HIPAA Privacy Compliance Checklist

Transcription

1 HIPAA Privacy Compliance Checklist A Compliance Self-Assessment Tool

2 HIPAA PRIVACY CHECKLIST The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets forth standards for the protection of certain health information. The Privacy Rule standards under HIPAA have been established to address the use and disclosure of individual s health information by organizations such as medical practices and also define the patient s privacy rights to understand and control how their information is used. Each standard is a requirement that the covered entity must comply with respect to an individual s protected health information. Within each standard are implementation specifications that outline details regarding how the standard is to be implemented by the covered entity. How to Use the HIPAA Privacy Checklist The checklist provides a detailed review of each of the compliance requirements under the HIPAA Privacy Rule. The check list has been designed to help practices easily understand what is required of them and evaluate if they are compliant. Each section includes: Review of required standards Implementation specifications under each standard Guidance and easy to understand explanations Assessment guidelines to ensure appropriate compliance Reference for applicable forms. The complete AAPC Physician Service Compliance Toolkit contains over 70 forms that are ready to use or can be customized for your specific medical practice. Forms referenced in the checklist correspond to the applicable forms provided in the Compliance Toolkit. Legal Notice The HIPAA Compliance Checklist does not constitute legal advice, and we are not acting as your attorney. The materials being provided are for informational purposes only and should not be used as a substitute for the advice of competent legal counsel.

3 Notification of Privacy Practice HIPAA Regulation: (a)(1) An individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the medical practice and of the individual's rights and the practice's legal duties with respect to protected health information. Required elements (b)(1) The NPP is required to notify the patient how the clinic may use and disclose their information. This should include: Every practice is required to provide its patients with a written Notice of Privacy Practice (NPP). The NPP must be written in plain language that is easy to understand and must contain certain required elements according to the HIPAA Privacy Rule. Notice of Privacy Practices Notice of Privacy Practice Acknowledgement A description and one example of the types of uses and disclosures allowed by the practice. A description of each of the purposes allowed by the practice to use or disclose PHI without the individual's written authorization. A statement that other uses and disclosures will be made only with the individual's written authorization and they may revoke such authorization. The NPP is required to include information regarding the patient s rights. Patient rights that should be specified include: Right to receive a copy of the NPP Right to request a restriction on the use / disclosure of PHI Right to know that the clinic is not required to agree with a request to restrict PHI Right to inspect and copy their PHI Right to request an amendment of their PHI Right to request an accounting of PHI disclosures Right to request confidential communication The NPP must also include information regarding the practice s legal duties with respect to protecting patient information. Elements must include: Information regarding the practice s legal duties to protect PHI Statement indicating the practice is required to abide by the NPP A statement that the practice may revise the NPP and how they will notify patients of any revisions A statement that individuals may file a complaint regarding privacy, how to file, and that the practice will not retaliate for such actions. Contact information of the practice Effective date of the NPP The NPP contains the necessary information to meet the use and disclosure Privacy Rule requirements. The NPP contains the necessary information to meet the Privacy Rule requirements to notify patients of their rights. The NPP contains the necessary information to meet the covered entities duties for Privacy Rule requirements.

4 The NPP must contain the following statement as a header or otherwise prominently displayed: Provision of notice (c)(2) Practices are required to provide a good faith effort to obtain a written acknowledgement of each patient that they have received a copy of the NPP. Documentation (e) The practice must document compliance with the notice requirements by retaining copies of the notices issued to patients or any written acknowledgments of good faith efforts to obtain such written acknowledgment. THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. The notice may also be provided by if requested by the patient. If the patient refuses to sign the NPP, a clinic may NOT withhold treatment. In these cases, the clinic should note in the chart the patient declined and reason. If NPPs are ed an electronic return receipt can serve as the signature. If NPPs are mailed to patients, the practice should use a return receipt and have the patient mail back the signed NPP or bring it to the practice at the next appointment. The NPP contains an appropriate header. The practice has a written Notice of Privacy Practice that is provided on or prior to the first delivery of service. A copy of the NPP is prominently displayed in the clinic. A copy of the NPP is posted on the practice s website (if applicable). The practice maintains a copy of written acknowledgement of the NPP by the patients. Use and Disclosure of PHI Requiring Patient Authorization HIPAA Regulation: Practices are required to obtain a signed authorization to release protected health information for uses other than treatment, payment, healthcare operations, or as required by law. Elements required to be included in an authorization form (c) PHI Use and Disclosure Authorization Psychotherapy Use and Disclosure Authorization Revocation of Authorization to Use PHI Authorizations must be documented on a form that includes specific elements required by HIPAA. Elements required to be on an authorization form include: A description of PHI authorized for release Name of the clinic or individuals authorized to release the PHI Name of the clinic or individual authorized to receive the PHI Purpose of releasing the PHI Indication the patient may revoke the authorization Indication that treatment is not conditional on signing the authorization (except for research participation or if approval is needed prior to providing insurance coverage) The practice uses an authorization form to obtain approval to use or disclose PHI for all non-tpo related purposes. Authorization forms contain each of the required elements specified by the HIPAA Privacy Rule and is written in plain easy to understand language.

