the 18 aforementioned items must be removed from the limited data set. The items that can remain are date references [e.g., admission, discharge and service dates; date of death; age (including age 90 and over)] and any geographic subdivision (including town or city, state or five-digit zip codes), but excluding postal addresses.

TPO

TPO refers to the treatment, payment or healthcare operations of a practice.

T: Treatment means the provision, coordination or management of healthcare and related services by one or more healthcare providers, or the referral of a patient for healthcare from one provider to another.

P: Payment means the activities conducted by the practice to obtain reimbursement for healthcare services. This includes, among others, billing, claims management, collection activities, verification of insurance coverage, and precertification of services.

O: Healthcare Operations means activities related to your practice’s business and clinical management and administrative duties.
Some examples of these activities are quality assurance, quality improvement, case management, training programs, licensing, credentialing, certification, accreditation, compliance programs, business management and general administrative activities of the practice. Healthcare Operations is further defined to include all activities associated with the selling, merging, transferring or consolidation of medical practices and other covered entities.

Patient Requested Restrictions

Under certain circumstances, the Privacy Rule allows patients the right to request restriction(s) on uses or disclosures of their PHI for TPO. Patients must be informed of their rights to request such restriction(s) to their records; however, the provider is not required to agree to the restriction. If the provider agrees to a restriction(s), it must document the restriction(s) and must abide by the restriction(s) unless there is an emergency and the restricted PHI is necessary to provide emergency treatment. In an emergency, the healthcare provider providing treatment cannot disclose the restricted information beyond the emergency treatment situation.

A patient-requested restriction on PHI may be terminated by the practice if:
1) The patient agrees to or requests the termination in writing;
2) The patient orally agrees to such termination and the oral agreement is documented;
3) The practice informs the patient that it is terminating the restriction (such a termination is only effective against PHI created or received after the date of termination).

Confidentiality

In addition to patient-imposed restrictions on PHI, the practice must allow patients to request that communications regarding PHI be delivered by alternative means (e.g., picked up in person rather than mailed) or in alternative locations (e.g., different addresses). The practice must accommodate reasonable requests for such confidential communications. However, the practice may require the patient to make such a request in writing, and may condition the accommodation on information as to payment mechanisms, if any, and an alternative address or other contact method. The practice may not condition the confidential communication on receiving an explanation from the patient as to the basis for such a request.

Limitations of Use and Disclosure of PHI

The Privacy Rule limits the use and disclosure of a patient’s PHI. The Privacy Rule generally requires medical practices to take reasonable steps to limit the use or disclosure of PHI to the minimum necessary to accomplish the intended purpose.

Minimum Necessary Standard

The minimum necessary standard does not apply to the following uses and disclosures:
- A request by a healthcare provider to use and receive the information for treatment purposes, such as in the case where a patient has been referred to another provider for a consultation.
- Disclosure to the patient who is the subject of the information.
- When the patient has signed an authorization for the practice to release the PHI to a third party, such as an employer or life insurance company.
- Any disclosures that the Department of Health and Human Services (DHHS) requires under the Privacy Rule for enforcement purposes.
- Any uses or disclosures that are required by any other law, such as a police investigation.

Notice of Privacy Practices

Medical practices and other covered entities with direct treatment relationships must provide the patient with the Notice of Privacy Practices for PHI and use best efforts to obtain the patient’s written acknowledgment of receipt of the Notice.

A Notice of Privacy Practices is a document that health care providers and other covered entities must develop in order to inform patients about their rights surrounding the protection of their PHI.

If written acknowledgement of the receipt of the Notice of Privacy Practices is not obtained, then the practice must document its efforts to do so.

The practice may not deny medical treatment for failure to sign an acknowledgment of receipt of the Notice of Privacy Practices. The practice may use and disclose the patient’s PHI in accordance with the Privacy Rule and state law regardless of the patient’s refusal to sign an acknowledgment.

Use of PHI for TPO and Non-TPO Purposes

A practice may only use and disclose protected health information (“PHI”) without a written patient authorization, or as otherwise permitted or required by law, as follows:
- For its own treatment, payment and health care operations purposes;
- For the treatment activities of any health care provider;
- For the payment activities of another covered entity or any health care provider;
- For the health care operations activities of another covered entity if each entity either has or had a relationship with the individual who is the subject of the PHI, and (i) the purpose of the disclosure relates directly to certain limited types of health care operations (described below under “Permissible Disclosures to Another Covered Entity for Certain Health Care Operations”) and the PHI pertains to such relationship, or (ii) the purpose is healthcare fraud and abuse detection or compliance;
- For any health care operations activities of an organized healthcare arrangement in which the disclosing covered entity participates.

Permissible Disclosures to Another Covered Entity for Certain Health Care Operations

Practices may disclose PHI to other covered entities for that covered entity’s health care operations, to the extent that the patient has a relationship with the individual who is the subject of the PHI and under the following health care operations:
- quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities;
- population-based activities related to improving health or reducing health care costs, protocol development, case management, care coordination, contacting of health care providers and patients with information about treatment alternatives;
- related quality assessment functions that do not include treatment;
- review of the competence or qualifications of health care professionals;
- evaluation of practitioner and provider performance and health plan performance;
- training programs in which students, trainees or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers;
- training non-health care professionals;
- accreditation, certification and licensing activities; and
- credentialing activities.

Psychotherapy Notes Authorization

At a minimum, Psychotherapy Note Authorizations must:
- contain a specific expiration date that relates to the patient or the purpose of the use or disclosure (except for those authorizations related to research, which must state either an expiration date/event or that no such expiration date/event exists);
- name the person/entity authorized to make the requested use or disclosure (for example, the practice);
- name the person/entity authorized to receive the PHI from the medical practice;
- describe the PHI to be used or disclosed;
- include a description of each purpose of the use or disclosure;
- inform the patient of his/her right to revoke the Authorization, including exceptions to this right and a description of how to revoke the Authorization;
- warn the individual that additional disclosures may occur and that the PHI may no longer be protected by the Privacy Rule;
- include a statement that treatment may not be conditioned on receipt of the authorization or, under the circumstances where it can be conditioned, such as for research purposes, a statement about the consequences of refusing to sign the authorization;
- be signed by the patient or his/her personal representative;
- if signed by a personal representative, include a description of his/her authority to act for the individual.

Marketing

The activities listed below are not defined as marketing activities and therefore do not need an authorization:
- The use of a patient’s PHI to further that patient’s particular treatment. For example, a physician’s recommendation of a specific name brand pharmaceutical or over-the-counter pharmaceutical, or a referral of that patient to another provider, is not considered “marketing” under the Privacy Rule.
- The use of a patient’s PHI in the course of managing or coordinating that individual’s treatment or recommending alternative treatment, therapy, providers or settings. For example, reminder notices for appointments, annual exams or prescription refills are not marketing.
- The use of a patient’s PHI in describing if and whether a product or service, or payment for the same, is covered by the patient’s benefit plan or otherwise payable by a Covered Entity is not marketing.
- A marketing communication that is face-to-face with the patient. For example, if the provider is providing sample products to the patient during an office visit.
- A marketing communication that involves the provision of products or services of nominal value, such as pens or toothbrushes with the practice name on them.

Personal Representative

A person is a “personal representative” of a living individual if, under applicable law, the person has the authority to act on behalf of an individual in making decisions related to healthcare (e.g., guardians, persons with power of attorney, etc.).

Decedents

The difference in the case of a decedent is that the decedent cannot authorize that PHI be disclosed, whereas a living individual may do so.
State law will determine who the personal representative of a decedent is.

Minors

HIPAA defers to all state laws regarding the disclosure of minors’ health information to a parent, whether that law provides greater or lesser protection to the individual.

Approval:
Date of Approval:
Reviewed:
Date(s) of Review:

POLICIES AND PROCEDURES

Privacy Policy

It is the policy of our practice that all physicians and staff preserve the integrity and the confidentiality of protected health information (“PHI”) pertaining to our patients. The purpose of this policy is to ensure that our practice and its physicians and staff have the necessary medical information and PHI to provide the highest quality medical care possible while protecting the confidentiality of the PHI of our patients to the highest degree possible. Patients should not be afraid to provide information to our practice and its physicians and staff for purposes of treatment, payment and healthcare operations (“TPO”). To that end, our practice and its physicians and staff will:
- Adhere to the standards set forth in the Notice of Privacy Practices.
- Collect, use and disclose PHI only in conformance with state and federal laws and current patient covenants and/or authorizations, as appropriate. Our practice, its physicians and staff will not use or disclose PHI for uses outside of the practice’s TPO, such as marketing, employment, life insurance applications, etc., without an authorization from the patient.
- Use and disclose PHI to remind patients of their appointments unless they instruct us not to.
- Recognize that PHI collected about patients must be accurate, timely, complete, and available when needed. Our practice and its physicians and staff will implement reasonable measures to protect the integrity of all PHI maintained.
- Recognize that patients have a right to privacy. Our practice, its physicians and staff respect the patient’s individual dignity at all times.
Our practice, its physicians and staff will respect patients’ privacy to the extent consistent with providing the highest quality medical care possible and with the efficient administration of the facility.
- Act as responsible information stewards and treat all PHI as sensitive and confidential. Consequently, our practice, its physicians and staff will:
  - Treat all PHI as confidential in accordance with professional ethics; and
  - Not disclose PHI unless the patient (or his or her authorized representative) has properly authorized the release or the release is otherwise authorized by law.
- Recognize that, although our practice “owns” the medical record, the patient has a right to inspect and obtain a copy of his/her PHI. In addition, patients have a right to request an amendment to his/her medical record if he/she believes his/her information is inaccurate or incomplete. Our practice and its physicians and staff will:
  - Permit patients access to their medical records when their written requests are approved by our practice. If we deny their request, then we must inform the patients that they may request a review of our denial. In such cases, we will have an on-site healthcare professional review the patients’ appeals.
  - Provide patients an opportunity to request the correction of inaccurate or incomplete PHI in their medical records in accordance with the law and professional standards.

All physicians and staff of our practice will maintain in the patient chart a list of certain disclosures of PHI for purposes other than TPO for each patient, and of those made pursuant to an authorization, as required by HIPAA rules.
We will provide this list to patients upon request, so long as their requests are in writing. All physicians and staff of our practice will adhere to any restrictions concerning the use or disclosure of PHI that patients have requested and that have been approved by our organization.
All physicians and staff of our practice must adhere to this policy. Our practice will not tolerate violations of this policy. Violation of this policy is grounds for disciplinary action, up to and including termination of employment, and for criminal or professional sanctions, in accordance with our practice's personnel rules and regulations.
Our practice may change this privacy policy in the future. Any changes will be effective upon the release of a revised privacy policy and will be made available to patients upon request.
Approval:
Date of Approval:
Reviewed:
Date(s) of Review:

Illustrations of Situations Requiring/Not Requiring Authorization
Under the HIPAA Privacy Rule, our practice must obtain patient authorization if it wants to use or disclose PHI for non-TPO purposes, for example:
- To disclose PHI about a patient to a third party (e.g., a life insurance underwriter).
- To market a product or service, unless the marketing communication is face-to-face with the patient or consists of a promotional gift of nominal value.
- To raise funds for any entity [other than your practice].
- For research [unless your practice has a waiver of authorization approved by an Institutional Review Board (IRB) for the use and disclosure of PHI, or uses only de-identified information].
- To use or disclose psychotherapy notes, unless the use or disclosure is required for:
  - legal mandates, including uses or disclosures required by law for law enforcement purposes
  - oversight of the provider who created the notes
  - a coroner or medical examiner
  - avoidance of a serious and imminent threat to health or safety
Under the HIPAA Privacy Rule, our practice does not have to obtain patient authorization to disclose PHI:
- For treatment, payment and healthcare operations purposes;
- To a provider who has an indirect treatment relationship with the patient;
- To a health oversight agency with respect to audits; civil, administrative and/or criminal investigations, proceedings or actions; inspections; or licensure or disciplinary actions;
- In response to a court order, court-ordered warrant, subpoena or summons;
- To law enforcement for the purpose of identifying or locating a suspect, fugitive, material witness or missing person (e.g., disclosing a deceased individual's PHI if suspicion persists that death may have resulted from criminal conduct);
- To organ procurement organizations or other entities engaged in the procurement, banking or transplantation of cadaveric organs, eyes or tissue for donation and transplantation;
- As required by law for public health activities and the prevention or control of disease, injury or disability, including but not limited to communicable diseases and product defects or problems (e.g., with food and dietary supplements, and product labeling issues);
- As required by law, to social or protective services with respect to victims of abuse, neglect or domestic violence;
- PHI of Armed Forces personnel, for activities deemed necessary to assure proper execution of the military mission;
- To authorized federal officials for the conduct of lawful intelligence or counter-intelligence activities as authorized by the National Security Act;
- To authorized federal officials for the protection of the President of the United States, foreign heads of state or other authorized persons;
- To the United States Department of State as it relates to obtaining security clearance, service abroad and other provisions of the Foreign Service Act;
- To correctional institutions or law enforcement as it relates to inmates' healthcare or the health and safety of individuals treating and transferring inmates;
- To a person who may have been exposed to a communicable disease, if the practice is authorized by law to notify such persons in the conduct of a public health intervention or investigation;
- To an employer, if the practice provides healthcare to the patient at the request of the employer, to conduct an evaluation relating to medical surveillance of the workplace or to evaluate whether the individual has a work-related illness or injury;
- To an auto insurance company or workers' compensation carrier when they are responsible for payment for the practice's services.
The following exchanges of PHI are not treated as a sale of PHI and therefore do not require the authorization that a sale of PHI would:
- Where the exchange of PHI is for public health activities;
- Where the exchange of PHI is for research purposes;
- Where the exchange of PHI is for the sale, transfer, merger or consolidation of all or part of a Covered Entity, and for related due diligence;
- Where the exchange of PHI is for services rendered by a Business Associate pursuant to a Business Associate contract and at the specific request of the Covered Entity;
- Where the exchange of PHI is to provide an individual with access to his/her PHI;
- Where the exchange of PHI is for any other purpose that the Secretary deems necessary and appropriate.
Approval:
Date of Approval:
Reviewed:
Date(s) of Review:

