Instruction for HIPAA Privacy Compliance



Organization Name

HIPAA INFORMATION AND

TRAINING MANUAL

TABLE OF CONTENTS

Privacy Official

Privacy Official Job Description

Privacy Policies for Protected Health Information

Privacy Procedures for Protected Health Information

Process for Notice of Privacy Practices

Notice of Privacy Practices

Notice of Privacy Practices Acknowledgement; Initial Uses

Use and Disclosures of Protected Health Information

Patient Authorization for Use and Disclosure of PHI

Patient's Right to Inspect

Request to Access PHI

Access and Inspect PHI Granted

Denial of Access to PHI

Request to Amend PHI

Denial to Amend PHI

Patient's Right to Make a Complaint

Protecting and De-Identifying PHI

"Safe Harbor"

De-Identification Checklist "Safe Harbor"

Marketing

Process for Handling Business Associate Contract

Business Associate Contract Provisions

Business Associate Contract List

Employee Responsibility to PHI

HIPAA Training: Agenda

HIPAA Training: Q & A

Confidentiality Policy

Confidentiality and Non-Disclosure Agreement

HIPAA Test and Key

Certificate of Completion

Section One – Privacy Official

__________________________________________ will maintain an established Privacy Official, complete with job description and make the information available to all patients

Procedure

At the present time, the Privacy Official is as named on page 1 of this manual. A written notice has been or is to be provided to all patients and employees. The Privacy Official is responsible for implementing all requirements connected with HIPAA compliance. In the event of a change in the current Privacy Official, __________________________________________ will give written notice to all patients and employees.

The current Privacy Official and each subsequent Privacy Official must have a signed job description outlining his or her responsibilities as Privacy Official. He or she is to be tested exactly the same as all other employees. All documentation of his or her records as Privacy Official must be maintained in his or her employee file.

In the event the Privacy Official fails to comply with the policies and procedures established by __________________________________________, a memo will be written from the administration outlining the infraction. Depending on the degree of the infraction, the administration may recommend a warning or immediate dismissal. Three written warnings are also grounds for immediate dismissal.

No Protected Health Information can be used or disclosed, made available to the patient, or amended by the patient without the direct knowledge and approval of the Privacy Official. Each use and disclosure must have the Privacy Official's or designee's signature on the approval and must be documented in the patient file as well as the master logbook.

Per the approval of the Privacy Official, each use and disclosure is to be documented as stated above. The exception is ultrasounds that are sent directly from __________________________________________ and remain the property of __________________________________________. The associate/exam doctors prepare the ultrasounds or copies when requested. A master log of all ultrasounds sent out is to be kept in the nurse manager's office. The master log is to be reviewed and the documentation placed on the individual patient log.

Section 2: Job Description

__________________________________________

Position Title: Privacy Official

General Duties: Coordinate all activities of __________________________________________ relating to maintaining the privacy of individual protected health information consistent with federal and state law.

Responsibilities:

Provides development guidance and assists in the identification, implementation, and maintenance of __________________________________________ health information privacy policies and procedures in coordination with __________________________________________ management and legal counsel.

Works with __________________________________________’s senior management to establish __________________________________________ Privacy Oversight Committee.

Performs initial and periodic information privacy risk assessments and conducts related ongoing compliance monitoring activities in coordination with the entity's other compliance and operational assessment functions.

Works with senior management, to ensure that __________________________________________ has and maintains appropriate privacy and confidentiality consent, authorization forms, and information notices and materials reflecting current Pregnancy Alternatives Center and legal practices and requirements.

Oversees, directs, delivers, or ensures delivery of initial and ongoing privacy training and orientation to all employees, volunteers, professional staff, contractors, alliances, business associates, and other appropriate third parties.

Participates in the development, implementation, and ongoing compliance monitoring of all business associate agreements, to ensure all privacy concerns, requirements, and responsibilities are addressed.

Establishes with management a mechanism to track access to protected health information within the purview of __________________________________________, as required by law, and to allow qualified individuals to review or receive a report on such activity.

Works cooperatively with management in overseeing patient rights to inspect, amend, and restrict access to protected health information when appropriate.

Establishes and administers a process for receiving, documenting, tracking, investigating, and taking action on all complaints concerning __________________________________________ 's privacy policies and procedures in coordination and collaboration with other similar functions and, when necessary, legal counsel.

Ensures compliance with privacy practices and consistent application of sanctions for failure to comply with privacy policies for all individuals in __________________________________________'s workforce and volunteer department, extended workforce, and for all business associates, in cooperation with administration, and legal counsel as applicable.

Initiates, facilitates and promotes activities to foster information privacy awareness within __________________________________________ and related entities.

Reviews all system-related information security plans throughout __________________________________________'s network to ensure alignment between security and privacy practices, and acts as a liaison to the information systems department.

Works with all __________________________________________ personnel involved with any aspect of release of protected health information, to ensure full coordination and cooperation under __________________________________________’s policies and procedures and legal requirements.

Maintains current knowledge of applicable federal and state privacy laws and accreditation standards, and monitors advancements in information privacy technologies to ensure __________________________________________ adaptation and compliance.

Serves as information privacy consultant to __________________________________________ for all departments and appropriate entities.

Cooperates with the Office for Civil Rights, other legal entities, and __________________________________________ officers in any compliance reviews or investigations.

Works with __________________________________________ administration, legal counsel, and other related parties to represent __________________________________________'s information privacy interests with external parties (state or local government bodies) who undertake to adopt or amend privacy legislation, regulation, or standard.

Qualifications:

Familiarity with clinical and administrative functions of the practice. Willingness to learn on a fast track about laws and regulations relating to privacy of health information. High integrity. Very detail-oriented. Strong organizational and communications abilities. Can work well with other practice personnel.

Name: _

Signature: _

Date accepting responsibilities: _

Section 3: Privacy Policies and Procedures for Protected Health Information __________________________________________

All __________________________________________ policies and procedures are in place and effective on or before January 1, 2011.

Procedure

All policies and procedures of __________________________________________ are to be written and maintained in this office manual. As new policies and procedures are established they are to be written and the manual is to be updated with an effective date of the additional policies and/or procedures.

__________________________________________ will maintain policies and procedures that are consistent with the HIPAA Privacy Standards and all laws of the state of Washington for execution of the HIPAA compliance regulations. Whichever law is more stringent, federal or state, will be the standard for this clinic.

Procedure

It is understood that when adopting new policies and procedures established by __________________________________________ for the purpose of protecting patient health care information, the Privacy Official must review the HIPAA Privacy Standards and all laws of the state of Washington for compliance requirements. __________________________________________ will make certain that whichever law is more stringent is followed.

__________________________________________ will maintain a current Privacy Manual in the clinic.

Procedure

This Protected Health Information Office Manual is to be maintained by the Privacy Official. All written policies are found in this section. Each subsequent section restates the relevant policies from this section and adds procedures for how to handle them. This manual will be updated periodically.

Section 4: Privacy Policies and Procedures for Protected Health Information __________________________________________

All __________________________________________ policies and procedures are in place and effective on or before January 1, 2011.

__________________________________________ and its employees will protect the following information according to the Health Insurance Portability and Accountability Act.

• Names

• Patient diagnosis or prognosis

• Recommendations and the treatment the patient is to receive or has received

• All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes

• All dates directly relating to the individual (birth date, admission date, dates of all treatments, discharge date, date of death)

• Telephone numbers

• Fax numbers

• Electronic mail addresses

• Social Security numbers

• Medical record numbers

• Health plan numbers

• Health plan benefits and financial obligations for treatment

• Account numbers

• Certificate/license numbers

• Vehicle identifiers and serial numbers, including license plate numbers

• Device identifiers and serial numbers

• Web Universal Resource Locators (URLs)

• Internet Protocol (IP) address numbers

• Biometric identifiers, including finger and voice prints

• Full-face photographs, diagnostic images, and any comparable images

• Any other unique identifying number, characteristic, or code
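The list above is the set of identifiers whose removal makes a record de-identified under the "Safe Harbor" method referenced in this manual's table of contents. As an added example (not part of this manual, and not the clinic's own tooling), the following Python applies that method to a constructed patient record: direct identifiers are dropped, dates are reduced to the year, the ZIP code is cut to its first three digits, ages over 89 are aggregated, and free-text fields are scanned for identifiers that leaked into notes. The year-only, three-digit-ZIP and over-89 rules come from the Safe Harbor standard at 45 CFR 164.514(b)(2), not from this page; the sample record, its field names, and the set of low-population ZIP prefixes are assumptions constructed for the example.

```python
import re

# Constructed sample record for this example; every value is fictitious and
# the field names are assumptions, not the clinic's chart format.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "dob": "1919-03-12",
    "admission_date": "2011-02-03",
    "zip": "98101",
    "city": "Seattle",
    "phone": "206-555-0143",
    "email": "jane.sample@example.com",
    "ssn": "123-45-6789",
    "mrn": "MRN-000123",
    "age": 91,
    "diagnosis": "Routine follow-up visit",
    "notes": "Patient called from 206-555-0143; follow-up email to "
             "jane.sample@example.com on 03/15/2011.",
}

# Structured fields Safe Harbor requires be removed outright (names, contact
# details, record/account numbers, sub-state geography, device/vehicle
# identifiers, URLs, IP addresses, biometrics, photographs).
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account", "license", "vehicle", "device_id", "url", "ip",
    "biometric", "photo",
}
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}

# Assumption: three-digit ZIP prefixes covering fewer than 20,000 people must
# become "000". This set is illustrative; verify against current Census data.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Patterns for identifiers that commonly leak into free-text notes.
FREE_TEXT_PATTERNS = [
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("URL", re.compile(r"https?://\S+")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")),
    ("DATE", re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b|\b\d{4}-\d{2}-\d{2}\b")),
]

def year_only(value):
    """Keep only the year of an ISO date; None if the value is not a clean date."""
    m = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", value)
    return m.group(1) if m else None

def generalize_zip(zip_code):
    """Keep the first three digits, or "000" for low-population prefixes."""
    zip3 = zip_code[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3

def generalize_age(age):
    """Ages over 89 collapse into a single "90+" category."""
    return "90+" if age > 89 else age

def scrub_text(text):
    """Replace identifier-shaped substrings with a bracketed placeholder."""
    for label, pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub(f"[{label}]", text)
    return text

def deidentify(record):
    """Return a Safe Harbor de-identified copy of a flat record."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                       # removed outright
        if field in DATE_FIELDS:
            year = year_only(value)
            if year is not None:           # unparseable dates are dropped, not kept
                out[f"{field}_year"] = year
        elif field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field == "age":
            out["age"] = generalize_age(value)
        elif isinstance(value, str):
            out[field] = scrub_text(value)
        else:
            out[field] = value
    # Safe Harbor also removes date elements (including the year) that reveal
    # an age over 89, so the birth year cannot stay once the age is aggregated.
    if out.get("age") == "90+":
        out.pop("dob_year", None)
    return out

def residual_identifiers(record):
    """List (field, label) pairs for identifier-shaped text still present."""
    hits = []
    for field, value in record.items():
        if isinstance(value, str):
            for label, pattern in FREE_TEXT_PATTERNS:
                if pattern.search(value):
                    hits.append((field, label))
    return hits
```

Running `deidentify(SAMPLE_RECORD)` leaves only the admission year, the ZIP prefix "981", the age category "90+", the diagnosis, and the scrubbed notes; `residual_identifiers` then returns an empty list for the cleaned record. Pattern scrubbing of free text is a backstop, not a guarantee: a name typed into the notes would pass through, and Safe Harbor additionally requires that the clinic have no actual knowledge that the remaining information could identify the patient, which is why the manual's De-Identification Checklist still has to be worked through by a person.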

__________________________________________ will maintain a Notice of Privacy Practices that is posted in plain view for all to see. This Notice of Privacy Practices must describe how __________________________________________ will use and disclose the patient's Protected Health Information. This Notice is made available to every existing patient on or before January 1, 2011. This notice is also made available to all new patients at the time of their enrollment. Any revisions of the notice must be made available to all patients within 60 days of the revision.

__________________________________________ will be required to abide by the terms of the notice.

However, __________________________________________ has the right to revise the notice as long as the revisions are provided to the patients.

__________________________________________ will maintain a current Privacy Manual in the clinic.

If and when __________________________________________ maintains a web page, the Notice of Privacy Practices will be made available electronically on that website.

If and when __________________________________________ maintains its own e-mail capability, it will transmit the notice via e-mail if the individual requests, but a written acknowledgement must still be obtained at the time services are first rendered.

A log will be maintained of all health care professionals who are or have been authorized to enter information into a patient's chart or records, all staff who need access to the patient's health information, and anyone who may share in this information.

__________________________________________ will maintain a staff that is fully trained and tested on all HIPAA compliance regulations. __________________________________________ will retrain and retest the staff at least annually to ensure understanding of what is required for the complete protection of the patient's Protected Health Information.

__________________________________________ will maintain a policy for appropriate staff sanctions for failure to comply with the policies and procedures established by __________________________________________. Documentation of all staff sanctions will be maintained.

__________________________________________ will maintain an established Privacy Official, complete with job description and make the information available to all patients

No Protected Health Information can be used or disclosed, made available to the patient, or amended by the patient without the direct knowledge and approval of the Privacy Official. Each use and disclosure must have the Privacy Official's signature on the approval and must be documented in the patient file as well as the master logbook.

__________________________________________ will maintain policies and procedures that are consistent with the HIPAA Privacy Standards and all laws of the state of Washington for execution of the HIPAA compliance regulations. Whichever law is more stringent, federal or state, will be the standard for this clinic.

Provide every patient with a written copy of our Notice of Privacy Practices for our clinic and make available to all people, upon request, a written copy of that notice.

Receive a written acknowledgement from each patient that they have received the Notice of Privacy Practices for our clinic. If the patient refuses to sign the acknowledgement, the Privacy Official will document the attempt, and the clinic will thereafter use and disclose the individual's protected health information for treatment, payment and healthcare operations. This acknowledgement is to be maintained in the patient's file.

Provide each patient with a full disclosure of how our clinic may use his or her Protected Health Information, complete with a signed authorization maintained in his or her file.

Understand that uses and disclosures of the patient's Protected Health Information for the purpose of Treatment, Payment, or Healthcare Operations do not require authorization from the patient. The patient does not have the right to object to these uses or disclosures.

Treatment: __________________________________________ will use and disclose the patient's protected health information to provide, coordinate, or manage the patient's health care and any related services. This includes the coordination or management of the patient's health care with a third party that has already obtained the patient's permission to have access to the patient's protected health information. For example, __________________________________________ would disclose the patient's protected health information, as necessary, to a home health agency that provides care to the patient. __________________________________________ will also disclose protected health information to other doctors who may be treating the patient when __________________________________________ has the necessary permission from the patient to disclose the patient's protected health information. For example, the patient's protected health information may be provided to a doctor to whom the patient has been referred to ensure that the doctor has the necessary information to diagnose or treat the patient. In addition, __________________________________________ may disclose the patient's protected health information from time to time to another doctor or health care provider (e.g., a specialist or laboratory) who, at the request of the patient's doctor, becomes involved in the patient's care by providing assistance with the patient's health care diagnosis or treatment to the patient's doctor.

Payment: The patient's protected health information will be used, as needed, to obtain payment for the patient's health care services. This may include certain activities that the patient's health insurance plan may undertake before it approves or pays for the health care services __________________________________________ recommends for the patient such as; making a determination of eligibility or coverage for insurance benefits, reviewing services provided to the patient for medical necessity, and undertaking utilization review activities. For example, obtaining approval for a hospital stay may require that the patient's relevant protected health information be disclosed to the health plan to obtain approval for the hospital admission.

Healthcare Operations: __________________________________________ may use or disclose, as needed, the patient's protected health information in order to support the business activities of the patient's doctor's practice. These activities include, but are not limited to, quality assessment activities, employee review activities, training of students, licensing, marketing and fund raising activities, and conducting or arranging for other business activities. __________________________________________ may use a sign-in sheet at the registration desk where the patient will be asked to sign their name and indicate their doctor's name. __________________________________________ may also call the patient by name in the waiting room when the patient's doctor is ready to see the patient. However, if __________________________________________ wishes to use or disclose the patient's protected health information, as necessary, to contact the patient to remind the patient of the patient's appointment, specific authorization from the patient must be received.

__________________________________________ will share the patient's protected health information with third party "business associates" that perform various activities (e.g., billing, and transcription services) for the practice. Whenever an arrangement between __________________________________________ and a business associate involves the use or disclosure of the patient's protected health information, __________________________________________ will have a written contract that contains terms that will protect the privacy of the patient's protected health information.

__________________________________________ may use or disclose the patient's protected health information, as necessary, to provide the patient with information about treatment alternatives or other health-related benefits and services that may be of interest to the patient. __________________________________________ may also use and disclose the patient's protected health information for other marketing activities. For example, the patient's name and address may be used to send the patient a newsletter about our practice and the services __________________________________________ offers. __________________________________________ may also send the patient information about products or services that __________________________________________ believes may be beneficial to the patient. The patient may contact our Privacy Official to request that these materials not be sent to the patient.

__________________________________________ may use or disclose the patient's demographic information and the dates that the patient received treatment from the patient's doctor, as necessary, in order to contact the patient for fundraising activities supported by our office. If the patient does not want to receive these materials, they are to contact our Privacy Official and request that these fundraising materials not be sent to the patient.

This is a list of other uses and disclosures that may be made without the patient's consent, authorization or opportunity to object.

Required By Law: __________________________________________ may use or disclose the patient's protected health information to the extent that the use or disclosure is required by law. The use or disclosure will be made in compliance with the law and will be limited to the relevant requirements of the law. The patient will be notified, as required by law, of any such uses or disclosures.

Public Health: __________________________________________ may disclose the patient's protected health information for public health activities and purposes to a public health authority that is permitted by law to collect or receive the information. The disclosure will be made for the purpose of controlling disease, injury or disability. __________________________________________ may also disclose the patient's protected health information, if directed by the public health authority, to a foreign government agency that is collaborating with the public health authority.

Communicable Diseases: __________________________________________ may disclose the patient's protected health information, if authorized by law, to a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading the disease or condition.

Health Oversight: __________________________________________ may disclose protected health information to a health oversight agency for activities authorized by law, such as audits, investigations, and inspections. Oversight agencies seeking this information include government agencies that oversee the health care system, government benefit programs, other government regulatory programs and civil rights laws.

Abuse or Neglect: __________________________________________ may disclose the patient's protected health information to a public health authority that is authorized by law to receive reports of child abuse or neglect. In addition, __________________________________________ may disclose the patient's protected health information if __________________________________________ believes that the patient has been a victim of abuse, neglect or domestic violence, to the governmental entity or agency authorized to receive such information. In this case, the disclosure will be made consistent with the requirements of applicable federal and state laws.

Food and Drug Administration: __________________________________________ may disclose the patient's protected health information to a person or company required by the Food and Drug Administration to report adverse events, product defects or problems, biologic product deviations, track products; to enable product recalls; to make repairs or replacements, or to conduct post marketing surveillance, as required.

Legal Proceedings: __________________________________________ may disclose protected health information in the course of any judicial or administrative proceeding, in response to an order of a court or administrative tribunal (to the extent such disclosure is expressly authorized), and, under certain conditions, in response to a subpoena, discovery request or other lawful process.

Law Enforcement: __________________________________________ may also disclose protected health information, so long as applicable legal requirements are met, for law enforcement purposes. These law enforcement purposes include (1) legal processes and disclosures otherwise required by law, (2) limited information requests for identification and location purposes, (3) disclosures pertaining to victims of a crime, (4) suspicion that death has occurred as a result of criminal conduct, (5) a crime that occurs on the premises of the practice, and (6) a medical emergency (not on the practice's premises) where it is likely that a crime has occurred.

Coroners, Funeral Directors, and Organ Donation: __________________________________________ may disclose protected health information to a coroner or medical examiner for identification purposes, for determining cause of death, or for the coroner or medical examiner to perform other duties authorized by law. __________________________________________ may also disclose protected health information to a funeral director, as authorized by law, in order to permit the funeral director to carry out their duties. __________________________________________ may disclose such information in reasonable anticipation of death. Protected health information may be used and disclosed for cadaveric organ, eye or tissue donation purposes.

Research: __________________________________________ may disclose the patient's protected health information to researchers when an institutional review board that has reviewed the research proposal and established protocols to ensure the privacy of the patient's protected health information has approved their research.

Criminal Activity: Consistent with applicable federal and state laws, __________________________________________ may disclose the patient's protected health information, if __________________________________________ believes that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. __________________________________________ may also disclose protected health information if it is necessary for law enforcement authorities to identify or apprehend an individual.

Military Activity and National Security: When the appropriate conditions apply, __________________________________________ may use or disclose protected health information of individuals who are Armed Forces personnel (1) for activities deemed necessary by appropriate military command authorities; (2) for the purpose of a determination by the Department of Veterans Affairs of the patient's eligibility for benefits; or (3) to a foreign military authority if the patient is a member of that foreign military service. __________________________________________ may also disclose the patient's protected health information to authorized federal officials for conducting national security and intelligence activities, including the provision of protective services to the President or others legally authorized.

Workers' Compensation: The patient's protected health information may be disclosed by us as authorized to comply with workers' compensation laws and other similar legally-established programs.

Inmates: __________________________________________ may use or disclose the patient's protected health information if the patient is an inmate of a correctional facility and the patient's doctor created or received the patient's protected health information in the course of providing care to the patient.

Required Uses and Disclosures: Under the law, __________________________________________ must make disclosures to the patient and, when required by the Secretary of the Department of Health and Human Services, to investigate or determine our compliance with the requirements of 45 CFR 164.500 et seq.

Understand that __________________________________________ may use and disclose the patient's protected health information in the following instances. The patient has the opportunity to agree or object to the use or disclosure of all or part of the patient's protected health information. If the patient is not present or able to agree or object to the use or disclosure of the protected health information, then the patient's doctor may, using professional judgment, determine whether the disclosure is in the patient's best interest. In this case, only the protected health information that is relevant to the patient's health care will be disclosed.

Others Involved in the Patient's Healthcare: Unless the patient objects, __________________________________________ may disclose to a member of the patient's family, a relative, a close friend or any other person the patient identifies, the patient's protected health information that directly relates to that person's involvement in the patient's health care. If the patient is unable to agree or object to such a disclosure, __________________________________________ may disclose such information as necessary if __________________________________________ determines that it is in the patient's best interest based on our professional judgment. __________________________________________ may use or disclose protected health information to notify or assist in notifying a family member, personal representative or any other person that is responsible for the patient's care of the patient's location, general condition or death. Finally, __________________________________________ may use or disclose the patient's protected health information to an authorized public or private entity to assist in disaster relief efforts and to coordinate uses and disclosures to family or other individuals involved in the patient's health care.

Emergencies: __________________________________________ may use or disclose the patient's protected health information in an emergency treatment situation. If this happens, the patient's doctor shall try to obtain the patient's consent as soon as reasonably practicable after the delivery of treatment. If the patient's doctor or another doctor in the practice is required by law to treat the patient and the doctor has attempted to obtain the patient's consent but is unable to obtain the patient's consent, he or she may still use or disclose the patient's protected health information to treat the patient.

Communication Barriers: __________________________________________ may use and disclose the patient's protected health information if the patient's doctor or another doctor in the practice attempts to obtain consent from the patient but is unable to do so due to substantial communication barriers, and the doctor determines, using professional judgment, that the patient intends to consent to the use or disclosure under the circumstances.

Marketing: __________________________________________ may use and disclose the patient's protected health information for marketing purposes such as newsletters, direct contact, birthday cards, and informational and educational materials.

It is the responsibility of __________________________________________ to understand the patient's rights. Following is a statement of patient's rights with respect to the patient's protected health information and a brief description of how the patient may exercise these rights.

The patient has the right to inspect and copy the patient's protected health information. This means the patient may inspect and obtain a copy of protected health information about the patient that is contained in a designated record set for as long as __________________________________________ maintains the protected health information. A "designated record set" contains medical and billing records and any other records that the patient's doctor and the practice use for making decisions about the patient. Under federal law, the patient may not inspect or copy the following records: psychotherapy notes; information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; and protected health information that is subject to a law that prohibits access to it. Depending on the circumstances, a decision to deny access may be reviewable, and the patient may have the right to have that decision reviewed. The patient should contact our Privacy Official with any questions about access to the patient's medical record.

The patient has the right to request a restriction of the patient's protected health information. This means the patient may ask us not to use or disclose any part of the patient's protected health information for the purposes of treatment, payment or healthcare operations. The patient may also request that any part of their protected health information not be disclosed to family members or friends who may be involved in the patient's care or for notification purposes as described in this Notice of Privacy Practices. The patient's request must state the specific restriction requested and to whom the patient wants the restriction to apply. The doctor is not required to agree to a restriction that the patient requests. If the medical staff and Medical Director believe it is in the patient's best interest to permit use and disclosure of the patient's protected health information, the restriction will not be granted. If the patient's doctor does agree to the requested restriction, __________________________________________ may not use or disclose the patient's protected health information in violation of that restriction unless the information is needed to provide emergency treatment. With this in mind, the patient should discuss any restriction they wish to request with the patient's doctor. The patient may request a restriction by submitting a written request to the Privacy Official.

The patient has the right to request to receive confidential communications from us by alternative means or at an alternative location. __________________________________________ will accommodate reasonable requests. __________________________________________ may also condition this accommodation by asking the patient for information as to how payment will be handled or specification of an alternative address or other method of contact. __________________________________________ will not request an explanation from the patient as to the basis for the request. Please make this request in writing to our Privacy Official.

The patient may have the right to have the patient's doctor amend the patient's protected health information. This means the patient may request an amendment of protected health information about the patient in a designated record set for as long as __________________________________________ maintains this information. In certain cases, __________________________________________ may deny the patient's request for an amendment. If __________________________________________ denies the patient's request for amendment, the patient has the right to file a statement of disagreement with us; we may prepare a rebuttal to the patient's statement and will provide the patient with a copy of any such rebuttal. Please contact our Privacy Official if the patient has questions about amending the patient's medical record.

The patient has the right to receive an accounting of certain disclosures __________________________________________ has made, if any, of the patient's protected health information. This right applies to disclosures for purposes other than treatment, payment or healthcare operations as described in this Notice of Privacy Practices. It excludes disclosures __________________________________________ may have made to the patient, to family members or friends involved in the patient's care, or for notification purposes. The patient has the right to receive specific information regarding these disclosures for up to six years before the date of the request, but not for disclosures made before April 14, 2003. The patient may request a shorter timeframe. The right to receive this information is subject to certain exceptions, restrictions and limitations.

The patient has the right to obtain a paper copy of this notice from us, upon request, even if the patient has agreed to accept this notice electronically.

The patient has the right to make a complaint to the Secretary of the United States Department of Health and Human Services and to our Privacy Official if they believe their rights have been violated, without fear of retaliation from our clinic. The address of the Secretary of the United States Department of Health and Human Services, and how and when the Privacy Official may be reached, must be made available to the patient.

Minimum Necessary Requirements: __________________________________________, the doctors, and staff must at all times make every reasonable effort to limit the use and disclosure of, and requests for, Protected Health Information to the minimum necessary to accomplish the intended purpose. Because __________________________________________, the doctors, and staff are allowed the flexibility to address their unique circumstances, the rule requires them to make their own assessment of what Protected Health Information is reasonably necessary for a particular purpose, given the characteristics of __________________________________________, and to implement policies and procedures accordingly. This standard calls for an approach consistent with the best practices and guidelines already used by __________________________________________ when sharing patient care information.

Designated Record Set: In accordance with the standards and implementation specifications of 45 C.F.R. § 164.524, the Provider may grant an individual access to inspect and obtain a copy of protected health information about the individual in a designated record set.

Our policy:

A. The designated record set that is subject to access by an individual is as follows:

a. Medical Records

b. Billing Records

B. The titles of the persons or offices responsible for receiving and processing requests for access by individuals are as follows:

C. The Privacy Official is: _____________________________

If _____________________ is not available, you may speak with _____________________. You can reach the Privacy Official at:

Name of Organization

Address:

City, State, Zip Code

Hours of Operation:

A message may be left for our privacy official any time the clinic is open and your call will be returned within 7 business days.

All patient records must be de-identified before shredding or viewing by non-authorized persons.

__________________________________________ will only market to those patients who have agreed to receive marketing materials. Marketing materials may include a gift of nominal value to the patient or for the patient to distribute. __________________________________________ will not sell or distribute their mailing list.

Health information and educational information sent to the patients is not considered marketing.

Section 5: Process for Notice of Privacy Practices

As stated in the Privacy Policies and Procedures for Protected Health Information.

__________________________________________ will maintain a Notice of Privacy Practices that is posted in plain view for all to see. This Notice of Privacy Practices must describe how __________________________________________ will use and disclose the patient's Protected Health Information. This Notice is made available to every existing patient on or before April 14, 2003. This notice is also made available to all new patients at the time of their enrollment. Any revisions of the notice must be made available to all patients within 60 days of the revision.

Initial compliance process: Must be completed on or before ___________________

Run two labels for each patient on our mailing list (current patients only). Make a copy of the Notice of Privacy Practices and the Acknowledgment for __________________________________________. Place one label at the top of the Notice of Privacy Practices and the other at the top of the Acknowledgement. Attach the two documents to the patient chart so that they cannot fall off. When the patient arrives for care, hand them the two documents with the instruction to read the Notice, initial the Acknowledgement where indicated, sign it, and return it to the front desk before they sign in. The date you receive the Acknowledgment is to be written on the patient chart above the date in the date-of-service column. Each patient must have this signed before they are allowed to be seen, and no later than January 1, 2011. Any "opt out" choices the patient has requested on the Acknowledgment must be logged and MUST be honored. A copy of the Acknowledgment must be maintained in their permanent file.

Make a copy, frame or cover with plastic laminate, a copy of the Notice of Privacy Practices and post in the waiting room.

Ongoing compliance process: For all new patients after the initial compliance process is completed.

When a new patient enters the office, this process must be completed before they sign in. Hand them the two documents with the instruction to read the Notice, initial the Acknowledgement where indicated, sign it, and return it to the front desk before they sign in. The date you receive the Acknowledgment is to be written on the patient chart above the date in the date-of-service column. Any "opt out" choices the patient has requested on the Acknowledgment must be logged and MUST be honored. A copy of the Acknowledgment must be maintained in their permanent file.

Maintain a copy, framed or covered with plastic laminate, of the Notice of Privacy Practices posted in the waiting room.

Provide every patient with a written copy of our Notice of Privacy Practices for our clinic and make available to all people, upon request, a written copy of that notice.

Whenever a patient requests a copy of the Notice of Privacy Practices, they are entitled to receive a copy. Acknowledgment must be signed and placed in the patient file.

Receive a written acknowledgement from each patient that they have received the Notice of Privacy Practices for our clinic. If the patient refuses to sign the acknowledgment, the Privacy Official will document the good-faith attempt to obtain it, and the clinic may thereafter use and disclose the individual's protected health information for treatment, payment and healthcare operations. The acknowledgment, or the documented refusal, is to be maintained in the patient's file.

If a patient refuses to sign the acknowledgment, the GA is to document the refusal directly on the acknowledgement, sign and notify the Privacy Official. The Privacy Official will further document the refusal by signing and dating the GA's documentation.

__________________________________________ will be required to abide by the terms of the notice. However, __________________________________________ has the right to revise the notice as long as the revisions are provided to the patients.

Whenever new processes or procedures are established in the office, review the Notice of Privacy Practices so that these new processes or procedures are consistent with the notice. If the process or procedure is not consistent a new Notice of Privacy Practices must be written and distributed to all existing and future new patients.

If and when __________________________________________ maintains a web page, the Notice will be made available electronically on it.

If and when __________________________________________ maintains their own email capability, they will transmit a notice via e-mail if the individual requests, but a written acknowledgement must be obtained at the time services are first rendered.

At the current time __________________________________________ does maintain a web page and email capability. The website contains a written privacy notice.

Section 6: Notice of Privacy Practices

__________________________________________

Effective ___________________

To our patients. This notice describes how health information about you, as a patient of this practice, may be used and disclosed, and how you can get access to your health information. This is required by the Privacy Regulations created as a result of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Our commitment to your privacy

Our center is dedicated to maintaining the privacy of your health information. __________________________________________ is required by law to maintain the confidentiality of your health information. __________________________________________ realizes that these laws are complicated, but we must provide you with the following important information:

Use and disclosure of your health information in certain special circumstances:

The following circumstances may require us to use or disclose your health information:

Treatment: to provide, coordinate or manage your health care and related services. __________________________________________ may consult with other health care providers regarding your treatment and coordinate and manage your health care with others. __________________________________________ may also use or disclose protected health information about you for the treatment activities of another health care provider.

Payment: __________________________________________ may use or disclose protected health information so that __________________________________________ can bill and collect payment for the treatment and services provided to you. Before providing treatment or services, __________________________________________ may share details with your health plan concerning the services you are scheduled to receive for payment approval.

Health Care Operations: __________________________________________ may use or disclose protected health information to allow us to improve the quality of care __________________________________________ provides and to reduce health care costs, which may include training programs for our staff.

Cooperating with outside legal entities

To public health authorities and health oversight agencies that are authorized by law to collect information.

Lawsuits and similar proceedings in response to a court or administrative order.

If required to do so by a law enforcement official.

When necessary to reduce or prevent a serious threat to your health and safety or the health and safety of another individual or the public. __________________________________________ will only make disclosures to a person or organization able to help prevent the threat.

If you are a member of U.S. or foreign military forces (including veterans) and if required by the appropriate authorities.

To federal officials for intelligence and national security activities authorized by law.

To correctional institutions or law enforcement officials if you are an inmate or under the custody of a law enforcement official.

For Workers Compensation and similar programs.

Your rights regarding your health information:

Communications. You can request that __________________________________________ communicate with you about your health and related issues in a particular manner or at a certain location. For instance, you may ask that __________________________________________ contact you at home, rather than work. __________________________________________ will accommodate reasonable requests.

You can request a restriction in our use or disclosure of your health information for treatment, payment, or health care operations. Additionally, you have the right to request that __________________________________________ restrict our disclosure of your health information to only certain individuals involved in your care or the payment for your care, such as family members and friends. __________________________________________ is not required to agree to your request; however, if we do agree, we are bound by our agreement except when otherwise required by law, in emergencies, or when the information is necessary to treat you.

You have the right to inspect and obtain a copy of the health information that may be used to make decisions about you, including patient medical records and billing records, but not including psychotherapy notes. You must submit your request in writing to our Privacy Official.

You may ask us to amend your health information if you believe it is incorrect or incomplete, and as long as the information is kept by or for our practice. To request an amendment, your request must be made in writing and submitted to our Privacy Official. You must provide us with a reason that supports your request for the amendment.

Right to a copy of this notice. You are entitled to receive a copy of this Notice of Privacy Practices. You may ask us to give you a copy of this Notice at any time. To obtain a copy of this notice, contact our Privacy Official.

Right to file a complaint. If you believe your privacy rights have been violated, you may file a complaint with our practice or with the Secretary of the Department of Health and Human Services. To file a complaint with our practice, contact our Privacy Official. All complaints must be submitted in writing. You will not be penalized for filing a complaint.

Right to provide an authorization for other uses and disclosures. Our practice will obtain your written authorization for uses and disclosures that are not identified by this notice or permitted by applicable law.

In accordance with the standards and implementation specifications of 45 C.F.R. § 164.524, the Provider may grant an individual access to inspect and obtain a copy of protected health information about the individual in a designated record set.

__________________________________________’s policy:

1. The designated record set that is subject to access by an individual is as follows:

a. Medical Records b. Billing Records

2. The titles of the persons or offices responsible for receiving and processing requests for access by individuals are as follows:

Privacy Official: _____________________________

__________________________________________ also uses protected health information for the following reasons: (you may opt out of this authorization). Special initial authorization is required and attached.

Marketing; internal referral board, testimonials, pictures on bulletin board, sending newsletters or information unrelated to healthcare and other marketing materials.

If you have any questions regarding this notice or our health information privacy policies, please contact:

If ____________ is not available, you may speak with ________________.

You can reach the Privacy Official at:

Name of Organization

Address

City, State, Zip Code

Telephone

Hours Available:

A message may be left for our privacy official any time the clinic is open and your call will be returned within 7 business days.

Section 7: Notice of Privacy Practices Acknowledgement Initial Uses Authorization Form

__________________________________________

Effective: ____________________

Initial Acknowledgement and Uses

I hereby acknowledge that I have been presented with a copy of __________________________________________ Notice of Privacy Practice.

Additional uses for which I must give my authorization:

I understand that __________________________________________ may use my protected health information for the following reasons: (I may opt out of this authorization). Special authorization is required.

Marketing; internal referral board, testimonials, pictures on bulletin board, sending newsletters or information unrelated to healthcare and other marketing materials.

I understand that I may revoke this authorization at any time by notifying __________________________________________ in writing. However, if I choose to do so, I understand that my revocation will not affect any actions taken by __________________________________________ before receiving my revocation.

We reserve the right to change the Notice of Privacy Practices as necessary. The most current Notice will be placed on display in the office at all times.

I also understand that I may refuse to authorize the above uses and that my refusal to sign in no way affects my treatment or payment.

Print Patient Name: _____________________________________________________________

Signature Patient/Personal Representative: _________________________________________

Relationship of Personal Representative: ______________________________________

Date of Signature: _________________

Section 8: Uses and Disclosures of Protected Health Information __________________________________________

Understand that uses and disclosures of the patient's Protected Health Information for the purpose of Treatment, Payment, or Healthcare Operations do not have to include authorization from the patient. The patient does not have the right to object to these uses or disclosures.

A list of other uses and disclosures that may be made without the patient's consent, authorization or opportunity to object is maintained in the office HIPAA privacy manual.

Understand that __________________________________________ may use and disclose the patient's protected health information in the following instances. The patient has the opportunity to agree or object to the use or disclosure of all or part of the patient's protected health information. If the patient is not present or able to agree or object to the use or disclosure of the protected health information, then the patient's doctor may, using professional judgment, determine whether the disclosure is in the patient's best interest. In this case, only the protected health information that is relevant to the patient's health care will be disclosed. (see policies for complete list)

Procedure

When using or disclosing protected health information, refer to the office manual's reference guide on __________________________________________'s responsibility to the patient when doing so.

If the use or disclosure is for treatment, payment or healthcare operations, maintain a log to document the use or disclosure.

All other uses and disclosures except those provided by law must have approval from the patient. You will get this approval by having the patient sign a "Patient Authorization for Use/Disclosure of Health Information" form.

Provide each patient with a full disclosure of how our clinic may use his or her Protected Health Information, complete with a signed authorization maintained in his or her file.

Provide each patient with a full disclosure of how our clinic may disclose his or her Protected Health Information, complete with a signed authorization maintained in his or her file.

This disclosure is provided in the Notice of Privacy Practices.

The patient has the right to receive an accounting of certain disclosures __________________________________________ has made, if any, of the patient's protected health information. This right applies to disclosures for purposes other than treatment, payment or health care operations as described in this Notice of Privacy Practices. It excludes disclosures __________________________________________ may have made to the patient, to family members or friends involved in the patient's care, or for notification purposes. The patient has the right to receive specific information regarding these disclosures for up to six years before the date of the request, but not for disclosures made before April 14, 2003. The patient may request a shorter timeframe. The right to receive this information is subject to certain exceptions, restrictions and limitations.

Procedure

In order to facilitate a full accounting of how our clinic used and disclosed the patient's protected health information, a log must be maintained of all uses and disclosures for each patient. __________________________________________ maintains three separate logs: uses, disclosures, and incoming protected health information.

Disclosure log documentation must include:

• Date of disclosure

• Type of disclosure (complete record set, treatment chart, billing records)

• Purpose (why is the information being disclosed?)

• Information being disclosed. Exactly what information was disclosed?

• Who received the information? Name of person or entity that received the information

• Was it requested? Yes or NO

• Who requested it? Name of person who requested the information

• Rule (treatment, payment, operations, other)

• May include comments

Uses log documentation must include:

• Date of use

• Type of use: (treatment, payment, operations, other)

• Purpose (why is the information being used?)

• Information being used (patient chart, billing records, complete record set)

• Person who accessed the information (doctor name, CA name)

• Category (provider, etc)

• Rule (treatment, payment, operations, other)

• Where is the PHI being stored?

• May include comments

Incoming Protected Health Information Log must include:

• Date of Incoming PHI

• Type of Information received i.e. patient chart, ultra sounds

• Purpose of the information. Usually for treatment purposes

• What information was received? Exactly what was sent

• Category of Information. i.e. Provider information needed

• Rule (treatment, payment, operations, other)

• Location of PHI (where is the PHI being maintained)

• May Include other comments (specifically state the entire record w
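The three logs above list what is recorded; what the list does not show is how the disclosure log is turned into the accounting a patient may request under the policy above (treatment, payment and operations disclosures excluded; disclosures to the patient and to family or friends involved in care or notification excluded; a six-year look-back that never reaches before April 14, 2003; a shorter window if the patient asks for one). The following Python is an added example written for this manual, not a form or software the clinic uses. The field names, the recipient-category values, and the six-year window counted as 6 × 365 days are assumptions, and the sample log rows are constructed.

```python
"""Accounting of disclosures built from the disclosure log.

Added example, not part of the clinic's manual or any product. Assumed (not
from the manual): the field names below, the recipient_category values, and
a six-year look-back counted as 6 * 365 days.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

COMPLIANCE_DATE = date(2003, 4, 14)   # an accounting never reaches before this date
LOOKBACK = timedelta(days=6 * 365)    # default accounting window (assumption: 365-day years)

# "Rule" values that are logged but never accounted (treatment, payment, operations)
TPO_RULES = {"treatment", "payment", "operations"}
# Recipient categories the policy excludes from an accounting
EXCLUDED_RECIPIENTS = {"patient", "family_or_friend_in_care", "notification"}


@dataclass(frozen=True)
class Disclosure:
    """One row of the disclosure log, using the fields listed in the manual."""
    patient_id: str
    disclosed_on: date
    record_type: str          # complete record set, treatment chart, billing records
    purpose: str
    information: str          # exactly what was disclosed
    recipient: str            # name of the person or entity that received it
    recipient_category: str   # provider, payer, court, public_health, patient, ...
    requested: bool
    requested_by: str
    rule: str                 # treatment, payment, operations, other
    comments: str = ""


def accountable(d: Disclosure) -> bool:
    """True if the policy requires this disclosure to appear in an accounting."""
    return d.rule not in TPO_RULES and d.recipient_category not in EXCLUDED_RECIPIENTS


def accounting_window(request_date: date, period_start: Optional[date] = None) -> date:
    """Earliest date covered: six years back, floored at COMPLIANCE_DATE,
    narrowed further only when the patient asked for a shorter period."""
    earliest = max(request_date - LOOKBACK, COMPLIANCE_DATE)
    if period_start is not None and period_start > earliest:
        earliest = period_start
    return earliest


def accounting(log: List[Disclosure], patient_id: str, request_date: date,
               period_start: Optional[date] = None) -> List[Disclosure]:
    """Disclosures the patient is entitled to see, oldest first."""
    earliest = accounting_window(request_date, period_start)
    rows = [d for d in log
            if d.patient_id == patient_id
            and earliest <= d.disclosed_on <= request_date
            and accountable(d)]
    return sorted(rows, key=lambda d: d.disclosed_on)


def accounting_report(log, patient_id, request_date, period_start=None) -> List[dict]:
    """What the patient actually receives per disclosure: date, recipient,
    description of the PHI, and purpose (the content 45 C.F.R. 164.528 requires)."""
    return [{"date": d.disclosed_on.isoformat(), "recipient": d.recipient,
             "information": d.information, "purpose": d.purpose}
            for d in accounting(log, patient_id, request_date, period_start)]


# Constructed sample log for a fictitious patient P-100 (plus one row for P-200).
SAMPLE_LOG = [
    Disclosure("P-100", date(2004, 9, 1), "billing records", "collections",
               "balance due", "Collect Co", "collection_agency", False, "", "other"),
    Disclosure("P-100", date(2010, 3, 2), "treatment chart", "referral",
               "progress notes Feb 2010", "Dr. Lee", "provider", True, "Dr. Lee", "treatment"),
    Disclosure("P-100", date(2010, 6, 15), "billing records", "claim",
               "CPT codes and dates of service", "Acme Health Plan", "payer", True,
               "Acme Health Plan", "payment"),
    Disclosure("P-100", date(2011, 1, 20), "complete record set", "subpoena",
               "entire chart", "County Court", "court", True, "Clerk of Court", "other"),
    Disclosure("P-100", date(2011, 2, 3), "treatment chart", "copy to patient",
               "entire chart", "the patient", "patient", True, "the patient", "other"),
    Disclosure("P-100", date(2011, 4, 8), "treatment chart", "immunization registry report",
               "immunization record", "State Health Dept", "public_health", False, "", "other"),
    Disclosure("P-200", date(2011, 4, 8), "treatment chart", "immunization registry report",
               "immunization record", "State Health Dept", "public_health", False, "", "other"),
]

if __name__ == "__main__":
    # Patient P-100 requests an accounting on 2012-01-01 with no shorter period.
    for row in accounting_report(SAMPLE_LOG, "P-100", date(2012, 1, 1)):
        print(row)
```

Run as a script, the example prints only the court subpoena and the public-health report for P-100: the 2004 collections disclosure falls outside the six-year window, the referral and claim are treatment and payment, and the copy given to the patient is excluded. The filtering lives in `accountable` and `accounting_window` so that a change of policy (for example a different look-back) is a one-line edit rather than a rewrite of the query.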

Section 9: Patient Authorization for Use Disclosure of Health Information

__________________________________________

Patient Name: _

Patient Social Security Number: _

I authorize __________________________________________ and its medical staff to use/disclose the following protected health information.

(Specifically detail including dates of service)

This information is to be disclosed to (name and address of where information is to be sent):

This information is being used or disclosed because:

( ) at the request of the individual

( ) other (describe below)

I understand that if the person or entity receiving this information is not required to protect my health information, they may disclose my protected health information without my authorization.

I understand that I may revoke this authorization at anytime by notifying __________________________________________ in writing.

This authorization expires on: _

Signature Patient/Personal Representative: _

Relationship of Personal Representative: _

Date of Signature: _

Copy In Patient File

Section 10: Patient's Right to Inspect and Amend Protected Health Information

__________________________________________

The patient has the right to inspect and copy the patient's protected health information.

Procedure

The patient must request access to the protected health information in writing, addressed to the Privacy Official. The patient must complete the form "Request of Access to Protected Health Information". We have 30 days to respond to the request. The response is to be from the privacy official using appropriate form "Access and Inspect Protected Health Information Granted" or "Denial of Access to Protected Health Information"

The patient has the right to request a restriction of the patient's protected health information.

Procedure

Any request for restrictions of the patient's protected health information is to be in writing to the privacy official. No specific form is required.

The patient has the right to request to receive confidential communications from us by alternative means or at an alternative location.

Procedure

Any such requests are to be made in writing to the Privacy Official. No specific form is required.

The patient may have the right to have the patient's doctor amend the patient's protected health information.

Procedure

The patient must request to amend their protected health information in writing, addressed to the Privacy Official. The patient must complete the form "Request to Amend Protected Health Information". We have 60 days to respond to the request, as required by 45 C.F.R. § 164.526. The response is to be from the Privacy Official using the appropriate form, "Amend Protected Health Information Granted" or "Denial to Amend Protected Health Information".

Section 11: Request to Access Protected Health Information

__________________________________________

Print Patient Name: _

Print Current Date:

Dear Privacy Official,

I am requesting access to my protected health information maintained in this clinic. I am requesting that this information be:

1.) _______________________________________________________________

2.) _______________________________________________________________

3.) _______________________________________________________________

4.) _______________________________________________________________

Complete patient medical records

Complete billing records

Complete accounting of all uses of PHI

Complete accounting of all disclosures of my PHI.

Other (please describe)

I understand that this information, or the applicable denial, will be made available to me within 30 days from the date of this request.

Patient Signature: _______________________________________________________________

Date of request: ________________________________________________________________

Copy In Patient File

Section 12: Access and Inspect Protected Health Information Granted

__________________________________________

Patient Name: __________________________________________________________________

Date: ______________________________

__________________________________________ has received your written request dated _______ requesting to access your protected health information. We have processed and granted this request.

Please contact me so that we can make arrangements for you to access and review your records. If you would prefer to have a copy mailed to you, please contact our Privacy Official:

_____________________

If _________________ is not available, you may speak with __________________.

You can reach the Privacy Official at:

__________________________________________

Address: __________________

Address: __________________

Telephone Number:

Hours Available: _______________________________

A message may be left for our privacy official any time the clinic is open and your call will be returned within 7 business days.

If you have any questions, please feel free to call anytime.

Privacy Official's Signature: _____________________________________________________

Date: _______________________________________

Copy In Patient File

Section 13: Denial of Access to Protected Health Information

__________________________________________

Print Patient Name: ________________________________________________________

Print Date: ___________________________________

We have received and processed your request for access to your protected health information dated: ____________________________

Your request is denied based on the following grounds:

(Review policy and insert appropriate denial legally available)

Depending on the grounds stated above, you may have the right to have this decision reviewed; the Privacy Official will tell you whether this denial is reviewable and how to request a review.

If you believe that this decision was incorrect, you may make a complaint to our privacy official:

Privacy Official: _______________

If ______________________ is not available, you may speak with _______________________.

You can reach the Privacy Official at:

__________________________________________

Address: _______________________

Address: _______________________

Telephone Number: ______________________

Hours Available: ___________________________________________

A message may be left for our privacy official any time the clinic is open and your call will be returned within 7 business days.

No adverse action will be taken against you for filing the complaint.

Privacy Official: ___________________________________________________________

Privacy Official's Signature: __________________________________________________

Date of denial notice:

--------

Section 14: Request to Amend Protected Health Information

__________________________________________

Patient Name: __________________________________________________________________

Patient's Social Security Number: _______________________

Patients DOB: ______________________________________

Date: _____________________________________________

Dear Privacy Official:

I am requesting to amend my protected health information maintained in this center.

Notice:

YOU HAVE THE RIGHT TO REQUEST CERTAIN INFORMATION THAT __________________________________________ MAINTAINS IN YOUR RECORD BE AMENDED. WE ARE NOT REQUIRED TO GRANT YOUR REQUEST.

The information that I identify as being incorrect or incomplete is:

The information/record should state:

I am requesting this amendment because:

If my request is granted, I understand that you will make every effort to notify the individuals and organizations I have identified below. In so doing, I am giving you permission to send them a copy of the amendment.

Amended information is to be sent to:

Name: ________________________________________________________________________

Address: ______________________________________________________________________

City, State, Zip: _________________________________________

Patient's Signature: _______________________________________ Date: _________________

Copy In Patient File

Section 15: Denial to Amend Protected Health Information

__________________________________________

Patient Name:__________________________________________________________________

Date:_________________________________________

We have received and processed your request to amend your protected health information dated: ________________________ . Your request is denied based on the following grounds:

(Review policy and insert appropriate denial legally available)

If you believe that this decision was incorrect, you have the right to submit a written statement disagreeing with the denial. Submit your disagreement to our Privacy Official.

Privacy Official: ____________________________

If ________________________ is not available you may speak with _____________________.

You can reach the Privacy Official at:

__________________________________________

Address: _______________________________

Address: _______________________________

Telephone Number: _________________________

Hours Available: ________________________________________

A message may be left for our privacy official any time the clinic is open and your call will be returned within 7 business days.

You may submit in writing a request that we provide a copy of your request to amend PHI and a copy of this denial with any future disclosures of the health information that contained the information you requested to amend. No adverse action will be taken against you for filing the complaint.

You may also make a complaint to the Secretary of the United States Department of Health and Human Services:

If you have any questions please feel free to contact the Privacy Official.

Privacy Official's Signature:_____________________________________________________

Date: _______________________________________

Copy In Patient File

Section 16: Amend Protected Health Information Granted

__________________________________________

Patient Name: ______________________________________________________________

Date:______________________________________________

We have received and processed your request to amend your protected health information dated: ________________________ . Your request is approved and your records are amended, with the appropriate information appended to the original records. All amended information will be sent to all parties that previously received the information.

If further information is requested, please contact:

________________________

If _________________________ is not available you may speak with ____________________.

They can be reached at:

__________________________________________

Address: _______________________________

Address: _______________________________

Telephone Number: _______________________

Hours Available: _________________________________________

A message may be left for our privacy official any time the clinic is open and your call will be returned within 7 business days.

Privacy Official's Signature: ______________________________________________________

Date of notice: ___________________________________________________________

Copy In Patient File

Section 17: Patient's Right to Make a Complaint

__________________________________________

Patients have the right to make a complaint to the Secretary of the United States Department of Health and Human Services and to our Privacy Official if they believe their rights have been violated, without fear of retaliation from our clinic. The address of the Secretary of the United States Department of Health and Human Services, and how and when the Privacy Official may be reached, must be made available to the patient.

Procedure

If the patient states they would like to make a complaint, the Privacy Official must be called immediately. The Privacy Official may handle the complaint. However, if the patient specifically states they want to make a complaint to the United States Department of Health and Human Services, the patient must be given the address to send the complaint. Administration is to be notified immediately.

Section 18: Protecting and De-Identifying Patient Health Information

__________________________________________

__________________________________________ and its employees will protect the following information according to the Health Insurance Portability and Accountability Act.

• Name

• Patient diagnosis or prognosis

• Recommendations and the treatment the patient is to or has received.

• All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their geocodes

• All dates directly relating to the individual (birth date, admission date, dates of all treatments, discharge date, date of death)

• Telephone numbers

• Fax numbers

• Electronic mail addresses

• Social security numbers

• Medical record numbers

• Health plan numbers

• Health plan benefits and financial obligations for their treatment

• Account numbers

• Certificate/license numbers

• Vehicle identifiers and serial numbers, including license plate numbers

• Device identifiers and serial numbers

• Web Universal Resource Locators (URLs)

• Internet Protocol (IP) address numbers

• Biometric identifiers, including finger and voiceprints

• Full face photographic, diagnostic images and any comparable images

• Any other unique identifying numbers, characteristic, or code

Procedure

Any time anyone from __________________________________________ is discussing information with a patient other than the patient's name, today's co-pay request, and/or the next visit's appointment date and time, the patient is to be moved away from other patients for the discussion. These discussions include, but are not limited to, insurance benefits available to the patient, payment options, long-term treatment recommendations, collection issues, and special appointments such as special exams, referrals, or report-of-findings information.

No information other than the patient name is to be available for viewing by anyone other than employees or doctors at __________________________________________ .

Do not leave charts unattended on countertops at any time.

During the times the clinic is closed, all patient records are to be locked in file cabinets, desk drawers or private offices/room to restrict access by unauthorized people.

Only __________________________________________ employees who are authorized to enter information into the patient's chart may do so. Each person is to be made aware of what level of access they have and sign a form documenting that they are aware of this requirement.

At all times doctors and staff must keep their voices low when discussing patient protected health information with anyone, be it phone calls, directly with the patient or their representative, other health care providers or other employees.

All computers must be password protected. Minimum necessary requirements must be reviewed in deciding how much access each employee is allowed.

Patient paper records are to be shredded when being destroyed.

__________________________________________ understands that the law requires maintenance of all HIPAA documentation of compliance for a minimum of 6 years, but because all other patient records must be maintained for 10 years, this clinic requires that these compliance documents be maintained for 10 years, also.

All patient records must be de-identified before shredding or viewing by non-authorized persons.

Procedure

Everyone must use the De-identification Checklist "Safe Harbor" form when de-identifying patient information.

You must be able to say yes or true to both statements before "safe-harbor" is to apply.

We do not believe that the information remaining in the file could be used in combination with other available information to re-identify the individual.

All identifiers listed below must be removed from the patient's file.

• Names

• All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their geocodes

• All dates directly relating to the individual (birth date, admission date, discharge date, date of death)

• Telephone numbers

• Fax numbers

• Electronic mail address

• Social security numbers

• Medical record numbers

• Health plan beneficiary numbers

• Account numbers

• Certificate/license numbers

• Vehicle identifiers and serial numbers, including license plate numbers

• Device identifiers and serial numbers

• Web Universal Resource Locators (URLs)

• Internet Protocol (IP) address numbers

• Biometric identifiers, including finger and voiceprints

• Full face photographic images and any comparable images

• Any other unique identifying numbers, characteristic, or code

De-identifying patient information is required when it is time to destroy the file. Each state law has a requirement as to how long you need to maintain the file. When it is time to destroy the file, you must de-identify the patient information by using a black felt tip pen that you cannot read through. Then you must shred the file.

__________________________________________ may get involved with some types of research or discussions about patient care, etc. just for the sake of discussions about healthcare. In such events, you must de-identify the file before you can allow this file to be viewed by any unauthorized person.

Section 19: Using the De-identification Checklist "Safe Harbor"

__________________________________________

De-identifying patient information is required when it is time to destroy the file. Each state law has a requirement as to how long you need to maintain the file. When it is time to destroy the file, you must de-identify the patient information by using a black felt tip pen that you cannot read through. Then you must shred the file.

__________________________________________ may get involved with some types of research or discussions about patient care, etc., just for the sake of discussions about healthcare. In such events, you must de-identify the file before you can allow it to be viewed by any other doctors, etc.

Section 20: De-identification Checklist "Safe Harbor"

__________________________________________

Say yes to both statements before "safe-harbor" is to apply.

True   False   We do not believe that the information remaining in the file could be used in combination with other available information to re-identify the individual.

True   False   All identifiers listed below have been removed from the patient's file.

• Names

• All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their geocodes

• All dates directly relating to the individual (birth date, admission date, discharge date, all dates of treatment, death date)

• Telephone numbers

• Fax numbers

• Electronic mail address

• Social security numbers

• Medical record numbers

• Health plan beneficiary numbers

• Account numbers

• Certificate/license numbers

• Vehicle identifiers and serial numbers, including license plate numbers

• Device identifiers and serial numbers

• Web Universal Resource Locators (URLs)

• Internet Protocol (IP) address numbers

• Biometric identifiers, including finger and voiceprints

• Full face photographic images and any comparable images

• Any other unique identifying numbers, characteristic, or code

Signed by Privacy Official: ______________________________________________________

Date: ________________________________________________________________________
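The checklist above, worked through in code as an added example that is not part of this manual or its forms: a constructed sample record (no real patient data) is scrubbed of the listed identifier categories, then re-scanned so that the "all identifiers removed" statement is verified rather than assumed, while the "re-identification not believed possible" statement stays a reviewer's judgment passed in as a flag. The field names and regular expressions are assumptions chosen for the example, not part of the checklist.

```python
import re

# Structured fields that fall under the checklist categories (assumed field
# names for this example). They are dropped outright, the electronic analogue
# of the black felt-tip pen.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "city", "county", "zip", "dob", "admission_date",
    "discharge_date", "date_of_death", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_number", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "photo",
}

# Identifiers also hide inside free text (visit notes). Order matters: SSN and
# phone patterns run before the shorter ZIP pattern so digits are not
# mislabelled. Each hit is replaced by a visible "[... REMOVED]" token.
FREE_TEXT_PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\b(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("URL", re.compile(r"\bhttps?://\S+", re.IGNORECASE)),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("DATE", re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b")),
    ("ZIP", re.compile(r"\b\d{5}(?:-\d{4})?\b")),
    ("MRN", re.compile(r"\bMRN[:\s#]*\d+\b", re.IGNORECASE)),
]


def redact_text(text):
    """Replace embedded identifiers with [LABEL REMOVED]; return (text, hits)."""
    hits = []
    for label, pattern in FREE_TEXT_PATTERNS:
        text, count = pattern.subn(f"[{label} REMOVED]", text)
        if count:
            hits.append((label, count))
    return text, hits


def de_identify(record):
    """Drop direct-identifier fields and scrub the remaining free text.

    Returns (clean_record, removed) where removed lists every field dropped and
    every free-text hit as "field:LABEL", for the de-identification log.
    """
    clean, removed = {}, []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            removed.append(key)
            continue
        if isinstance(value, str):
            value, hits = redact_text(value)
            removed.extend(f"{key}:{label}" for label, _ in hits)
        clean[key] = value
    return clean, removed


def residual_identifiers(record):
    """Re-scan a record; anything listed here means statement 2 is still False."""
    found = [key for key in record if key in DIRECT_IDENTIFIER_FIELDS]
    for key, value in record.items():
        if isinstance(value, str):
            found.extend(f"{key}:{label}" for label, pattern in FREE_TEXT_PATTERNS
                         if pattern.search(value))
    return found


def safe_harbor_check(record, reviewer_believes_no_reidentification):
    """Apply both checklist statements; Safe Harbor applies only if both hold.

    Statement 1 (no re-identification believed possible) is a human judgment,
    so it is supplied by the reviewer. Statement 2 (all identifiers removed) is
    verified by re-scanning the scrubbed record rather than trusted.
    """
    clean, removed = de_identify(record)
    residual = residual_identifiers(clean)
    return {
        "record": clean,
        "removed": removed,
        "residual": residual,
        "no_reidentification_belief": reviewer_believes_no_reidentification,
        "identifiers_removed": not residual,
        "safe_harbor_applies": reviewer_believes_no_reidentification and not residual,
    }


# Constructed sample record for the example; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "dob": "1971-04-12",
    "ssn": "123-45-6789",
    "mrn": "MRN-0042",
    "zip": "83702",
    "phone": "(208) 555-0147",
    "diagnosis": "Lumbar strain",
    "treatment_plan": "Manipulation 3x/week for 4 weeks",
    "visit_note": ("Seen 04/12/2019; pt reports relief. Callback 208-555-0147, "
                   "email jane.sample@example.com, MRN 0042, home zip 83702."),
}

if __name__ == "__main__":
    result = safe_harbor_check(SAMPLE_RECORD, reviewer_believes_no_reidentification=True)
    print("Removed:", result["removed"])
    print("Clean record:", result["record"])
    print("Safe Harbor applies:", result["safe_harbor_applies"])
```

Clinical content (diagnosis, treatment plan) survives the pass; only the listed identifier categories are struck, which is what makes the remaining file usable for the research or case-discussion situations the policy describes.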


Section 21: Marketing

__________________________________________

__________________________________________ may use and disclose the patient's protected health information for marketing purposes such as newsletters, direct contact, birthday cards, etc.

__________________________________________ will only market to those patients who have agreed to receive marketing materials. Marketing materials may include a small gift to the patient or for the patient to distribute. __________________________________________ will not sell or distribute their mailing list.

Procedure

Marketing materials are to be sent to those patients who have signed an acknowledgment and initialed their authorization to do so. All patients who have not been in the office to receive the notice and acknowledgment are to be sent a post card stating that they are on the mailing list of __________________________________________ to receive marketing materials. The patient is to call the clinic if they want their name taken off the mailing list.

Health information and educational information sent to the patient are not considered marketing.

Section 22: Process for Handling Business Associate Contracts

__________________________________________

__________________________________________ will share the patient's protected health information with third party "business associates" that perform various activities (e.g., billing, and transcription services) for the practice. Whenever an arrangement between __________________________________________ and a business associate involves the use or disclosure of the patient's protected health information, __________________________________________ will have a written contract that contains terms that will protect the privacy of the patient's protected health information.

Procedure

• Make a list of all Business Associates you have who have access to or may come into contact with protected health information.

• Make a copy of the Business Associate Agreement Provision form.

• Send a copy to each of them on or before January 1, 2011.

• You are not required by law to receive an acknowledgement.

• Keep a list of all Business Associate Agreements you have sent out.

• Make sure each has an expiration date and keep note of when these need to be updated or renewed.

• Each new Business Associate you get must receive an Agreement to be logged on the sheet before they are allowed to commence the working relationship.

Section 23: BUSINESS ASSOCIATE AGREEMENT PROVISIONS

__________________________________________

__________________________________________

BUSINESS ASSOCIATE AGREEMENT

This Agreement is entered into by and between __________________________________________ (“Health Care Provider”) and ____________________________________________________________________________ (“Business Associate”) to set forth the terms and conditions under which “protected health information” (PHI), as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Regulations enacted hereunder, created or received by (“Business Associate”) on behalf of (“Health Care Provider”) may be used or disclosed.

This Agreement shall commence on _______________ and the obligations herein shall continue in effect so long as Business Associate uses, discloses, creates or otherwise possesses any protected health information created or received on behalf of (“Health Care Provider”) and until all protected health information created or received by Business Associate on behalf of (“Health Care Provider”) is destroyed or returned to (“Health Care Provider”) pursuant to Paragraph 15 herein.

1) (“Health Care Provider”) and Business Associate hereby agree that Business Associate shall be permitted to use and/or disclose protected health information created or received on behalf of (“Health Care Provider”) for the following purposes:

a) Completing and submitting health care claims to health plans, Clearinghouses, and other third party payers.

b) Collection of fees for (“Health Care Provider”).

c) Establishing and maintaining Business Management Programs for (“Health Care Provider”).

d) Introducing, maintaining, and programming Electronic Medical Record Systems for (“Health Care Provider”).

e) Introducing, maintaining, and programming compatible Dictation Systems for (“Health Care Provider”).

f) Completing and submitting results of audits, surveys and the like for (“Health Care Provider”).

It is to be understood by all parties that the permitted uses and disclosures must be within the scope of, and necessary to achieve, the obligations and responsibilities of Business Associate in performing on behalf of, or providing services to, the Health Care Provider.

2) Business Associate may use and disclose protected health information created or received by Business Associate on behalf of (“Health Care Provider”) if necessary for the proper management and administration of Business Associate or to carry out legal responsibilities, provided that any disclosure is:

a) Required by law, or

b) Business Associate obtains reasonable assurances from the person to whom the protected health information is disclosed that (i) the protected health information will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person; and (ii) Business Associate will be notified of any instances of which the person is aware in which the confidentiality of the information is breached.

3) Business Associate hereby agrees to maintain the security and privacy of all protected health information in a manner consistent with Idaho State and Federal laws and regulations, including the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and regulations hereunder, and all other applicable law.

4) Business Associate further agrees not to use or disclose protected health information except as expressly permitted by this Agreement, applicable law, or for the purpose of managing Business Associate's own internal business processes consistent with Paragraph 2 herein.

5) Business Associate shall not disclose protected health information to any member of its workforce unless Business Associate has advised such person (employee) of Business Associate's privacy and security obligations and policies under this Agreement, including the consequences for violation of such obligations. Business Associate shall take appropriate disciplinary action against any member of its workforce who uses or discloses protected health information in violation of this Agreement and applicable law.

6) Business Associate shall not disclose protected health information created or received by Business Associate on behalf of (“Health Care Provider”) to a person, including any agent or subcontractor of Business Associate but not including a member of its own workforce, until such person agrees in writing to be bound by the provisions of the Agreement and applicable Idaho State or Federal law.

7) Business Associate agrees to use appropriate safeguards to prevent use or disclosure of protected health information not permitted by this Agreement or applicable law.

8) Business Associate agrees to maintain a record of all disclosures of protected health information, including disclosures not made for the purposes of this Agreement. Such record shall include the date of the disclosure, the name and, if known, the address of the recipient of the protected health information, the name of the individual who is the subject of the protected health information, a brief description of the protected health information disclosed, and the purpose of the disclosure. Business Associate shall make such record available to an individual who is the subject of such information or (“Health Care Provider”) within five (5) working days of a request and shall include disclosures made on or after the date.

9) Business Associate agrees to report to (“Health Care Provider”) any unauthorized use or disclosure of protected health information by Business Associate or its workforce or subcontractors and the remedial action taken or proposed to be taken with respect to such use or disclosure.

10) Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of protected health information received from (“Health Care Provider”) or created or received by Business Associate on behalf of (“Health Care Provider”), available to the Secretary of the United States Department of Health and Human Services, for purposes of determining the Covered Entity’s compliance with HIPAA.

11) Within thirty (30) days of a written request by (“Health Care Provider”), Business Associate shall allow a person who is the subject of protected health information, such person’s legal representative, or (“Health Care Provider”) to have access to and to copy such person’s protected health information in the format requested by such person, legal representative, or practitioner unless it is not readily producible in such format, in which case it shall be produced in standard hard copy format.

12) Business Associate agrees to amend, pursuant to a request by (“Health Care Provider”), protected health information maintained and created or received by Business Associate, on behalf of the Practitioner. Business Associate further agrees to complete such amendment within thirty (30) days of a written request by (“Health Care Provider”), and to make such amendment as directed by (“Health Care Provider”).

13) In the event Business Associate fails to perform the obligations under this Agreement, (“Health Care Provider”) may, at its option:

a) Require Business Associate to submit to a plan of compliance, including monitoring by (“Health Care Provider”) and reporting by Business Associate, as (“Health Care Provider”), in its sole discretion, determines necessary to maintain compliance with this Agreement and applicable law. Such plan shall be incorporated into this Agreement by amendment hereto; and

b) Require Business Associate to mitigate any loss occasioned by the unauthorized disclosure or use of protected health information.

c) Immediately discontinue providing protected health information to Business Associate with or without written notice to Business Associate.

14) (“Health Care Provider”) may immediately terminate this Agreement and related agreements if (“Health Care Provider”) determines that Business Associate has breached a material term of this Agreement. Alternatively, (“Health Care Provider”) may choose to (i) provide Business Associate with ten (10) days written notice of the existence of an alleged material breach; and (ii) afford Business Associate an opportunity to cure said alleged material breach to the satisfaction of (“Health Care Provider”) within ten (10) days. Business Associate’s failure to cure shall be grounds for immediate termination of this Agreement. (“Health Care Provider”)’s remedies under this Agreement are cumulative, and the exercise of any remedy shall not preclude the exercise of any other.

15) Upon termination of this Agreement, Business Associate shall return or destroy all protected health information received from (“Health Care Provider”), or created or received by Business Associate on behalf of (“Health care Provider”) and that Business Associate maintains in any form, and shall retain no copies of such information. If the parties mutually agree that return or destruction of protected health information is not feasible, Business Associate shall continue to maintain the security and privacy of such protected health information in a manner consistent with the obligations of this Agreement and as required by applicable law, and shall limit further use of the information to those purposes that make the return or destruction of the information infeasible. The duties hereunder to maintain the security and privacy of protected health information shall survive the discontinuance of this Agreement.

16) (“Health Care Provider”) may amend this Agreement by providing ten (10) days prior written notice to Business Associate in order to maintain compliance with Idaho State or Federal law. Such amendment shall be binding upon Business Associate at the end of the ten (10) day period and shall not require the consent of Business Associate. Business Associate may elect to discontinue the Agreement within the ten (10) day period, but Business Associate's duties hereunder to maintain the security and privacy of protected health information shall survive such discontinuance. (“Health Care Provider”) and Business Associate may otherwise amend this Agreement by mutual written agreement.

17) Business Associate shall, to the fullest extent permitted by law, protect, defend, indemnify and hold harmless (“Health Care Provider”) and his/her respective employees, directors, and agents (“Indemnitees”) from and against any and all losses, costs, claims, penalties, fines, demands, liabilities, legal actions, judgments, and expenses of every kind (including reasonable attorney fees, including at trial and on appeal) asserted or imposed against any Indemnitees arising out of the acts or omissions of Business Associate or any of Business Associate’s employees, directors, or agents related to the performance or nonperformance of this Agreement.

________________________________________________   ______________________
(“Health Care Provider”)                           Date

________________________________________________   ______________________
Business Associate                                 Date

Section 24: Business Associate Contract List (Acknowledgement is Not Required)

__________________________________________

|Name: |Name: |
|Address: |Address: |
|City/St/Zip: |City/St/Zip: |
|Contact Person: |Contact Person: |
|Contract Expires: |Contract Expires: |

|Name: |Name: |
|Address: |Address: |
|City/St/Zip: |City/St/Zip: |
|Contact Person: |Contact Person: |
|Contract Expires: |Contract Expires: |

|Name: |Name: |
|Address: |Address: |
|City/St/Zip: |City/St/Zip: |
|Contact Person: |Contact Person: |
|Contract Expires: |Contract Expires: |

|Name: |Name: |
|Address: |Address: |
|City/St/Zip: |City/St/Zip: |
|Contact Person: |Contact Person: |
|Contract Expires: |Contract Expires: |

Section 25: Employee Responsibilities to Protected Health Information

__________________________________________

Minimum Necessary Requirements: __________________________________________, the doctors, and staff must at all times make every reasonable effort to limit the use and disclosure of, and requests for, Protected Health Information to the minimum necessary to accomplish the intended purpose. While __________________________________________ , the doctors, and staff are allowed the flexibility to address their unique circumstances, the rule requires __________________________________________ , the doctors, and staff to make their own assessment of what Protected Health Information is reasonably necessary for a particular purpose, given the characteristics of __________________________________________ , and to implement policies and procedures accordingly. This standard calls for an approach consistent with the best practices and guidelines already used by __________________________________________ when sharing patient care information.

Procedure

At all times, employees are required to abide by the above policy. All other policies and procedures are established to accomplish the above policy. Your complete cooperation is expected.

A log will be maintained of any and all health care professionals who are or have been authorized to enter information into a patient's chart or records, all staff who will need access to the patient's health information, and who may share in this information.

Procedure

A log will be maintained in a master logbook outlining the level of access of all employees. Document on the log that all medical staff may from time to time enter information into a patient's treatment chart and that all employees will need access to all the patient's protected health information for the purpose of treatment, payment or health care operations.

__________________________________________ will maintain a staff that is fully trained and tested on all HIPAA compliance regulations. __________________________________________ will retrain and retest the staff no less than every year in order to guarantee the understanding of what is required for the complete protection of the patient's Protected Health Information.

Procedure

A test will be compiled of all information in the Protected Health Information Office Policy Manual. Each employee will have to study the manual and be tested. They will be allowed to retake the test until the Privacy Official believes they are fully trained on the HIPAA compliance regulation policies and procedures established by __________________________________________ .

As new policies are implemented, each employee will receive a copy.

Each employee will train and test as part of their initial hiring procedure and train and retest yearly.

Documentation of their testing and successful completion will be maintained in their personnel file. Each person must sign their form that documents they were trained and understand their responsibilities and level of access of information allowed to them. The Privacy Official will also sign to document that they have been successfully trained and tested.

__________________________________________ will maintain a policy for appropriate staff sanctions for failure to comply with the policies and procedures established by __________________________________________. Documentation of all staff sanctions will be maintained.

Procedure

In the event an employee fails to comply with the policies and procedures established by __________________________________________ , a memo will be written to the employee outlining the infraction. Depending on the degree of the infraction, the Privacy Official may recommend a warning or immediate dismissal.

Section 26: HIPAA Training Agenda

__________________________________________

What is HIPAA and how does it apply to this office? __

Introduction of privacy officer and explanation of role. __

Explanation of policies and forms:

_____ Notice of Privacy Practices (NPP)

_____ Authorization for release of protected health information (PHI)

_____ Right to Confidential Communications

_____ Patient amendment of the medical record

_____ Patient access to the medical record

_____ Required uses and disclosures of PHI:

_____Accounting of disclosures

_____ Incidental uses and disclosures

_____ Patient privacy complaint

_____ Explanation of minimum necessary standard

_____ Sign confidentiality agreement.

Post test Certification

Date of training: _

Employees attending:

Person providing training:

Materials presented by: Your Solutions Now, LLC

Section 27: HIPAA Training: Q and A

What does HIPAA stand for?

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 (P.L. 104-191) was enacted by the U.S. Congress in 1996. It was originally sponsored by Sen. Edward Kennedy (D-Mass.) and Sen. Nancy Kassebaum (R-Kan.). According to the Centers for Medicare and Medicaid Services (CMS) website, Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.

The Administrative Simplification provisions also address the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the U.S. health care system.

What is a Privacy Notice?

It is properly called the Notice of Privacy Practices (NPP). It is a formal document that explains, in simple terms, how, when, and why a patient's health information may be disclosed. This document is quite comprehensive, and all office personnel, including all medical personnel, the Medical Director, and other professional employees, should read this Notice. It answers many questions regarding protected health information (PHI) and is your Center's guide to handling your patients' PHI.

What has to be in a Notice of Privacy Practices (NPP)?

It must contain specific language prescribed by the U.S. Department of Health and Human Services (HHS), prominently displayed at the beginning of the notice:

"THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU (AS A PATIENT OF THIS PRACTICE) MAY BE USED AND DISCLOSED, AND HOW YOU CAN GET ACCESS TO YOUR INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION. PLEASE REVIEW THIS NOTICE CAREFULLY."

It should have a statement that your office is committed to health information privacy.

You must give a detailed accounting, with examples, of how protected health information (PHI) may be used by your practice.

You must inform the patient of his/her right to:

• Receive a copy of your Notice.

• Authorize disclosure of health information.

• Restrict certain uses and disclosures of PHI.

• Receive confidential communications.

• Inspect and copy his/her PHI.

• Amend his/her PHI.

• Receive an accounting of PHI disclosures made for purposes other than treatment, payment, and health care operations (TPO).

• Complain about alleged privacy violations by your practice to HHS.

You must inform the patient of your practice's obligations concerning the use and disclosure of his/her PHI.

A sample notice is provided in your HIPAA Privacy Office Manual, but you can edit this one to accurately reflect your practice style and needs.

Once I get this Privacy Notice written, what do I do with it?

You must make a reasonable effort to ensure that each patient receives a Notice of Privacy Practices at the first office visit after January 1, 2011, and obtain written documentation from the patient that he/she received this notice.

You must post a notice prominently in the office.

You may distribute it via e-mail with a return receipt.

If you have a Web site, it must be on the Web site and be downloadable.

What if I forget to give the Privacy Notice to a patient when he/she comes in?

You should mail the notice to the patient ON THE SAME DAY and document why it was not given to the patient at the time of service and that the notice was mailed.

Can a patient ask to have their health related communications handled in a confidential manner?

Yes. A patient has the right to request that health information from your office be communicated in a manner other than your usual practice, in order to maintain confidentiality. Generally, out of fear for personal safety, a patient may want his/her information sent to a different address or through a different method of contact. The patient should make this request to you in writing, although the regulations do not require that. The patient is not required to explain why the request is being made. Your office should accommodate reasonable requests.

What is the requirement for an authorization?

Unless release of protected health information (PHI) is allowed by other provisions of the law (for example, for treatment, payment, and health care operations (TPO)), a valid authorization is required. There are also additional requirements for authorization for release of psychotherapy notes and for most marketing uses.

Are there specific elements that must be in an authorization to make it valid?

Yes, it must contain:

A clear and specific description of the information to be used or disclosed.

Name or other specific identification of the person(s), or class of persons, authorized to request use or disclosure of protected health information (PHI).

Name or other specific identification of the person(s) to whom the practice may make the requested use or disclosure.

An expiration date/event relating to the individual or purpose of use/disclosure.

Statement of the individual's right to revoke the authorization.

Description of how to revoke authorization.

Statement that the information disclosed may be subject to re-disclosure by the recipient and no longer covered by HIPAA.

Date and signature of the individual authorizing release.

If signed by other than the individual whose records are being released, a description of the representative's authority to act for said individual.

Is there a requirement about language?

Yes. It must be in plain (easily understood) language.

Can an authorization be verbal?

To be valid, authorizations must be in writing. A fax of a signed, properly executed authorization is valid.

Can we accept a copy of an authorization instead of the original?

Copies are acceptable if they contain the required elements.

Is there a requirement to verify the identity of the individual signing the authorization?

Only if the individual signing is not the patient whose records are to be released. It is good practice, however, to verify the authenticity of the signature. If a person presents whom you cannot identify on sight, you should properly identify that person.

Are there any special requirements to revoke an authorization?

An individual may revoke an authorization at any time, provided the revocation is in writing, except where action has already been taken (e.g., condition of obtaining insurance coverage).

Are there special requirements for authorization for research purposes?

In addition to the core elements, the authorization must contain:

A description of the extent to which protected health information (PHI) will be used or disclosed to carry out treatment, payment, and health care operations (TPO).

A description of any PHI that will not be used or disclosed for purposes permitted.

If a practice has obtained or intends to obtain consent under uses or disclosure to carry out TPO, the authorization must refer to the consent.

Is there any easier way to obtain authorization for research purposes?

An authorization can be a part of another document, such as consent to participate in research, consent to use or disclose protected health information (PHI) to carry out treatment, payment, and health care operations (TPO), or a Notice of Privacy Practices (NPP).

Are there any exceptions to the requirement for an authorization for disclosure for marketing purposes?

ALL marketing communications require a written authorization from the patient except when a face-to-face communication is made by your practice to an individual or when the communication is a promotional gift of nominal value provided by your practice.

Under HIPAA, can patients change their medical records?

The privacy portion of HIPAA gives patients the right to request to amend their records. An individual has the right to have a practice amend protected health information (PHI) or a record about the individual in a designated record set for as long as the information is maintained in the designated record set.

Can the practice deny the request to amend the record?

The request can be denied for one of the following reasons:

The record was not created by the practice, unless the individual provides a reasonable basis to believe that the originator of the protected health information (PHI) is no longer available to act on the request.

The information is not a part of the designated record set.

It would not be available under inspection § 164.524.

It is accurate and complete.

Is there any time limitation for response to a request to amend a record?

The center must act on an individual's request for an amendment no later than 60 days after the request is received.

Are there requirements if a request to amend a record is approved?

The center must make the appropriate amendment to the protected health information (PHI) or record that is the subject of the request for amendment by identifying the records in the designated data set that are affected by the amendment and appending or otherwise providing a link to the location of the amendment.

The center must inform the individual that the amendment was accepted and obtain the individual's identification of an agreement to notify the relevant persons.

The center must make reasonable efforts to inform and provide the amendment to appropriate persons within a reasonable time.

Persons, including business associates, who the practice knows have the affected PHI and who may have relied on that information or could foreseeably rely on that information, or has been identified by the individual as needing the amendment, must receive the amendment.

Under what circumstances can I use and disclose protected health information (PHI)?

You are permitted to use or disclose PHI:

To the individual.

To carry out treatment, payment, and health care operations (TPO).

Without written authorization but with an opportunity to agree or disagree prior to the use or release (e.g., a patient directory listing).

When data is de-identified.

When public good permits the use/disclosure.

You are REQUIRED to disclose information:

To the individual who is the subject of the records (except as noted in the authorization section).

To the U.S. Department of Health and Human Services (HHS) to investigate compliance with the regulations.

When can protected health information (PHI) be disclosed without patient authorization (other than for treatment, payment, and health care operations (TPO))?

Information can be disclosed without patient authorization to public health authorities and the Food and Drug Administration (FDA). It may also be released to law enforcement officials, to the medical examiner or coroner after someone has died, and in other instances as noted in your Notice of Privacy Practices (NPP) and as authorized by state or federal law. This is referred to as a "non-authorized" disclosure.

Do I have to tell a patient that I have disclosed his/her protected health information (PHI) without authorization?

While you do not have to tell the patient, sometimes it is appropriate to do so. In the instance where you will be reporting a communicable disease to the authorities, you could inform the patient that you are doing so.

If you make a non-authorized disclosure of PHI, you MUST keep track of this disclosure and make the list of such disclosures available to the patient upon written request for six (6) years.

You must list the date of disclosure, to whom you disclosed and for what purpose. All disclosures that are not related to treatment, payment, and health care operations (TPO) and disclosed without patient authorization outside of the organization must be accounted for.

This accounting of disclosures does not apply to any disclosure prior to January 1, 2011.

What if a patient asks for frequent accounts of disclosure?

The first request in a 12-month period is free of charge, but your center may charge for additional requests. You should have this practice clearly stated in your Notice of Privacy Practices (NPP) and you should inform the patient of the approximate charge prior to completing the additional requests for disclosure.

Can a patient restrict the use or disclosure of his/her protected health information (PHI)?

A patient has the right to REQUEST that the use and disclosure of his/her PHI be restricted for treatment, payment, and health care operations (TPO) as well as restricting disclosure to only certain people, such as certain family members only. YOU DO NOT HAVE TO AGREE TO THE PATIENT'S REQUEST. Your patient's restriction request must be in writing, be specific as to what information is covered by this request, whether it covers use, disclosure or both, and to whom these limitations apply.

If your practice agrees to the request, it must honor the request except when overriding laws or emergencies apply.

Does the medical staff have to allow patients to read their own charts?

No.

A patient has the right to read his/her own record, but you have the right to refuse this request for the reasons listed below. You may also provide the patient with a chart summary instead of the actual chart. There are specific provisions under HIPAA that give patients the right to inspect or obtain a copy of their health record. In most states, this is already in place under state law.

Are there any exceptions to the provisions allowing patients to read their own charts?

Yes.

Psychotherapy notes.

Information compiled in reasonable anticipation of or for use in a civil, criminal, or administrative action proceeding.

Protected health information (PHI) maintained by a practice subject to the Clinical Laboratory Improvement Amendments (CLIA) (to the extent that access by the individual would be prohibited by law).

Can the medical staff deny patients access to their charts?

Yes, in certain circumstances, which are listed below.

A correctional facility can deny partial or total access.

In research situations.

If the information was obtained from someone other than a health care provider and if access would compromise an individual providing information under a promise of confidentiality.

Does the patient have the right to appeal a denial?

Yes.

The individual has the right to have the denial reviewed by another licensed health professional, designated by the center, who was not part of the original decision to deny access.

Are there exceptions to the right to appeal a denial?

Yes.

There are several circumstances, including correctional facilities, information required under the Clinical Laboratory Improvement Amendments (CLIA), and certain research situations in which access would compromise an individual providing information under a promise of confidentiality.

If access is denied, are there any other requirements to be met by the practice?

Yes.

The individual must be informed of how to make a formal complaint to the practice and the Secretary of Health and Human Services (HHS).

Can a summary of the information instead of the complete record be provided and meet the access requirement?

Yes.

Yes, if you believe the information would be difficult to interpret (e.g., billing codes) and you and the requestor agree on the charge in advance.

Can I charge patients for copies of their health care record?

Yes.

You can charge reasonable, cost-based fees. The fee, however, may only include the cost of copying (supplies and labor) and postage (if germane). The fee may not include the cost of retrieving the record.

Can I provide access to information from another health care provider that is part of my health care record?

Yes.

There is no exclusion.

Are we required to have a formal privacy complaint process related to privacy issues?

HIPAA mandates a process for individuals to complain to both the practice and the Secretary of Health and Human Services (HHS) about either the center's policies and procedures related to privacy or its compliance with those policies and procedures or with the requirements.

Are there specific requirements about notification?

The final Rules stipulate that covered entities have a mechanism for receiving complaints and this mechanism must be included in the Privacy Notice (specify contact person or office phone number).

Do I have to keep a record of complaints?

Yes.

You have to maintain a record of the complaints you receive and a brief description of the resolution, if there is a resolution.

Can the individual elect to complain to the Secretary of Health and Human Services (HHS) without first complaining to me, as the practice?

Individuals have the right to send their complaint directly to the Secretary of HHS.

Are there specific requirements for filing a complaint with the Secretary of Health and Human Services (HHS)?

Complaints must be in writing (either on paper or electronic), must name the center, and must be filed within 180 days of when the complainant knew or should have known of the act or omission.

What could happen if the Secretary of Health and Human Services (HHS) found that the complaint substantiates a violation?

Efforts would be made to settle the matter informally with the practice. A compliance review of the practice might result. If the Secretary of HHS found no violation, the practice and the complainant would be notified. A practice that is found to have violated the Privacy Regulations may face civil penalties of up to $100 per violation and/or criminal penalties if the practice knowingly violated the Privacy Regulations. Criminal penalties can include substantial fines as well as incarceration.

What is the intent or purpose of the privacy official?

The privacy official is responsible for implementing and overseeing the privacy policies and procedures for the practice. He/she oversees all activities related to the development, implementation, maintenance of and adherence to the practice's policies and procedures addressing privacy and access to protected health information (PHI). He/she assures compliance with HIPAA and all other federal and state rules and regulations pertaining to use and release of PHI.

Small practices may assign this role to one or more persons, while larger group practices most likely will designate a specific person to oversee the integrity of PHI. The privacy official has numerous roles such as performing a risk assessment of the practice to determine where vulnerabilities lie with respect to PHI and ensuring that privacy security measures and policies are implemented and adhered to by the practice. He or she serves as the designated contact person required by the final Rule to receive complaints and provide further information about the practice's privacy policy procedures.

What steps or activities should the privacy official take to assure compliance?

Key activities are really basic risk management techniques. A privacy official should conduct the following steps:

A. Identify the internal and external risks of disclosure of protected health information (PHI).

B. Create a plan to reduce the risk of releasing PHI in those areas identified.

C. Implement the plans.

D. Train all personnel on the practice's privacy and security of PHI.

E. Monitor the implementation and enforce the policy appropriately when breaches occur.

Identifying the risks of disclosure is the first step, so that policies and procedures can be created to address the use and release of PHI. A risk assessment should be conducted to ascertain where privacy and security threats may exist. Make a list of all activities that involve the use or disclosure of PHI and evaluate whether policies and procedures are already in place to reduce the risk of release. Once areas are identified, create a plan of action around those areas to reduce the risks. Developing the plan communicates to staff the importance to the practice of the safe and proper use of protected health information. Policies and procedures should be modified or developed to integrate compliance into everyday activities. Implementation of the plan should consider the needs and ability of the staff to assimilate and follow the policies and procedures. It applies to paper health care records as well as to electronic or computerized records containing PHI.

During implementation, all personnel must be trained in the relevant areas that affect their interaction with PHI. Staff must understand what information is protected, when PHI may be released, and when PHI may be in jeopardy of improper release. Training should be integrated into the practice's compliance plan, including documentation of the training that has occurred. The training should be germane to the responsibilities of the staff member. Changes in job descriptions or positions that allow greater access warrant additional training within a reasonable time frame following the change in responsibilities.

Monitoring is an important part of the privacy official's duties. This means actively checking to make sure the practice is adhering to the policies and procedures related to PHI. Always following your own rules not only reduces the opportunity for an error to occur but also limits the damage if improper use or release is detected.

What if information is misused or improperly released?

HIPAA requires that health care practices provide a complaint process to individuals who feel the practice is not following their own policies and procedures. As privacy official, you need to implement this process if it is not in place already. This complaint process allows individuals to resolve complaints at both a local and a federal level.

What qualifications and responsibilities should a privacy official's job description contain?

The Microsoft Word document attached below is a sample privacy official job description developed by the American Health Information Management Association (AHIMA).

What is the intent of the minimum necessary requirement?

The purpose of this provision is to safeguard protected health information (PHI) to the extent that when PHI is released, only the minimum amount of information needed to satisfy the request is released. You must make appropriate efforts to accomplish this limitation.

The minimum necessary standard is intended to be consistent with, and not override, professional judgment and standards, and practices must implement policies and procedures based on their own assessment of what PHI is reasonably necessary for a particular purpose.

This standard is derived from confidentiality codes and is already in common use today within health care practices. The belief is that a sound practice would not use or disclose PHI that is not necessary to satisfy a request or effectively carry out a function. The privacy benefits of retaining the minimum necessary standard outweigh the burden to implement this standard.

Are there exceptions to the minimum necessary requirement?

As with many rules, there are times when this requirement does not apply. They are:

A. Disclosures to or requests by a health care provider for treatment.

B. Uses or disclosures made to the individual, as permitted under paragraph (a)(1)(i) of this section or as required by paragraph (a)(2)(i) of this section.

C. Uses or disclosures made pursuant to an authorization under § 164.508.

D. Disclosures made to the Secretary of Health and Human Services in accordance with subpart C of part 160 of this subchapter.

E. Uses or disclosures that are required by law, as described by § 164.512(a).

F. Uses or disclosures that are required for compliance with applicable requirements of this subchapter.

In plainer language, the minimum necessary requirement does not apply to disclosures required by law, disclosures made to the individual or based on an authorization initiated by the individual, or requests by a health care provider for treatment purposes. In addition, disclosures are allowed as required for compliance with the regulations implementing the other administrative simplification provisions of HIPAA, or for disclosure to the Secretary of Health and Human Services (HHS) for purposes of enforcing this Rule.

What is the significance of an individual authorization release of protected health information (PHI)?

While additional information on authorization is noted elsewhere in this document, it is significant that all uses and disclosures made pursuant to an authorization are exempt from the minimum necessary standard.

Can information be released for continuity of care concerns to another provider without an individual authorization release of protected health information (PHI)?

While it is appropriate to release PHI to a subsequent provider, the Privacy Rule permits a center to reasonably rely on another medical practice's request for PHI as the minimum necessary for the intended disclosure. The practice that holds the information retains the discretion to make its own minimum necessary determination.

What about an individual authorization release of protected health information (PHI) that includes psychotherapy notes?

The U.S. Department of Health and Human Services clarified that the final Rule does not require a medical practice to use or disclose PHI as a result of an authorization. If a practice is concerned that a request for an individual's psychotherapy records is not warranted or excessive, the practice may consult with the individual to determine whether or not the authorization is consistent with the individual's will for releasing protected health information.

The Privacy Rule does not permit a health plan or health care provider to condition coverage or treatment on an authorization to use or disclose psychotherapy notes. It is felt that these additional protections appropriately and effectively protect an individual's privacy with respect to psychotherapy notes.

What should a practice do to implement HIPAA provisions?

Requirements for implementing this standard include developing and implementing appropriate policies and procedures that reasonably minimize the amount of protected health information (PHI) used, disclosed, and requested. These policies and procedures must identify the persons or classes of persons within the practice who need access to PHI to carry out their duties, the categories or types of PHI needed, and the times when it is appropriate to access this information. For regular or recurring requests and disclosures, the policies and procedures may be standard protocols. Non-routine disclosures or requests for PHI must be reviewed on an individual basis.

What about releasing protected health information (PHI) not made in a routine and recurring manner?

A practice must implement the minimum necessary standard by developing and implementing criteria designed to limit the request for PHI to the minimum necessary to accomplish the intended purpose.

What is the intent of business associate agreements?

One of the purposes of HIPAA is to safeguard protected health information (PHI). To the extent you have control of protected health information, you must take appropriate steps to protect it. In a health care practice, many of the provisions of this rule apply to "business associates" who have contact with you and, therefore, access to PHI.

You cannot release or disclose PHI to business associates unless both parties have a business associate agreement in place. The business associate agreement must contain a confidentiality clause that holds the business associate accountable for protecting private PHI. The business associate cannot use or further disclose the information in any way that violates the Privacy Rule.

When a relationship with a business associate ends, the business associate must return or destroy all PHI within a reasonable time frame.

Who qualifies as a business associate?

A business associate is any person to whom the practice discloses protected health information (PHI) for the purpose of carrying out, assisting in the performance of, or performing for or on behalf of the practice, a function or activity of the practice. This includes persons or contractors who receive PHI from your practice in the course of providing a service to you. You may only disclose this confidential PHI to a business associate if the associate has taken steps to ensure the confidentiality of the information.

What types of functions do business associates typically perform?

Functions or activities typically performed that involve the use or disclosure of individually identifiable health information include claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing.

Who doesn't qualify as a business associate?

The following do not qualify as business associates under the Privacy Rule.

Employees.

Contracted employees who perform a substantial portion of their work at your practice, such as a physical therapist.

Some government oversight agencies.

Hospitals, unless the hospital performs billing services for staff providers.

What about when information is shared for treatment purposes?

Any practice or provider may share protected health information (PHI) with a health care provider for treatment purposes without a business associate agreement so long as information is used to treat the patient and not for other unrelated usage.

Do I need a business associate agreement for my cleaning service?

You are not required to enter into a business associate agreement with your janitorial service because the performance of such service does not involve the use or disclosure of protected health information (PHI). In most cases, a janitor has incidental contact and such disclosure is permissible as long as reasonable safeguards are in place. It would be ideal to lock the records room or store records in lockable cabinets.

Since I already have an attorney-client relationship with counsel, do I need a business associate agreement?

While the Privacy Rule does not intend to interfere with this relationship, and HHS considers an attorney's access to privileged protected health information (PHI) to be limited, HHS nonetheless considers it appropriate to have attorneys sign a business associate agreement.

What about organizations that act merely as a conduit of protected health information (PHI)?

The rule does not require a business associate agreement with a person or organization that acts merely as a conduit of information, such as the U.S. Postal Service, certain private couriers, and their electronic equivalents. Since no disclosure is intended and the probability is small for incidental release, no agreement is necessary.

Nor are financial institutions considered business associates when they process consumer-conducted financial transactions by debit, credit, or other payment cards, checks, or electronic funds transfers. Covered entities that initiate such payment activities must meet the minimum necessary disclosure requirements.

What are the requirements for training my staff and who needs to be trained?

There are no set standards for training in the federal regulations except that all staff, including professional staff such as medical staff and the Medical Director, must be trained initially and annually about HIPAA privacy. This training must take place before January 1, 2011. All new employees must receive HIPAA training as part of their initial orientation to your practice.

Privacy is very important in health care and training your staff to understand the regulations can help to avoid accidental disclosures of information and privacy complaints from patients. Annual privacy training is strongly advised for your practice. Everyone that handles protected health information (PHI) should be trained in the HIPAA regulations. Everyone who works in your office should be trained about confidentiality.

Section 28: Confidentiality Policy

Effective date of policy: January 1, 2011

All employees, staff, contractors, and agents of our practice will be trained to respect the health care information of the patients of our practice. They will treat all medical, personal, biometric, and financial information as confidential.

All employees, staff, contractors, and agents of our practice will receive confidentiality training and sign confidentiality agreements annually.

Any person who breaches this trust will be disciplined and risks immediate termination.

Section 29: __________________________________________

Confidentiality and Non-Disclosure Agreement

I, __________________________________________, do affirm that I will not divulge

__________________________________________ DATA TO ANY UNAUTHORIZED PERSON FOR ANY REASON. Nor will I, directly or indirectly, use or allow the use of __________________________________________ data for any purpose other than that directly associated with my official assigned duties. I understand that ALL PATIENT INFORMATION, including financial data, is strictly confidential.

Furthermore, I will not, either by direct action or by counsel, discuss, recommend, or suggest to any unauthorized person the nature or content of any __________________________________________ information.

Violation of confidentiality is cause for disciplinary action, including immediate dismissal.

I understand that signing this document does not preclude me from reporting instances of breach of confidentiality.

Signed: _______________________________________

Date: _________________________________________


Section 30: HIPAA Privacy Test Overview:

__________________________________________

We have developed a short test as an adjunct to your HIPAA training. The test has 22 questions and should take approximately 10-15 minutes to complete. It may be used in many ways:

1. A pre-test to assess the base level of your staff's HIPAA knowledge.

2. A post-test to assess the effectiveness of your training.

3. Your employees can take the test as many times as necessary to assure you they have complete understanding of the material presented.

4. Print off the final test for each employee and place it in his/her employment file to demonstrate HIPAA training/competence.

As the employer, you may determine how, when, or if this test is to be used, as well as the passing score. You may also use this test as a template upon which to develop your own practice-specific test, or add any specific questions you choose.

HIPAA Privacy Test - Begin

1. When a patient requests copies of his/her health care records:

a. I can set the rate at any amount I choose

b. I can charge $1.00 per copy

c. I can charge reasonable cost-based fees

d. I can charge for retrieval as well as copying fees for retrieval

2. When a patient requests access to his/her health care records:

a. I always have to provide the complete record

b. I can provide a summary if I think it is too difficult for the patient to interpret

c. I need to have the requestor agree on charges for the summary in advance

d. B and C

3. A copy of an authorization:

a. Is okay, if legible

b. Is never acceptable

c. Is acceptable if all elements are included

d. Must be notarized

4. An authorization can be revoked:

a. Only within 30 days of the original authorization

b. By telephone request

c. Under no circumstances-once authorization is given, it cannot be revoked

d. If the requested action has NOT already been taken

5. Patient complaints must first be filed with the medical office.

a. True

b. False

6. If the Secretary of Health and Human Services (HHS) validates a complaint from my center:

a. The Secretary of HHS just makes recommendations to the provider

b. There can be a $100 penalty per complaint

c. Nothing will happen unless harm to patient is proven

d. It may result in a compliance review

7. My center can respond to a request to amend a record:

a. When I get around to it

b. Within 90 days

c. Only if deemed to affect a patient's care

d. Within 60 days

8. A medical practice can refuse to amend the record:

a. Under NO circumstances

b. If you do not find it necessary for patient care

c. Only if it doesn't affect insurance coverage

d. Under specific circumstances

9. The Notice of Privacy Practices (NPP) must be:

a. Given to each patient at the first visit after January 1, 2011

b. Posted on my Web site, if I have one

c. Posted in the office

d. All of the above

10. If I forget to give a Notice of Privacy Practices (NPP) to a patient:

a. It's no big deal

b. I can give it to him at the next visit

c. I can give it to a friend to take to him

d. I have to mail it on the date of service and document my actions

11. Once the Notice of Privacy Practices (NPP) is written:

a. It can't be changed

b. It can be changed if I have reserved this right in my notice

c. It has to be updated at least every year

d. I don't have to worry about it any more

12. Protected health information (PHI) can ONLY be given out after obtaining written authorization.

a. True

b. False

13. If a non-authorized disclosure of protected health information (PHI) is made:

a. I must keep a record of this for six years

b. I must give the patient a full accounting upon proper request

c. There is no such thing as a non-authorized request

d. A and B

14. If a patient wants to request a restriction on the disclosure of his/her protected health information (PHI):

a. I have to agree to it

b. It must be in writing

c. Can be retroactive to cover information already released

d. The patient cannot restrict disclosure of his PHI

15. Staff must be trained:

a. Annually

b. Initially, prior to January 1, 2011

c. Once is enough, and it doesn't matter when

d. Staff initial hiring and orientation process

e. A and D

16. Other than office staff:

a. No one else needs to be trained about HIPAA

b. Casual employees do not need to be trained about HIPAA

c. Contract staff, such as cleaning crews, do not need to be trained about HIPAA

d. Everyone who works in my office, including unpaid volunteers, contract employees, and casual laborers, must be trained or show documentation of training about HIPAA

17. A privacy official should conduct the following steps:

a. Identify the internal and external risks of disclosure of protected health information (PHI)

b. Create and implement a plan to reduce the risk of releasing PHI in those areas identified.

c. Train all personnel on the practice's privacy and security of PHI.

d. Monitor the implementation and enforce appropriately any breaches of policy.

e. All the above

f. A and D only

18. With a complaint process, the government is the only mechanism to assure a health care practice's compliance with HIPAA.

a. True

b. False

19. I don't have to worry about the minimum necessary requirement for:

a. Disclosures to or requests by a health care provider for treatment

b. Uses or disclosures made pursuant to an authorization

c. Uses or disclosures made to the individual's family

d. Disclosures made to the Secretary of Health and Human Services (HHS), pursuant to the stated rules

e. All the above

f. A and D only

20. If an individual authorizes release of protected health information (PHI) that includes psychotherapy notes:

a. I can release this PHI

b. I don't have to consult with the patient about what information to release

c. I can condition coverage or treatment on an authorization to use or disclose psychotherapy notes

d. I am required to respond to an authorization for psychotherapy notes but I may use some discretion

e. None of the above

f. A, B, and D only

21. I don't need a business associate agreement for:

a. My employees

b. My cleaning service

c. My corporate attorney

d. Contracted employees such as a physical therapist who perform a substantial portion of their work at my practice

e. None of the above

f. A, B, and C only

22. The Privacy Rule requires the return or destruction of all protected health information (PHI) at the termination of a business associate agreement contract only where feasible or permitted by law:

a. True

b. False

Answer Key

1. When a patient requests copies of his/her health care records:

a. I can set the rate at any amount I choose

b. I can charge $1.00 per copy

c. I can charge reasonable cost-based fees - CORRECT

d. I can charge for retrieval as well as copying fees for retrieval

2. When a patient requests access to his/her health care records:

a. I always have to provide the complete record

b. I can provide a summary if I think it is too difficult for the patient to interpret

c. I need to have the requestor agree on charges for the summary in advance

d. B and C - CORRECT

3. A copy of an authorization:

a. Is okay, if legible

b. Is never acceptable

c. Is acceptable if all elements are included - CORRECT

d. Must be notarized

4. An authorization can be revoked:

a. Only within 30 days of the original authorization

b. By telephone request

c. Under no circumstances-once authorization is given, it cannot be revoked

d. If the requested action has NOT already been taken - CORRECT

5. Patient complaints must first be filed with the medical office.

a. True

b. False - CORRECT

6. If the Secretary of Health and Human Services (HHS) validates a complaint about my practice:

a. The Secretary of HHS just makes recommendations to the provider

b. There can be a $100 penalty per complaint

c. Nothing will happen unless harm to patient is proven

d. It may result in a compliance review - CORRECT

7. My practice can respond to a request to amend a record:

a. When I get around to it

b. Within 90 days

c. Only if deemed to affect a patient's care

d. Within 60 days - CORRECT


8. A practice can refuse to amend the record:

a. Under NO circumstances

b. If you do not find it necessary for patient care

c. Only if it doesn't affect insurance coverage

d. Under specific circumstances - CORRECT

9. The Notice of Privacy Practices (NPP) must be:

a. Given to each patient at the first visit after January 1, 2011

b. Posted on my Web site, if I have one

c. Posted in the office

d. All of the above - CORRECT

10. If I forget to give a Notice of Privacy Practices (NPP) to a patient:

a. It's no big deal

b. I can give it to him at the next visit

c. I can give it to a friend to take to him

d. I have to mail it on the date of service and document my actions - CORRECT

11. Once the Notice of Privacy Practices (NPP) is written:

a. It can't be changed

b. It can be changed if I have reserved this right in my notice - CORRECT

c. It has to be updated at least every year

d. I don't have to worry about it any more

12. Protected health information (PHI) can ONLY be given out after obtaining written authorization.

a. True

b. False - CORRECT

13. If a non-authorized disclosure of protected health information (PHI) is made:

a. I must keep a record of this for six years

b. I must give the patient a full accounting upon proper request

c. There is no such thing as a non-authorized request

d. A and B - CORRECT

14. If a patient wants to request a restriction on the disclosure of his/her protected health information (PHI):

a. I have to agree to it

b. It must be in writing - CORRECT

c. Can be retroactive to cover information already released

d. The patient cannot restrict disclosure of his PHI

15. Staff must be trained:

a. Annually

b. Initially, prior to April 14, 2003

c. Once is enough, and it doesn't matter when

d. Staff initial hiring and orientation process

e. A, B and D - CORRECT

16. Other than office staff:

a. No one else needs to be trained about HIPAA

b. Casual employees do not need to be trained about HIPAA

c. Contract staff, such as cleaning crews, do not need to be trained about HIPAA

d. Everyone who works in my office, including unpaid volunteers, contract employees, and casual laborers, must be trained or show documentation of training about HIPAA - CORRECT

17. A privacy official should conduct the following steps:

a. Identify the internal and external risks of disclosure of protected health information (PHI)

b. Create and implement a plan to reduce the risk of releasing PHI in those areas identified.

c. Train all personnel on the practice's privacy and security of PHI.

d. Monitor the implementation and enforce appropriately any breaches of policy.

e. All the above - CORRECT

f. A, B, and D only

18. With a complaint process, the government is the only mechanism to assure a health care practice's compliance with HIPAA.

a. True

b. False - CORRECT

19. I don't have to worry about the minimum necessary requirement for:

a. Disclosures to or requests by a health care provider for treatment

b. Uses or disclosures made pursuant to an authorization

c. Uses or disclosures made to the individual's family

d. Disclosures made to the Secretary of Health and Human Services (HHS), pursuant to the stated rules

e. All the above

f. A, B, and D only - CORRECT

20. If an individual authorizes release of protected health information (PHI) that includes psychotherapy notes:

a. I can release this PHI

b. I don't have to consult with the patient about what information to release

c. I can condition coverage or treatment on an authorization to use or disclose psychotherapy notes

d. I am required to respond to an authorization for psychotherapy notes but I may use some discretion

e. None of the above

f. A, B, and D only - CORRECT

21. I don't need a business associate agreement for:

a. My employees

b. My cleaning service

c. My corporate attorney

d. Contracted employees such as a physical therapist who perform a substantial portion of their work at my practice

e. None of the above

f. A, B, and D only - CORRECT

22. The Privacy Rule requires the return or destruction of all protected health information (PHI) at the termination of a business associate agreement contract only where feasible or permitted by law:

a. True - CORRECT

b. False

HIPAA Privacy Certification