5 Patient signature and date Expiration dates of authorization Providing copies to patients (C)(3), (4) Copies of any authorization document are required to be provided to the patient. Patients are provided copies of their signed authorizations forms. Psychotherapy notes (a)(2) Revoking an authorization (b)(5) Patients are allowed to revoke their authorization at any time. This must be done in writing. A practice must obtain authorization to use or disclose Psychotherapy Notes unless they are used for treatment by the originator of the notes, for training purposes, or for defense in legal cases. Authorization for psychotherapy notes must be obtained in writing using a separate form from any other authorizations. The practice uses a revocation of authorization form to document any patient requests to revoke authorization to use or disclose PHI. Authorizations for psychotherapy notes are obtained in writing using a unique form. Marketing (a)(3) Marketing is defined as communication about a product or service that encourages the recipient to buy something. Authorization is required for any use or disclosure of PHI related to market efforts. Some marketing activities do not require authorization. These include: Face-to-face communication with the patient Reminders of prescription refills General health promotional things such as (but not limited to) annual mammogram reminders, cholesterol screening etc. Appropriate authorization is obtained from the patient in writing prior to using PHI for marketing efforts. Fundraising activities (f) Practices must obtain authorization before using PHI for any fundraising related activities. An exception to this is granted for practices conducting fundraising activities on their own behalf, as long as the information is limited to demographic information and the practice notifies the patient that they may opt out of any such solicitations. Appropriate authorization is obtained from the patient in writing prior to using PHI for any fundraising efforts.

6 Use and Disclosure of PHI Requiring an Opportunity to Agree or Object HIPAA Regulation: HIPAA Privacy Rules allows a medical practice to make certain uses or disclosures of PHI without obtaining a written authorization, provided that the individual is informed in advance of the use or disclosure and has the opportunity to agree to or object to the use. Agreement can be communicated verbally. Facility directories (a) A practice may use patient information to maintain an inpatient directory. The only information that is allowed to be disclosed in the facility s directory is the patient name, general condition, religious affiliation and physical location. This standard typically applies to inpatient settings The patient directory (if applicable) only lists appropriate information allowed under HIPAA Privacy. Disclosing PHI to family members and friends (b) A practice is allowed to share PHI with family members, relatives, close friends or any other person indentified by the patient to the extent the information is necessary for the patients care or payment related to services. Providers and clinical staff should not assume that PHI can be disclosed because the person(s) came with the patient for appointment. It s best practice to ask the patient s permission prior to exam. Patient PHI may also be used in order to help identify, locate or notify family members or their care taker to inform them of the patient s location, general condition or death. Providers only share patient PHI with family members, relatives or close friends after receiving appropriate consent from the patient. Disaster relief efforts (b)(4) PHI may also be disclosed to public or private organizations which are authorized to assist in disaster relief efforts. Information is only to be used for the purposes of locating family members or person s responsible for care of the individual. The only information that is allowed to be disclosed is the patient name, general condition, religious affiliation and physical location. Patient PHI disclosed for purposes of disaster relief efforts is limited to only what is allowed under HIPAA Privacy. Limitations on information that can be shared when the patient is not present (b)(3) In situations where a patient is not able to agree or object (e.g. the patient is not present, incapacitated or in an emergency) the provider is allowed to disclose PHI, but it must be based on their professional judgment to determine if disclosing PHI is appropriate and in the best interest of the patient. Information shared under circumstance where the patient is not present is based on the physician s judgment and strictly limited to information relevant to the other person s involvement with the patient.