Immunization Consent Policy
Privacy Rule § 164.512(b)(1)(vi) permits a covered entity to disclose proof of immunization to a school where State or other law requires the school to have such information prior to admitting the student.
Privacy Rule § 164.512(a) permits a covered entity to use or disclose protected health information to the extent that such use or disclosure is required by law, and the use or disclosure complies with and is limited to the relevant requirements of such law.
Privacy Rule § 164.512(b) permits a covered entity to disclose protected health information for public health activities.
Privacy Rule § 164.514(d)(3)(iii)(A) provides that a covered entity, when making a permitted disclosure pursuant to § 164.512 to a public official, may determine, if such a determination is reasonable under the circumstances, that information requested by the public official is the minimum necessary information for the stated purpose, if the public official represents that the information requested is the minimum necessary
for the stated purpose(s).
Policy
The organization will obtain agreement before disclosing proof of immunization to a school; a signed HIPAA authorization is not required. The agreement may be oral, and may come from a parent, guardian or other person acting in loco parentis for the individual, or from the individual himself or herself if the individual is an adult or emancipated minor. Permitting oral agreement relieves the burden on parents, schools and covered entities and facilitates the role that schools play in public health, while still giving parents the opportunity to consider whether to agree to the disclosure. Disclosure is limited to proof of immunization, and the school must be required by State or other law to have such proof.
The organization will document the agreement obtained under this provision, and the documentation must make clear that agreement was obtained. Acceptable documentation of a parent's request to disclose his or her child's immunization records to the child's school includes:
- A retained copy of the parent's written request
- A retained copy of the parent's email request
- A notation in the child's medical record following a parent's phone call
A mere request by a school to a health care provider for the immunization records of a student is not sufficient to permit disclosure under this provision.
Mandated Immunization Disclosures
The Privacy Rule does not prohibit immunization disclosures that are mandated by State law, nor does it require authorization for such disclosures. State laws that require covered entities to disclose immunization records to schools while allowing parents to opt out are likewise not prohibited by the Privacy Rule. Disclosures of protected health information to State immunization registries are permitted by the Privacy Rule and also do not require authorization.
A covered entity, when making a permitted disclosure pursuant to § 164.512 to a public official, may determine, if such a determination is reasonable under the circumstances, that the information requested by the public official is the minimum necessary for the stated purpose(s), if the public official represents that it is. Under this provision, a covered entity may rely on State law or a State official's determination of the minimum necessary information required for proof of immunization, unless that determination is unreasonable.
Approval:
Date of Approval:
Reviewed:
Date(s) of Review:

Sample Immunization Consent Agreement
Date: ______________________________________
I hereby consent, as the legal guardian of _______________________________, and authorize _________________________ to release a copy of said child's immunization records to the following individual or office:
Name: ___________________________________________
Address: ___________________________________________
___________________________________________
Fax Number: ___________________________________________
Phone Number: ___________________________________________

Privacy Procedures – Patient
Privacy Policy: Our practice recognizes and respects the fact that the patient has a right to inspect and obtain a copy of his/her Protected Health Information (PHI).
Privacy Procedures to accomplish this Privacy Policy
The Privacy Officer will provide the front office staff with an original form (the form to Inspect and Copy PHI) for patients to complete when they wish to inspect or copy their PHI. The front office staff will photocopy the form and make it available to patients, or print one out upon request, and will respond to patients' requests and questions concerning inspecting and copying their PHI.
In addition, the front office staff will distribute the form to patients upon request. Once the patient completes the form, the front office staff should forward it to the Privacy Officer for review.
Once the patient has submitted his/her request in writing, the front office staff must verify that the patient's signature matches the signature on file. Because a written request has several required elements, use of the practice's form is optional only if the patient's own written request contains all of those elements.
The Privacy Officer must review the patient's request and respond to the patient within 30 days from the date of the request. The Privacy Officer may extend this deadline once, by up to 30 days, provided the patient is notified in writing within the initial 30-day period of the reason for the delay and the expected date by which we will complete action on the request.
The Privacy Officer should agree to all reasonable requests. If access is denied, the Privacy Officer must provide the patient with a written explanation of the denial and a description of the patient's right to have the denial reviewed.
When the patient has requested to inspect his/her PHI and the request has been accepted, the Privacy Officer or another authorized practice representative should accompany the patient to a private area to inspect the records and remain with the patient during the inspection. After the inspection, the Privacy Officer will note in the record the date and time of the inspection and whether the patient requested any amendments or changes to the record.
When the patient's request to copy his/her PHI has been accepted, the front office staff should copy the record within 7 business days at a reasonable charge that adheres to state law charge limitations. Maximum allowable copying charges vary from state to state.
The charge must still be "reasonable" even if a higher charge is allowed under state law.
Approval:
Date of Approval:
Reviewed:
Date(s) of Review:

Patient Requests for Electronic Copy of EPHI Policy
Section 13405(e) of the HITECH Act requires that when an individual requests a restriction on disclosure pursuant to § 164.522, the covered entity must agree to the requested restriction (unless the disclosure is otherwise required by law) if the restriction is on disclosures of protected health information to a health plan for the purpose of carrying out payment or health care operations, and the restriction applies to protected health information that pertains solely to a health care item or service for which the health care provider has been paid out of pocket in full.
§ 164.524(c)(2), and specifically § 164.524(c)(2)(ii), require that if an individual requests an electronic copy of protected health information that is maintained electronically in one or more designated record sets, the covered entity must provide the individual with access to the electronic information in the electronic form and format requested by the individual, if it is readily producible, or, if not, in a readable electronic form and format agreed to by the covered entity and the individual.
§ 164.524(c)(3): If requested by an individual, a covered entity must transmit the copy of protected health information directly to another person designated by the individual.
§ 164.524(c)(4) permits a covered entity to impose a reasonable, cost-based fee for a copy of protected health information (or a summary or explanation of such information).
Such a fee may only include the cost of: (1) the supplies for, and labor of, copying the protected health information; (2) the postage associated with mailing the protected health information, if applicable; and (3) the preparation of an explanation or summary of the protected health information, if agreed to by the individual.
§ 164.524(c)(4)(i) includes the labor for copying protected health information, whether in paper or electronic form, as one factor that may be included in a reasonable cost-based fee. Section 13405(e)(2) of the HITECH Act provides that a covered entity may not charge more than its labor costs in responding to a request for an electronic copy.
§ 164.524(b)(2)(iii) permits a covered entity a one-time extension of 30 days to respond to the individual's request (with written notice to the individual of the reasons for the delay and the expected date by which the entity will complete action on the request).
Implementation Specification: Required
Risk Level: low
Financial Impact: n/a
Providing Electronic Information to an Individual in Electronic Form
The Organization will provide the record in the form and format requested by the patient, if it is readily producible in that form; otherwise the Organization will provide a readable electronic copy in a format currently available on its systems (for example, PDF) to which the Organization and the patient have mutually agreed. If the individual declines every electronic format that the Organization can readily produce, the Organization will offer a hard copy to fulfill the access request.
Transmitting a Copy of Protected Health Information to Another Designated Person
If requested by an individual, the Organization will transmit the copy of protected health information directly to another person designated by the individual. When an individual directs the Organization to send the copy to another designated person, the request must be made in writing, signed by the individual, and must clearly identify the designated person and where to send the copy. If the Organization requires all access requests to be in writing, the third-party recipient information and the individual's signature can be included in the same written request; no additional or separate written request is required.
Requests for Restrictions on a Health Care Item or Service Paid Out of Pocket
The Organization will flag or make a notation in the record identifying the protected health information that has been restricted, to ensure that such information is not inadvertently sent to or made accessible to the health plan for payment or health care operations purposes, such as audits by the health plan. The Organization will apply its minimum necessary policies and procedures, which limit the protected health information disclosed to a health plan to the amount reasonably necessary to achieve the purpose of the disclosure.
If the Organization is required by law to submit protected health information to a Federal health plan, it may continue to do so as necessary to comply with that legal mandate.
Cost-Based Fee
A reasonable, cost-based fee for a copy of protected health information (or a summary or explanation of such information) may include: the supplies for, and the labor of, copying the protected health information, whether in paper or electronic form; the postage associated with mailing the protected health information, if applicable; and the preparation of an explanation or summary of the protected health information, if agreed to by the individual.
Fee: ________________
Timeframe to Honor Requests for Electronic Copies of EPHI
- The Organization has 30 days to provide access.
- The Organization will provide the access requested by the individual in a timely manner, which includes arranging with the individual a convenient time and place to inspect or obtain a copy of the protected health information.
- The Organization may take a one-time extension of 30 days to respond to the individual's request (with written notice to the individual of the reasons for the delay and the expected date by which the Organization will complete action on the request).
Procedures: See Vendor Specific Section
Approval:
Date of Approval:
Reviewed:
Date(s) of Review:

Facilities Policy and Procedures
§164.310(a)(2)(ii): Facility access controls – Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
§164.310(a)(2)(iv): Facility access controls – Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).
Policy: The Organization recognizes the importance of physical security in preventing unauthorized access to PHI and has developed the following policies and procedures.
Inspections: It is the Organization's policy to conduct routine physical inspections of the facilities. Each outside access point, and each access point not directly under visual observation, has appropriate physical safeguards. Inspection, repair and maintenance records are maintained in the facilities log.
Doors: <Deadbolts>. Keys are assigned and distributed by the Privacy Officer.
Windows: Note whether accessible.
Alarm System: Note building/office space covered.
Physical Charts:
- Stored separately and not visible to patients
- Tracking mechanism for chart location
- Security of charts when transported: <>
- Destruction of charts
Workstations (if applicable): The physical location of each workstation is documented in the hardware log.
- Visible at all times: password protected; log off after inactivity or when stepping away from the location.
- NOT visible at all times: the area where the computer is located has physical access restrictions as specified; these may include observed entry points and/or locked entry points. The hardware is password protected, with automatic log-off when not in use.
Front Office / Check-In
- Patient sign-in sheets: collect the minimum necessary information.
- Demographics and insurance verification: <how done________>
Verbal Discussions
- Held in protected areas?
- When calling patients back?
- Dictating areas: private
- Exam room doors: closed
- Telephone discussions: private areas; confirm that the person on the other end of the phone is who they claim to be by having them provide a unique identifier on file.
Printed Materials or Computer Monitor Screens: none should be accessible to unauthorized persons, including:
- Schedules
- Lab logs
- X-ray logs
Privacy Notices
- Physically posted
- Copies available
- Posted on the covered entity's website, if the covered entity maintains a website
Fax
- Located in a private area
- Confirm the recipient's fax number before sending
Approval:
Date of Approval:
Reviewed:
Date(s) of Review:

