How To Protect Your Health Information In The United States


El Paso Integrated Physicians Group
Policy Name: HIPAA Compliance Program
Policy Number: OP95
Effective Date: 4/1/2014
Supersedes Policy Dated: 9/20/2013
References: HIPAA, 2009 HITECH Act Amendments. Decision Health HIPAA Program builder and HIPAA Answer Book.

POLICY

All staff, contract providers and business associates of El Paso Integrated Physicians Group, P.A. (EPIPG) are required to comply with the requirements of HIPAA and other federal and state laws concerning the protection of private health information (PHI). Violations of HIPAA and other related laws may result in very stiff penalties.

PROCEDURE

1. Privacy Officer: EPIPG shall assign a Privacy Officer. A copy of that assignment shall be maintained in the records of the practice. The Privacy Officer is responsible for the development of policies and procedures related to HIPAA and other privacy requirements. The Privacy Officer shall also oversee compliance activities related to privacy issues and shall serve as the contact person for handling complaints related to HIPAA.

2. Security Officer: EPIPG shall assign a Security Officer. A copy of that assignment shall be maintained in the records of the practice. The Security Officer is responsible for conducting and maintaining an assessment of information systems within the practice and resolving any security weaknesses that may be identified. The Security Officer is also responsible for conducting staff training related to information security and HIPAA requirements.

3. Annual Security Risk Analysis and Management Plan: Each year the Security Officer is responsible for conducting an extensive security risk analysis and developing a management plan to address the various risks. This process shall be documented in a Security Risk Analysis and Management Plan that shall be provided to the Practice Administrator.
The plan shall address physical and electronic risks to information and ensure that all information related activities are in compliance with governmental requirements.

4. Notice of Privacy Practices: Each patient is to be provided a copy of EPIPG's Notice of Privacy Practices (NPP) upon the patient's first visit to our practice. HIPAA requires that, except in emergencies, we must make a good faith effort to obtain written acknowledgement that the patient received the NPP. If a signature is unable to be obtained or the patient refuses to sign, then the staff member responsible for providing the NPP must document why he/she could not obtain the signature. It is not necessary to obtain a new written acknowledgement after making a change to the NPP. When a new NPP is issued, it shall be updated on the EPIPG website(s). It shall also replace the old notices posted in the clinic. In addition, the new NPP notices shall be made available to patients as they return to the clinic for subsequent visits. The NPP will be provided to anyone who requests it, not just patients. Copies of all versions of the NPP must be retained for a minimum of six years.

5. Minimum Necessary Standard: Reasonable efforts are required to limit use and disclosure of individually identifiable protected health information (PHI) to the minimum level necessary to comply with requests and meet the needs of the patient. To that end, it is expected that each employee and associate of EPIPG access, use, and disclose only the minimum amount of information necessary to accomplish their assigned tasks. The EMR system has been designed to limit access to those functions necessary to carry out the responsibilities of a specific role within the practice. However, the ability to access information within the system does not constitute a right to access or use that information. Access is allowed only if directly relevant to a specific role and to a patient for which an individual is legitimately involved. The following shall serve as guidelines for necessary access:

A. Provider Staff: Provider staff shall limit their access to patients for which they have active involvement or for which they have been requested to review records for medical or operational reasons. Providers have generally unlimited access to the records for patients that are under their care or for which a medical consult has been requested. The only exception might be a private note within the EMR that may only be accessed by the producer of that note. They are to have limited access when accessing charts for other purposes, that access being limited to only the purpose for which they must review the chart. An example may be the conduct of a quality review.

B. Medical Assistants and Other Clinical Staff (including residents/students): Medical Assistants shall limit their medical record access to patients for which they have active involvement, and only at such times as they are actively addressing the patient's needs. They may only access patient records while they are on duty in their assigned clinic. They may access records for their own provider or while covering for another provider.
They may not access the charts of any patients for which they are not actively involved in assisting a provider, unless they have been assigned an administrative task by a supervisor or manager that requires such access. They may not access records of a friend, relative or staff member unless they are assisting their assigned provider in the care of that individual. This does not limit the ability to enter a telephone encounter if called by a relative or friend.

C. Front Office Staff: Front office staff shall limit access to those areas of the chart necessary to complete scheduling, registration, out-processing and related functions. Members of the Front Office staff should not view progress notes or other clinical areas of the patient record, unless there is a necessity to obtain information on behalf of a patient or a member of the clinical staff. Front Office staff may not access records of a friend, relative or staff member unless they are actively involved in scheduling, registering or otherwise processing that record.

D. Business Office Staff: Business Office staff generally shall operate within the claims area of the EMR software and should not routinely access clinical records except as necessary to check coding or to obtain documents required by a third party payor. Business Office staff may not access records of a friend, relative or staff member unless they are actively involved in billing/collection activities, obtaining authorizations or otherwise engaged in assigned responsibilities related to that record.