7 Use and Disclosure of PHI That Do Not Require Authorization or an Opportunity to Agree or Object. HIPAA Regulation: , HIPAA Privacy Regulations allows medical practices to use and disclose a patient s protected health information under a number of circumstances that do not require authorization from the patient. The following section outlines these allowable uses and disclosures. Use and Disclosure to Carry Out Treatment, Payment or Healthcare Operations (TPO) A practice may use and disclose PHI for treatment, payment or healthcare operations without the consent or authorization of their patient. Treatment: Treatment includes employees of the practice or individuals who work for the practice that use PHI in order to treat the patient or assist in treatment of the patient such as ordering or interpreting lab tests, prescribing medications, communicating with a hospital or others who may assist in the care of the patient. Disclosure of PHI for non-treatment related reasons is not allowed without appropriate authorization. Other non-tpo allowances HIPAA privacy regulations allow practices to use or disclose PHI for the following purposes without a signed authorization or opportunity for the patient to reject. HIPAA requires each of these uses be identified in the practice s Notice of Privacy Practice. Notice of Privacy Practices Payment: Payment includes disclosing PHI in order to bill and collect payment for medical services. Activities include, but are not limited to: Establishing insurance eligibility and coverage Billing and collections Review of PHI for medical necessity Disclosing PHI to third party agencies for billing services or collections. Operations: Practice can use and disclose PHI that is necessary to operate their business. For example, scheduling appointments, healthcare training, evaluating quality of care. Non-TPO Allowances: The disclosure is required by law (a) To public health organizations responsible for collecting data (e.g. disease, injuries, birth, death, public health surveillance, public health investigations) (2) To report child abuse or neglect cases to appropriate authorities To report or track FDA related events such as drug recalls (b)(1) To monitor workplace medical surveillance or other OSHA activities (b)(2) To report suspected abuse, neglect or domestic violence to appropriate authorities. In most cases the practice is required to information the patient that they have reported or intend to report this information. (c)(2) For health oversight activities required by law (e.g. licensure, government benefit programs, inspections) (d) In response to judicial proceedings or other law Disclosure of PHI for non-payment related reasons is not allowed without appropriate authorization. Disclosure of PHI for non-operational related reasons is not allowed without appropriate authorization. As required by HIPAA, the practice has included these uses in its Notice of Privacy Practices to patients.

8 enforcement purposes such as subpoenas, warrants or other lawful purposes (e), (f) For cadaveric organ or tissue donations (g) For research subject to approval by an institutional review board (j) To report serious threat to public health and safety For workers compensation cases For specialized government functions deemed appropriate by government authorities (k) Other Requirements Relating to Uses and Disclosures of Protected Health Information HIPAA Regulation: Additional restrictions related to how a practice can use patient protected health information includes the following: De-identification of PHI (a) For information to be considered de-identify, a practice must remove the following identifiers: A practice may use PHI to create information that is not individually identifiable. This is referred to as de-identified information. Once information has been de-identified, it is no longer subject to HIPAA regulation. Minimum necessary disclosure (d) General compliance to the HIPAA Privacy standard requires that a practice restricts the use or disclosure of patient protect health information to the minimum necessary amount of information needed to accomplish the intended purpose of the request. Names Street address, county, city, and zip code details. Any specific dates related to birth, death or medical care. (the year is permitted to be retained). Phone, fax numbers, and addresses Social Security Numbers Any other identifying element such as (but not limited to) certificate or license numbers, IP addresses, biometric identifiers such as fingerprints, photographs etc. As part of fulfilling the implementation of the minimum necessary standard, practices are required to identify and document those staff within the practice that need access to PHI based on their job responsibilities and the categories or type of information those individuals or job positions require. The practice removes all specified data elements required by HIPAA before using or disclosing de-identified information. i.e. 45 year old non-smoker. Job descriptions for each position of the clinic identify the type of PHI necessary in order to fulfill that job responsibility. Each staff is given access to PHI based on their assigned job responsibility according to their job description. Non-routine requests for PHI need to be reviewed on an individual basis and should be limited accordingly. The practice may rely on the judgment of the individual making the request to determine the minimum necessary information. The practice has a formal process in place to review and approve all non-routine requests for disclosure of PHI.