Data Breach Policy and Procedures
For covered entities and their business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Sec. 13402 of HITECH); 45 CFR 160 and 164: Breach Notification for Unsecured Protected Health Information
Section 13402 of the HITECH Act requires HIPAA covered entities to provide notification to affected individuals and to the Secretary of HHS following the discovery of a breach of unsecured protected health information.
Section 13402(b) of the HITECH Act requires a business associate of a covered entity that accesses, maintains, retains, modifies, records, destroys, or otherwise holds, uses, or discloses unsecured protected health information to notify the covered entity when it discovers a breach of such information.
Section 13402(d) of the Act and the implementing regulations at § 164.404(b) require covered entities to notify individuals of a breach without unreasonable delay, but in no case later than 60 calendar days from the discovery of the breach, except in certain circumstances where law enforcement has requested a delay.
Section 13402(e)(1) of the HITECH Act provides for both actual written notice to affected individuals and substitute notice to affected individuals if contact information is insufficient or out of date.
Section 13402(e)(1)(B) of the HITECH Act expressly requires that a covered entity that has insufficient or out-of-date contact information for 10 or more individuals provide substitute notification to such individuals via posting on its website or notification in major print or broadcast media in the areas in which the affected individuals likely reside.
Section 13402(e)(2) of the HITECH Act, implemented at § 164.406, requires that a covered entity provide notice of a breach to prominent media outlets serving a State or jurisdiction, following the discovery of a breach, if the unsecured protected health information of more than 500 residents of such State or jurisdiction is, or is reasonably believed to have been, accessed, acquired, or disclosed during such breach.
This media notice is in addition to, not a substitute for, individual notice.
Section 13402(e)(3) of the HITECH Act requires covered entities to notify the Secretary of breaches of unsecured protected health information. The Act requires covered entities to report breaches affecting 500 or more individuals to the Secretary immediately. For breaches affecting fewer than 500 individuals, covered entities may maintain a log of all such breaches occurring during the year and annually submit that log to the Secretary.
§ 164.404(a)(2) provides that a breach shall be treated as discovered by a covered entity on the first day the breach is known to the covered entity or, by exercising reasonable diligence, would have been known to the covered entity. A covered entity is deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or agent of the covered entity.
§ 164.404(c) incorporates the statutory elements to be included in the notices.
§ 164.406(b) requires covered entities to notify prominent media outlets without unreasonable delay and in no case later than 60 calendar days after discovery of the breach.
§ 164.406(c) requires that notification to the media include the same information required to be included in the notification to the individual under § 164.404(c).
§ 164.410(b) requires that a business associate provide notice of a breach of unsecured protected health information to a covered entity without unreasonable delay and in no case later than 60 days following the discovery of the breach.
§ 164.410(c)(1) requires business associates, to the extent possible, to provide covered entities with the identity of each individual whose unsecured protected health information has been, or is reasonably believed to have been, breached.
§ 164.412(a), based on the requirements of 45 CFR 164.528(a)(2)(i) of the Privacy Rule, provides for a temporary delay of notification in situations in which a law enforcement official provides a statement in writing that the delay is necessary because notification would impede a criminal investigation or cause damage to national security, and specifies the time for which a delay is required.
§ 164.414: Covered entities and business associates have the burden of proof to demonstrate that all notifications were provided, or that an impermissible use or disclosure did not constitute a breach, and must maintain documentation to that effect.
§ 164.414(a) requires covered entities to comply with the administrative requirements of § 164.530(b), (d), (e), (g), (h), (i), and (j) of the Privacy Rule with respect to the breach notification provisions of this subpart.
§ 164.530(j)(1)(iv) requires covered entities to maintain documentation sufficient to meet the burden of proof.
Policy: All privacy incidents are to be reported to the Privacy Officer and are to be evaluated by the Privacy Officer. A data breach may require notification to affected individuals and to the Department of Health and Human Services (HHS), as well as to the media.
The Organization will perform an analysis to determine whether notification is necessary. A risk assessment is to be performed following every impermissible use or disclosure of PHI that does not fall within one of the enumerated exceptions to the definition of breach.
Risk Assessment and Analysis
A breach is the impermissible acquisition, access, use or disclosure of "unsecured" PHI that compromises the security or privacy of the PHI.
Note: The analysis must also take into account applicable State identity theft and/or data breach notification laws, which may impose notification requirements regardless of whether notice is required under the federal Breach Notification Rule.
Risk factors to consider:
1. The nature and extent of the protected health information involved
- What types of identifiers were exposed?
- What is the likelihood of re-identification of the information? Determine the probability that the PHI could be re-identified based on the context and on the ability to link the information with other available information.
- How sensitive is the PHI (e.g., communicable disease)?
2. Who impermissibly used the protected health information, or to whom it was disclosed
- Does the unauthorized person who received the information have obligations to protect the privacy and security of the information?
- If the information impermissibly used or disclosed is not immediately identifiable, does the unauthorized recipient have the ability to re-identify it?
3. Whether the protected health information was actually acquired or viewed, or whether only the opportunity existed for it to be acquired or viewed
- Was the PHI ever viewed?
4. The extent to which the risk to the protected health information has been mitigated
- Has the Organization attempted to mitigate the risk following the impermissible use or disclosure, for example by obtaining the recipient's satisfactory written assurances that the information will not be further used or disclosed, or will be destroyed?
- Has the Organization considered the extent and efficacy of the mitigation when determining the probability that the PHI has been compromised?
Risk assessments will be thorough, completed in good faith, and will reach reasonable conclusions. If the evaluation of the factors above fails to demonstrate that there is a low probability that the protected health information has been compromised, breach notification is required.
If the protected health information was encrypted in accordance with the Breach Notification Rule and HHS guidance, it is not "unsecured" PHI, and no breach notification is required following an impermissible use or disclosure of that information.
Data Breach Exceptions:
1. A workforce member, or a person acting under the authority of the covered entity or business associate, unintentionally acquires, accesses or uses PHI in good faith and within the scope of his or her authority, and the acquisition, access or use does not result in further use or disclosure in a manner not permitted under the Privacy Rule.
2. An authorized person inadvertently discloses PHI to another authorized person within the Organization, its business associate or an OHCA, and there is no further use or disclosure not permitted under the Privacy Rule.
3. The Organization discloses PHI to an unauthorized recipient and has a good faith belief that the recipient would not reasonably have been able to retain the PHI.
If the risk assessment determines that a breach occurred, notice of the breach is required and shall be given as follows:
Notice To: Every affected individual will be notified in writing by first-class mail at the last known address of the individual (or of the next of kin, if the individual is deceased), or by email if the individual has specified email in advance as the preferred method of notice.
- Current patients, if affected, will be notified.
- Former patients or their representatives, if affected, will be notified, even if the patient is deceased, a minor or incompetent.
The media will be notified:
- Only if the unsecured PHI of more than 500 residents of a State or jurisdiction was involved, via prominent media outlets (electronic and/or print) serving the affected area, without unreasonable delay and no later than 60 days after discovery.
- The notification, which may be in the form of a press release, must be provided directly to prominent media outlets serving the State or jurisdiction where the affected individuals reside.
- Media notice is in addition to, not a substitute for, individual notice.
The Department of Health and Human Services (HHS) will be notified:
- If 500 or more individuals were affected, HHS will be notified contemporaneously with the individual notices and in no case later than 60 days after discovery.
- If fewer than 500 individuals were affected, the breach will be included in the Annual Electronic Report submitted to HHS not later than 60 days after the end of the calendar year in which the breach was "discovered" (not the year in which it "occurred").
- All logs will be maintained for 6 years (see the Burden of Proof section).
- The Organization will use the HHS website for the form and instructions.
Timing of Notice: promptly, without unreasonable delay. The time period for breach notification begins when the incident is first known, not when the investigation of the incident is complete, even if it is initially unclear whether the incident constitutes a breach as defined in the rule. A covered entity is expected to make the individual notifications as soon as reasonably possible after taking a reasonable time to investigate the circumstances surrounding the breach in order to collect and develop the information required to be included in the notice to the individual.
- Notify individuals of a breach without unreasonable delay, and in no case later than 60 calendar days from discovery of the breach.
- Discovery: the breach is treated as discovered by the covered entity on the first day a workforce member or other agent (other than the person committing the breach) knows of it or, by exercising reasonable diligence, would have known of it.
  - Workforce members and agents: knowledge is imputed to the Organization.
  - Business associate: knowledge is imputed to the Organization only if the business associate is acting as the Organization's agent.
- The 60 days is an outer limit; in some cases it may be an "unreasonable delay" to wait until the 60th day to provide notification.
When? Time frames in special cases
- The Organization may choose to give earlier notice if it expects an imminent issue; an alternative warning may also be used.
- Law enforcement may delay notification if notification would impede a criminal investigation or damage national security. If the official's statement is in writing and specifies the period of delay, notification is delayed for that period. If the statement is oral, the Organization must document the statement and the identity of the official, and may delay notification for no longer than 30 days from the oral statement unless a written statement is received during that time.
What?
Breach notices must be written in plain language so that individuals can understand them easily: written at an appropriate reading level, using clear language and syntax, and without extraneous material that might diminish the message the notice is trying to convey.
The breach notice will include:
- A brief description of what happened, including the date of the breach and the date of discovery of the breach, if known;
- A description of the types of unsecured PHI that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code or other types of information were involved); the notice describes the types of information involved, not the actual data values;
- Any steps individuals should take to protect themselves from potential harm resulting from the breach;
- A brief description of what the covered entity is doing to investigate the breach, mitigate the harm to individuals, and protect against further breaches;
- Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an email address, a website, or a postal address.
To the extent that the Organization has obligations under other laws with respect to communication with affected individuals, the Organization will take the necessary steps to ensure effective communication with individuals with disabilities and/or limited English proficiency.
How?
- Written notice by first-class mail is required, or by email if the individual has specified email in advance as the preferred method.
- If contact information is insufficient or out of date for 10 or more individuals, substitute notice is required, by either a conspicuous posting on the home page of the covered entity's website or notice in major print or broadcast media in the geographic areas where the affected individuals likely reside. Either form of substitute notice for 10 or more individuals must include a toll-free telephone number, active for at least 90 days, where an individual can learn whether his/her unsecured PHI may have been included in the breach.
- In urgent situations involving possible imminent misuse of unsecured PHI, the Organization may additionally contact individuals by telephone or other means; this is in addition to, not in place of, written notice by mail or email.
Obligation of Notification
The covered entity has the final obligation for breach notification regardless of whether the breach was committed by the covered entity or by a business associate.
The covered entity may delegate the breach notification to a business associate; the business associate agreement should specify that the business associate will do so in full compliance with the Data Breach Notification Rule and applicable State law. Business associates and covered entities have the flexibility to set forth specific obligations for each party, such as:
- who will provide notice to individuals;
- when the notification from the business associate to the covered entity will be required (the timeframe for the business associate to notify the covered entity must provide sufficient time for the covered entity to meet any notice obligation within its required timeframe).
All required notifications must be provided and all requirements of the Data Breach Notification Rule must be met.

Notification by a Business Associate
- Business associates must provide breach notification to covered entities without unreasonable delay, as specified in the business associate agreement and in sufficient time for the covered entity to be able to meet its 60-day notice requirement.
- Business associates must provide covered entities with the identity of each individual whose unsecured protected health information has, or is reasonably believed to have been, affected by the breach.
- A business associate is required to notify the covered entity of the breach of unsecured protected health information so that the covered entity can notify affected individuals.
- A breach shall be treated as discovered by a business associate as of the first day on which such breach is known to the business associate or, by exercising reasonable diligence, would have been known to the business associate.
- Business associates must, to the extent possible, provide covered entities with the identity of each individual whose unsecured protected health information has been, or is reasonably believed to have been, breached.
- Business associates could provide the covered entity with immediate notification of the breach and then follow up with the required information when available, but without unreasonable delay and within 60 days.
- Business associates must provide this information even if it becomes available after notifications have been sent to affected individuals or after the 60-day period has elapsed.
- Business associates and covered entities have the flexibility to set forth specific obligations for each party, such as who will provide notice to individuals and when the notification from the business associate to the covered entity will be required following a breach of unsecured protected health information, so long as all required notifications are provided and the other requirements of the final rule are met.
- Parties should consider which entity is in the best position to provide notice to the individual, which may depend on circumstances such as the functions the business associate performs on behalf of the covered entity and which entity has the relationship with the individual.
- Parties should ensure that the individual does not receive notifications from both the covered entity and the business associate about the same breach, which may be confusing to the individual.

Burden of Proof
All workforce members must be appropriately trained and knowledgeable about what constitutes a breach and about the policies and procedures for reporting, analyzing, and documenting a possible breach of unsecured protected health information.

Covered entities must maintain documentation to meet the burden of proof. This includes documentation that all required notifications have been provided, or that no breach occurred and notification was not necessary. If a covered entity’s determination with respect to whether a breach occurred is called into question, the covered entity should produce the documentation that demonstrates the reasonableness of its conclusions based on the findings of its risk assessment.

When a covered entity or business associate knows of an impermissible use or disclosure of protected health information, it should maintain documentation that all required notifications were made or, alternatively, documentation demonstrating that notification was not required: (1) its risk assessment demonstrating a low probability that the protected health information has been compromised by the impermissible use or disclosure, or (2) the application of any other exception to the definition of “breach.”

Approval: ______________________ Date of Approval: ____________
Reviewed: ______________________ Date(s) of Review: ____________

Training Policy
Implementation Specification: Addressable
Risk Level: Medium
Financial Impact: minimum of the salary rate for the time spent training per employee

Training is conducted within one week of the date the member joins the organization and is reviewed annually. Privacy updates are distributed to the members via written notice for any changes or updates to the Privacy Policy that occur between annual reviews.
Training conducted by: The Privacy Officer
Attendees include those persons on the Training Documentation Form.

Training included (check next to each action item to indicate training completion):
[ ] Introduction to HIPAA and the Privacy Rule
[ ] Introduction for Privacy Officer and Overview of Privacy Officer Responsibilities
[ ] Explanation of Workforce Confidentiality Agreements
[ ] Overview of Practice’s Privacy Policies and Procedures
[ ] Overview of Practice’s Notice of Privacy Practices
[ ] Explanation of Privacy Forms:
    [ ] Patient Authorization Form
    [ ] Form Requesting Restriction on Uses and Disclosures of PHI
    [ ] Form to Inspect and Copy PHI and to Implement Access Denial
    [ ] Form to Amend PHI
    [ ] Form to Receive Accounting of Disclosures of PHI
    [ ] Patient Complaint Form
[ ] Explanation of Who Can Disclose PHI
[ ] Discussion of Job Responsibilities as They Relate to PHI
[ ] Explanation of Minimum Necessary Standard

Approval: ______________________ Date of Approval: ____________
Reviewed: ______________________ Date(s) of Review: ____________

Workforce Confidentiality Agreement
NOTE: THIS AGREEMENT MUST COMPLY WITH APPLICABLE STATE LAW

I understand that THE ORGANIZATION has a legal and ethical responsibility to maintain patient privacy, including obligations to protect the confidentiality of patient information and to safeguard the privacy of patient information of any Organization we work with.
I understand that THE ORGANIZATION has a legal and ethical responsibility to maintain the confidentiality, integrity, and accessibility of protected health information of each Organization we work with, whether such information is maintained in hard copy or electronic format.

In addition, I understand that during the course of my relationship with THE ORGANIZATION, I may see or hear other confidential information, such as business and financial data and operational information pertaining to an Organization we work with, that THE ORGANIZATION is obligated to maintain as confidential.

In addition, I understand that during the course of my relationship with THE ORGANIZATION, I may see or hear other confidential information of THE ORGANIZATION, such as business and financial data and operational information that must remain confidential. THE ORGANIZATION confidential information includes, but is not limited to, client and vendor names and contact information, project names, business and operational techniques, processes and know-how, as well as specific product, service and customer development information.

In addition, I understand that during the course of my relationship with THE ORGANIZATION, I may have access to databases or other client information that is confidential, including names, addresses and contact information. I may not reproduce these databases or copy them in any way. I may not keep this information on any personal computers or storage media. Any ORGANIZATION related phone numbers on personal cell phones must be labeled as an ORGANIZATION contact.
As a condition of my relationship with THE ORGANIZATION, I understand that I must sign and comply with this agreement.

By signing this document I understand and agree that:
- I will use and disclose Patient Information and/or confidential information only if such disclosure complies with THE ORGANIZATION policies and only to the extent such use or disclosure is required for the performance of my job.
- My personal access code(s), user ID(s), access key(s), and password(s) used to access computer systems or other equipment are to be kept confidential at all times.
- I will not access or view any information other than that which is required for me to do my work with THE ORGANIZATION. If I have any question about whether access to certain information is required for me to do my work with THE ORGANIZATION, I will immediately ask for clarification.
- I will not discuss any information pertaining to an organization or its patients in an area where unauthorized individuals may hear such information (for example, in hallways, on public transportation, at restaurants, at social events, or with my family members). I understand that it is not acceptable to discuss any organizational information in public areas even if specifics such as a patient’s name are not used.
- I will not make inquiries about any ORGANIZATIONAL information for any individual or party who does not have proper authorization to access such information.
- I will not make any unauthorized transmissions, copies, disclosures, inquiries, modifications, or purging of patient information or confidential information (in any form or media). Such unauthorized transmissions include, but are not limited to, removing and/or transferring patient information or confidential information from THE ORGANIZATION’s computer system to unauthorized locations.
- I will not make any unauthorized transmissions, copies, disclosures, inquiries, modifications, or purging of client information, vendor information or ORGANIZATION written or cloud materials. Such unauthorized transmissions include, but are not limited to, removing and/or transferring (in any form or media) client information or ORGANIZATION written or cloud materials or information from THE ORGANIZATION’s domain to unauthorized locations such as a personal computer hard drive, an external hard drive, or other storage media.

- OPTIONAL AND SUBJECT TO STATE LAW: During the period of my relationship with THE ORGANIZATION, and for twenty-four (24) months thereafter, I will not, for myself or on behalf of any other person or entity, in any way compete with the business then done or intended to be done by THE ORGANIZATION, including calling upon any customer of THE ORGANIZATION for the purpose of soliciting or providing to such customer any products or services which are the same as or similar to those provided or intended to be provided by THE ORGANIZATION. Customers of THE ORGANIZATION shall include customers of THE ORGANIZATION existing upon the termination of my working relationship with THE ORGANIZATION, all former customers of THE ORGANIZATION and all potential customers contacted or solicited by THE ORGANIZATION during the period of my working relationship with THE ORGANIZATION.

