Cohen Veterans Network
HIPAA Tool-Kit for Military Family Clinics
2017
TABLE OF CONTENTS
THE HIPAA TOOL KIT
FOR CLINICS, PHYSICIAN GROUPS AND HEALTH CARE PROVIDERS
HIPAA COMPLIANCE POLICIES AND FORMS
SECTION I: HIPAA PRIVACY COMPLIANCE
SECTION A: POLICIES AND FORMS IMPLEMENTING INDIVIDUAL RIGHTS
1. PATIENT REQUESTS FOR RECORDS
POLICY: PATIENT REQUESTS FOR RECORDS
FORM: REQUEST FOR RECORDS
FORM: NOTICE THAT MORE TIME IS NEEDED
FORM: NOTICE OF GRANT OF REQUEST FOR RECORDS
FORM: NOTICE OF DENIAL OF REQUEST FOR RECORDS
FORM: INTERNAL NOTICE OF REVIEW OF DENIAL OF REQUEST FOR RECORDS
2. PATIENT REQUESTS TO AMEND RECORDS
POLICY: PATIENT REQUESTS TO AMEND RECORDS
FORM: NOTICE THAT MORE TIME IS NEEDED
FORM: NOTICE OF GRANT OF REQUEST TO AMEND RECORDS
FORM: NOTICE OF DENIAL OF REQUEST TO AMEND RECORDS
FORM: NOTICE OF REBUTTAL TO STATEMENT OF DISAGREEMENT
3. PATIENT REQUESTS FOR ACCOUNTING OF DISCLOSURES
POLICY: PATIENT REQUESTS FOR ACCOUNTING OF DISCLOSURES
FORM: NOTICE THAT MORE TIME IS NEEDED
FORM: GRANT OF REQUEST FOR ACCOUNTING OF DISCLOSURES
4. PATIENT REQUESTS FOR RESTRICTION OF USES AND DISCLOSURES FOR TREATMENT, PAYMENT AND HEALTH CARE OPERATIONS
POLICY: PATIENT REQUESTS FOR RESTRICTION OF USES AND DISCLOSURES FOR TREATMENT, PAYMENT AND HEALTH CARE OPERATIONS
FORM: AGREEMENT TO REQUEST RESTRICTION IN USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION
FORM: DENIAL OF REQUEST FOR RESTRICTION OF USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION
5. PATIENT REQUESTS FOR CONFIDENTIAL COMMUNICATIONS
POLICY: PATIENT REQUESTS FOR CONFIDENTIAL COMMUNICATIONS
FORM: GRANT OF REQUEST FOR CONFIDENTIAL COMMUNICATIONS
FORM: DENIAL OF REQUEST FOR CONFIDENTIAL COMMUNICATIONS
6. NOTICE OF PRIVACY PRACTICES
POLICY: NOTICE OF PRIVACY PRACTICES
FORM: NOTICE OF PRIVACY PRACTICES
SECTION B: POLICIES AND FORMS IMPLEMENTING RESTRICTIONS ON USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION
7. USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION REQUIRING PATIENT AUTHORIZATION
POLICY: USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION REQUIRING PATIENT AUTHORIZATION
FORM: AUTHORIZATION TO USE OR DISCLOSE PROTECTED HEALTH INFORMATION
8. USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION FOR TREATMENT, PAYMENT AND HEALTH CARE OPERATIONS
POLICY: USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION FOR TREATMENT, PAYMENT AND HEALTH CARE OPERATIONS
9. USE AND DISCLOSURE OF MENTAL HEALTH INFORMATION
POLICY: USE AND DISCLOSURE OF MENTAL HEALTH INFORMATION
10. DISCLOSURES OF PROTECTED HEALTH INFORMATION RELATING TO COMMUNICABLE DISEASES
POLICY: DISCLOSURES OF PROTECTED HEALTH INFORMATION RELATING TO COMMUNICABLE DISEASES
FORM: CERTIFICATION OF PROPER USE
11. DISCLOSURES OF PROTECTED HEALTH INFORMATION RELATING TO GENETIC TESTING
POLICY: DISCLOSURE OF PROTECTED HEALTH INFORMATION RELATING TO GENETIC TESTING
12. USE AND DISCLOSURE OF ALCOHOL AND DRUG ABUSE RECORDS
POLICY: USE AND DISCLOSURE OF ALCOHOL AND DRUG ABUSE RECORDS
FORM: PATIENT NOTICE OF CONFIDENTIALITY OF ALCOHOL AND DRUG ABUSE PATIENT RECORDS
13. DISCLOSURES OF PROTECTED HEALTH INFORMATION REQUIRED BY LAW
POLICY: DISCLOSURES OF PROTECTED HEALTH INFORMATION REQUIRED BY LAW
14. DISCLOSURES OF PROTECTED HEALTH INFORMATION TO GOVERNMENT OFFICIALS
POLICY: DISCLOSURES OF PROTECTED HEALTH INFORMATION TO GOVERNMENT OFFICIALS
15. INTRODUCTION: DISCLOSURES TO LAW ENFORCEMENT OFFICIALS