E. Administrative & IT Staff: The Administrator, the IS Coordinator, the President and the technical staff at Velocity (the EMR system host) are the only personnel authorized unlimited access to the EMR system. Each of these individuals is involved in and/or responsible for all aspects of EMR system operations. The IS Coordinator and Velocity staff members are not authorized to use PHI as a function of their IT responsibilities. However, due to the nature of their role, they will have frequent access to PHI. This access is only for the purpose of addressing technical system issues and is not construed to allow for review of or disclosure of PHI. The Administrator and President have the authority to access all components of the EMR system. However, their access to PHI is limited to only that information that is necessary to perform their required functions. The Administrator and President are the only individuals with the authority to determine access level permissions for the various roles. The IS Coordinator is authorized to implement those permissions within the system.

6. Authorization to Release Information: Authorizations to release information are to comply with policy OP50 on the Release of Patient Information. EPIPG has engaged the services of Datafile (an external agency) to address requests for third party information release. The terms of that relationship are outlined in a contract that requires compliance with HIPAA and related laws and regulations. Other than routine document provision to third party payors for the purpose of obtaining certifications/authorizations and payment, information requests are generally to be routed through Datafile in accordance with the provisions of our agreement. Exceptions to the use of Datafile for release of information require the approval of the Clinic Manager, Administrator or President.

7. Request to Restrict PHI to Insurance: In accordance with HIPAA and related regulations, patients have the right to request restriction of their PHI to their insurance company if they, or someone else on their behalf, pay in full for the treatment or service out of their own pocket. EPIPG's requirement is that the patient completes a Request to Restrict Disclosure to Insurance form and payment is made prior to the receipt of the treatment or service. The amount of payment shall be the amount in the Self-Pay fee schedule.
If the treatment or service requires a precertification, then the patient must complete the form and payment must be made prior to the time a precertification is sought. The Notice of Privacy Practices informs the patient that the form to make such a request is at the front desk. If any member of the staff is informed by the patient of such a request, he/she is responsible for informing the patient of the process. Prior to completion of the form and payment, the patient will need to be counseled by his/her provider on the possible impact of the requested restriction, to include a possible impact to future approvals/payment for treatment by the insurer. If a patient is in an HMO that does not allow the patient to pay out of pocket for items other than cost sharing, such as copayments, you may be required to inform the patient that he/she will need to visit a non-network provider to obtain the treatment/service. If the procedure is part of a bundled service, you must inform the patient of issues related to unbundling the service and its impact, or that the patient might need to pay for the entire bundle of services in order to restrict the PHI. Counseling related to this request shall be documented in the medical record. In this event, contact the Administrator for a review of the payor's contract with the practice. It will also be necessary to make the note a confidential note within the Billing window in the progress note by clicking either the Visit Code or Procedure Code section of the note and clicking on Confidential Note. Select Do Not Send to Insurance as the note type. Also include a Global Alert in the EMR in order to warn personnel not to send records related to the applicable treatment or service to the insurance company. In addition, the visit must be classified as Non-billable immediately in order to ensure that a claim is not produced and forwarded by the business office.
Front desk personnel are to notify the Clinic Manager upon a request for this restriction. The Clinic Manager is responsible for making sure that all components of this procedure are followed and for notifying the Administrator of the request. The Clinic Manager shall also ensure that the form is scanned into the patient record.

8. Request to Restrict PHI Other Than to Insurance: Patients have the right to request restriction of their PHI. Except for the insurance provision outlined above, EPIPG is not required to grant the request, though it is required to accept and respond to the request. If EPIPG agrees to the request, it must honor it and not release the affected PHI unless it is needed to provide emergency medical treatment to the patient, and the practice must request that the released PHI not be used beyond that purpose. Requests to restrict PHI may not be used to prevent use or disclosure if HHS requests the PHI in order to determine compliance or the use or disclosure is otherwise required by law or to protect public health. If a patient requests a restriction of their PHI, they will need to complete a Request to Restrict disclosure of Information (Other than to Insurance) form. The Notice of Privacy Practices informs the patient that the form is available at the front desk. If any member of the staff is informed by the patient of such a request, he/she is responsible for informing the patient of the process. After completion of the form by the patient, it is to be provided to the Clinic Manager for review and presentation to the patient's primary physician at EPIPG for review. The Clinic Manager shall then provide the form along with any feedback from the physician to the Administrator. Only the Administrator or President is authorized to make a decision concerning the request for restriction. That decision shall be documented on the form and scanned into the patient record.