- OPTIONAL AND MAY BE SUBJECT TO STATE LAW: I further agree that all products, processes, know-how, inventions or devices, or any improvements to any of the foregoing (“Inventions”), discovered or developed during the course of my working relationship with THE ORGANIZATION which are (a) related to THE ORGANIZATION’s business, (b) in the course of development by THE ORGANIZATION, or (c) made with the use of THE ORGANIZATION’s time, materials or facilities, shall, in each case, belong to THE ORGANIZATION.
I hereby assign and transfer to THE ORGANIZATION all right, title and interest to any and all such Inventions. I agree promptly to disclose to THE ORGANIZATION all such Inventions, whether patentable or not. I agree to execute such instruments and assignments and to take such other action, at THE ORGANIZATION’s expense, as may be necessary or desirable to vest title in such Inventions to THE ORGANIZATION or to obtain letters patent and copyrights for the benefit of THE ORGANIZATION.

Upon termination of my work relationship with THE ORGANIZATION, I will immediately return to THE ORGANIZATION all ORGANIZATION property (e.g. keys, documents, ID badges, etc.) and ORGANIZATION documents and information, and remove any client or vendor contact information from my personal phone.

SUBJECT TO STATE LAW: In the event of a breach or threatened breach of any of the terms of this Agreement, THE ORGANIZATION shall be entitled to an injunction restraining me from committing any breach of this Agreement without showing or proving any actual damages and without diminishing any other right or remedy which THE ORGANIZATION may have at law or in equity to enforce the provisions of this Agreement. I waive any right I may have to require THE ORGANIZATION to post a bond or other security with respect to obtaining or continuing any injunction or temporary restraining order and, further, release THE ORGANIZATION and its officers and directors from, and waive, any claim for damages against them which I may have with respect to THE ORGANIZATION obtaining any injunction or restraining order pursuant to this Agreement.

This Agreement shall be binding upon and inure to the benefit of the parties hereto and their respective successors, assigns, legal representatives, heirs and distributees. This Agreement shall be governed by and construed in accordance with the laws of the State of New York.
If any restrictions on me shall for any reason be held by a court of competent jurisdiction to be excessively broad as to duration, activity or subject, such restriction shall be construed so as to be limited or reduced to be enforceable to the extent compatible with applicable law as it shall then appear, it being understood that by the execution of this Agreement the parties hereto regard the restrictions contained herein as reasonable and compatible with their respective rights. Subject to the prior sentence, the total invalidity or unenforceability of any provision in this Agreement shall not affect any other provision hereof, and this Agreement shall be construed as if such invalid or unenforceable provision were omitted.

_________________________________________________________________
Signature of employee/physician/student/volunteer                Date

________________________________________________
Printed Name

Business Associates
Business Associates Policy and Procedures

Policy: The organization treats privacy safeguards, and the extension of such safeguards to its business associates, in the same manner specified in the Security Rule. The organization complies with the Security Rule provisions referenced below for privacy purposes, reading “protected health information” wherever the term “electronic protected health information” appears. Security measures are to include measures to protect privacy.
§ 160.103: Subcontractor means “a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.”

§ 164.306(e): Covered entities and business associates must review and modify security measures as needed to ensure the continued provision of reasonable and appropriate protection of electronic protected health information, and update documentation of such security measures accordingly.

§ 164.308(b) expressly provides that a covered entity is not required to enter into a business associate agreement with a business associate that is a subcontractor; rather, this is the obligation of the business associate that has engaged the subcontractor to perform a function or service that involves the use or disclosure of protected health information.

§ 164.314(a)(2)(i): Contracts must require a business associate to comply with the Security Rule; to ensure any subcontractors enter into a contract or other arrangement to protect the security of electronic protected health information; and, with respect to the reporting of security incidents by business associates to covered entities, to report to the covered entity breaches of unsecured protected health information as required by § 164.410 of the breach notification rules.

§ 164.314(a)(2)(iii) provides that the requirements of this section for contracts or other arrangements between a covered entity and business associate apply in the same manner to contracts or other arrangements between business associates and subcontractors required by the proposed requirements of § 164.308(b)(4).
For example, under these provisions, a business associate contract between a business associate and a business associate subcontractor would need to provide that the subcontractor report any security incident of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410, to the business associate. This would mean that if a breach of unsecured protected health information occurs at or by a second tier subcontractor, the subcontractor must notify the business associate subcontractor with which it contracts of the breach, which then must notify the business associate which contracts with the covered entity of the breach, which then must notify the covered entity of the breach. The covered entity then notifies the affected individuals, the Secretary, and, if applicable, the media, of the breach, unless it has delegated such responsibilities to a business associate.

Section 164.502(a) and (b)—Permitted and Required Uses and Disclosures and Minimum Necessary
Section 13404 of the HITECH Act creates direct liability for impermissible uses and disclosures of protected health information by a business associate of a covered entity “that obtains or creates” protected health information “pursuant to a written contract or other arrangement described in § 164.502(e)(2)” and for compliance with the other privacy provisions in the HITECH Act.

Section 13404(a) of the HITECH Act creates direct liability for uses and disclosures of protected health information by business associates that do not comply with their business associate contract or other arrangement under the Privacy Rule. Section 13404(a) applies the other privacy requirements of the HITECH Act directly to business associates just as they apply to covered entities.

Section 13404(b) applies the provision of § 164.504(e)(1)(ii), regarding knowledge of a pattern of activity or practice that constitutes a material breach or violation of a contract, to business associates.
Section 13404(c) applies the HIPAA civil and criminal penalties to business associates.

§ 164.514(f)(1)(i): Demographic information relating to an individual includes names, addresses, other contact information, age, gender, and dates of birth. This final rule also allows covered entities to use and disclose department of service information, treating physician information, and outcome information for fundraising purposes.

Section 13406(b) of the HITECH Act requires the Secretary to provide by rule that a Covered Entity provide the recipient of any fundraising communication with a clear and conspicuous opportunity to opt out of receiving further fundraising communications.

Section 13402(b) of the HITECH Act requires a business associate of a covered entity that accesses, maintains, retains, modifies, records, destroys, or otherwise holds, uses, or discloses unsecured protected health information to notify the covered entity when it discovers a breach of such information.

Section 164.410(b) requires that a business associate provide notice of a breach of unsecured protected health information to a covered entity without unreasonable delay and in no case later than 60 days following the discovery of a breach.

Section 164.410(c)(1) requires business associates, to the extent possible, to provide covered entities with the identity of each individual whose unsecured protected health information has been, or is reasonably believed to have been, breached.
§ 164.410(c)(2) requires a business associate to provide the covered entity with any other available information that the covered entity is required to include in the notification to the individual under § 164.404(c), either at the time it provides notice to the covered entity of the breach or promptly thereafter as information becomes available.

Implementation Specification: Required
Risk Level: Low
Financial Impact: n/a

Policy: It is the policy of the organization to assure that any partners or business associates with access to PHI agree to adhere to the necessary measures to assure the privacy and security of PHI. See the following Business Associates Agreement. The organization maintains copies of this agreement signed by BOTH the organization and the Business Associate. The agreement is reviewed annually and updated as necessary. See the log section for a business associates list.

The HIPAA Privacy and Security Rules permit a covered entity to disclose protected health information to a business associate, and allow a business associate to create, receive, maintain, or transmit protected health information on its behalf, provided the covered entity obtains satisfactory assurances in the form of a contract or other arrangement that the business associate will appropriately safeguard the information.
A “business associate” is expressly designated as (1) a Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires routine access to such protected health information; and (2) a person who offers a personal health record to one or more individuals on behalf of a covered entity.

A business associate includes a “subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.” A subcontractor means “a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.” Thus, a subcontractor is a person to whom a business associate has delegated a function, activity, or service the business associate has agreed to perform for a covered entity or business associate. A subcontractor is then a business associate where that function, activity, or service involves the creation, receipt, maintenance, or transmission of protected health information.

The Organization will obtain the satisfactory assurances required by the Rules from its business associates, and business associates must do the same with regard to subcontractors, and so on, no matter how far “down the chain” the information flows. This ensures that individuals’ health information remains protected by all parties that create, receive, maintain, or transmit the information in order for a covered entity to perform its health care functions.
For example, the covered entity may contract with a business associate (contractor); the contractor may delegate to a subcontractor (subcontractor 1) one or more functions, services, or activities the business associate has agreed to perform for the covered entity that require access to protected health information; and the subcontractor may in turn delegate to another subcontractor (subcontractor 2) one or more functions, services, or activities it has agreed to perform for the contractor that require access to protected health information, and so on. Both the contractor and all of the subcontractors are business associates under the final rule to the extent they create, receive, maintain, or transmit protected health information.

The Organization will comply with the guidance provided for the designation and requirements of a Business Associate as follows. The Organization’s written contract between a covered entity and a business associate must:
(1) establish the permitted and required uses and disclosures of protected health information by the business associate;
(2) provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law;
(3) require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing the requirements of the HIPAA Security Rule with regard to electronic protected health information and the safeguards for protected health information required by the Privacy Rule;
(4) require the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information;
(5) require the business associate to disclose protected health information as specified in its contract to satisfy a covered entity’s obligation with respect to individuals’ requests for copies of their protected health information, as well as make available protected health information for amendments (and incorporate any amendments, if required) and accountings;
(6) to the extent the business associate is to carry out a covered entity’s obligation under the Privacy Rule, require the business associate to comply with the requirements applicable to the obligation;
(7) require the business associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule;
(8) at termination of the contract, if feasible, require the business associate to return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity;
(9) require the business associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information; and
(10) authorize termination of the contract by the covered entity if the business associate violates a material term of the contract.
Contracts between business associates and business associates that are subcontractors are subject to these same requirements.

Business Associates’ Roles and Liability
- A business associate is directly liable under the Privacy Rule for uses and disclosures of protected health information that are not in accord with its business associate agreement or the Privacy Rule.
- A business associate is directly liable for failing to disclose protected health information when required by the Secretary to do so for the Secretary to investigate and determine the business associate’s compliance with the HIPAA Rules.
- A business associate is directly liable for failing to disclose protected health information to the covered entity, individual, or individual’s designee, as necessary to satisfy a covered entity’s obligations with respect to an individual’s request for an electronic copy of protected health information. See § 164.502(a)(3) and (a)(4).
- A business associate is directly liable for failing to make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. See § 164.502(b).
- Business associates are directly liable for failing to enter into business associate agreements with subcontractors that create or receive protected health information on their behalf. See § 164.502(e)(1)(ii).
As was the case under the Privacy Rule before the HITECH Act, business associates remain contractually liable for all other Privacy Rule obligations that are included in their contracts or other arrangements with covered entities.

Security Incident Reporting - Business Associates and Subcontractors
A business associate contract between a business associate and a business associate subcontractor must provide that the subcontractor report any security incident of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410, to the business associate.
If a breach of unsecured protected health information occurs at or by a second tier subcontractor, the subcontractor must notify the business associate subcontractor with which it contracts of the breach, which then must notify the business associate which contracts with the covered entity of the breach, which then must notify the covered entity of the breach. The covered entity then notifies the affected individuals, the Secretary, and, if applicable, the media, of the breach, unless it has delegated such responsibilities to a business associate.

Fundraising
“[P]ermissible fundraising activities include appeals for money, sponsorship of events, etc. They do not include royalties or remittances for the sale of products of third parties (except auctions, rummage sales, etc.).”
- Individuals can opt out of fundraising.
- Individuals can opt back in (for example, a CE could include in its newsletter a phone number for individuals to call to be put back on the fundraising list).
- The method for an individual to elect not to receive further fundraising communications should not cause the individual to incur an undue burden or more than a nominal cost (e.g. writing a letter would be considered an undue burden).
- The scope of the opt out (whether it applies to all future fundraising communications or to a specific fundraising campaign) is left to the discretion of the covered entity.
- If an individual does opt out, the individual’s choice to opt out must be treated as a revocation of authorization under § 164.508 of the HIPAA Privacy Rule.
- A Covered Entity may not condition treatment on an individual’s decision to opt out of fundraising communications.
- A Covered Entity that intends to contact an individual to raise funds must include a statement to that effect in its Notice of Privacy Practices.
- Once an individual has opted out, a Covered Entity must take “reasonable measures” to ensure that no further fundraising communication is provided to the individual.

Notification of Breach by a Business Associate
- Business associates must provide breach notification to covered entities without unreasonable delay and in no case later than 60 days from discovery of the breach.
- Business associates must provide covered entities with the identity of each individual whose unsecured protected health information has, or is reasonably believed to have been, affected by the breach.
- A business associate is required to notify the covered entity of the breach of unsecured protected health information so that the covered entity can notify affected individuals.
- A breach shall be treated as discovered by a business associate as of the first day on which such breach is known to the business associate or, by exercising reasonable diligence, would have been known to the business associate.
- Business associates must, to the extent possible, provide covered entities with the identity of each individual whose unsecured protected health information has been, or is reasonably believed to have been, breached.
- Business associates could provide the covered entity with immediate notification of the breach and then follow up with the required information when available, but without unreasonable delay and within 60 days.
- Business associates must provide this information even if it becomes available after notifications have been sent to affected individuals or after the 60-day period has elapsed.
- Business associates and covered entities have the flexibility to set forth specific obligations for each party, such as who will provide notice to individuals and when the notification from the business associate to the covered entity will be required following a breach of unsecured protected health information, so long as all required notifications are provided and the other requirements of the final rule are met.
- Parties should consider which entity is in the best position to provide notice to the individual, which may depend on circumstances such as the functions the business associate performs on behalf of the covered entity and which entity has the relationship with the individual.
- Parties should ensure that the individual does not receive notifications from both the covered entity and the business associate about the same breach, which may be confusing to the individual.

Breach - Burden of Proof

When a covered entity or business associate knows of an impermissible use or disclosure of protected health information, it should maintain documentation that all required notifications were made or, alternatively, documentation demonstrating that notification was not required: (1) its risk assessment demonstrating a low probability that the protected health information has been compromised by the impermissible use or disclosure, or (2) the application of any other exception to the definition of “breach.”

Approval: ______________________________
Date of Approval:
Reviewed: ____________________________
Date(s) of Review:

Business Associates Decision Tree

The process for determining a business associate is as follows:
[decision tree flowchart not reproduced in this text version]

The process for determining if a person, business or agency is a covered health care provider is as follows:
[decision tree flowchart not reproduced in this text version]

Listing of Typical Business Associates

- Health Information Exchange
- Data Storage Providers
- Billing service/agency
- Collection agency
- Accountant/consultant who needs access to PHI
- Answering service
- Lockbox service
- Transcription service
- Practice management software vendor
- Electronic medical records software vendor
- Hardware maintenance service
- Data shredding services
- Other independent contractors who provide business/administrative services on-site

Business Associate Agreement

SAMPLE BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement (“the Agreement”) is entered into this ____ day of ____, 20____, by and between _________________________ (“Business Associate”), a New York [ENTITY TYPE], with its principal place of business at _________________________, and _________________________ (“Covered Entity”), a New York [ENTITY TYPE], with its principal place of business at ________________________.
The Business Associate and Covered Entity are referred to herein individually as “Party” and collectively as “the Parties”.

