Family MedCenters, P.A.

PRIVACY POLICIES AND PROCEDURES MANUAL

TABLE OF CONTENTS

SUBJECT: CONFIDENTIAL INFORMATION

SUBJECT: PRIVACY OFFICIAL

SUBJECT: MINIMUM NECESSARY STANDARD

SUBJECT: TREATMENT OF PERSONAL REPRESENTATIVES

SUBJECT: DISCLOSURE TO INDIVIDUALS

SUBJECT: DISCLOSURE OF PHI TO PERSONS INVOLVED IN AN INDIVIDUAL’S CARE

SUBJECT: USES AND DISCLOSURES FOR TREATMENT, PAYMENT AND HEALTH CARE OPERATIONS PURPOSES

SUBJECT: USES AND DISCLOSURES IN FACILITY DIRECTORIES

SUBJECT: USES AND DISCLOSURES FOR MARKETING PURPOSES

SUBJECT: USES AND DISCLOSURES FOR FUNDRAISING PURPOSES

SUBJECT: USES AND DISCLOSURES REQUIRED BY LAW

SUBJECT: DISCLOSURES FOR PUBLIC HEALTH ACTIVITIES

SUBJECT: DISCLOSURES ABOUT VICTIMS OF ABUSE, NEGLECT OR DOMESTIC VIOLENCE

SUBJECT: DISCLOSURES FOR HEALTH OVERSIGHT ACTIVITIES

SUBJECT: DISCLOSURES FOR JUDICIAL AND ADMINISTRATIVE PROCEEDINGS

SUBJECT: DISCLOSURES TO LAW ENFORCEMENT OFFICIALS FOR LAW ENFORCEMENT PURPOSES

SUBJECT: USES AND DISCLOSURES ABOUT DECEDENTS

SUBJECT: USES AND DISCLOSURES FOR ORGAN DONATION PURPOSES

SUBJECT: USES AND DISCLOSURES FOR RESEARCH PURPOSES

SUBJECT: USES AND DISCLOSURES TO AVERT THREATS

SUBJECT: USES AND DISCLOSURES FOR SPECIALIZED GOVERNMENT FUNCTIONS

SUBJECT: DISCLOSURES FOR WORKERS’ COMPENSATION

SUBJECT: DISCLOSURES TO BUSINESS ASSOCIATES

SUBJECT: DISCLOSURES OF DE-IDENTIFIED PHI

SUBJECT: AUTHORIZATIONS

SUBJECT: LIMITED DATA SET

SUBJECT: VERIFICATION REQUIREMENTS

SUBJECT: NOTICE OF PRIVACY POLICIES

SUBJECT: RIGHT TO REQUEST CONFIDENTIAL COMMUNICATIONS

SUBJECT: RIGHT TO REQUEST RESTRICTIONS

SUBJECT: RIGHT TO ACCESS PHI MAINTAINED IN A DESIGNATED RECORD SET

SUBJECT: PATIENT’S RIGHT TO AMEND PHI

SUBJECT: RECORD RETENTION

SUBJECT: ACCOUNTING FOR DISCLOSURES

SUBJECT: COMPLAINT PROCESS

SUBJECT: SANCTIONS

SUBJECT: TRAINING

SUBJECT: RETALIATORY ACTIONS

SUBJECT: E-MAIL USAGE

SUBJECT: FACSIMILE USAGE

MEDICAL RECORDS OFFICERS

COMPLAINT OFFICERS

Authorization for Use and/or Disclosure of Protected Health Information

DATA USE AGREEMENT

NOTICE OF PRIVACY PRACTICES

DOCUMENTATION OF GOOD FAITH EFFORTS

Request for Confidential Communications

Request for Additional Privacy Protections

Request for Access to Protected Health Information

Response to Request for Access

Request for Amendment of Protected Health Information

Response to Request for Amendment

Request for Accounting of Disclosures

EMPLOYEE ACKNOWLEDGMENT OF

SUBJECT: ACCOUNTING FOR DISCLOSURES


SUBJECT: CONFIDENTIAL INFORMATION

PURPOSE: The organization is committed to ensuring the privacy and security of patient health information and will ensure that the appropriate steps are taken to properly identify and secure individuals’ PHI.

POLICY: The organization will establish a mechanism to protect the confidentiality of individually identifiable patient health and financial information from any unauthorized, intentional, or unintentional use or disclosure in accordance with the requirements set forth in 45 CFR 164.530.