POLICY: DISCLOSURES TO LAW ENFORCEMENT OFFICIALS
16. USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION TO CORRECTIONAL INSTITUTIONS AND OTHER OFFICIALS WITH CUSTODY OVER INMATE
POLICY: USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION TO CORRECTIONAL INSTITUTIONS AND OTHER OFFICIALS WITH CUSTODY OVER INMATE
17. DISCLOSURES OF PROTECTED HEALTH INFORMATION RELATING TO MILITARY, NATIONAL SECURITY AND INTELLIGENCE ACTIVITIES
POLICY: DISCLOSURES OF PROTECTED HEALTH INFORMATION RELATING TO MILITARY, NATIONAL SECURITY AND INTELLIGENCE ACTIVITIES
FORM: CERTIFICATION OF PROPER USE
FORM: CERTIFICATION OF PROPER USE ― INTELLIGENCE AND NATIONAL SECURITY
18. DISCLOSURES OF PROTECTED HEALTH INFORMATION IN JUDICIAL AND ADMINISTRATIVE PROCEEDINGS
POLICY: DISCLOSURES OF PROTECTED HEALTH INFORMATION IN JUDICIAL AND ADMINISTRATIVE PROCEEDINGS
19. USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION CONCERNING DECEDENTS
POLICY: USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION CONCERNING DECEDENTS
20. DISCLOSURES OF PROTECTED HEALTH INFORMATION FOR ORGAN, EYE AND TISSUE DONATION
POLICY: DISCLOSURES OF PROTECTED HEALTH INFORMATION FOR ORGAN, EYE AND TISSUE DONATION
21. USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION IN RESEARCH
POLICY: USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION IN RESEARCH
22. DISCLOSURES OF PROTECTED HEALTH INFORMATION TO AVERT A SERIOUS THREAT TO HEALTH OR SAFETY
POLICY: DISCLOSURES OF PROTECTED HEALTH INFORMATION TO AVERT A SERIOUS THREAT TO HEALTH OR SAFETY
23. DISCLOSURE OF PROTECTED HEALTH INFORMATION FOR FDA REPORTING
POLICY: DISCLOSURE OF PROTECTED HEALTH INFORMATION FOR FDA REPORTING
24. DISCLOSURES AUTHORIZED BY WORKERS’ COMPENSATION OR SIMILAR PROGRAMS
POLICY: DISCLOSURES AUTHORIZED BY WORKERS’ COMPENSATION OR SIMILAR PROGRAMS
25. USE OF PROTECTED HEALTH INFORMATION IN FUNDRAISING
POLICY: USE OF PROTECTED HEALTH INFORMATION IN FUNDRAISING
26. USE OF PROTECTED HEALTH INFORMATION IN MARKETING
POLICY: USE OF PROTECTED HEALTH INFORMATION IN MARKETING
27. SALE OF PROTECTED HEALTH INFORMATION
POLICY: SALE OF PHI
28. FACILITY DIRECTORY (PATIENT CENSUS) DISCLOSURES
POLICY: FACILITY DIRECTORY (PATIENT CENSUS) DISCLOSURES
FORM: FACILITY DIRECTORY OPT-OUT
29. DISCLOSURES OF PROTECTED HEALTH INFORMATION TO FAMILY MEMBERS AND TO OTHERS INVOLVED IN PATIENT’S CARE
POLICY: DISCLOSURES OF PROTECTED HEALTH INFORMATION TO FAMILY MEMBERS AND TO OTHERS INVOLVED IN PATIENT’S CARE
30. DISCLOSURES OF PROOF OF STUDENT IMMUNIZATIONS
POLICY: DISCLOSURES OF PROOF OF STUDENT IMMUNIZATIONS
FORM: DOCUMENTATION OF AGREEMENT TO DISCLOSE PROOF OF IMMUNIZATION
31. WORKFORCE MEMBER CONFIDENTIALITY AGREEMENT
POLICY: WORKFORCE MEMBER CONFIDENTIALITY AGREEMENT
FORM: WORKFORCE MEMBER CONFIDENTIALITY AGREEMENT
32. VERIFICATION OF IDENTITY AND AUTHORITY OF REQUESTOR OF PROTECTED HEALTH INFORMATION
POLICY: VERIFICATION OF IDENTITY AND AUTHORITY OF REQUESTOR OF PROTECTED HEALTH INFORMATION
FORM: VERIFICATION OF IDENTITY AND AUTHORITY OF GOVERNMENT OFFICIAL REQUESTING ACCESS TO PROTECTED HEALTH INFORMATION
33. USING, DISCLOSING AND REQUESTING THE MINIMUM NECESSARY AMOUNT OF PROTECTED HEALTH INFORMATION
POLICY: USING, DISCLOSING, AND REQUESTING THE MINIMUM NECESSARY AMOUNT OF PROTECTED HEALTH INFORMATION
34. IDENTIFYING PROTECTED HEALTH INFORMATION
POLICY: IDENTIFYING PROTECTED HEALTH INFORMATION
35. USING AND DISCLOSING LIMITED DATA SETS