BACKGROUND

Covered Entity is required by law to comply with the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E (“the Privacy Rule”), the Security Standards for the Protection of Electronic Health Information at 45 CFR Parts 160 and 164, Subparts A and C (“the Security Rule”), and the Data Breach Notification Rule, 45 CFR Part 164, Subpart D (collectively, the “HIPAA Rules”).

Business Associate is required by law to comply with certain provisions of the HIPAA Rules.

Covered Entity and Business Associate are also required to comply with applicable state law and regulations governing the privacy, security and breach notification requirements related to personal information, as such may be amended from time to time (collectively, “State Laws”).

The Parties wish to enter into or have entered into a services agreement (“the Services Agreement”), under which Business Associate will provide certain services to, or on behalf of, Covered Entity.

Under the Services Agreement, Business Associate will have or may have access to Covered Entity’s Protected Health Information created, received, maintained or transmitted by Business Associate on behalf of Covered Entity (“PHI”).

In consideration of the Parties’ obligations under the Services Agreement, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties enter into this Agreement as an addendum to the Services Agreement.

DEFINITIONS; INTERPRETATION

Except as otherwise defined herein, any and all capitalized terms in this Agreement shall have the definitions set forth in the HIPAA Rules and the HITECH Act. In the event of any inconsistency between the provisions of this Agreement, the Services Agreement, and the requirements of the HIPAA Rules, the HIPAA Rules shall control.
Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits the parties to comply with the HIPAA Rules. All references to the HIPAA Rules are deemed to include all amendments to such rules contained in the HITECH Act and its implementing regulations, and any subsequently adopted amendments or regulations, as are applicable to this Agreement.

OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE

Business Associate agrees:

- To not use or disclose PHI other than as permitted or required by this Agreement, applicable State Laws, or as Required by Law.
- To implement appropriate administrative, physical and technical safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI, to prevent the use or disclosure of PHI other than as provided for by this Agreement.
- Pursuant to the HITECH Act and its implementing regulations, to comply with all applicable requirements of the Privacy Rule.
- To not directly or indirectly receive remuneration in exchange for any PHI, nor engage in any communication involving PHI which might be deemed to be Marketing under the HIPAA Rules, without the express written consent of the Covered Entity.
- To report to Covered Entity any use or disclosure of PHI of which it becomes aware which is not in compliance with the terms of this Agreement, including but not limited to Breaches of Unsecured PHI or personal information, and any security incident of which it becomes aware.
- Following the discovery of a Breach of PHI, to notify the Covered Entity of such Breach pursuant to the terms of 45 CFR §164.410, and cooperate in the Covered Entity’s Breach analysis procedures and risk assessment, if requested. A Breach shall be treated as discovered by Business Associate as of the first day on which such Breach is known to Business Associate or its workforce or, by exercising reasonable diligence, would have been known to Business Associate or its workforce.
  Business Associate will provide such notification to Covered Entity without unreasonable delay and in no event later than five (5) calendar days after discovery of the Breach. Such notification shall contain the information required by 45 C.F.R. §164.410.
- To mitigate, to the extent practicable, the harmful effect caused by Business Associate’s use or disclosure of PHI which is in violation of this Agreement or by any Breach of PHI by Business Associate, its employees, agents or subcontractors, and to provide notice to Covered Entity of such mitigation efforts.
- To make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services, at a reasonable time and in a reasonable manner or as designated by the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the HIPAA Rules.
- To ensure that its employees and agents are aware of and agree to the same restrictions and conditions which apply to Business Associate with respect to PHI.
- In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information.
- To the extent the Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164, to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).

AVAILABILITY OF PHI

Business Associate agrees:

- To make PHI available to the Covered Entity (or, at the direction of the Covered Entity, to the individual) to the extent and in the manner necessary for Covered Entity to satisfy the access requirements of Section 164.524 of the Privacy Rule.
- If Business Associate maintains Electronic PHI, to make such EPHI electronically available to the applicable individual in the format required by the HIPAA Rules and as directed by the Covered Entity.
- To make PHI available for amendment and incorporate any amendments to PHI in accordance with the requirements of Section 164.526 of the Privacy Rule.
- To document disclosures of PHI by Business Associate and maintain an accounting of such disclosures, as required under the HIPAA Rules and in guidance provided by OCR, and to provide such documentation and accounting to Covered Entity, upon Covered Entity’s specific request, to permit it to respond to a request by an Individual for an accounting of PHI disclosures, as required by Section 164.528 of the Privacy Rule and Section 13405(c)(3) of the HITECH Act. Business Associate shall cooperate with Covered Entity in providing any required accounting on a timely basis.
- To comply with any requests for restrictions on certain disclosures of PHI to which Covered Entity has agreed and of which Business Associate is notified by Covered Entity, or which are required by the HITECH Act.

PERMITTED USES AND DISCLOSURES OF PHI BY BUSINESS ASSOCIATE

Except as otherwise limited in this Agreement, Business Associate may use or disclose PHI to perform the functions, activities or services for, or on behalf of, Covered Entity as specified in the Services Agreement, provided that such use or disclosure would not violate the Privacy Rule if performed by Covered Entity. Business Associate may use or disclose PHI as Required by Law.

Business Associate agrees to use and disclose the minimum necessary PHI in performing its obligations under the Services Agreement.

NOTICE OF MATERIAL LIMITATIONS OR RESTRICTIONS

Covered Entity shall notify Business Associate of any material limitations or restrictions it has agreed to or is required to abide by under 45 CFR 164.522, to the extent such limitations or restrictions may affect Business Associate’s use or disclosure of PHI.

TERM AND TERMINATION

Term. The Term of this Agreement shall be effective on the date set forth above, and shall be coterminous with the term of the Services Agreement, unless earlier terminated as provided for herein.

Termination. Upon Covered Entity becoming aware of a violation of this Agreement by Business Associate, or reasonably believing that Business Associate will be in violation of this Agreement, Covered Entity may:

- Immediately terminate this Agreement and the Services Agreement if Covered Entity determines that Business Associate has breached a material term of this Agreement; or
- Alternatively, in Covered Entity’s sole discretion, provide notice and an opportunity for Business Associate to cure the violation, not to exceed ten (10) days, and terminate this Agreement and the Services Agreement if Business Associate does not cure within such time; or
- If neither termination nor cure is feasible, take such action as may be allowed or required by the HIPAA Rules.

Effect of Termination

Except as provided in paragraph b, below, upon termination of this Agreement for any reason, Business Associate shall return or destroy, at Covered Entity’s option, all PHI. Business Associate shall ensure compliance with this requirement by its subcontractors, if any. Any such destruction shall comply with the applicable guidance of HHS in effect at the time of such destruction, and Business Associate shall provide to Covered Entity a certification attesting to such compliance.

Should Business Associate conclude that returning or destroying any PHI is not feasible, Business Associate shall immediately notify Covered Entity in writing of the circumstances upon which it bases this conclusion. Upon Covered Entity’s written concurrence that such return or destruction of PHI is infeasible, Business Associate shall extend the protections of this Agreement to such PHI, and shall limit its further uses and disclosures to those purposes that necessitate Business Associate continuing to maintain this PHI.
The obligation of Business Associate under this provision shall survive termination of this Agreement, shall continue for as long as Business Associate maintains the PHI, and shall continue to bind Business Associate, its agents, contractors, successors and assigns, for however long the PHI is held by any of them.

MISCELLANEOUS

Except as expressly stated herein or in the HIPAA Rules, the Parties do not intend to create any rights in any third parties. The Business Associate is not the agent of the Covered Entity, and the Covered Entity does not control, supervise or instruct the Business Associate or any of its subcontractors. None of the provisions of this Agreement are intended to create, nor will they be deemed to create, any relationship between the Parties other than that of independent parties contracting with each other solely for the purposes of implementing the provisions of this Agreement and the Services Agreement.

Any breach of this Agreement by Business Associate may cause irreparable harm to the Covered Entity. Therefore, Covered Entity may seek any legal remedy, including an injunction or specific performance for such harm, without bond, security or necessity of demonstrating actual damages.

Business Associate shall indemnify Covered Entity, its owners, employees and representatives, for any losses, fines, penalties, costs or damages incurred as a result of Business Associate’s breach of any provision of this Agreement or violation of any State Laws.

This Agreement may be amended or modified only in a writing signed by the Parties. The Parties intend, however, that this Agreement comply with all applicable laws and regulations and that the requirement of any new or amended law or regulation affecting this Agreement be incorporated herein at such time as it becomes effective.
Notwithstanding the foregoing, the Parties agree to take such action to amend this Agreement from time to time as is necessary for either Party to comply with any requirement of federal or state law or regulation, or any amendments thereto. Should a Party believe in good faith that any provision of this Agreement fails to substantially comply with the then-current requirements of law, that Party shall notify the other Party in writing, specifying the purported non-compliance and proposed revision(s). The Parties shall negotiate in good faith, for a period of up to fifteen (15) calendar days, to so amend the terms of this Agreement. If, after such 15-day period, the Parties cannot agree to an acceptable amendment(s), then either Party can terminate the Agreement upon written notice to the other Party, with such termination being effective immediately upon receipt.

No Party may assign its respective rights and obligations under this Agreement without the prior written consent of the other Party.
No change, waiver or discharge of any liability or obligation hereunder on any one or more occasions shall be deemed a waiver of any continuing or other liabilities or obligations, nor shall it prohibit enforcement of any liabilities or obligations on any other occasions.

Any notice required or permitted under this Agreement shall be given in writing and delivered by hand, via overnight delivery service, or via registered or certified mail, return receipt requested, to the following, and any change in address shall be noticed as provided for herein:

Covered Entity:
_____________________________
_____________________________
_____________________________

Business Associate:
_____________________________
_____________________________
_____________________________

This Agreement shall be governed by the laws of the state of New York, and the venue and exclusive jurisdiction over any legal disputes between the Parties arising under this Agreement shall be in the state and federal courts of the state of New York. Should any provision of this Agreement be held invalid or unenforceable by a court of competent jurisdiction, the remaining provisions will continue in full force and effect.
This Agreement is the entire agreement of the Parties related to its subject matter and supersedes all prior agreements, both written and oral, between the Parties, related thereto.

IN WITNESS WHEREOF, the Parties have executed this Agreement as of the day and year first written above.

[Business Associate]
By: ________________________
Title: ________________________

[Covered Entity]
By: _______________________
Title: _______________________

Marketing

HITECH Act section 13406(a) limits the health-related communications that may be considered health care operations, and thus exempted from the definition of "Marketing" under the HIPAA Privacy Rule, to the extent that a Covered Entity has received direct or indirect payment in exchange for making the communication.

Policy

For marketing communications that involve financial remuneration, the covered entity must obtain a valid authorization from the individual before using or disclosing protected health information for such purposes, and such authorization must disclose the fact that the covered entity is receiving financial remuneration from a third party.

The authorization must make clear that the individual may revoke the authorization at any time he or she wishes to stop receiving the marketing material.

Marketing means "to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service." The Organization acknowledges three exceptions as follows: (1) certain health care operations ("HCOs") are excluded, except where the Covered Entity receives financial remuneration for the communication, such as: (a) describing a health-related product or service that is provided by the Covered Entity; (b) case management and coordination; (c) contacting persons about alternatives; and (d) similar functions (i.e., to the extent that these activities are not considered treatment); (2) communications regarding refill reminders or a biologic that is currently prescribed; and (3) an arrangement between a Covered Entity and any other entity in which the Covered Entity discloses Protected Health Information to the other entity, in exchange for remuneration, to make a communication about its own product or services that encourages a purchase, because such an activity, under HITECH Act 13405(d), is to be considered a prohibited "sale" of Protected Health Information.

Authorization is REQUIRED for ALL treatment and HCOs communications where the Covered Entity receives financial remuneration for making the communications from a third party whose product or service is being marketed.

A standalone exception for refill reminders remains in place under the HITECH Act.

The Organization will seek the advice of legal counsel before marketing of any type to its patients.

Approval:
Date of Approval:
Reviewed:
Date(s) of Review:

Workforce Termination

Implement procedures for terminating access to protected health information when the employment of a workforce member ends or as required by determinations made as specified in paragraph

Implementation Specification

Implementation Specification: Addressable
Risk Level: medium
Financial Impact:
Privacy Officer Responsibility

Procedure

Prior to the individual’s departure, the System Administrator or Privacy Officer will:

- Contact a locksmith to change the organization locks, if necessary.
- Circulate new security keypad code numbers and office keys to pertinent organization members, if necessary.

Approval:
Date of Approval:
Reviewed:
Date(s) of Review:

Policy, Procedure, and Agreement Review

I have read and reviewed the following policies, procedures, and agreements:

- Privacy Policy
- Illustrations of Situations Requiring/Not Requiring Authorization
- Privacy Procedures
- Facilities Policy and Procedures
- Data Breach
- Training Policy
- Workforce Confidentiality Agreement
- Business Associates Policy and Agreement
- Workforce Termination

Approval:
Date of Approval:
Reviewed:
Date(s) of Review:

FORMS

Notice of Privacy Practices

<Organization Name>

This notice describes how your medical information as a patient of this practice may be used and disclosed and how you can get access to this information. Please review it carefully.

The privacy of your medical information is important to us. You may be aware that U.S. government regulators established a privacy rule under the Health Insurance Portability & Accountability Act (“HIPAA”) governing protected health information (“PHI”). PHI includes individually identifiable health information, including demographic information, and relates to your past, present or future physical and mental health or condition and related health care services. This notice tells you how your PHI may be used, and about certain rights that you have.

Use and Disclosure of Protected Information

Federal law provides that we may use your PHI for your treatment, without further specific notice to you or written authorization by you. For example, if we refer you to a specialist, we may provide laboratory or test data to that specialist.

Federal law provides that we may use your medical information to obtain payment for our services without further specific notice to you or written authorization by you.
For example, under a health plan, we are required to provide the health insurance company with a diagnosis code for your visit and a description of the services rendered.

Federal law provides that we may use your medical information for health care operations without further specific notice to you or written authorization by you. For example, we may use the information to evaluate the quality of care you received from us, or to conduct cost-management and business planning activities for our practice.

