POLICY:
RELATED POLICIES:
All Policies in the Policy and Procedure Manual Subsection Related to HIPAA Privacy Compliance
PROCEDURE:
1.41 Treatment: provision, coordination or management of health care (care, services or supplies related to the health of an individual) and related services by or among providers, providers and third parties, and referrals from one provider to another provider.
1.42 Payment: activities undertaken by a health plan to obtain premiums or determine responsibility for coverage, or activities of a health care provider or health plan to obtain reimbursement for the provision of health care. Payment activities include billing, claims management, collection activities, eligibility determination and utilization review.
1.43 Health Care Operations: activities of a covered entity to the extent such activities are related to covered functions, including quality assessment and improvement activities; credentialing health care professionals; insurance rating and other insurance activities related to the creation or renewal of a contract for insurance; conducting or arranging for medical review, legal services and auditing functions (including compliance programs); business planning such as conducting cost-management and planning analyses for managing and operating the entity, including formulary development and administration and development or improvement of methods of payment or coverage policies; business management and general administrative activities; due diligence in connection with the sale or transfer of assets to a potential successor in interest, if the potential successor is a covered entity or will become a covered entity; and, consistent with privacy requirements, creating de-identified health information, fundraising for the benefit of the covered entity, and marketing for which an individual authorization is not required.
1.6 Minimum Necessary Standard. The organization shall make all reasonable efforts not to use or disclose more than the minimum amount of protected health information necessary to accomplish the intended purpose of the use or disclosure.
1.7 Business Associate. A business associate is a person or entity that provides certain functions, activities, or services for or to a covered entity (healthcare provider, health plan, healthcare clearinghouse) involving the use and/or disclosure of PHI. A covered entity may be a business associate of another covered entity.
2. Responsibility for Privacy of Protected Health Information. Everyone in the organization as well as associated covered entities and business associates shares a responsibility to ensure the integrity and confidentiality of clients’ protected health information and to protect against any unauthorized use or disclosure of such information.
2.1 Privacy Officer. The chief executive shall designate a privacy officer for the organization who will oversee all ongoing activities related to the development, implementation, maintenance and adherence to the organization’s policies and procedures related to the privacy and security of PHI in all forms. The privacy officer will work closely with others in the organization to assure compliance with all federal and state laws and regulations related to information privacy and security.
3. Privacy Standards.
3.1 Notice of Privacy Practices. Under HIPAA, each client has the right to receive notice of the organization’s policies regarding its uses and disclosures of PHI, the individual’s rights under the Privacy Standards, and the organization’s legal obligations regarding PHI. The organization shall prepare and distribute a Notice of Privacy Practices, written in plain language, to each client. The organization shall also document that the client has received such notice.
3.2 Uses and Disclosures of Protected Health Information for Treatment, Payment and Health Care Operations. The agency may use and disclose PHI without client consent or authorization for the purposes of treatment, payment and health care operations. Such uses and disclosures are subject to:
3.3 Uses and Disclosures of PHI When the Individual Has the Opportunity to Agree or Object. The individual shall be granted the opportunity to agree or object to use and disclosure of limited information for a facility directory (if one exists) and for use and disclosure to a significant other involved in the client’s care or as a potential recipient of notification of the client’s status in the event of an emergency or disaster. The individual’s agreement or objection in these circumstances may be verbal and does not require documentation. (Although documentation of a person to notify in an emergency or disaster might be a good idea.)
3.4 Uses and Disclosures for Which Consent, Authorization or Opportunity to Object is Not Required. The organization may use and disclose PHI without the consent or authorization of the client for the following:
3.41 Disclosures by Whistleblowers and Workforce Member Crime Victims. Subject to some limitations, the agency may not be held in violation of the Privacy Rule because a member of its workforce or a person associated with a business associate of the agency used or disclosed PHI that such person believed was evidence of a civil or criminal violation, or that constituted a report of a breach of professional standards or problems with quality of care. Likewise, the agency will not be held in violation if a worker who is the victim of a crime discloses PHI to law enforcement officials. The agency’s sanctions for unauthorized use or disclosure of PHI will not apply to whistleblowers or crime victims as long as the actions were performed in good faith and the amount of information disclosed was consistent with HIPAA implementation standards.