9. Request to Amend PHI: Patients have the right to request that amendments be made to their PHI. EPIPG is not required to grant the patient's request. If the request is not granted, the patient has the right to file an appeal or to complain about the denial. A request to amend PHI must be sent to the practice in writing.
The Notice of Privacy Practices instructs patients to mail their request to EPIPG, Attn: Privacy Officer at P.O. Box 3157, El Paso, TX. If a patient wishes to deliver his/her written request in person, any member of the practice may accept it and provide it to the Privacy Officer. Once received, the Privacy Officer shall ensure the request is scanned into the patient's record and review the request with the provider responsible for production of the original record, or if not available, the President. EPIPG has 60 days to respond to the request. If there is no objection to the requested modification by the Provider or President, the Privacy Officer will ask him/her to document the change. The modification shall be entered into the most appropriate location in the chart based upon the requested change. This might include an entry directly into a progress note, an addition of an amendment to the progress note using the EMR's addendum feature, or scanning a document into the patient's record. Where necessary, a reference should be made to the amendment if it is not in the same location as the original item that was modified. The Privacy Officer shall ensure that the patient is notified of the change and shall obtain information and permission necessary to notify people with whom the change should be shared. The Privacy Officer shall ensure that these notifications are made as well as notifying anyone the practice is aware of that has the information and that might rely on the unmodified information to the detriment of the patient.

EPIPG may also deny an individual's request for modification if it determines that the information or record that is the subject of the request:

A. Was not created by EPIPG or an EPIPG business associate, unless the requester provides a reasonable basis to believe that the originator of the PHI is no longer available to amend it.
B. Is not part of a designated record set.
C. Would not be available for inspection under the rules for access.
D. Is accurate and complete. The standard is not perfection, but general accuracy and completeness.

In the event that the practice does not agree to the request for amendment, the Privacy Officer shall inform the requestor in writing of the basis for the denial and inform him/her that he/she has the right to submit a written statement disagreeing with the denial (with information on how to file the statement) or, if the individual does not submit a statement of disagreement, he/she may ask that EPIPG provide the request for amendment and the denial with any future disclosures of the information at issue. The written notice shall also inform the individual that he/she may complain to EPIPG or HHS, including the title and phone number of the EPIPG contact person designated to receive the complaint. All documents produced in relationship to the request and denial must be scanned into the patient's record, including the initial request, EPIPG's denial, the written statement disagreeing with the denial and EPIPG's rebuttal, if produced. If EPIPG produces a rebuttal, it must also provide a copy to the patient. These documents shall also be provided with future disclosures of the PHI at issue if the individual submitted a statement of disagreement or requested that his/her request be sent with disclosures.

10. Request for Confidential Communication: Patients have the right to make reasonable requests to receive PHI by alternative means or to an alternative location. The request must be in writing. The Notice of Privacy Practices informs the patient that a form is available at the front desk. If any member of the staff is informed by the patient of such a request, he/she is responsible for informing the patient of the process. The form to be used is the Confidential Communications Request form. Once complete, the form is to be provided to the Clinic Manager.
The Clinic Manager will ensure that the request is scanned into the patient record and that a global alert is created to notify staff members of the request. The Clinic Manager will also ensure that the contact information in the medical record is modified to reflect the patient's choice.

11. Business Associates Agreement: EPIPG may engage the support of business associates that perform various functions on behalf of the practice. HIPAA considers a business associate of EPIPG to be an individual or entity that performs, on behalf of EPIPG, a function regulated by HIPAA or that performs services that involve the use or disclosure of individually identifiable protected health information. An employee of EPIPG is not considered a business associate, but another covered entity can be considered a business associate of EPIPG. A business associate of EPIPG must sign a business associate agreement with EPIPG. EPIPG has a standard business associate agreement that is to be used whenever possible. Use of another business associate agreement is permitted only if approved by the President or Administrator. Contractors that do not use or disclose PHI are not required to sign a business associate agreement under HIPAA requirements. Incidental disclosure, such as that which may be experienced by a janitorial service, does not require the initiation of a business associate agreement. It is the responsibility of the President or Administrator upon establishing a business relationship to determine whether or not a business associate agreement is required and to ensure that any such agreement meets all required elements to comply with HIPAA and EPIPG risk guidelines.

12. General Protection of PHI: All members of EPIPG's staff and its business associates have a responsibility to protect patient health information. This information may be kept in both written and electronic format.
Information that is written should remain under the control of a staff member or business associate at all times unless it is in a controlled area where the general public is not allowed. Information kept at a nursing station at the clinic should be face down or stored in such a manner that it is not easily viewed by others. Documents should not be left on printers or faxes in unsecured areas. Record repositories should be locked when not being accessed by authorized personnel. Staff members, other than providers or administrative staff, should not be in possession of physical records outside of EPIPG offices without approval from a Manager, the Administrator or the President. Providers and Administrators should only be in physical possession of records outside of an EPIPG office when necessary for the business purpose they are conducting, such as transporting records between offices or records that are generated in the conduct of care outside of an EPIPG office. Any records that are removed from the office or produced outside of the office must be closely guarded to ensure against inadvertent disclosure. Information that is no longer required to be maintained should be shredded or placed in appropriate receptacles for confidential destruction. Staff must be cautious when discussing patient information in person or over the phones. These conversations should be kept as private as possible.