We may use or disclose your medical information, without further notice to you or specific authorization by you, where:

- required for public health purposes
- required by law to report child abuse
- required by a health oversight agency for oversight activities authorized by law, such as the Department of Health, Office of Professional Discipline or Office of Professional Medical Conduct
- required by law in judicial or administrative proceedings
- required for law enforcement purposes by a law enforcement official
- required by a coroner or medical examiner
- permitted by law to a funeral director
- permitted by law for organ donation purposes
- permitted by law to avert a serious threat to health or safety
- permitted by law and required by military authorities if you are a member of the armed forces of the U.S.
- required for national security, as authorized by law
- required by correctional institutions or law enforcement officials if you are an inmate or under the custody of a law enforcement official
- otherwise required or permitted by law.

Certain types of uses and disclosures of protected health information require authorization; these include:

- uses and disclosures of psychotherapy notes
- uses and disclosures of PHI for marketing purposes; and
- disclosures that constitute the sale of PHI.

Other uses and disclosures not described in this Notice of Privacy Practices will be made only with an individual’s authorization.

State Specific Laws

<INSERT STATE SPECIFIC LAWS> For example: New York State provides additional protection for information regarding HIV/AIDS. We will continue to follow NY State law with respect to such information. We will also continue to follow considerations of confidentiality under state law for minors when treated for certain conditions (for example, minors do not need parental permission to consent to treatment for sexually transmitted diseases, pregnancy, drug abuse and others; the minor’s personal health information is not allowed to be released, except as outlined in this notice, without the written authorization of the minor).

We may contact you by mail or phone, at your residence, to remind you of appointments or to provide information about treatment alternatives. Unless you instruct us otherwise, we may leave a message for you on any answering device or with any person who answers the phone at your residence.

Minors

<INCLUDE ONLY IF ORGANIZATION TREATS MINORS> For divorced or separated parents: each parent has equal access to health information about their unemancipated child(ren), unless there is a court order to the contrary that is known to us or unless it is a type of treatment or service where parental rights are restricted.

We can release your medical information to a friend or family member who is involved in your medical care. For example, a babysitter or relative who is asked by a parent or guardian to take their child to the pediatrician’s office may have access to this child’s medical information. We prefer to have written authorization from the parent or guardian for someone else to accompany the child, and may make reasonable attempts to obtain this authorization.

You can make reasonable requests, in writing, for us to use alternative methods of communicating with you in a confidential manner. A separate form is available for this purpose.

Other uses or disclosures of your medical information will be made only with your written authorization.
You have the right to revoke any written authorization that you give.

Rights That You Have

- You have the right to request restrictions on certain uses or disclosures described above. Except as stated below, we are not required to agree to such restrictions.
- You have the right to request confidential communications. You have the right to request that our practice communicate with you about your health and related issues in a particular manner or at a certain location, e.g. at home and not at work. Such requests must be made in writing to your physician. Our practice will accommodate reasonable requests.
- You have the right to inspect and obtain copies of your medical information (a reasonable fee will be charged).
- You have the right to request amendments to your medical information. Such requests must be in writing, and must state the reason for the requested amendment. We will notify you as to whether we agree or disagree with the requested amendment. If we disagree with any requested amendment, we will further notify you of your rights.
- You have the right to request an accounting of any disclosures we make of your medical information. This is a list of certain non-routine disclosures our practice has made of your health information for non-treatment, payment or health care operations purposes.
  An accounting does not have to be made for disclosures we make to you, or to carry out treatment, payment or health care operations, or as requested by your written authorization, or as permitted or required under 45 CFR 164.502, or for emergency or notification purposes, or for national security or intelligence purposes as permitted by law, or to correctional facilities or law enforcement officials as permitted by law, or disclosures made before April 14, 2003.
- You have the right to restrict certain disclosures of Protected Health Information to a health plan, for carrying out payment or health care operations, where you pay out of pocket in full for the healthcare item or service. (Only healthcare providers are required to include such a statement; other covered entities may retain the existing language indicating that a Covered Entity is NOT required to agree to a requested restriction.)
  - You are required to notify a Business Associate and a downstream Health Information Exchange of the restriction.
  - A family member or other third party may make the payment on your behalf and the restriction will still be triggered.
- You have a right to, or will receive, notifications of breaches of your unsecured patient health information.
- All requests must state a time period, which may not be longer than six (6) years from the date of disclosure.
- You have a right to receive a paper copy of our notice of privacy policies.
- You have a right to receive electronic copies of health information.

Obligations That We Have

We are required by law to maintain the privacy of protected health information and to provide individuals with notice of our legal duties and privacy practices. We are required to abide by the terms of this notice as long as it is currently in effect.

We reserve the right to revise this notice, and to make a new notice effective for all protected health information we maintain.
Any revised notice will be posted in our office, and copies will be available there.

We will inform you of our intentions to raise funds and your right to opt out of receiving such communications.

If you believe these privacy rights have been violated, you may file a written complaint with our Privacy Officer or with the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). We will provide the address of the OCR Regional Office upon your request. No retaliation will occur against you for filing a complaint.

Organization Contact Information

IF YOU HAVE QUESTIONS ABOUT THIS NOTICE, PLEASE CONTACT:
Organization Name:
Address:
Telephone Number:
Contact Person:

Approval:
Date of Approval:
Reviewed:
Date(s) of Review:

Receipt of Notice of Privacy Practices
Written Acknowledgement Form

I, ______________________________________, have received a copy of <organization’s name>’s Notice of Privacy Practices in the form attached hereto. (Organizations must include the form of NPP provided to the patient in the patient’s chart.)

Printed Name: ________________________________________________
Signature: ________________________________________________
Date: ______________________

Patient Authorization for Use and Disclosure of Protected Health Information

By signing this authorization, I authorize <ORGANIZATION> to use and/or disclose certain protected health information (PHI) about me to _________________________.
(Name of entity to receive this information)

This authorization permits <ORGANIZATION> to use and/or disclose the following individually identifiable health information about me (specifically describe the information to be used or disclosed, such as date(s) of services, type of services, level of detail to be released, origin of information, etc.):
________________________________________________________________________________________________________________________________________________________.

I understand that any part of my protected health information that is categorized as “psychotherapy notes” will not be included under this authorization.

The information will be used or disclosed for the following purpose:
____________________________________________________________________________.

If the above is left blank, the purpose shall be “at the request of the individual.” The purpose(s) is/are provided so that I can make an informed decision whether to allow release of the information.

This authorization will expire on _____________________________. {Expiration Date or Defined Event}

I do not have to sign this authorization in order to receive treatment from <ORGANIZATION>. In fact, I have the right to refuse to sign this authorization. When my information is used or disclosed pursuant to this authorization, it may be subject to re-disclosure by the recipient and may no longer be protected by the federal HIPAA Privacy Rule. I have the right to revoke this authorization in writing except to the extent that the practice has acted in reliance upon this authorization.
My written revocation must be submitted to the Privacy Officer at:
Organization Name:
Address:
Telephone Number:
Privacy Officer:

_____________________________________________________________
Printed Name of Patient or Legal Guardian                        Date

_____________________________________________________________
Signature of Patient or Legal Guardian                           Date

PATIENT/GUARDIAN TO BE PROVIDED WITH A SIGNED COPY OF AUTHORIZATION

Authorization for Use and Disclosure of Psychotherapy Notes

By signing this authorization, I authorize <ORGANIZATION> to use and/or disclose psychotherapy notes about me to _________________________.
(Name of entity to receive this information)

This authorization permits <ORGANIZATION> to use and/or disclose the following individually identifiable health information about me (specifically describe the information to be used or disclosed, such as date(s) of services, therapist, etc.):
________________________________________________________________________________________________________________________________________________________.

The information will be used or disclosed for the following purpose:
____________________________________________________________________________.

If the above is left blank, the purpose shall be “at the request of the individual.” The purpose(s) is/are provided so that I can make an informed decision whether to allow release of the information.

This authorization will expire on _____________________________. {Expiration Date or Defined Event}

I do not have to sign this authorization in order to receive treatment from <ORGANIZATION>. In fact, I have the right to refuse to sign this authorization. When my information is used or disclosed pursuant to this authorization, it may be subject to re-disclosure by the recipient and may no longer be protected by the federal HIPAA Privacy Rule. I have the right to revoke this authorization in writing except to the extent that the practice has acted in reliance upon this authorization.
My written revocation must be submitted to the Privacy Officer at:

Organization Name:
Address:
Telephone Number:
Privacy Officer:

_____________________________________________________________
Printed Name of Patient or Legal Guardian                     Date

_____________________________________________________________
Signature of Patient or Legal Guardian                        Date

PATIENT/GUARDIAN TO BE PROVIDED WITH A SIGNED COPY OF AUTHORIZATION


Authorization for Use and/or Disclosure of PHI for Marketing, Fundraising, Publication, or Public Relations

The PHI that may be used or disclosed is from:
    Person, class of persons, or organization:
    Address:
    Attn:
    Phone:

The PHI may be used by or disclosed to:
    Person, class of persons, or organization:
    Address:
    Attn:
    Phone:

The following protected health information may be disclosed (circle all that apply):
    My Name
    Address
    Diagnosis
    Treatments
    Prognosis
    Photograph(s)
    Physician or caregiver’s name and specialty
    Treating Department or Clinic
    Testimonial(s)
    Other (specify) _____________________

I further authorize the disclosure of the following information which may be included in the protected health information listed above (circle all that are approved):
    Mental Health
    Substance Abuse
    HIV/AIDS

This Health Information is being used or disclosed for (circle all that apply):
    Marketing Activities
    Fundraising/Promotional Activities
    Public Relations Activities
    Educational Purposes
    Other (explain): ________________________________________________

I understand that, by federal law, ORGANIZATION may not use or disclose protected health information without authorization except as provided in the ORGANIZATION’s Notice of Privacy Practices. By signing this Authorization, I am giving permission for the uses and disclosures of the described protected health information. I hereby release the ORGANIZATION and its employees from any and all liability that may arise from the release of information as I have directed.

I understand that I have the right to revoke this authorization in writing except to the extent that the practice has acted in reliance upon this authorization. My written revocation must be submitted to the Privacy Officer at:

Organization Name:
Address:
Telephone Number:
Privacy Officer:

I understand that I may refuse to sign this Authorization, and that the institutions or individuals named above cannot deny or refuse to provide treatment, payment, enrollment in a health plan, or eligibility for benefits if I refuse to sign.

I understand that information disclosed pursuant to this Authorization may no longer be protected by the federal medical privacy law and could be disclosed by the person or agency that receives it.

I have the right to receive a copy of the Health Information released.

This authorization will expire on _____________________________. {Expiration Date or Defined Event}

I have read and understand the information on this authorization form.

_____________________________________________________________
Printed Name of Patient or Legal Guardian                     Date

_____________________________________________________________
Signature of Patient or Legal Guardian                        Date


Request for Limitation and Restrictions of Protected Health Information

PATIENT PLEASE NOTE: THE PRACTICE IS NOT REQUIRED TO AGREE TO YOUR REQUEST UNLESS YOU HAVE PAID FOR THE SERVICE IN FULL, IN CASH, AND THE DISCLOSURE WOULD BE TO YOUR HEALTH PLAN FOR PAYMENT OR HEALTH CARE OPERATIONS.
PLEASE SEE OUR NOTICE OF PRIVACY PRACTICES FOR MORE INFORMATION REGARDING SUCH REQUESTS.

Patient Name __________________________________________ Date of Birth ____________________
Patient Address: Street _________________________________________________ Apartment # ______
City, State, Zip __________________________________________________

Type of protected health information (PHI) to be restricted or limited:
_________________________________________________________________________________________________

How would you like the use and/or disclosure of your PHI restricted?
_________________________________________________________________________________________________
_________________________________________________________________________________________________

_____________________________________________________________
Printed Name of Patient or Legal Guardian                     Date

_____________________________________________________________
Signature of Patient or Legal Guardian                        Date


Request to Inspect and Copy Protected Health Information

Patient Name __________________________________________ Date of Birth ____________________
Patient Address: Street _________________________________________________ Apartment # ______
City, State, Zip __________________________________________________

I understand and agree that I am financially responsible for the following fees associated with my request: copying charges, including the cost of supplies and labor, and postage related to the production of my information. I understand that the charge for this service is $______ per page, with a minimum charge of $_______.

(The entity must check with its applicable state laws and regulations regarding the amounts that can be legally charged for such copies. Additionally, there are certain situations in which fees cannot be charged at all, i.e. for continuation of treatment….)

_____________________________________________________________
Printed Name of Patient or Legal Guardian                     Date

_____________________________________________________________
Signature of Patient or Legal Guardian                        Date


Patient Denial Letter

Date
Patient’s Name
Address
City, State, Zip

Dear ________________:

In accordance with the Final Rule for the Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) issued by the U.S. Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), ORGANIZATION is unable to honor your request to inspect and obtain a copy of your protected health information (PHI) for the following reason(s):

    ____________________ does not possess the information requested. [Insert location of PHI, if known]

    You have requested psychotherapy notes, as defined in the Privacy Rule, and we are not required to allow you to inspect and obtain a copy of your psychotherapy notes.

    The Privacy Rule does not require the practice to permit you to inspect and obtain a copy of the requested information because it has been compiled in anticipation of, or for use in, a civil, criminal or administrative action or proceeding.

    The Privacy Rule does not require the practice to permit you to inspect and obtain a copy of the requested information because it is subject to or exempted by the Clinical Laboratory Improvements Amendments (CLIA) of 1988.

    The Privacy Rule does not require the practice to permit you to inspect and obtain a copy of the requested information because the information was obtained from someone other than a healthcare provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information.

    The Privacy Rule does not require the practice to permit you to inspect and obtain a copy of the requested information because the information was/is being created or obtained in the course of ongoing research that includes treatment and you agreed to the denial of access when you consented to participate in the research. Your right of access will be reinstated upon the completion of the research.

    The requested information is contained in records subject to the federal Privacy Act, 5 U.S.C. §552a, and this denial meets the requirements of that law. (The Privacy Act of 1974 protects personal information about individuals held by the federal government.)

    A licensed healthcare professional has determined in his/her professional judgment that access to the requested information is reasonably likely to endanger your life or physical safety or the life or physical safety of another person.

    The requested information makes reference to another person and a licensed healthcare professional has determined, in the exercise of reasonable judgment, that the requested access is reasonably likely to cause substantial harm to such other person.

    You are the personal representative of the subject of the requested information, and a licensed healthcare professional has determined, in the exercise of professional judgment, that the requested information should not be provided to you.