9 Use of limited data sets (e) Practices may disclose PHI for research or other public health purposes using a limited data set. The limited data may be used in lieu of an authorization from the patient. Data Use Agreement For data to qualify as a limited data set it must have all direct identifiers removed that fall under the deidentification standard, with the exception of the following elements that are allowed to be retained: Town or City, state, and zip code Birth date, admission date, discharge date, date of death. If researchers need more information than what is provided in a limited data set, they may submit a waiver of authorization to the practice. Prior to disclosing a limited data set, the practice has obtained a Data Use Agreement with the entity who will be receiving the limited data set. Beyond the use of appropriate limited data sets, the practice does not disclose any PHI for research purposes without an authorized waiver from an IRB (institutional review board). Patient Rights to Request Restrictions of Their Protected Health Information HIPAA Regulation: Patients have the right to request restrictions on how their PHI can be used by the practice or how a practice should communicate with a patient. However, practices may not be required to agree to the restrictions. The following section outlines key elements associated with the practice s responsibilities regarding restriction requests. Patient requests for restrictions of use and disclosures (a)(1) Patients may request restrictions on the use of their personal health information. These restrictions must be followed if agreed upon by the provider. However, practices are not required to agree to such restrictions under certain circumstance. Request for Restriction of PHI Response to Request for Restrictions of PHI Patients may not make requests to restrict use and disclosures that are required by law or for worker compensation cases. If the provider, using professional judgment, feels a request is not in the best interest of the patient the practice is not required to comply with the request. All requests for restrictions of use and disclosure should be documented and approved by the practice. Beginning in February 2010, patients may request PHI be withheld from insurance companies if it is related to payment and healthcare operations. The practice must comply with the request as long as the patient has paid for the complete service out-of-pocket and no payment is being made by the insurance company. Note: A patient may no longer request PHI be withheld from an insurer if it is related to treatment purposes. All requests by patients for restrictions related to their protected health information are done in writing and signed by the patient. Denied requests by the practice are made in writing and provided to the patient. The practice retains a copy on file. Handling of patient requests for restrictions is in accordance with the updated HIPAA standards as of Feb Terminating a request for restrictions (a)(2) A practice may terminate its agreement to restrict the use and disclosure of patient information under the following: The patient agrees to the termination in writing The patient agrees to the termination verbally (the oral agreement must be documented). The practice notifies the patient it is terminating the agreement. In this case, the termination is only effective with respect to PHI received after the patient has been informed. Termination agreements are documented and kept on file.

10 Confidential communications (b)(1) A practice must permit and accommodate reasonable requests by individuals to receive communications of PHI from the provider by alternative means or at alternative locations. Request for Confidential Communication Response to Requests for Confidential Communication Patients have the right to request that a provider s communication with them is conducted in a specified and confidential manner. For example, this may include communicating with patients by phone at work instead of at home or communicating through . Requests that are unreasonable or may result in added costs to the practice can be denied. The practice is not allowed to inquire as to the reason for the request by the patient. All requests for confidential communication must be documented and approved by the practice. All requests by patients for confidential communication are done in writing and signed by the patient. Denied requests by the practice are made in writing and provided to the patient. The practice retains a copy on file. Patients Rights to Access Protected Health Information HIPAA Regulation: Patients right of access (a) An individual has a right to access, inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record. Request to copy or inspect PHI A designated record set is entails records maintained by the practice that include medical or billing information, information maintained by a health plan (e.g. enrollment, payment, claims, and case management files), and information used to make decisions about the patient. Note: Information maintained, but not used to make decisions about the patient, falls outside of the designated record set and is exempt from access. The practice is required to document individual requests for access to PHI including the designated record sets and title of the person responsible for receiving and processing the request. The practice requires a patient to submit a written request to access patient information. Timely access (2) When a patient requests in writing the opportunity to inspect or copy their PHI the practice must act upon the request in a timely manner. The practice must act upon a request for access to a patient s PHI within 30 days if the PHI is accessible on-site. If the PHI is not located on-site the practice has to respond within 60 days. If the practice cannot comply with the time frame, it may extend the time by 30 days by providing a written notice to the patient prior to the 30 or 60 day deadline. Patients have a right to inspect and or obtain copies of the requested PHI. A summary of the PHI may be provided in lieu of the actual information as long as the patient has agreed in advance to receive a summary. All written requests for access to PHI are addressed within the prescribed time requirements under HIPAA Privacy Rules. NA