13. Computers and Portable Devices: The EMR system is the largest repository of EPIPG's protected health information. As such, access to the system must be closely guarded. EPIPG's system is hosted offsite by a third party, which provides for numerous advantages. The servers on which our data resides are maintained in a highly secured facility and protected against both physical and cyber breach. The information that is being accessed in our EMR does not reside on our desktop or portable devices. This significantly reduces the risk of a physical data loss. The primary risk to EPIPG's electronic data lies in the safeguard of Usernames and Passwords to the network and the EMR program itself. EPIPG's policy OP35 provides specific instructions for the safeguard of information on computers and portable devices.
All employees are required to be familiar with and comply with the requirements of OP35 in order to protect this information resource.

14. Security Breach: HIPAA and the HITECH Act require that patients be notified by mail in the event a breach of unsecured (unencrypted) protected health information occurs, unless a risk assessment shows that there is a low probability that the protected health information has been compromised or the breach meets the exception of an unintended or inadvertent disclosure made by employees or authorized individuals at the same facility or where the PHI was disclosed to a person who would not reasonably be able to retain the disclosed information. A breach is defined as any unauthorized use or disclosure of unsecured PHI. In the event that a security breach occurs, the Administrator is to be immediately notified of the breach and any related details. The Administrator shall initiate a risk analysis of the breach to determine whether or not notification is required and who must receive notification.

15. Staff Education: All employees of EPIPG are required to receive and acknowledge that they understand training concerning HIPAA requirements and EPIPG security related policies and procedures. The Security Officer is required to provide training to all new employees within 14 days of the start of employment. The Security Officer shall also provide continuing training as determined to be necessary based upon staff performance and knowledge. Security policies shall be retained online and made available for staff review.

16. Violations: Violations of policies relating to private health information are very serious in nature. EPIPG is required to enforce these policies. Violations are categorized into three levels according to their severity.

A. Level I: A Level I Violation is accidental or because of a lack of privacy and security education. Examples include:
- Failing to sign off a computer terminal when leaving it unattended
- Accessing one's own record
- Requesting another employee to access one's own record
- Sharing passwords
Corrective action for Level I Violations may include the following sanctions:
- Verbal counseling and training
- Written warning and training, dependent upon the severity of the violation

B. Level II: A Level II Violation is a purposeful disregard of organizational policy or a repeated Level I Violation. Examples include:
- Accessing the record of a client without a legitimate reason
- Using another employee's access code without the employee's authorization
- Releasing patient data inappropriately
Corrective action can include the following sanctions:
- Written warning and training
- Final warning and training, dependent upon the severity of the violation

C. Level III: A Level III Violation is a malicious disregard of organization policies. Examples include:
- Releasing data for personal gain
- Destroying or altering data intentionally
- Releasing data with the intent to harm an individual or the organization
- Repeat Level II Violation
Corrective action generally would result in termination of employment. Approval of the President is required prior to termination.

DATE REVIEW/APPROVAL SIGNATURE


Policy & Procedure HIPAA / PRIVACY AMENDMENT OF PHI WEBER HUMAN SERVICES Policy & Procedure HIPAA / PRIVACY AMENDMENT OF PHI NUMBER 06 APPROVED 2/21/2014 REVIEWED REVISED PURPOSE This Policy is to provide a process for responding to a client s request for

More information

Health Information Privacy Refresher Training. March 2013

Health Information Privacy Refresher Training. March 2013 Health Information Privacy Refresher Training March 2013 1 Disclosure There are no significant or relevant financial relationships to disclose. 2 Topics for Today State health information privacy law Federal

More information

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate?

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate? HIPAA Information Who does HIPAA apply to? HIPAA applies to all Covered Entities (entities that collect, access, use and/or disclose Protected Health Data (PHI) and are subject to HIPAA regulations). What

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Business Associate Agreement (the Agreement ) is made by and between Business Associate, [Name of Business Associate], and Covered Entity, The Connecticut Center for Health,

More information

FirstCarolinaCare Insurance Company Business Associate Agreement

FirstCarolinaCare Insurance Company Business Associate Agreement FirstCarolinaCare Insurance Company Business Associate Agreement THIS BUSINESS ASSOCIATE AGREEMENT ("Agreement"), is made and entered into as of, 20 (the "Effective Date") between FirstCarolinaCare Insurance

More information

Privacy & Security Standards to Protect Patient Information

Privacy & Security Standards to Protect Patient Information Privacy & Security Standards to Protect Patient Information Health Insurance Portability & Accountability Act (HIPAA) 12/16/10 Topics An An Introduction to to HIPAA HIPAA Patient Rights Rights Routine