If access to requested information has been denied for any of the last three reasons listed above, you have the right to have the denial reviewed by another licensed healthcare professional who did not participate in this denial. If you choose to have this denial reviewed, please submit a written request to our Privacy Officer at:

Organization Name:
Address:
Telephone Number:
Privacy Officer:

Our Privacy Officer will respond with a written decision within a reasonable period of time whether or not to ultimately grant or deny access to your PHI as originally requested. You may file a written complaint with our Privacy Officer or with the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). We will provide the address of the OCR Regional Office upon your request.
No retaliation will occur against you for filing a complaint. File the complaint within 180 days of the alleged violation.

Very truly yours,

_______________________________
Name of Practice Representative

_______________________________
Title


Request for Correction/Amendment of Protected Health Information

Patient Name __________________________________________ Date of Birth ____________________
Patient Address: Street _________________________________________________ Apartment # ______
City, State, Zip __________________________________________________

Type of Entry to be Amended:
    Visit note
    Nurse note
    Hospital note
    Prescription information
    Patient history
    Other ____________________________

Please explain how the entry is inaccurate or incomplete.
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________

Please specify what the entry should say to be more accurate or complete.
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________

_____________________________________________________________
Printed Name of Patient or Legal Guardian                     Date

_____________________________________________________________
Signature of Patient or Legal Guardian                        Date


Request for Correction/Amendment of Protected Health Information – Organization Response

Date __________________
Name of Staff Member Completing Form _________________________________________
Staff Member Title __________________________________

Amendment has been:
    Accepted
    Denied
    Denied in part, Accepted in part

If denied (in whole or in part)*, check reason for denial:
    PHI was not created by this organization.
    PHI is not available to the patient for inspection in accordance with the law.
    PHI is not a part of the patient’s designated record set.
    PHI is accurate and complete.

Comments from healthcare provider who provided service:
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________

Attention Organizations: There are some situations in which you do not have the right to deny such a request and, at the very least, you must include the patient’s request for amendment as part of the patient record even if you do not agree.

*If your request has been denied, in whole or in part, you have the right to submit a written statement disagreeing with the denial to the practice, Attn: {Name of Privacy Officer}, {practice address}. If you do not provide us with a statement of disagreement, you may request that we provide to you copies of your original request for amendment, our denial, and any disclosures of the protected health information that is the subject of the requested amendment. Additionally, you may file a complaint with our Privacy Officer [insert name or title, and telephone number] or with the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). We will provide the address of the OCR Regional Office upon your request. No retaliation will occur against you for filing a complaint.
File the complaint within 180 days of the alleged violation.


Request for an Accounting of Certain Disclosures of Protected Health Information for Non-TPO Purposes

Patient Name __________________________________________ Date of Birth ____________________
Patient Address: Street _________________________________________________ Apartment # ______
City, State, Zip __________________________________________________

As a patient, you have the right to receive an accounting of certain non-routine disclosures of your identifiable health information made by our practice for non-Treatment, Payment or Operations (“TPO”) purposes. Your request must state a time period that may not be more than six (6) years prior to the date of this request and may not include dates before April 14, 2003. The first list you request within a 12-month period will be provided free of charge. For additional lists during the same 12-month period, you may be charged for the costs of providing the list; however, the practice will notify you of the cost involved and you may choose to withdraw or modify your request.

If we use or maintain an electronic health record with respect to the PHI, the accounting must include disclosures made for TPO of our Practice, but only for a time period of up to three (3) years prior to the date of the patient’s request. If we had acquired an electronic health record as of January 1, 2009, we need only provide an accounting of TPO disclosures made by us from such record on and after January 1, 2014. If we acquired an electronic health record after January 1, 2009, we must provide an accounting of TPO disclosures made by us from such record on and after the later of the following: (i) January 1, 2011; or (ii) the date that we acquire an electronic health record.

In order to provide this accounting to our patients, our Practice will maintain a log or record of all disclosures, other than those under Section 2 above, of a patient’s PHI, for a six (6) year period (or for three (3) years if an electronic health record is used or maintained), and will maintain such log or record in the patient’s medical record, along with a copy of every accounting made to a patient.

To request an accounting of disclosures for non-TPO purposes made by the practice, you must submit your request in writing to {Insert Name, Address, Phone Number of Privacy Officer}.

_____________________________________________________________
Printed Name of Patient or Legal Guardian                     Date

_____________________________________________________________
Signature of Patient or Legal Guardian                        Date


Patient Complaint Form

Our organization values the privacy of its patients and is committed to operating our organization in a manner that promotes patient confidentiality while providing high quality patient care. If the staff at <Organization> have fallen short of this goal, we want you to notify us. Please be assured that your complaint will be kept confidential. Please use the space provided below to describe your complaint.
It is our intent to use this feedback to better protect your rights to patient confidentiality.

____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________

_____________________________________________________________
Printed Name of Patient or Legal Guardian                     Date

_____________________________________________________________
Signature of Patient or Legal Guardian                        Phone Number


Fax Letter with Disclaimer


Form Review

The Privacy Officer’s initials at the bottom of this page indicate that the Privacy Officer has read and reviewed each of the following forms:

    Privacy Notice
    Receipt of Notice of Privacy Written Acknowledgement Form
    Request for Limitation and Restrictions of Protected Health Information
    Authorization for Use and Disclosure of Psychotherapy Notes
    Authorization for Use and/or Disclosure of PHI for Marketing, Fundraising, Publication, or Public Relations
    Request to Inspect and Copy Protected Health Information
    Patient Denial Letter
    Request for Correction/Amendment of Protected Health Information
    Request for Correction/Amendment of Protected Health Information – Organization Response
    Request for an Accounting of Certain Disclosures of Protected Health Information for Non-TPO Purposes
    Patient Complaint Form
    Fax Letter with Disclaimer

Approval:                Date of Approval:
Reviewed:                Date(s) of Review:


LOGS

Privacy Officer Incident Log
Date Received | Date Investigation Complete | Nature of Complaint | Results of Investigation | Sanctions

Facility Maintenance Log
Date | Maintenance Issue | How Addressed | Date Resolved | Notes / Privacy Officer Initials

Training Documentation Log
As a member of <ORGANIZATION>’s workforce, I agree to adhere to the practice’s policies and procedures regarding patient privacy and the security of patient protected health information (PHI). I have received a copy of the practice’s policies, and have reviewed and understand these policies.
Date | Name | Title | Signature

Business Associate Log
Business Associate | Start Date | Agreement Signed | Amendment HITECH | Remote Access | Key – Physical Access | Security Official Initials

Workforce Termination Record
Task | Name of Individual Completing Task | Date Task Completed | Notes | Privacy Officer Initials

Tasks:
    Contact a locksmith to change the locks, if necessary
    Secure a full computer backup
    Recover external hard drives
    Keys – outside doors
    Keys – inside doors
    Secure books
    Secure written records
    Change security keypad code numbers
    Circulate new keypad code numbers and keys to office
    Change applicable passwords to the computer workstation, network, and all email/internet accounts to prevent access through outside means
    Prepare pre-termination and post-termination audit trails documenting the employee’s workstation/password activity before and after termination
    Conduct limited audit of patient information and financial information (contingent upon the employee’s degree of access)

Data Breach Record
Event Type | Time & Date Event Occurred | # of Persons Affected | Communication To: | Date of Communication | Method of Communication

Log and Record Review
I have read and reviewed the following logs and records:
    Privacy Officer Incident Log
    Facility Maintenance Log
    Training Documentation Log
    Business Associate Log
    Workforce Termination Record
    Data Breach Record

Approval:                Date of Approval:
Reviewed:                Date(s) of Review:


JOB DESCRIPTIONS

INSERT JOB DESCRIPTIONS


PRIVACY RISK ANALYSIS

The organization conducts periodic risk assessments consistent with the standard specified in the Security Rule.
§164.308(a)(1): Security Management Process. §164.308(a)(1)(ii)(A) – Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

§164.308(a)(8): Evaluation – Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.

Implementation Specification: Required
Risk Level: Moderate
Financial Impact: n/a

Analyze the controls that have been implemented, or are planned for implementation: Detailed in IT section.

The organization conducts a risk analysis annually or when there is a change to the organization environment or a significant advance in technology applicable to the organization. CMS recommends that the resulting risk assessment should be approved by management.

This manual reflects the initial evaluation per the HIPAA Privacy Rule – “Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the privacy of protected health information that establishes the extent to which an entity’s privacy policies and procedures meet the requirements of this subpart.”

Included in this manual are audit results that were not corrected at the time of the manual creation. The covered entity will address all areas of the audit results. Each policy has a level of risk assigned to it based on the likelihood of a threat occurrence and the resulting impact if the threat occurred.

Approval:                Date of Approval:
Reviewed:                Date(s) of Review:


AUDIT/RISK ANALYSIS

The organization’s HIPAA Privacy Manual is missing the following information, policy or procedure. As part of your periodic required Privacy Risk Analysis, these identified items must be addressed. The Organization will include the documentation of how the deficiency was addressed.

Section | Document | Item(s) Missing

Your manual is not complete until all documents in the log section are filled out completely or electronic versions of such logs are updated.

Approval:                Date of Approval:
Reviewed:                Date(s) of Review:


GLOSSARY

Access: The ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource that creates, maintains, or transmits PHI.

Access Authorization: Process by which rules are established for granting and/or restricting access to a user, terminal, transaction, program, or process for the purpose of creating, maintaining, or transmitting PHI. For example, the billing staff usually only needs access to the current visit notes, not the entire clinical record.

Administrative Safeguards: Formal documented practices to protect PHI. This includes the selection and execution of measures and the management of personnel as it relates to protecting PHI.

Affiliated Covered Entity: Legally separate covered entities that are affiliated may designate themselves as a single Covered Entity for purposes of HIPAA Privacy and Security if they meet the requirements of 45 CFR §164.105(b).

Audit Trail: Data collected and potentially used to facilitate a disclosure audit, to include the who (login ID), what (read-only, modify, delete, add, etc.), and when (date/time stamp) of disclosed information.
Authentication: Corroboration that a person is the one he or she claims to be.

Authorization: The permission granted by a patient, or the patient’s Personal Representative, to use PHI for specified purposes or to disclose PHI to a third party specified by the individual.

Authorization Form: A form that a healthcare provider must obtain from the individual patient or patient’s legal guardian in order to use or disclose the individual’s protected health information (PHI) for purposes other than for treatment, payment, or healthcare operations (TPO) or for specific purposes listed in the Privacy Rule, such as public health or health oversight.

Availability: The property that data or information is accessible and useable upon demand by an authorized person.

Breach: With certain exceptions, the acquisition, access, use or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI.

Business Associate: With certain exceptions, a person or entity that is not a member of your practice’s workforce who: (1) creates, receives, maintains, or transmits PHI for a function or activity regulated by the Privacy Rule; or (2) provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a Covered Entity, or to or for an Organized Health Care Arrangement in which the Covered Entity participates, where the provision of the service involves the disclosure of protected individually identifiable health information from such Covered Entity or Arrangement, or from another Business Associate of such Covered Entity or Arrangement, to the person.

Centers for Medicare & Medicaid Services (CMS): The federal agency within DHHS responsible for the enforcement of the HIPAA Security Rule.

Confidentiality: The property by which data or information is not made available or disclosed to unauthorized persons or processes.

Covered Entity: Health plans, healthcare clearinghouses and any healthcare providers (physicians, hospitals, nursing homes, etc.) that transmit any health information in electronic form in connection with a HIPAA transaction.

Criticality: Addresses those assets that are critical to the function of a practice and expresses the significance given to a functional failure of those important assets.

Critical: These functions cannot be performed unless the same capabilities (i.e., computer systems) are found to replace the damaged system. Critical applications cannot be replaced by manual methods under any circumstances. Tolerance to interruption is very low and the recovery cost is very high.

Data Aggregation: With respect to PHI created or received by a Business Associate in its capacity as the Business Associate of a Covered Entity, the combining of such PHI by the Business Associate with the PHI received by the Business Associate in its capacity as a Business Associate of another Covered Entity, to permit data analyses that relate to the health care operations of the respective covered entities.

Data Use Agreement: An agreement that sets forth the permitted uses and disclosures of limited data sets, including who may use or receive the data and limitations on the receiving party’s ability to re-identify or contact the individuals who are subjects of the limited data sets.

De-identified: Health information that meets the standard and implementation specifications for de-identification under 45 CFR §164.514(a) and (b) is considered not to be individually identifiable health information, i.e., de-identified.

Department of Health and Human Services (DHHS or HHS): The department of the executive branch of the federal government that has overall responsibility for implementing HIPAA.

Designated Record Set: A group of records maintained by or for a Covered Entity that is:
(1) the medical records and billing records about individuals maintained by or for a covered healthcare provider;
(2) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
(3) used, in whole or in part, by or for the Covered Entity to make decisions about individuals.
Record means any item, collection or grouping of information that includes PHI and is maintained, collected, used or disseminated by or for a Covered Entity.

Direct Treatment Relationship: A treatment relationship between the individual and a healthcare provider in which the provider delivers healthcare directly to an individual rather than through another healthcare provider. (See “Indirect Treatment Relationship” definition.)

Disclosure: The release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information.

Disclosure History: A list of any entities to which the Covered Entity has disclosed personally identifiable healthcare information for uses unrelated to treatment, payment and healthcare operations (TPO). See Accounting.

Electronic Health Record (EHR): The Electronic Health Record (EHR) is a longitudinal electronic record of patient health information generated by one or more encounters in any care delivery setting. Included in this information are patient demographics, progress notes, problems, medications, vital signs, past medical history, immunizations, laboratory data and radiology reports. The EHR automates and streamlines the clinician’s workflow.
The EHR has the ability to generate a complete record of a clinical patient encounter, as well as supporting other care-related activities directly or indirectly via interface, including evidence-based decision support, quality management, and outcomes reporting.

Electronic Media: (1) Electronic storage material on which data is or may be recorded electronically, including, for example, devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; (2) Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet, extranet or intranet, leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media if the information being exchanged did not exist in electronic form immediately before the transmission.

Electronic Protected Health Information (EPHI): Protected health information (PHI) transmitted by electronic media or maintained by electronic media.

Encryption: The use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.

Facility Privacy Plan: Plan to safeguard the premises and building(s) (exterior and interior) of a Covered Entity from unauthorized physical access and to safeguard the PHI therein from unauthorized physical access, tampering, and theft.