3.5 Uses and Disclosures Requiring Authorization. Except as specified in paragraphs 3.2, 3.3 and 3.4 above, the organization may not use or disclose protected health information without a valid authorization. The authorization is a document signed by the client that gives the organization permission to use specified health information for a specified purpose and time frame.
3.6 Minimum Necessary. The agency shall make reasonable efforts not to use or disclose more than the minimum amount of PHI necessary to accomplish the intended purpose of the use or disclosure. The organization shall take steps to determine the extent to which various classifications of workers need access to client PHI and shall limit use and disclosure of PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. The organization shall also maintain policies governing both routine and non-routine use of PHI.
3.7 Business Associates. A business associate is a person who, on behalf of the organization, performs a function or activity involving the use or disclosure of PHI, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management and practice management; or who provides legal, actuarial, accounting, consulting, data aggregation, management, administrative or financial services to or for the organization where the service involves the disclosure of PHI. The organization may disclose PHI to a business associate and may allow a business associate to create or receive PHI on its behalf if the organization obtains satisfactory contractual assurance that the business associate will appropriately safeguard the information.
3.8 Client Rights Related to Protected Health Information. The HIPAA regulations contain standards that not only control the inappropriate use of PHI, but also protect and enhance the rights of individuals to access their information. The regulations provide the following rights to individuals with respect to their personal health information.
3.81 Inspect and Copy. Clients shall have the right to access their own protected health information that is maintained in record sets of the organization and its business associates. The organization may deny access to records under certain specified circumstances and shall establish and maintain a process for appeal of the denial.
3.82 Restrictions. Clients shall have the right to request restrictions on how the organization will use or disclose their own protected health information for treatment, payment or health care operations and on how their information will be disclosed or not disclosed to family members or others involved in their care.
3.83 Amendment. Clients shall have the right to amend erroneous or incomplete PHI unless the information:
The organization shall maintain a procedure for appeal if the client’s request to amend is denied. The organization shall follow the medical practice model for amending medical records in order to retain the integrity of the original entry while appending the correction.
3.84 Accounting. Clients shall have the right to an accounting of disclosures of their own protected health information that is maintained in record sets of the organization and its business associates. Such accounting shall include a period of six years prior to the request, beginning on the first date on which the organization was required to be in compliance with the HIPAA Privacy Standards (April 14, 2003).
3.85 Confidential Communications. The agency shall permit individuals to request communications of PHI at locations and by means that assure confidentiality. The request shall include a statement by the individual that the alternate means and/or alternate location for such communications are necessary to ensure his/her safety. The agency shall accommodate reasonable requests.
3.86 Request and Receive a Copy of the Privacy Notice. The individual shall be provided with a process to request and receive a written copy of the agency’s Notice of Privacy Practices.
3.87 Deceased Individuals. Subject to some limitations, the privacy protections for PHI extend to the PHI of a deceased individual, and the protections remain in effect until the individual has been deceased for 50 years. Disclosures are permitted to a decedent’s family members or others if:
3.88 Personal Representative. Broadly, a personal representative is someone authorized to act on behalf of another person who is the subject of the PHI.
3.881 Adults and Emancipated Minors. The agency must treat a person as a personal representative of an individual if such person is, under applicable law, authorized to act on behalf of the individual in making decisions related to health care. Authority of the representative is limited to the extent to which PHI is relevant to the matters on which the personal representative is authorized to represent the individual.
3.882 Un-emancipated Minors. Unless state law grants otherwise, a parent or legally appointed personal representative may act on behalf of an un-emancipated minor in making decisions related to health care and PHI.
3.9 De-identification and Re-identification of PHI. PHI that is de-identified according to the specifications of the regulation is no longer considered PHI and is thus exempt from the other provisions of the regulation. The regulation describes two methods for de-identification of PHI. The standards also provide for the re-identification of PHI, subject to some limitations.
4.1 General Policy Related to HIPAA Compliance. The agency shall develop a policy specifying the general requirements of the HIPAA Privacy Rule including appropriate use and disclosure of PHI; the rights of the individual in respect to their own PHI; and, the agency’s responsibilities to the individual and for the protection of personal health information.