  1. The confidential information discussed within this policy includes:
     a. Protected Health Information (“PHI”), which is defined as any individually identifiable health information in any form (verbal, written, or otherwise). Individually identifiable information is information which is:
        ·  Created or received by the organization;
        ·  Relates to past, present, or future physical or mental health or condition of an individual or past, present or future payment for an individual’s health care; and
        ·  Identifies the individual or could reasonably be believed to identify the individual.
     b. Other information related to this organization (i.e. employee, financial and overall business records of the organization).
  2. The health record is the property of the organization and shall be maintained to serve the patient, the health care providers, and the institution in accordance with legal, accrediting, and regulatory agency requirements. The information contained in the health record belongs to the patient, and the patient is entitled to the protected right of confidentiality in regard to this health information. All PHI shall be regarded as confidential and available only to authorized users and recipients.
  3. The types and amount of health information gathered and recorded about a patient shall be limited to that information needed for patient care.
  4. All individuals engaged in the collection, handling, or dissemination of PHI shall be specifically informed of their responsibility to protect patient data and of the penalty for violation of this trust.
  5. The collection of any data relative to a patient, whether by interview, observation, or review of documents, shall be conducted in a setting which provides reasonable privacy and protects the information from unauthorized disclosure.
  6. Patient medical records shall be stored in physically secure areas. When it is necessary for patient records to be removed from such secure locations for purposes of treatment, payment, health care operations, or any other purpose, staff shall take all reasonably necessary precautions to protect the confidentiality of such records. PHI which is stored electronically shall be maintained in both a physically and technologically secured environment according to established policies.
  7. When disposing of a document which contains PHI, the disposing party shall shred the document or place it in a secure receptacle bin to be shredded by an agent of the organization.
  8. Original source patient information, including but not limited to patient records, is not to be removed from the facility by any member of the workforce unless approved in writing by the appropriate Medical Records Officer identified on Exhibit A, attached hereto and incorporated herein by this reference; provided, however, that such information and records may be removed pursuant to a court order which is received and processed in accordance with this manual.
  9. It is the responsibility of the organization and its personnel to safeguard information of patients and to see that pertinent information is available to properly authorized individuals or parties. Access to patient information shall be limited to only those individuals who require such access in order to carry out their obligations to the organization. Any individuals who have access to the organization’s computers are held responsible for the proper use of their access code and maintaining the confidentiality of computer files. Any tampering, duplication, unauthorized or improper use or release of codes or automated system information is prohibited. Examples of the above would include, but not be limited to unauthorized access without permission and/or solicitation. Random audits of access to the organization’s computer systems may be performed at any time.
  10. Except as otherwise provided in this manual, any questions regarding, or requests for the disclosure of, medical information should be referred to the appropriate Medical Records Officer and all disclosures of medical information shall only be made in accordance with, and shall be governed by, the policies contained in this manual. All PHI is confidential and the release of such information will be closely controlled and monitored.
  11. Except as otherwise expressly provided in this manual, the organization is permitted to disclose PHI in accordance with, and in the circumstances described in, this manual. The organization shall be, and is, required to disclose PHI in the following circumstances:
      a. in response to a properly submitted and approved request made by an individual pursuant to the procedure for the Right to Access PHI Maintained in a Designated Record Set or the procedure for Accounting for Disclosures; and
      b. when required by the Secretary of the Department of Health and Human Services to investigate or determine the organization’s compliance with HIPAA.


SUBJECT: PRIVACY OFFICIAL

PURPOSE: To identify an individual responsible for establishing and implementing policies and procedures necessary to protect the privacy of PHI in accordance with state and federal laws.

POLICY: A Privacy Official will be appointed to oversee all ongoing activities related to the development, implementation, maintenance of, and adherence to the organization’s policies and procedures covering the privacy of, and access to, PHI in compliance with federal and state laws and the organization’s information privacy practices.

  1. The Privacy Official will report to the organization’s Board of Directors on a regular basis, but in no event less often than annually.
  2. The Privacy Official may serve in other job functions for the organization.
  3. The details of the Privacy Official’s position and responsibilities will be set forth in a job description which specifically identifies the duties, responsibilities and obligations of such position.


SUBJECT: MINIMUM NECESSARY STANDARD

PURPOSE: While patient information must be available to health care professionals in the process of ensuring proper care, we should avoid disclosing more patient information than needed to perform our respective duties.