POLICY: USING AND DISCLOSING LIMITED DATA SETS
FORM: DATA USE AGREEMENT
SECTION II: HIPAA ADMINISTRATIVE REQUIREMENTS
36. PRIVACY COMPLAINTS
POLICY: PRIVACY COMPLAINTS
FORM: PRIVACY COMPLAINT
37. MITIGATION OF HARM RESULTING FROM USE OR DISCLOSURE OF PROTECTED HEALTH INFORMATION
POLICY: MITIGATION OF HARM RESULTING FROM USE OR DISCLOSURE OF PROTECTED HEALTH INFORMATION
38. SANCTIONS FOR NON-COMPLIANCE
POLICY: SANCTIONS FOR NON-COMPLIANCE
39. PROHIBITION OF INTIMIDATING OR RETALIATORY ACTS
POLICY: PROHIBITION OF INTIMIDATING OR RETALIATORY ACTS
40. PRIVACY AND SECURITY AWARENESS AND TRAINING
POLICY: PRIVACY AND SECURITY AWARENESS AND TRAINING
SECTION III: HIPAA BUSINESS ASSOCIATES
41. BUSINESS ASSOCIATE AGREEMENTS
POLICY: BUSINESS ASSOCIATE AGREEMENTS
FORM: BUSINESS ASSOCIATE AGREEMENT
SECTION IV: HIPAA BREACH NOTIFICATION COMPLIANCE
42. HITECH ACT MANDATORY BREACH REPORTING POLICY
POLICY: REPORTING BREACHES OF PROTECTED HEALTH INFORMATION
FORM: BREACH REPORTING LOG
FORM: PATIENT BREACH NOTIFICATION LETTER
SECTION V: HIPAA SECURITY COMPLIANCE
43. ACCESS CONTROL AND VALIDATION PROCEDURES
44. ACCESS ESTABLISHMENT AND MODIFICATION
45. ACCOUNTABILITY
46. APPLICATIONS AND DATA CRITICALITY ANALYSIS
47. ASSIGNED SECURITY OFFICIAL
48. AUDIT CONTROLS
49. AUTHORIZATION AND SUPERVISION
50. AUTOMATIC LOGOFF
51. BUSINESS ASSOCIATE CONTRACTS AND OTHER ARRANGEMENTS
52. DATA BACKUP PLAN; DATA BACKUP AND STORAGE
53. DISASTER RECOVERY PLAN; CONTINGENCY OPERATIONS
54. DISPOSAL; MEDIA RE-USE
55. EMERGENCY ACCESS PROCEDURES
56. EMERGENCY MODE OPERATION PLAN
57. ENCRYPTION AND DECRYPTION
58. EVALUATION
59. FACILITY SECURITY PLAN
60. INFORMATION ACCESS MANAGEMENT
61. INFORMATION SYSTEM ACTIVITY REVIEW
62. LOGIN MONITORING
63. MAINTENANCE RECORDS
64. MECHANISM TO AUTHENTICATE ELECTRONIC PROTECTED HEALTH INFORMATION
65. PASSWORD MANAGEMENT
66. PERSON OR ENTITY AUTHENTICATION
67. POLICY AND PROCEDURES; TIME LIMIT; AVAILABILITY; UPDATES
68. PROTECTION FROM MALICIOUS SOFTWARE
69. RISK ANALYSIS
70. RISK MANAGEMENT
71. SECURITY INCIDENT PROCEDURES; RESPONSE AND REPORTING
72. SECURITY REMINDERS
73. TERMINATION PROCEDURES
74. TESTING AND REVISION PROCEDURES
75. TRANSMISSION SECURITY – INTEGRITY CONTROLS; ENCRYPTION
76. UNIQUE USER IDENTIFICATION
77. WORKFORCE CLEARANCE
78. WORKSTATION SECURITY
79. WORKSTATION USE
SECTION I: HIPAA PRIVACY COMPLIANCE
SECTION A: POLICIES AND FORMS IMPLEMENTING INDIVIDUAL RIGHTS
1. PATIENT REQUESTS FOR RECORDS
POLICY: PATIENT REQUESTS FOR RECORDS
Topic: Patient Requests for Access to and Copying of Protected Health Information
Last Revision(s):
Approval Signature:
Date:
PURPOSE
Patients are permitted in most circumstances to inspect and obtain copies of their protected health information (“PHI”). This policy describes the Provider’s process for: (1) determining whether to provide access to and a copy of PHI to a patient or patient representative or surrogate; (2) making such disclosures; (3) denying disclosure and copying in certain circumstances; and (4) providing for appeal of that denial in certain circumstances.
POLICY
1. Definitions
a. Designated record set: The designated record set includes the patient’s medical record and any other record Provider personnel use to make decisions about a patient. The designated record set does not include quality assurance or other peer review information or documents.