11 Fees (4) The practice may charge reasonable fees for the following: Copying costs such as supplies and labor time Postage (if the request is to be mailed) Time required preparing an explanation or summary (only if a summary is being provided in lieu of the actual information). Note: States may impose legal maximums allowed by medical practices. You should check with your State to ensure compliance. Fees charged are appropriate under HIPAA Privacy Regulations and do not exceed State legislated maximums. Denying Access (a), (d) The practice may deny an individual s request to access their PHI. Response to Request to Inspect PHI Review of Denial To Inspect PHI (a)(2) In some cases a denial falls under the category of what is known as unreviewable grounds for denial. In other words, the practice does not have to provide access to the information, and the patient does not have the right to a review of the decision to withhold the information. Information that can be withheld on grounds of unreviewable denial includes the following: Psychotherapy notes Any information related to civil, criminal or administrative proceedings Information subject to Clinical Laboratory Improvement Amendments Information acquired under a promise of confidentiality Information related to research that includes treatment may be temporarily suspended for as long as the research is in progress. A correctional institution has restricted the request believing it would jeopardize the health or safety of the individual or other inmates (a)(4) Denial for information may also fall under reviewable grounds. In these cases, the practice may withhold information, but the patient may request a review of the decision. If the decision is reversed based upon the review, the practice is required to provide access to the requested information. A practice is required to have a process in place for an independent review of decisions to withhold information. This review must be conducted by a licensed healthcare professional who was not involved in the original decision to withhold the information. The practice appropriately denies access to PHI that would be required under unreviewable grounds. The practice has a formal policy in place for independent reviews of denials for requests to access patient information. The practice promptly provides written notice to the individual regarding the determination of the review.

12 (a)(3) Information that can be withheld on grounds of reviewable denial includes the following: Any PHI a licensed healthcare professional has determined that accessing may endanger the life or safety of the individual or another person. Information that makes reference to another person (that is not a healthcare provider) and it is deemed that access may cause harm to the other person (d)(2) Any denials must be provided to the patient in writing and include a description of how the patient or individual may complain to the practice or to the Secretary of Health and Human Services. The document must include the name, title and contact information of the designated contact for the clinic to handle complaints. The practice does not provide access to requests for PHI under circumstances allowed by the HIPAA Privacy Rule. Patients are informed in writing if access to any part of their medical record information has been withheld. The form includes the necessary contact information and explanation of how to submit a complaint. Accounting for Disclosures HIPAA Regulation: Patient s have the right to request and receive an accounting of how their health information has been disclosed by the practice, or by the practice s business associates. Provisions of Accounting (c) If requested by a patient, a practice is required to provide an accounting for certain disclosures of PHI. The accounting does not need to include disclosures related to Treatment, Payment or Healthcare Operations (TPO). Note: Under 2009 health reform, a practice is now required to include ALL non-oral disclosures for (treatment and payment) in its accounting of disclosures. This only applies to practices utilizing electronic medical records and electronic data. The practice must provide one free accounting per 12- month period. Beyond this, the practice may charge a reasonable fee for administrative effort. The accounting must be provided with-in 60 days after receipt of the initial request. The request may go back as far as 6 years from the date of the request. The practice has an established policy regarding accounting disclosures. Patients are given access according to the established policy.

13 Content of the accounting (b) The accounting provided to the patient must include the following information: Date of the disclosure The name and address of the entity information was disclosed to A description of information shared The purpose of the disclosure The frequency of the disclosure Date of the last disclosure during the accounting period The report of PHI disclosures provided to a patient contains the required information by HIPAA Privacy standards. Right to an Accounting (a) Report of PHI Disclosures A practice is required to keep a recorded accounting of its disclosures of PHI. Some disclosures are not required to by logged / recorded. These include: To carry out treatment, payment and health care operations as providers Disclosures pursuant to an authorization For reporting neglect or abuse For national security purposes PHI that is part of a limited data set for research Disclosures that occurred prior to April 14, 2003 In addition, a practice may temporarily exclude logging a disclosure of PHI made to a health oversight agency or law enforcement agency as long as the entity has provided a written request to exclude the disclosure for a set period of time. Once the requested exclusion date has passed, the practice must record the disclosure. The practice maintains a record of disclosures that are required by HIPAA Privacy standards. Exceptions to reporting disclosures are clearly noted in the practices policy and procedures and are in compliance with the Privacy Rule standards. Documentation (d) Request for Accounting of Disclosure of PHI Accidental disclosures may occur such as faxing PHI to the wrong number. In these cases, the practice is required to log the disclosure and may need to notify the patient if the disclosure is potentially harmful to the patient. The practice must document and retain a written accounting of disclosures provided to an individual along with the name and title of the employee who was responsible for receiving and processing the request for disclosure. Accidental disclosures of PHI that the practice is made aware of are documented in the disclosure log including what actions were made by the practice to mitigate the incident. All requests for an accounting of disclosure are submitted in writing. The practice maintains these requests as required by HIPAA.