More information

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record

More information

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview Updated HIPAA Regulations What Optometrists Need to Know Now The U.S. Department of Health & Human Services Office for Civil Rights recently released updated regulations regarding the Health Insurance

More information

SCDA and SCDA Member Benefits Group

SCDA and SCDA Member Benefits Group SCDA and SCDA Member Benefits Group HIPAA Privacy Policy 1. PURPOSE The purpose of this policy is to protect personal health information (PHI) and other personally identifiable information for all individuals

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,

More information

HIPAA for Business Associates

HIPAA for Business Associates HIPAA for Business Associates February 11, 2015 Teresa D. Locke This presentation is similar to any other legal education materials designed to provide general information on pertinent legal topics. The

More information

HIPAA NOTICE OF PRIVACY PRACTICES

HIPAA NOTICE OF PRIVACY PRACTICES HIPAA NOTICE OF PRIVACY PRACTICES Human Resources Department 16000 N. Civic Center Plaza Surprise, AZ 85374 Ph: 623-222-3532 // Fax: 623-222-3501 TTY: 623-222-1002 Purpose of This Notice This Notice describes

More information

BUSINESS ASSOCIATE AGREEMENT TERMS

BUSINESS ASSOCIATE AGREEMENT TERMS BUSINESS ASSOCIATE AGREEMENT TERMS This Addendum ( Addendum ) is incorporated into and made part of the Agreement between SIGNATURE HEALTHCARE CORPORATION ("Covered Entity ) and ( Business Associate"),

More information

HIPAA Security Manual Administrative Security/Omnibus Rule

HIPAA Security Manual Administrative Security/Omnibus Rule Notice of Privacy Policies Form ***This notice describes how medical information about you may be used and disclosed and how you can get access to this information. PLEASE READ IT CAREFULLY!*** The tells

More information

ACKNOWLEDGMENT OF RECEIPT OF NOTICE OF PRIVACY PRACTICES

ACKNOWLEDGMENT OF RECEIPT OF NOTICE OF PRIVACY PRACTICES ACKNOWLEDGMENT OF RECEIPT OF NOTICE OF PRIVACY PRACTICES I acknowledge that I have been provided a copy of Fiorillo Cosmetic and General Dentistry s Notice of Privacy Practices, which has an effective

More information

HIPAA COMPLIANCE PLAN. For. CHARLES RETINA INSTITUTE (Practice Name)

HIPAA COMPLIANCE PLAN. For. CHARLES RETINA INSTITUTE (Practice Name) HIPAA COMPLIANCE PLAN For CHARLES RETINA INSTITUTE (Practice Name) Date of Adoption 1/02/2003 Review/Update 10/25/2012 Review/Update 4/01/2014 I. COMPLIANCE PLAN A. Introduction This HIPAA Compliance Plan

More information

NOTICE OF PRIVACY PRACTICES TEMPLATE. Sections highlighted in yellow are optional sections, depending on if applicable

NOTICE OF PRIVACY PRACTICES TEMPLATE. Sections highlighted in yellow are optional sections, depending on if applicable NOTICE OF PRIVACY PRACTICES TEMPLATE Sections highlighted in yellow are optional sections, depending on if applicable Original Date: ##/##/#### Revised per HIPAA Omnibus Rule ##/##/#### Revised Date Implementation:

More information

A Privacy and Information Security Guide for UCLA Workforce. HIPAA and California Privacy Laws

A Privacy and Information Security Guide for UCLA Workforce. HIPAA and California Privacy Laws A Privacy and Information Security Guide for UCLA Workforce HIPAA and California Privacy Laws A Privacy and Information Security Guide for UCLA Workforce HIPAA and California Privacy Laws Table of Contents

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT This is a draft business associate agreement based on the template provided by HHS. It is not intended to be used as is and you should only use the agreement after you

More information

Metropolitan Living, LLC 151 W. Burnsville Parkway, Suite 101 Burnsville, MN 55337 Ph: (952) 564-3030 Fax: (651) 925-0031

Metropolitan Living, LLC 151 W. Burnsville Parkway, Suite 101 Burnsville, MN 55337 Ph: (952) 564-3030 Fax: (651) 925-0031 The Health Insurance Portability and Accountability Act (HIPAA) and Client Privacy Statement This notice describes how your medical information may be used and disclosed and how you can get access to this

More information

HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT OF 1996 HIPAA

HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT OF 1996 HIPAA TRAINING MANUAL HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT OF 1996 HIPAA Table of Contents INTRODUCTION 3 What is HIPAA? Privacy Security Transactions and Code Sets What is covered ADMINISTRATIVE

More information

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean.

