Checklist for HIPAA Privacy Policy

Transcription

1 Checklist for HIPAA Privacy

2 Verification of the Identity and Authority of the Client Requesting Disclosure of PHI There are a number of situations in which members of the workforce of the organization may disclose PHI. Disclosures of PHI must be made in accordance with the applicable organization policies. In each case, the member of the workforce making the Disclosure must verify the patient requesting the information is authorized to receive it as set forth by the HIPAA Privacy Act (45 CFR (h)). Safeguarding Transmission of PHI to External Vendors or Entities The purpose is to ensure that PHI transmitted outside of the organization to other businesses under contract with the organization is protected and limited to that information needed for providing clinical and administrative services. This policy is intended to act as a guide to transmitting data efficiently while maintaining confidentiality of PHI. Confidentiality of Health Information Related to Minors The purpose is to ensure that organization s employees abide by the rules and regulations set forth by state law related to confidentiality of health information for minors. Designation of Record Sets The purpose is to designate what is considered a record set of the organization for purposes of accessing and amending PHI. Minimum Necessary This policy establishes the general rule regarding the minimum necessary limitation on the Use or Disclosure of PHI as set forth by the HIPAA Privacy Rule (45 CFR (b), (d)). Revocation of an Authorization The purpose is to ensure that the organization s employees abide by the requirements set forth by the HIPAA Privacy Rule (45 CFR ) as well as policies developed by the organization. Copyright. All rights reserved. ecfirst

3 Routine and Recurring Disclosures of PHI The purpose is to establish disclosures of PHI that are routine and recurring. Safeguarding PHI The Privacy Rule permits certain incidental uses and disclosures of PHI to occur when the covered entity has in place reasonable safeguards and minimum necessary policies and procedures to protect an individual s privacy. This policy establishes guidelines to help safeguard PHI from being seen, heard or disclosed to those who are not authorized to see or hear it as set forth by the HIPAA Privacy Rule 45 CFR (a)(1)(iii) as well as other policies developed by the organization. Use and Disclosure of PHI for Treatment, Payment and Health Care Operations This policy sets forth the circumstances in which the organization and its personnel may use and disclose PHI for treatment, payment, and Health Care Operations (TPO), and when patient authorization is required to do so. Access to PHI Patients have a right to inspect or to receive a copy of their PHI in the organization s records as set forth by the HIPAA Privacy Rule (45 CFR ). Some exceptions apply, as defined further in this policy. Accounting of Disclosures Patients have the right to receive an accounting of disclosures of their PHI as set forth by the HIPAA Privacy Rule (45 CFR ). Requests to Amend Records The purpose of this policy is to describe the process for a patient to amend their record. Use and Disclosure of PHI Requiring Patient Authorization There are a number of situations in which members of the organization s workforce may disclose PHI. Disclosures of PHI must be made in accordance with the applicable the organization s policies. In each case, the member of the workforce making the disclosure Copyright. All rights reserved. ecfirst

4 must verify the individual requesting the information is authorized to receive it as set forth by the HIPAA Privacy Act (45 CFR (h)). Use and Disclosure of Mental Health Information The purpose of this policy is to describe the appropriate use and disclosure of mental health information. Disclosures of PHI Relating to Communicable Diseases This policy describes when the organization s personnel may disclose a patient s PHI relating to a communicable disease. Uses and Disclosures of PHI for Health Oversight Activities This policy describes when the organization s personnel may disclose a patient s PHI for the purposes of health oversight activities. Disclosures of PHI to Law Enforcement Officials This policy sets forth requirements that the organization s personnel will meet before disclosing a patient s PHI to law enforcement officials. Disclosures of PHI Relating to Judicial and Administrative Proceedings This policy sets forth the rules for the organization s personnel to disclose PHI in connection with judicial and administrative proceedings. Use or Disclosure of PHI for Marketing Purposes This policy describes the reasons for which patients can be contacted, and PHI is used or disclosed, for marketing purposes that is conducted by or on behalf of the organization. Disclosure of Proof of Student Immunizations to School The purpose of this policy is to describe the situations in which the organization may disclose proof of immunization to schools in the states that have school entry or similar laws. Copyright. All rights reserved. ecfirst

5 Facility Directory (Patient Census) Disclosures for Inpatients The purpose is to set forth the information the organization s personnel may include in the Facility Directory, and to whom this information may be disclosed. Access, Use, Disclosure and Safeguarding PHI in the Conduct of Research The purpose of this policy is to describe the access, use, disclosure and safeguarding of PHI in the conduct of research. Use or Disclosure of PHI for Fundraising Purposes This policy describes the reasons for which the organization may provide fundraising communications and the scenarios in which a patient s PHI is used or disclosed for fundraising purposes. Use or Disclosure for Sale of PHI This policy describes the reasons for which patients can be contacted, and PHI is used or disclosed for sale, conducted by or on behalf of the organization, according to section Uses and Disclosures of PHI Concerning Decedents The purpose is to protect the privacy rights of the organization s patients who are deceased and to provide procedures and guidance for the use and disclosure of a deceased individual's PHI. Identifying PHI This policy sets forth the criteria for determining when information held by the organization should be treated as PHI. Patient Requests for Restriction of Uses and Disclosures for Treatment, Payment and Health Care Operation The purpose of this policy is to describe the process for patient requests for restriction of uses and disclosures for Treatment, Payment and Health Care Operations. Copyright. All rights reserved. ecfirst

6 Patient Requests for Confidential Communications The purpose of this policy of is to describe patient requests for confidential communications. Management of Patient Privacy Complaints The purpose is to establish a complaint process through which the organization s patients may resolve concerns about the privacy and confidentiality of their health information. Mitigation of Harm Resulting from Unauthorized Use or Disclosure of PHI The purpose is to establish a procedure to mitigate, to the extent practicable, any harmful effect that results from an unauthorized use or disclosure of PHI. Prohibition of Intimidating or Retaliatory Acts The purpose is to provide guidance to the organization s patients and personnel regarding prohibition of intimidation or retaliatory acts. Confidentiality Agreement for Workforce Member The purpose is to require each member of the organization s workforce to follow confidentiality requirements and to sign the Acknowledgement of Confidentiality form. Notice of Privacy Practices The purpose is to ensure that the organization abides by the requirements set forth by the HIPAA Privacy Rule (45 CFR ), state and federal laws regarding a Notice of Privacy Practices. Sample Notice of Privacy Practices The Notice of Privacy Practices describes how medical information about a patient may be used and disclosed and how the patient can get access to this information. Reporting PHI Privacy Breach (Security Incidents) The purpose is to establish a process for reporting a breach of PHI privacy or a PHI (or electronic PHI EPHI) security incident to the affected organization. Copyright. All rights reserved. ecfirst

7 Personal Representative The purpose is to define a Personal Representative for the organization s purposes. Facsimile Transmission of PHI The purpose is to ensure that the organization s employees safeguard PHI when transmitting PHI by facsimile. De-identification of PHI The purpose of this policy is to accurately describe which identifiers are removed from the health information so that the health information cannot be traced to a specific individual and the organization can use the de-identified health information without patient authorization. This policy is based on Section (a) of the HIPAA Privacy Rule. HIPAA Privacy Definitions The purpose is to provide the organization s employees with the HIPAA Privacy Definitions for terms that may appear in the HIPAA Privacy Policies. Figure 1: Checklist for HIPAA Privacy Compliance. Copyright. All rights reserved. ecfirst

8 Corporate Office 295 NE Venture Drive Waukee, IA United States Toll Free: x17 Phone: x17 Fax: Copyright. All rights reserved. ecfirst