14 Amendment of Protected Health Information HIPAA Regulation: An individual has the right to request and have a practice amend their protected health information. Timely action (b) Request to Amend Patient Records A practice is required to act upon a request within 60 days. If the practice cannot complete the amendment within the 60 days, it must include a copy of the request in the patient s designated record. The Practice has policy allowing an individual to request an amendment to PHI. Requests are required in written and kept in the patient s medical record. Denying a request (b) Response to Request to Amend Patient Records A practice may review and deny an individual's request for amendment if the information: Was not created by the practice Is not part of the records maintained by the practice Is determined to be accurate and complete All denials must be provided in writing to the patient and include the reason for the denial along with an explanation of the patient s rights to submit a written statement of disagreement. The patient may request their letter of disagreement be included as a part of the designated medical record. Any denial of requests is provided in writing to the patient and a copy retained in the patient medical record. When applicable, the practice includes the statement of disagreement in any disclosure of PHI with which the disagreement relates. Accepting a request (c) Response to Request to Amend Patient Records Notice of an amendment (e) If a practice accepts the requested amendment, in whole or in part, they must comply with the following requirements: Make the appropriate amendment Inform the individual that the amendment is accepted Make reasonable efforts to inform and provide the amendment within a reasonable time to other entities or practices who received the PHI. If your practice is informed by another entity of an amendment to an individual's PHI, you must amend the protected health information in your designated record sets. Approval of requests is provided in writing to the patient and a copy retained in the patient medical record. Amendment requests received by the practice have been properly corrected in the patient records. All applicable documentation is retained by the practice.

15 Administrative Requirements HIPAA Regulation: Designation of a Security Official (a)(1) Privacy Officer Job Description A practice must designate a privacy official who is responsible for the development and implementation of HIPAA policies and procedures. The privacy officer is responsible for overseeing all activities related to developing and implementing policies and procedures associated with HIPAA compliance for the practice and ensuring the practice stays current with any changes. The practice has an assigned Privacy Officer Managing Complaints (a), (d), (g) Patient Complaint Form Handling of Patient HIPAA Complaints Employee Training (b)(1) A practice must train all members of its workforce on the policies and procedures with respect to PHI as necessary and appropriate for the members of the workforce to carry out their functions within the practice. Employee Compliance Training Log (a),(d) A practice must provide a process for individuals or patients to make complaints concerning HIPAA privacy issues. The practice is also required to have a designated contact person responsible for receiving and managing the complaints. All complaints received must be documented along with their disposition, if any (g) A practice may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual who files a complaint. Tip: The practice may consider implementing an anonymous reporting system that can be used by employees or others to notify the practice of any HIPAA privacy issues or concerns. Such a system may include a drop box or contracted service for a compliance hotline. All employees are required to be trained on the provisions of the HIPAA Privacy Rule. Note: There is no current training standard required by HIPAA. Training may be conducted in a formal classroom setting, reading and signing materials, computer-based, distance learning or other methods deemed appropriate by the clinic (b)(2)(A-C) All new employees are required to be trained on HIPAA shortly after employment begins. The practice has established an individual for receiving and responding to patient complaints. The practice has a formal process in place to receive and respond to patient complaints. The practice maintains appropriate documentation of all patient complaints and actions taken by the clinic. The practice has stated in its policy and procedures clear guidelines to ensure individuals are assured no retaliatory action for good-faith reports of noncompliance. Standard training and review of associated clinic policy and procedures on HIPAA privacy rules has been provided to all employees of the clinic. Annual refresher training is conducted by the clinic as appropriate.

16 Disciplinary Policy (e) Employee Disciplinary Action Employee Confidentiality Agreement Employees whose job functions are affected by any material change to HIPAA regulations or changes to the clinic s policies or procedures (associated with HIPAA) are required to receive updated training (b)(2)(C) (ii) All HIPAA training is required to be documented by the practice (g) A practice must have a sanctions policy in place that applies appropriate disciplinary action against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity. The practice must document any sanctions that are applied to an employee. All employees should receive, read and sign a confidentiality agreement indicating the employee s responsibilities and expectations for maintaining patient privacy of PHI. New employees receive HIPAA training shortly after being hired. The practice maintains a log documenting all employees training. The clinic has an established sanctions policy outlining disciplinary actions based on the severity of the HIPAA violation. Any sanctions or actions imposed by the practice on an employee have been documented, signed and dated. A copy is maintained in the employees file. All employees of the clinic have signed a Nondisclosure / Confidentiality Agreement. Mitigation of Inappropriate Disclosure (f) A practice is required by HIPAA to mitigate, to the extent practicable, any harmful effect that is known to the practice resulting from an inappropriate disclosure of PHI. HIPAA Incident & Resolution Policy and Procedures (i)(1) A practice must implement policies and procedures to protect PHI in accordance with the HIPAA Privacy Rule standards. If a violation occurs, practices are required to implement a corrective action plan that outlines the specifics of the violation, what the practice did to mitigate any damage/harm, any disciplinary action taken, and what action was taken to prevent any future incidents. The policies and procedures should be reasonably designed, taking into account the size and the type of activities of the practice to ensure compliance. The policies and procedures may be maintained in paper or electronic form. The practice maintains a corrective action plan. The practice maintains a set of policy and procedures related to HIPAA Privacy.