b. Medical record: All records maintained for purposes of patient treatment, including reports, notes, orders, diagnoses, treatments, test results, photographs, medical images, records obtained from other providers and psychological records. The medical record includes billing records. The medical record does not include quality assurance or other peer review information or documents.
c. Minor: Any patient under the age of 18 years who is not emancipated under state law.
d. Patient: The person whose treatment occasioned the making of the medical record.
e. Psychotherapy notes: Psychotherapy notes are notes recorded (in any medium) by a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session, and that are separated from the rest of the individual’s medical record. These are records that are kept as the private records of a mental health professional.
Psychotherapy notes are kept separate from the medical record and do not include records of medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, or any summary of diagnosis, functional status, the treatment plan, symptoms, prognosis and progress to date.
f. Representative: An individual who is authorized, either by the patient or by State law, to make health care treatment decisions for the patient when the patient is unable to do so.
2. Right to Inspect and Copy Records
Except as set forth in this policy, a patient or patient’s representative is entitled to inspect or have copies made of PHI in the designated record set.
3. Processing Requests for Inspection and Copies
a. Written request: A request for a patient’s designated record set or any part of the designated record set must be in writing. A person may ask for a record request form by telephone. If this occurs, obtain the requestor’s address and mail the request form. Alternatively, have the requestor fax a written request containing the elements included on the Provider’s request form. Do not require the requestor to come to the Provider’s facility in person to make a request.
b. Route to appropriate personnel: [Insert title or job function of person(s) who will handle, such as “Office Manager” or “administrative staff”] will handle requests for the medical record, and [insert title or job function of person(s) who will handle] will handle requests for the billing record.
c. Log the request: Upon receipt of a written request for all or part of a patient’s designated record set, log the request in [insert name of Provider’s calendaring system], together with a reminder that a response is due within thirty days of the date of receipt.
d. Identification: Upon receipt of a written request, obtain identification from the requestor or confirm that such identification has already been obtained. [The Provider should insert its current procedure for obtaining identification.] If the requestor is not the patient, follow the procedures set forth in Section 4, below.
e. Psychiatric or psychological records: Before copying or otherwise providing access to the designated record set, review the records to determine whether the record set contains records of psychiatric or psychological care or treatment for a mental disorder or serious mental illness.
(1) If the record set may contain any such records, notify [insert title of administrator or member of management]. Before copying or otherwise disclosing such records, obtain physician/psychologist approval of access if feasible.