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean. BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement is made as of the day of, 2010, by and between Methodist Lebonheur Healthcare, on behalf of itself and all of its affiliates ( Covered Entity

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into as of ( Effective Date ) by and between ( Covered Entity ) and American Academy of Sleep Medicine ( Business Associate

More information

Harris County - Texas HIPAA Notice of Privacy Practices

Harris County - Texas HIPAA Notice of Privacy Practices Harris County - Texas HIPAA Notice of Privacy Practices Effective Date: September 23, 2013. THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS

More information

COVERMYMEDS BUSINESS ASSOCIATE AGREEMENT

COVERMYMEDS BUSINESS ASSOCIATE AGREEMENT COVERMYMEDS BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (the Agreement ) is entered into between Covered Entity and CoverMyMeds LLC, a Delaware limited liability company ( Business Associate

More information

SDC-League Health Fund

SDC-League Health Fund SDC-League Health Fund 1501 Broadway, 17 th Floor New York, NY 10036 Tel: 212-869-8129 Fax: 212-302-6195 E-mail: health@sdcweb.org NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION

More information

HIPAA and HITECH Compliance Under the New HIPAA Final Rule. HIPAA Final Omnibus Rule ( Final Rule )

HIPAA and HITECH Compliance Under the New HIPAA Final Rule. HIPAA Final Omnibus Rule ( Final Rule ) HIPAA and HITECH Compliance Under the New HIPAA Final Rule Presented Presented by: by: Barry S. Herrin, Attorney CHPS, Name FACHE Smith Smith Moore Moore Leatherwood Leatherwood LLP LLP Atlanta Address

More information

HIPAA POLICY PROCEDURE GUIDE

HIPAA POLICY PROCEDURE GUIDE HIPAA POLICY & PROCEDURE GUIDE HEALTH INFORMATION MANAGEMENT DEPARTMENT Office of Compliance & Audit Services - 1 - Table of Contents I. Patient Requests for Medical Records: Page 3 II. Other Requests

More information

The Health and Benefit Trust Fund of the International Union of Operating Engineers Local Union No. 94-94A-94B, AFL-CIO. Notice of Privacy Practices

The Health and Benefit Trust Fund of the International Union of Operating Engineers Local Union No. 94-94A-94B, AFL-CIO. Notice of Privacy Practices The Health and Benefit Trust Fund of the International Union of Operating Section 1: Purpose of This Notice Notice of Privacy Practices Effective as of September 23, 2013 THIS NOTICE DESCRIBES HOW MEDICAL

More information

AGREEMENT FOR ACCESS TO PROTECTED HEALTH INFORMATION BETWEEN WAKE FOREST UNIVERSITY BAPTIST MEDICAL CENTER AND

AGREEMENT FOR ACCESS TO PROTECTED HEALTH INFORMATION BETWEEN WAKE FOREST UNIVERSITY BAPTIST MEDICAL CENTER AND AGREEMENT FOR ACCESS TO PROTECTED HEALTH INFORMATION BETWEEN WAKE FOREST UNIVERSITY BAPTIST MEDICAL CENTER AND THIS AGREEMENT for Access to Protected Health Information ( PHI ) ( Agreement ) is entered

More information

Notice of Health Information Privacy Practices Radiology Associates of Norwood, Inc.

Notice of Health Information Privacy Practices Radiology Associates of Norwood, Inc. Notice of Health Information Privacy Practices THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW THIS NOTICE

More information

Privacy and Information Security Awareness Training. Health Insurance Portability & Accountability Act of 1996 -- HIPAA

Privacy and Information Security Awareness Training. Health Insurance Portability & Accountability Act of 1996 -- HIPAA Privacy and Information Security Awareness Training Health Insurance Portability & Accountability Act of 1996 -- HIPAA Objectives Understand basic HIPAA requirements Understand how the MCG Health System

More information

NOTICE OF PRIVACY PRACTICES Walter Chiropractic Clinic, 5219 Peters Creek Rd Ste 5, Roanoke VA 24019

NOTICE OF PRIVACY PRACTICES Walter Chiropractic Clinic, 5219 Peters Creek Rd Ste 5, Roanoke VA 24019 Effective Date: 5/18/15 NOTICE OF PRIVACY PRACTICES Walter Chiropractic Clinic, 5219 Peters Creek Rd Ste 5, Roanoke VA 24019 THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Agreement ( Agreement ) is made and entered into this day of [Month], [Year] by and between [Business Name] ( Covered Entity ), [Type of Entity], whose business address

More information

NOTICE OF PRIVACY PRACTICES

NOTICE OF PRIVACY PRACTICES NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. BACKGROUND The

More information

National Home Health Care HIPAA Notice of Privacy Practices

National Home Health Care HIPAA Notice of Privacy Practices Effective Date: THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. If you have any questions about

More information

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy & Security - Sanctions 10210

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy & Security - Sanctions 10210 IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy & Security - Sanctions 10210 POLICY INFORMATION Major Functional Area (MFA): MFA X - Office of General Counsel & Compliance Policy Title:

More information

Effective Date: March 23, 2016

Effective Date: March 23, 2016 AIG COMPANIES Effective Date: March 23, 2016 HIPAA NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