17 Changes to policies and procedures (i)(2)(ii), (i)(3) Practices are required to change its policies and procedures as necessary and appropriate to comply with changes to HIPAA laws. The appointed privacy officer for the practice should be responsible for being aware of all HIPAA laws and staying abreast of any changes. If these changes materially affect the content of the Notice of Privacy Practice (NPP), the practice is required to make appropriate revisions to the NPP. The practice regularly reviews its HIPAA privacy policy and procedures and updates them as necessary. Documentation and Retention Requirements (j)(1) Practices must maintain all HIPAA related records, documents and communication. Business Associates A practice may permit a business associate to create, receive, maintain, or transmit protected health information on the practice s behalf only if the practice obtains satisfactory assurances that the business associate will appropriately safeguard the information. Business Associate Agreement Business Associate Checklist Note: Additional information regarding Business Associates can be found in the HIPAA Security Rules ( ) A practice is required to documents its policies, procedures, forms, training and any problems and resolutions related to HIPAA Privacy. The retention period required by HIPAA for all related documentation is six (6) years from the date of its creation or the date when it last was in effect, whichever is later. This requirement does not apply to medical record retention. State laws determine retention standards for medical records. A business associate is any business or individual that is not a part of the practice s workforce that provides a service for, or on behalf of the practice where PHI is shared or may be accessed. For example, this may include billing companies, consultants, EMR vendors, clearinghouses, accountants etc. A practice is required to have each business associate sign a written contract that allows them access to PHI. The contract must outline the obligations of the business associate regarding assurances for HIPAA compliance and termination provisions for the agreement. Business associate agreements are not required for the following: Treatment or payment purposes Research conducted by the practice, with the patients authorization or under an IRB (institutional review board) Courier or mail services Janitorial services provided to your practice All HIPAA related records required to be maintained are retained by the practice for a minimum of 6 years. The practice maintains a list of all Business Associates. All Business Associates of the medical practice have signed a business associate agreement.

18 Practice Safeguards The HIPAA Privacy Rule requires practices to ensure the safeguard of Protected Health Information (PHI). Practices are expected to make good faith, reasonable and appropriate effort to establish the necessary safeguards to comply with the Privacy Rule requirements. The following section outlines safeguards that a practice should have in place to help maintain compliance and ensure protection of patient information. Patient Sign In Sheets Verifying Patient Identities (h) Sign in sheets are permitted under HIPAA as long as they have limited information about the patient and do not have any identifying information, other than the patient name. The practice is required to verify the identity of any patient requesting his/her own protected health information. Examples of information that can be used to identify a patient includes, but is not limited to: Date of birth Zip code Address Mother s maiden name Last 4 digits of social security number Driver license Patient Sign-in sheets are limited to patient name, appointment time, and time of arrival. Patients who call over the phone are required to provide 2 identifying pieces of information. Phone Message and Appointment Reminders Patient Privacy Appointment reminders can still be mailed to patients, but any information should be limited to the patient s name and date / time of the appointment. No other information should be used. The practice may leave phone messages with patients regarding test results, appointment reminders or to schedule an appointment. Information left on a phone message should be limited to the patient s name, their doctor s name and phone number and date / time of the appointment. A practice should make reasonable precautions to prevent inadvertent disclosure of PHI. These safeguards are not specifically mandatory, but should be considered when evaluating if they are reasonable to implement. Appointment reminder cards contain only the patient name and date and time of an appointment. Phone messages left by the clinic are limited to the patient s name, physician contact information and date/time for an appointment. Exam rooms or clinic doors are closed before engaging in any discussion of PHI. Fax and telephone answering machines are place in a secure area where patients can not readily access them. If possible, use cubicles or dividers to help promote confidentiality when registering or checking out patients. When sending EOBs (explanation of benefits) to secondary carriers, any PHI that is not applicable to the claim is blacked out.