(2) If the physician/psychologist is not available within a reasonable time, contact the [insert title of administrator or member of management] to review and decide whether access can be granted or must be denied in accordance with Section 6, below.
(3) If the physician/psychologist or [insert title of administrator or member of management] advises you that patient access to all or a portion of the record should be denied, follow the instructions in Section 6, below.
4. Requestors Who Identify Themselves as Patient Representatives
When the requestor is not the patient, but identifies himself or herself as representing the patient, access to records and copying is permitted in the following circumstances:
(1) The requestor has a written authorization from the patient to obtain access, and the authorization meets the requirements set forth in Policy: Use and Disclosure of Protected Health Information Requiring Patient Authorization.
(2) The requestor is an adult patient’s guardian: Obtain a copy of the court order appointing the requestor as guardian, or a written and notarized statement that a court appointed the requestor as the patient’s guardian and that the appointment is still valid.
(3) A guardian has not been appointed, and the requestor is the patient’s agent under a health care power of attorney or mental health care power of attorney: Obtain the signed, valid power of attorney naming the requestor as the patient’s agent, and confirm with the patient’s physician that the patient is unable to make his or her own health care decisions.
(4) A guardian has not been appointed, the patient does not have a health care or mental health care power of attorney, and the requestor is the patient’s health care decision maker under State law: Confirm with the patient’s physician that the patient is unable to make his or her own decisions.
(5) The requestor is a minor patient’s parent or guardian:
(a) Review the records to determine whether the patient has been considered emancipated or is otherwise competent to give informed consent. If so, require written consent from the patient before providing parent or guardian access to records [or insert your present process for making this decision].
(b) [If the Provider does not allow parent or guardian access to minor reproductive health records or other types of records, insert the following: Before copying or otherwise providing access to records to the requestor, review the records to determine whether the patient received reproductive health services or other services to which the minor may give consent. If so, contact [insert title of administrator or member of management] before granting access to or copying records.]
(c) Obtain identification verifying that the requestor is the parent or guardian.
(6) The requestor is a person entitled to see the records of a deceased patient. See Policy: Use and Disclosure of Protected Health Information Concerning Decedents.
5. Time Frames for Responding to Requests to Inspect and Copy Medical Records
a. Copies of records will be provided, or a written denial made, in response to requests from patients or their representatives for access to all or part of the patient’s designated record set within thirty days of receipt of the request.
b. If Provider personnel cannot produce the records within the time limit in paragraph 5(a), mail to the requestor a written statement explaining the reason for the delay and setting forth the date by which the Provider will provide the records or a response. Only one such extension is permitted, and it may not exceed thirty additional days.
c. Provider personnel processing a request for access will log these dates in [insert name of Provider’s calendaring system].
6. Denial of Access to the Patient’s Designated Record Set
a. A decision to deny access to or copying of a patient’s designated record set, in response to a request by the patient or patient representative, may be made on the following grounds:
(1) The Provider does not maintain the records.
(2) The requestor, if not the patient, is not authorized to receive the records under Section 4 and the patient has not authorized the disclosure.
(3) The requestor is a parent or guardian but is not authorized to receive the records because the minor patient is emancipated, married or homeless [insert “or the records involve reproductive health care” if applicable].
(4) The records are psychotherapy notes.
(5) The information was compiled in reasonable anticipation of, or for use in, a civil, criminal or administrative action or proceeding.
(6) The information is held by the Provider under the direction of a correctional institution, and allowing an inmate to obtain his or her PHI would jeopardize the health, safety, security, custody or rehabilitation of the inmate, other inmates, or staff members at the correctional institution.
(7) The patient has agreed, as part of the research protocol, to limit his or her access to the PHI for the duration of the research project. Provider personnel will inform the patient that the right of access will be reinstated upon completion of the research.
(8) The Provider is a government Provider, and the patient would be denied access to the PHI under the Federal Privacy Act, 5 U.S.C. § 552a.
(9) The information was obtained from someone other than Provider personnel or another health care provider under a promise of confidentiality, and access to the information would be likely to reveal the identity of the source of the information.
(10) A licensed health care professional determines that access is reasonably likely to endanger the life or physical safety of the patient or another person, or to cause substantial harm to such other persons.
(11) The PHI makes reference to another person (unless that person is a health care provider), and a licensed health care professional determines that access is reasonably likely to cause substantial harm to that other person.