More information

Notice of Privacy Practices

Notice of Privacy Practices Notice of Privacy Practices This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully. This practice uses

More information

Neera Agarwal-Antal, M.D. HIPAA Policies and Procedures

Neera Agarwal-Antal, M.D. HIPAA Policies and Procedures Neera Agarwal-Antal, M.D. HIPAA Policies and Procedures HIPAA POLICIES & PROCEDURES This packet includes the following HIPAA policies, procedures and model forms: HIPAA General Operating Policy...1 Authorization

More information

BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE

BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE Lewis & Clark College and Allegiance Benefit Plan Management, Inc., (jointly the Parties

More information

COLUMBUS EYE ASSOCIATES COLUMBUS OPTICAL COMPLIANCE PLAN PROGRAM FOR THE HIPAA PRIVACY STANDARDS

COLUMBUS EYE ASSOCIATES COLUMBUS OPTICAL COMPLIANCE PLAN PROGRAM FOR THE HIPAA PRIVACY STANDARDS COLUMBUS EYE ASSOCIATES COLUMBUS OPTICAL COMPLIANCE PLAN PROGRAM FOR THE HIPAA PRIVACY STANDARDS TABLE OF CONTENTS I. COMPLIANCE PLAN... 1 A. Privacy Officer... 1 B. Complaint Process... 2 C. Sanctions...

More information

Protecting Patient Privacy It s Everyone s Responsibility

Protecting Patient Privacy It s Everyone s Responsibility Protecting Patient Privacy It s Everyone s Responsibility Observation & Student Learning Packet 1. Read packet Instructions for Self-Study Module 2. Complete post-test. A score of 80% must be achieved.

More information

HIPPA Goes HITECH. Data Protection for Agents

HIPPA Goes HITECH. Data Protection for Agents HIPPA Goes HITECH Data Protection for Agents For agent information only. this material should not be distributed to the public or used in any solicitation. 13-0127 Course objectives Agents will be able

More information

Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations &

Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations & Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations & Solutions. Office: 866-452-5017, Fax: 615-379-2541, evantreese@covermymeds.com

More information

HIPAA In The Workplace. What Every Employee Should Know and Remember

HIPAA In The Workplace. What Every Employee Should Know and Remember HIPAA In The Workplace What Every Employee Should Know and Remember What is HIPAA? The Health Insurance Portability and Accountability Act of 1996 Portable Accountable Rules for Privacy Rules for Security

More information

What is HIPAA? The Health Insurance Portability and Accountability Act of 1996

What is HIPAA? The Health Insurance Portability and Accountability Act of 1996 What is HIPAA? The Health Insurance Portability and Accountability Act of 1996 BASIC QUESTIONS AND ANSWERS What Does HIPAA do? Creates national standards to protect individuals' medical records and other

More information

University Healthcare Physicians Compliance and Privacy Policy

University Healthcare Physicians Compliance and Privacy Policy Page 1 of 11 POLICY University Healthcare Physicians (UHP) will enter into business associate agreements in compliance with the provisions of the Health Insurance Portability and Accountability Act of

More information

DISCLAIMER HEALTH INFORMATION PRIVACY POLICIES & PROCEDURES

DISCLAIMER HEALTH INFORMATION PRIVACY POLICIES & PROCEDURES DISCLAIMER This web site is provided for information and education purposes only. No doctor/patient relationship is established by your use of this site. No diagnosis or treatment is being provided. The

More information

Business Associate and Data Use Agreement

Business Associate and Data Use Agreement Business Associate and Data Use Agreement This Business Associate and Data Use Agreement (the Agreement ) is entered into by and between ( Covered Entity ) and HealtHIE Nevada ( Business Associate ). W

More information

NOTICE OF PRIVACY PRACTICES for the HARVARD UNIVERSITY MEDICAL, DENTAL, VISION AND MEDICAL REIMBURSEMENT PLANS

NOTICE OF PRIVACY PRACTICES for the HARVARD UNIVERSITY MEDICAL, DENTAL, VISION AND MEDICAL REIMBURSEMENT PLANS NOTICE OF PRIVACY PRACTICES for the HARVARD UNIVERSITY MEDICAL, DENTAL, VISION AND MEDICAL REIMBURSEMENT PLANS THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW

More information

HIPAA PRIVACY POLICY & PROCEDURE MANUAL

HIPAA PRIVACY POLICY & PROCEDURE MANUAL HIPAA PRIVACY POLICY & PROCEDURE MANUAL **DISCLAIMER** This document was prepared to assist the typical physician practice in seeking to undertake reasonable measures to comply with the HIPAA Rules. Each

More information

HIPPA and HITECH NOTIFICATION Effective Date: September 23, 2013

HIPPA and HITECH NOTIFICATION Effective Date: September 23, 2013 HIPPA and HITECH NOTIFICATION Effective Date: September 23, 2013 Orchard Creek Health Care is required by law to maintain the privacy of protected health information (PHI) of our residents. If you feel