19 Photographs The use of photographs of patients is permitted by HIPAA as long as these are kept away from public view or appropriate patient authorization has been obtained. OB providers may hang new baby photos in a specific area, but must have written consent by their parents. Baby names should be removed from all pictures prior to displaying for public view. The practice maintains any pictures of patients in a secure file, not accessible to the public. Faxes Fax and Disclaimer Statement Fax Transmission Log s Fax and Disclaimer Statement Faxes and s are allowed to contain PHI for treatment, payment and healthcare operation (TPO) purposes. Practices are required to be able to account for where PHI has been faxed. In addition, fax cover sheets are required to have a privacy disclaimer on them. Tip: Best practice is to use a fax confirmation sheet that is maintained in the patient record that shows the front page with the faxed to information. All faxes containing PHI have a privacy disclaimer on the cover sheet. The practice maintains a fax log which is used to track / document faxes containing PHI. A confidentiality disclaimer is included at the bottom of all s sent by the practice. Electronic Transaction Code Set Rules Under HIPAA, practices are required to use standard transactions and standard code sets for electronic transmission of patient health information. The following section highlights the requirements and compliance steps for your practice. Standards for Electronic Data Interchange HIPAA adopted certain standard transactions for Electronic Data Interchange (EDI) of health care data. Under HIPAA, if a practice conducts one of the adopted transactions electronically, they must use the adopted standard. This means that they must adhere to the content and format requirements of each standard. Transaction and Code Set (TCS) Checklist The following standards apply to EDI transactions: X12N 837 (health claims or equivalent encounter information) X12N837 (Coordination of Benefits) X12N835 (Payment and Remittance Advice) X12N834 (Health Plan Enrollment and Disenrollment) X12N820 (Health Plan Premiums) X12N 270/271 (Eligibility for Health Plan Inquiry / Response) X12N 278 (Referral Certification and Authorization) X12N 276/277 (Healthcare Claim Status Inquiry / Response) In general most practices depend on their software vendors and clearinghouses when it comes to compliance with these standards. Software used by the practice manages electronic transactions using the HIPAA compliant format.

20 Diagnosis and Procedure Codes HIPAA also adopted specific code sets for diagnosis and procedures to be used in all transactions. The following are the adopted code sets for procedures, diagnoses, and drugs which are to be used by all providers. HCPCS (Ancillary Services/Procedures), CPT-4 (Physicians Procedures) CDT (Dental Terminology) ICD-9 (Diagnosis and hospital inpatient Procedures) ICD-10 (As of October 1, 2013) NDC (National Drug Codes) The practice conducts regular coding and documentation audits to ensure appropriate use of HIPAA diagnosis and code sets. Upcoming Changes Recent health reform has resulted in several modifications to HIPAA as it relates to Electronic Transaction Standards. These changes adopt new transaction standards to be used for Medicaid pharmacy subrogation and also 2 new standards for billing retail pharmacy supplies and professional services. Upcoming changes include: Update ASC X12 Version to 5010 (Jan 2012) Update NCPDP to Version D.0 (Jan 2012) New standards for Medicaid subrogation for pharmacy claims, NPDP Version 3.0 for small health plans beginning Jan ICD-10-CM (October 2013) N/A National Provider Identifier HIPAA adopted standards for unique identifiers for Employers and Providers. The purpose of the National Provider Identifier (NPI) is to standardize the way of identifying the provider of services being rendered to patients. In general, practices need only be concerned with ensuring proper use of the standard identifier on insurance forms when required. National Provider Identifier The NPI is a 10 digit number used as an identifier for all payers and all HIPAA transactions. Centers for Medicare and Medicaid are responsible for implementing and enforcing the use of NPIs. Information can be obtained from CMS on how to apply for an NPI. There are 2 types of NPIs. One for individuals such as doctors and nurse practitioners; the other is for healthcare organizations such as hospitals, labs and group practices. Any individual provider who is a sole proprietor must have both types of NPIs. Non solo practices may need to obtain separate NPIs depending if they have subparts (such as satellite offices or pharmacy). NPIs may not be changed, however, information such as names, addresses, ownership etc. may change. When a new NPI is established all partners (e.g. health plans, vendors, and business associates) must be notified of the new NPI. Each provider requiring and NPI has obtained one. Information / Documentation of the NPI have been retained and are readily available. National Employer Identifier The purpose of the National Employer Identifier is to standardize the way of identifying employers of each patient. The identifier is the tax id number provided and maintained by the IRS (EIN). All business entities are required to utilize the National Employer Identifier. The practice has obtained an appropriate EIN from the IRS. Information / Documentation of the EIN have been retained and are readily available.