POLICY: The organization will establish a mechanism to ensure that only the minimum amount of PHI necessary to accomplish the specific purpose of a use or disclosure is actually used or disclosed in order to comply with the minimum necessary standard in accordance with 45 CFR 164.514(d).

  1. The organization will only request the minimum amount of PHI necessary to accomplish the specific purpose of the request and shall limit permitted disclosures to the minimum amount necessary to meet the needs and purpose of the disclosure; provided, however, that the policies and procedures contained in this Policy Number P-HIPAA-003 shall not apply to the following:
     a. Disclosures to or requests by a health care provider for treatment purposes;
     b. Uses or disclosures made to the individual who is the subject of the PHI;
     c. Uses or disclosures made pursuant to an authorization;
     d. Disclosures made to the Department of Health and Human Services in accordance with an investigation of the organization;
     e. Uses or disclosures required by law; and
     f. Uses or disclosures required for compliance with applicable laws and regulations.
  2. All proposed uses and disclosures of PHI will be reviewed by persons having an understanding of the organization’s privacy policies and practice and sufficient expertise to understand and weigh the necessary factors.
  3. The organization will only use, disclose or request an entire medical record when the entire medical record is specifically justified (which justification shall be documented) as being reasonably necessary to accomplish the purpose of the use, disclosure, or request.
  4. Within the organization, the organization’s personnel will maintain the levels of access to PHI indicated on Exhibit N, which levels of access are necessary to accomplish their duties and responsibilities.
  5. The following criteria will be used in limiting the amount of PHI requested, used, or disclosed by the organization:
     a. A determination shall be made that the requesting individual has a complete understanding of the purpose for the request, use or disclosure of the PHI.
     b. The PHI requested, used, or disclosed shall be of the minimum necessary to accomplish said purpose.
  6. The organization may reasonably rely on the following requests as being a request of the minimum necessary:
     a. Requests by public officials for disclosures which are permitted under the privacy regulations if such official represents that the information requested is the minimum necessary for the stated purpose;
     b. Requests by other covered entities; or
     c. Requests by a professional who is a member of the organization’s workforce or is a business associate of the organization, if such professional represents that the information requested is the minimum amount necessary for the stated purpose.


SUBJECT: TREATMENT OF PERSONAL REPRESENTATIVES

PURPOSE: The organization may encounter patients who cannot act on their own behalf and have personal representatives to act for them, and the organization requires procedures for interacting with such personal representatives.

POLICY: The organization will establish a mechanism to provide for the treatment of personal representatives in accordance with 45 CFR 164.502(g).

  1. For purposes of this procedures manual, “personal representatives” shall be treated as the individual who is the subject of the PHI unless otherwise provided. Therefore, such person(s) shall have the right to exercise any of the individual rights afforded to the individual and the organization shall owe such person(s) the same rights and obligations to which it owes the individual.
  2. For purposes of this manual, the term “personal representatives” shall include:
     a. For adults and emancipated minors, personal representative shall include anyone who is authorized by law to act on behalf of the individual with respect to decisions related to health care. Examples would include a health care power of attorney and a court-appointed guardian.
     b. For unemancipated minors, the parent, guardian, or person acting in loco parentis (collectively referred to herein as the parent) is to be treated as the personal representative unless:
        i. The minor consents to the health care service; no other consent to such health care service is required by law, regardless of whether the consent of another person has also been obtained; and the minor has not requested that the parent be treated as the personal representative;
        ii. The minor may lawfully obtain the health care service without the consent of a parent and the minor, a court, or another person authorized by law consents to such health care service;
        iii. The parent assents to the confidential communication between the minor and the health care provider with respect to the health care service.
  3. If a member of the organization’s workforce receives a request for PHI from a personal representative, he or she should consult with the Privacy Official as necessary in responding to such request.

SUBJECT: DISCLOSURE TO INDIVIDUALS

PURPOSE: For the benefit of patient care and public health, the organization may need to disclose PHI about a patient to him or her.

POLICY: The organization will establish a mechanism to provide for the disclosure to patients of their PHI in accordance with 45 CFR 164.502(a).

  1. Except as otherwise provided in this manual, PHI may be disclosed to the individual who is the subject of the PHI upon request by such individual.
  2. The organization will be required to make such disclosures as described in the Procedure for Treatment of Confidential Information.

If the organization receives a request for PHI about an individual from someone other than that individual, the organization can send the requested information directly to the individual and ask the individual to forward it to the requesting party.


SUBJECT: DISCLOSURE OF PHI TO PERSONS INVOLVED IN AN INDIVIDUAL’S CARE