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT

More information

Merit Dental. HIPAA Privacy Rule Policies and Procedures For Indiana

Merit Dental. HIPAA Privacy Rule Policies and Procedures For Indiana Merit Dental HIPAA Privacy Rule Policies and Procedures For Indiana Effective September 23, 2013 These policies are designed to provide covered entities with an outline for how to handle HIPAA-related

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT The parties to this ( Agreement ) are, a _New York_ corporation ( Business Associate ) and ( Client ) you, as a user of our on-line health record system (the "System"). BY

More information

STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM

STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM BETWEEN The Division of Health Care Financing and Policy Herein after referred to as the Covered Entity and (Enter Business

More information

HFS DATA SECURITY TRAINING WITH TECHNOLOGY COMES RESPONSIBILITY

HFS DATA SECURITY TRAINING WITH TECHNOLOGY COMES RESPONSIBILITY HFS DATA SECURITY TRAINING WITH TECHNOLOGY COMES RESPONSIBILITY Illinois Department of Healthcare and Family Services Training Outline: Training Goals What is the HIPAA Security Rule? What is the HFS Identity

More information

HIPAA and Privacy Policy Training

HIPAA and Privacy Policy Training HIPAA and Privacy Policy Training July 2015 1 This training addresses the requirements for maintaining the privacy of confidential information received from HFS and DHS (the Agencies). During this training

More information

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES I. Overview / Definitions The Health Insurance Portability and Accountability Act is a federal law

More information

HIPAA PRIVACY AND SECURITY FOR EMPLOYERS

HIPAA PRIVACY AND SECURITY FOR EMPLOYERS HIPAA PRIVACY AND SECURITY FOR EMPLOYERS Agenda Background and Enforcement HIPAA Privacy and Security Rules Breach Notification Rules HPID Number Why Does it Matter HIPAA History HIPAA Title II Administrative

More information

HIPAA Business Associate Agreement

HIPAA Business Associate Agreement HIPAA Business Associate Agreement User of any Nemaris Inc. (Nemaris) products or services including but not limited to Surgimap Spine, Surgimap ISSG, Surgimap SRS, Surgimap Office, Surgimap Ortho, Surgimap

More information

HIPAA PRIVACY POLICY AND PROCEDURES FOR PROTECTED HEALTH INFORMATION

HIPAA PRIVACY POLICY AND PROCEDURES FOR PROTECTED HEALTH INFORMATION HIPAA PRIVACY POLICY AND PROCEDURES FOR PROTECTED HEALTH INFORMATION HILLSDALE COLLEGE HEALTH AND WELLNESS CENTER Policy Preamble This privacy policy ( Policy ) is designed to address the Use and Disclosure

More information

H I P AA B U S I N E S S AS S O C I ATE AGREEMENT

H I P AA B U S I N E S S AS S O C I ATE AGREEMENT H I P AA B U S I N E S S AS S O C I ATE AGREEMENT This HIPAA BUSINESS ASSOCIATE AGREEMENT (the BAA ) is entered into by and between Opticare of Utah, Inc. ( Covered Entity ), and,( Business Associate ).

More information

COMPLIANCE ALERT 10-12

COMPLIANCE ALERT 10-12 HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is entered into by and between Professional Office Services, Inc., with principal place of business at PO Box 450, Waterloo,

More information

PROTECTED HEALTH INFORMATION

PROTECTED HEALTH INFORMATION SUBJECT: PROTECTED HEALTH INFORMATION POLICY: Department of Origin: Compliance Department Responsible Position: Vice President, Compliance and Audit Date(s) of Review and Revision: 12/13; 05/14; 12/14

More information

NOTICE OF PRIVACY PRACTICES

NOTICE OF PRIVACY PRACTICES NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW THIS NOTICE OF PRIVACY PRACTICES

More information

HIPAA Orientation. Health Insurance Portability and Accountability Act

HIPAA Orientation. Health Insurance Portability and Accountability Act HIPAA Orientation Health Insurance Portability and Accountability Act HIPAA Federal legislation enacted in 1996 to improve the efficiency and effectiveness of electronic information transfers used in the

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is effective as of, 2013, and is by and between SOUTHWEST DEVELOPMENTAL SERVICES, INC. ( Covered Entity ) and ( Business Associate

More information

University of California Policy

University of California Policy University of California Policy HIPAA Uses and Disclosures for UC Group Health Plans Responsible Officer: Senior Vice President/Chief Compliance and Audit Officer Responsible Office: Ethics, Compliance

More information

STANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT

STANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT STANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT THIS AGREEMENT is entered into and made effective the day of, 2014 (the Effective Date ), by and between (a) GI Quality Improvement Consortuim,

More information