4.2 Designation of Privacy Official and Contact Person. The agency shall designate and document the designation of a privacy official and a contact person to whom individuals can direct questions regarding policy, procedures and compliance with the HIPAA regulations. The privacy official and the contact may be the same person.
4.3 Training Workforce Members. All individuals of the organization’s workforce and business associates shall receive training about the entity’s privacy policies and procedures as necessary and appropriate to carry out their job duties. Training shall also be provided to new employees and when there is a material change in the organization’s privacy practices.
4.4 Establish Safeguards for PHI. The agency shall perform a risk assessment related to the potential misuse and/or unauthorized disclosure of PHI. Based on the assessment, reasonable and appropriate administrative, technical and physical safeguards shall be implemented to protect the privacy of personal health information.
4.5 Receive and Document Complaints. The agency shall implement a process to receive and document individual complaints related to the agency’s policies and procedures to protect privacy and to the agency’s compliance with the privacy standards. The agency shall include the disposition of complaints, if any, in the documentation.
4.6 Maintain Process for Sanctions and Mitigation. The organization shall establish and apply appropriate sanctions against workers who fail to comply with privacy policies and procedures. The organization shall do all that it can to mitigate any potential harmful results of an improper use or disclosure of PHI (in violation of the HIPAA Privacy Standards) by the organization, its workforce or its business associates.
4.7 Refrain from Intimidation and Retaliation. The agency shall establish and enforce policies to prevent intimidation or retaliatory acts against any individual exercising rights or duties under HIPAA. This protection is extended to whistleblowers, participants in investigations of the agency’s compliance with regulations, individuals who complain to the agency or the Secretary about compliance issues and other similar situations.
4.8 Protect Client Rights (Waiver of Rights). The agency shall not condition the provision of or eligibility for services or benefits on an individual’s waiver of rights under the HIPAA regulations.
4.9 Maintain Required Documentation. Documentation shall be required in support of policies and procedures and all other subparts of the privacy regulations that directly list documentation as a requirement. Documentation must be kept current to reflect changes in regulatory requirements and the organization’s privacy processes.
4.91 Retention of Documentation. Documentation required under the privacy regulations shall be kept in written or electronic form for a period of six (6) years from the date of creation or from the date when it last was in effect, whichever is later.
4.10 Effect of Prior Consents and Authorizations. The agency may continue to use consents, authorizations, or other legal permissions for the use and disclosure of PHI that were in force prior to the HIPAA compliance date (April 14, 2003). If the prior consent or authorizations related to a research project, the agency may use PHI received or created either before or after the compliance date for the research purpose. However, anyone entering the project after the compliance date would be subject to the HIPAA standards for uses and disclosures related to research.
4.11 State Preemption of HIPAA Rules. Any provision of State law contrary to HIPAA is preempted unless the State laws provide more protection to health information or greater rights to the individual subject of the health information.
4.12 Develop and Implement Policies and Procedures. The agency shall develop and implement policies and procedures to comply with the HIPAA regulations to protect personal health information. The policies and procedures shall be designed to comply with the standards, implementation specifications or other requirements of the regulation and shall reflect a reasonable assessment of the agency’s needs based upon its size and the type of activities that relate to PHI.
4.121 Changes to Policies and Procedures. When a change in law affects the agency’s policies and procedures related to HIPAA regulations, the policies and procedures shall be changed consistent with the new law. If the entity reserved the right to change policies and procedures in the Notice of Privacy Practices, any change to policy and procedures would apply to PHI acquired prior to the change. If the right to change was not included in the Notice, the agency must apply old policies and procedures to the PHI acquired during the period when those policies were in effect and apply new policies and procedures to PHI acquired after the effective date of the new policies. The agency shall also provide staff and business associate training with respect to the change in policies and procedures.
5.1 Enforcement. Enforcement of the regulations shall be through investigation of complaints filed with the Secretary. Any person who believes a covered entity is not complying with the privacy regulations may file a complaint.
5.2 Penalties for Non-compliance. The agency and/or individuals may be subject to civil penalties of up to $25,000 prior to 2/18/2009. The agency and/or individuals may be subject to civil penalties of up to $1,500,000 after 2/18/2009 and criminal penalties, including prison, for knowingly and improperly disclosing or obtaining confidential healthcare information. Tougher penalties are in place for situations where personal gain, commercial advantage, or malicious harm is involved.