DATA PRIVACY AND HIPAA POLICY AND PROCEDURES

Policy:

  1. PossAbilities recognizes the rights of program participants and agency staff to confidentiality and data privacy.
  2. All PossAbilities staff will comply with the Minnesota Data Practices Act and the Health Insurance Portability and Accountability Act (HIPAA) to assure the privacy and security of data maintained by the agency.
  3. All requests for data will be complied with promptly and according to procedure.
  4. All records will be kept in a manner and condition so they are easily accessible for convenient use, regardless of the size of the record.

Responsible Authorities and Designees:

  1. PossAbilities Responsible Authority, as defined by the Minnesota Data Practices Act, is the individual designated by the governing body as being responsible for the collection, use, and dissemination of any set of data on individuals, government data, or summary data, unless otherwise provided by state law. PossAbilities Responsible Authority is the Executive Director.
  2. PossAbilities Designees, as defined by the Minnesota Data Practices Act, are designated by the Responsible Authority to be in charge of individual files or systems containing government data and to receive and comply with requests for government data. PossAbilities Designees are the Fiscal Director, Human Resources staff and the Program Directors.
  3. Responsible Authorities and Designees are assigned the following duties:
  • Preparing and updating a public document that lists, describes and classifies records/files kept by PossAbilities. This document must list the persons authorized access to the protected health information and personal data contained in records/files;
  • Submitting protected health information and personal data privacy documents as requested to political authorities designated in the Data Practices Act;
  • Limiting the collection and use of protected health information and personal data to that which is necessary for the administration and management of services;
  • Limiting the collection and use of private or confidential data to the purposes stated to the individual at the time of collection;
  • Establishing procedures to assure that protected health information and personal data on individuals is accurate, complete, current and properly safeguarded;
  • Providing access to information as required by contract between the State of Minnesota, the County and PossAbilities;
  • Preparing summary data from private protected health information and personal data on individuals upon request;
  • Controlling access to protected health information and personal data when it is not classified as public to assure only authorized individuals are allowed access;
  • Documenting when protected health information and personal data are disclosed without the individual’s direct authorization or to carry out treatment, payment or health care operations;
  • Assuring data created prior to the death of an individual retains the same legal classification (public, private, confidential) after the individual’s death as it had before the death; and
  • Annually reviewing agency forms used to collect protected health information and personal data about individuals to ensure that the data elements are necessary for the administration and management of services. When possible, protected health information and personal data will be clustered on forms according to classification so when photocopies are made private data can be obscured.

Procedures for Providing Notice:

  1. At the time of service initiation, the Program Director or Coordinator will provide the participant or legal representative with a copy of PossAbilities Data Privacy & HIPAA Policy along with the Tennessen Warning.
  2. The Program Director or Coordinator will assure the participant or the participant’s legal representative acknowledges receipt of these policies by obtaining signatures on the Participant Orientation/Training Verification form. The Program Director or Coordinator will assure a copy of this form is placed in the participant’s individual program file.

Procedures for Obtaining Authorization for Exchange of Information for Participants:

  1. At the time of service initiation, and annually thereafter, the Program Director, Coordinator or Specialist assigned to the participant will explain the Consent to Exchange Information to the participant and/or their legal guardian and obtain their signatures on the document. The explanation must include:
  • Why the information is being collected;
  • How PossAbilities intends to use the information;
  • Whether the participant may refuse or is legally required to furnish the information;
  • What known consequences may result from either providing or refusing to disclose the information;
  • With whom PossAbilities is authorized by law to share the information;
  • What the participant can do if they believe the information is incorrect or incomplete;
  • How the participant can see and get copies of the data collected about them; and
  • Any other rights that the participant may have regarding the specific type of information collected.
  2. The Program Director, Coordinator or Specialist assigned to the person will assure a copy of the Consent to Exchange Information is given to the participant or their legal guardian and a copy is placed in the participant’s individual program file.

Procedures for Handling Requests for Private Data:

  1. Only PossAbilities staff members who are Responsible Authorities or Designees may respond to requests for private data.
  2. The Responsible Authority or Designee will assure that only the following individuals are provided with access to private data:
  • The individual who is the subject of the data;
  • The legal representative of the data subject;
  • Anyone to whom the data subject has given signed informed consent to view the data;
  • Employees of PossAbilities whose job assignment requires access to the data;
  • Employees of the Minnesota Department of Human Services, county social service agencies, county case manager, county welfare agencies, human service boards, Office of the Ombudsman for Mental Health & Developmental Disabilities, persons or entities under contract with any of the above agencies and other licensed care givers jointly providing services to the participant whose work assignment requires access to the data; and
  • Anyone the law says can view the data.
  3. If the individual requesting the data is not the data subject, the Responsible Authority or Designee will require proper identification and, if applicable, assure the data subject has given his/her signed informed consent for the individual to receive the data requested.
  4. If the requested data is summary data, it is considered ‘public’ even though it is derived from private records or information. The Responsible Authority or Designee is responsible for the following in regard to requests for summary data:
  • Compiling the requested data as soon as possible;
  • Allowing the requestor to have access to the data to compile the information for summary themselves;
  • If the requestor is allowed access to private information in order to compile summaries they must complete a Non-Disclosure Agreement Form. The Responsible Authority or Designee will assure the Non-Disclosure Agreement Form is filed with HR files in the administration office.

Procedures for Handling Participant Requests for Access to Their Individual Records:

  1. Individual participants and/or their legal representatives have a right to access and review their individual record. Requests for access to individual participant records should be made in writing to the Program Director.
  2. The Program Director or other designated staff will be present during the review and document the review including:
  • Name(s) of individual(s) who accessed the records;
  • Date and time of review; and
  • List of any copies made from the record.
  3. Staff will make copies of any records requested by the participant or their legal representative. No one is allowed to permanently remove or destroy any portion of the participant’s record.
  4. A participant or their legal representative may challenge the accuracy or completeness of information contained in the record by following PossAbilities Grievance Policy to file a complaint.

Procedures for Handling Requests for Public Data:

  1. Only PossAbilities staff members who are Responsible Authorities or Designees may respond to written requests for public data.
  2. Access to public data is allowed during regular business hours. The requestor must be informed of when the data will be available. The request for data will be honored within 10 business days, unless circumstances require more time be allowed.

Appealing the Decision of the Designee or Responsible Authority:

  1. An individual who wishes to appeal the decision of the Designee must submit a written appeal to the Responsible Authority for the records in question. The written appeal must contain:
  • The name, address, phone number and email address of the person submitting the appeal;
  • The name of the Designee who handled the initial request;
  • A description of the nature of the dispute, including a description of the information requested or in question; and
  • A description of the desired result of the appeal.
  2. The Responsible Authority must respond to the written appeal within 10 business days.
  3. The decision of the Designee or Responsible Authority may be appealed directly to the President of the Board of Directors of PossAbilities of Southern Minnesota, Inc. 1808 3rd Avenue SE, Rochester, MN 55972; fax #: 507-281-6117.
  4. The President of the Board of Directors will respond to the written appeal within 15 business days of receiving the appeal.

Revised 9/03/14 Data Privacy & HIPAA Policy Page 1 of 4