Family member: An individual’s:
(1) dependent; or
(2) any other person who is a first-degree, second-degree, third-degree, or fourth-degree relative of the individual or of a dependent of the individual.
Relatives by affinity (such as by marriage or adoption) are treated the same as relatives by consanguinity (that is, relatives who share a common biological ancestor). In determining the degree of the relationship, relatives by less than full consanguinity (such as half-siblings, who share only one parent) are treated the same as relatives by full consanguinity (such as siblings who share both parents).
(i) First-degree relatives include parents, spouses, siblings, and children.
(ii) Second-degree relatives include grandparents, grandchildren, aunts, uncles, nephews, and nieces.
(iii) Third-degree relatives include great-grandparents, great-grandchildren, great aunts, great uncles, and first cousins.
(iv) Fourth-degree relatives include great-great grandparents, great-great grandchildren, and children of first cousins.

Federal Privacy Act of 1974: This Act protects personal information about individuals held by the federal government. Covered entities that are federal agencies or federal contractors that maintain records that are covered by the Privacy Act not only must comply with the Privacy Rule’s requirements but also must comply with the Privacy Act.

Genetic Information (45 CFR §160.103): Genetic information means:
(1) Subject to paragraphs (2) and (3) of this definition, with respect to an individual, information about:
    (i) The individual’s genetic tests;
    (ii) The genetic tests of family members of the individual;
    (iii) The manifestation of a disease or disorder in family members of such individual; or
    (iv) Any request for, or receipt of, genetic services, or participation in clinical research which includes genetic services, by the individual or any family member of the individual.
(2) Any reference in this subchapter to genetic information concerning an individual or family member of an individual shall include the genetic information of:
    (i) A fetus carried by the individual or family member who is a pregnant woman; and
    (ii) Any embryo legally held by an individual or family member utilizing an assisted reproductive technology.
(3) Genetic information excludes information about the sex or age of any individual.

Health Information: Any information, including genetic information, whether oral or recorded in any form or medium, created or received by a provider that relates to the past, present, or future physical or mental health condition of a patient; the provision of healthcare to a patient; or the past, present or future payment for the provision of healthcare to a patient.

Health Insurance Portability and Accountability Act of 1996 (HIPAA): A federal law that allows persons to qualify immediately for comparable health insurance coverage when they change their employment relationships and which gives the U.S. Department of Health and Human Services (DHHS) the authority to: (1) mandate the use of standards for the electronic exchange of healthcare data; (2) specify what medical and administrative code sets should be used within those standards; (3) require the use of national identification systems for healthcare patients, providers, payers (or plans), and employers (or sponsors); and (4) specify the types of measures required to protect the security and privacy of personally identifiable healthcare information.

Health Plan: An individual or group plan that provides or pays the cost of medical care.

Healthcare: Healthcare includes, but is not limited to, the following: (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and (2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.

Healthcare Clearinghouse: An entity that processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction, or that receives a standard transaction from another entity and processes or facilitates the processing of that information into a nonstandard format or nonstandard data content for a receiving entity.

Healthcare Operations: Activities related to your practice’s business, clinical management and administrative duties. Some examples of these activities are the use of PHI or EPHI to obtain a referral, quality assurance, quality improvement, case management, training programs, licensing, credentialing, certification, accreditation, compliance programs, business management, and general administrative activities of the practice. Healthcare operations include the sale, transfer, merger, or consolidation of all or part of a Covered Entity with another Covered Entity, or an entity that following such activity will become a Covered Entity, and the due diligence related to such activity.

Healthcare Provider: A person or organization that provides medical or health services and any other person or organization who furnishes, bills or is paid for healthcare in the normal course of business.

High Vulnerability: May result in highly costly loss of major tangible assets or resources; may significantly violate, harm or impede an organization’s mission, reputation or interests; may result in human death or serious injury.

Incidental Use or Disclosure: A secondary use or disclosure of PHI that cannot reasonably be prevented, is limited in nature, and that occurs as a by-product of an otherwise permitted use or disclosure.

Indirect Treatment Relationship: A relationship between an individual and a healthcare provider in which: (1) the healthcare provider delivers healthcare to the individual based on the orders of another healthcare provider; and (2) the healthcare provider typically provides healthcare services or products, reports the diagnosis or results associated with the health care directly to another healthcare provider who uses this information to provide care to
the individual.Individually Identifiable Health Information (IIHI): Any health information (including demographic information) that is collected from the patient and(1) ??is created or received by a healthcare provider or other Covered Entity or employer and(2) ??that relates to the past, present or future physical or mental health or condition of an individual; OR the provision of healthcare to an individual, OR the past, present or future payment for the provision of healthcare at your practice; AND that identifies the individual or there is a reasonable basis to believe the information can be used to identify the individual.Institutional Review Board or IRB or Privacy Board: Within the provisions of the institutional review board (IRB) rules (21 CFR, Part 56) are requirements that the IRB ensure that there are adequate provisions to protect the privacy of research subjects and to maintain the confidentiality of research data. Integrity: ?The trait that data or information have not been altered or destroyed in an unauthorized manner.Internal Audits: The in-house review of the records of system activity (for example, logins, file accesses, security incidents) maintained by an organization.IT: ?Information technology or information technologist.Law Enforcement Official: An officer or employee of any agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, who is empowered by law to: (1) investigate or conduct an official inquiry into a potential violation of law; or (2) prosecute or otherwise conduct a criminal, civil or administrative proceeding arising from an alleged violation of law. Limited Data Set: PHI that excludes specific, readily identifiable information about theindividual patients or their relatives, employers and members of their households. 
TheLimited Data Set may include admission, discharge and service dates; date of death; age (including ages 90 and over) and any geographic subdivision (including town or city, state andfive digit zip code, but excluding postal addresses).Marketing: “A communication about a product or service, that encourages therecipients of the communication to purchase or use the product or service. See this Manual and 45 CFR §164.501 for a detailed explanation of Marketing.Minimum Necessary: The principle that at Covered Entity, to the extent practical, , when using or disclosing PHI, or when requesting PHI from another Covered Entity, must limit such PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. HHS will issue guidance on what constitutes the “minimum necessary”.Need-To-Know: ?A principle stating that a user should have access only to the data he or she needs to perform a particular function. ?Per the Privacy ?Standard, this must be addressed within the workforce job description.Office for Civil Rights (OCR): The federal agency within DHHS responsible for the enforcement of the HIPAA Privacy Rule and Data Breach Notification RuleOperations: ?See Healthcare anized Health Care Arrangement (OHCA): A clinically integrated healthcare setting in which individuals typically receive healthcare from more than one provider, or an organized system of healthcare in which more than one Covered Entity participates and in which the participating covered entities hold themselves out to the public as participating in a joint arrangement, and participate in joint activities that include at least one of the following, as further defined in 45 CFR §160.103:A. ???Utilization reviewB. ???Quality assessment and improvement activitiesC. 
???Payment activities.Password: ?A confidential numeric and/or character string used in conjunction with a user ID to verify the identity of the individual attempting to gain access to a computer system (see Authentication).Payer: ?In healthcare, an entity that assumes the risk of paying for medical treatments. ?This can be a self-pay patient, a self-insured employer, a health plan, or an HMO (also, “Payer”).Payment: ?The activities by the practice to obtain reimbursement for healthcare services. ?This includes, among others, billing, claims management, collection activities, verification of insurance coverage, and precertification of services. Personal Identification Number (PIN): ?A number or code assigned to an individual used to provide verification of identity.Personal Representative: A person who, under applicable law, has the authority to act onbehalf of an individual in making decisions related to healthcare.Physical Safeguards: Physical measures, policies and procedures to protect computer systems, written records, buildings, and equipment from fire and other natural and environmental hazards, as well as from unauthorized access.Privacy Contact: The person or persons designated by our Practice to answer questions and provide information to patients and others about our Notice of Privacy Practices and our policies and procedures, if this role is not filled by our Privacy Officer.Privacy Officer: The person designated by a Covered Entity to oversee the development and implementation of the Covered Entity’s privacy policies and procedures and, where not delegated to a Privacy Contact(s), the person who receives complaints about privacy practices and answers questions about the Covered Entity’s Notice of Privacy Practices. 
Protected Health Information (PHI): ?With few exceptions, includes individually identifiable health information (IIHI) held or disclosed by a practice regardless of how it is communicated (e.g., electronically, verbally, or written).Psychotherapy Notes: Notes recorded (in any medium) by a healthcare provider who is amental health professional documenting or analyzing the contents of conversation during aprivate counseling session or a group, joint, or family counseling session and that are separatedfrom the rest of the individual’s medical record. Psychotherapy notes exclude medicationprescription and monitoring, counseling session start and stop times, the modalities andfrequencies of treatment furnished, results of clinical tests, and any summary of the followingitems: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress todate.Public Health Authority (164.501): An agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.Required Specification: An implementation specification that a Covered Entity is required to implement based on the Security Rule (e.g., covered entities are required to perform a security risk assessment).Required by Law: A mandate contained in law that compels a Covered Entity to make a use or disclosure of PHI and that is enforceable in a court of law, e.g., court orders, court-ordered warrants, subpoenas, and summons; a civil investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including 
statutes or regulations that require such information if payment is sought under a government program providing public benefits. Research: A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.Risk: ?"The net mission impact considering (1) the probability that a particular [threat} willexercise (accidentally trigger or intentionally exploit) a particular [vulnerability] and (2)the resulting impact if this should occur .. .. [R]isks arise from legal liability or mission lossdue to-1. Unauthorized (malicious or accidental) disclosure, modification, or destruction of information 2. Unintentional errors and omissions 3. IT disruptions due to natural or manmade disasters 4. Failure to exercise due care and diligence in the implementation and operation of the IT system.Sale of PHI: A disclosure of PHI by a Covered Entity or Business Associate, if applicable, where the Covered Entity or Business Associate directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI.Secure Electronic Environment: An environment that has administrative procedures, physical safeguards, and technical security services and mechanisms in place to prevent unauthorized access to PHI.Security or Security Measures: Encompasses all of the administrative, physical, and technical safeguards used to protect PHI. Security Incident: The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.Subcontractor: A person or entity that creates, receives, maintains or transmits protected health information on behalf of a Business Associate. 
Third Party Administrator (TPA): An entity that processes healthcare claims and performs related business functions for a health plan.Threat: ?An adapted definition of threat, from NIST SP 800-30, is "[t]he potential for a person orthing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability."Time-Of-Day Access Control: Access to data is restricted to certain periods, e.g., Monday through Friday, 8:00 a.m. to 6:00 p.m. ?This is a function of audit controls that allows the practice to determine exactly when the system was accessed.Trading Partner: ?(see Business Associate)Treatment: ?The provision, coordination, or management of healthcare and related services by one or more healthcare providers, consultation between healthcare providers relating to a patient, or the referral of a patient for healthcare from one provider to another.Unsecured PHI: PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals persons through the use of a technology or methodology specified by DHHS guidance.Use: ?With respect to individually identifiable health information (IIHI), the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.User: ?A person or entity with authorized access.User ID: A unique identifier given to an individual allowing that individual access to a computer system. ?A User ID is usually accompanied by a password.Vital: Functions which cannot be performed by manual means or can be performed manually for only a very brief period. ?There is a somewhat higher tolerance for interruption, and a somewhat lower cost for recovery, provided that functions are restored within a certain time, usually only a few days. ?For applications classified as “vital,” a brief suspension of processing can be tolerated, but a considerable amount of “catching up” will be needed to restore data to current or useable form. Vulnerability: ? 
A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's ?security policy. See NIST Special Publication (SP) 800-30.Workforce: ?Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a Covered Entity or Business Associate, is under the direct control of such Covered Entity or Business Associate, whether or not they are paid by the Covered Entity or Business Associate.Workstation: ?A computer used for running software applications, storing, and transmitting data. ?In networking, workstation refers to any computer connected to a local area network.INDEXAAudit/ Risk AnalysisAUDIT/RISK ANALYSISAuthorization for Use and Disclosure of Psychotherapy NotesFORMSAuthorization for Use and/or Disclosure of PHI for Marketing, Fundraising, Publication, or Public RelationsFORMSBBusiness Associate AgreementPOLICIES AND PROCEDURESBusiness Associate LogLOGSBusiness Associates PolicyPOLICIES AND PROCEDURESBusiness Associates Decision TreePOLICIES AND PROCEDURESCConfidentialityPRIVACY RULEDData Breach Policy and ProceduresPOLICIES AND PROCEDURESData Breach RecordLOGSDescendantsPRIVACY RULEFFacilities Policy and ProceduresPOLICIES AND PROCEDURESFacility Maintenance LogLOGSFax Letter with DisclaimerFORMSGGlossaryGLOSSARYIIllustrations of Situations Requiring/Not Requiring AuthorizationPOLICIES AND PROCEDURESImmunization Consent PolicyPOLICIES AND PROCEDURESIntroductionINTRODUCTIONJJob DescriptionsJOB DESCRIPTIONSLLimitations of Use and Disclosure of PHIPRIVACY RULEListing of Typical Business AssociatesPOLICIES AND PROCEDURESLog and Record ReviewLOGSMMarketingPRIVACY RULEMarketingPOLICIES AND PROCEDURESMinimum Necessary StandardPRIVACY RULEMinorsPRIVACY RULENNotice of Privacy PracticesPRIVACY RULENotice of Privacy PracticesFORMSPPatient Authorization for Use and Disclosure 
of Protected Health InformationFORMSPatient Complaint FormFORMSPatient Denial LetterFORMSPatient Requested RestrictionsPRIVACY RULEPatient Requests for Electronic Copy of EPHI PolicyPOLICIES AND PROCEDURESPermissible DisclosuresPRIVACY RULEPersonal RepresentativePRIVACY RULEPrivacy Officer Incident LogLOGSPrivacy PolicyPRIVACY RULEPrivacy Procedures – PatientPOLICIES AND PROCEDURESPrivacy Risk AnalysisPRIVACY RISK ANALYSISPrivacy Officer DescriptionPRIVACY RESPONSIBILITIESPsychotherapy Notes AuthorizationPRIVACY RULERReceipt of Notice of Privacy Practices Written Acknowledgement FormFORMSRequest for an Accounting of Certain Disclosures of Protected Health InformationFORMSRequest for Correction/Amendment of Protected Health InformationFORMSRequest for Limitations and Restrictions of Protected Health InformationFORMSRequest to Inspect and Copy Protected Heath InformationFORMSSSample Immunization Consent AgreementPOLICIES AND PROCEDURESTTPOPRIVACY RULETraining Documentation LogLOGSTraining PolicyPOLICIES AND PROCEDURESUUse of PHI for TPO and Non-TPO PurposesPRIVACY RULEWWorkforce Confidentiality AgreementPOLICIES AND PROCEDURESWorkforce TerminationPOLICIES AND PROCEDURESWorkforce Termination RecordLOGS ................