TEXAS COLON & RECTAL SURGEONS, LLP HIPAA AND TEXAS LAW PRIVACY POLICIES AND PROCEDURES ADOPTED EFFECTIVE APRIL 1, 2003

Transcription

1 TEXAS COLON & RECTAL SURGEONS, LLP HIPAA AND TEXAS LAW PRIVACY POLICIES AND PROCEDURES ADOPTED EFFECTIVE APRIL 1, 2003 UPDATED EFFECTIVE SEPTEMBER 1, 2012 Any questions about the following policies and procedures should be directed to management. All policies and procedures are subject to change at any time. All changes or updates will be communicated in writing by fax or interoffice mail. It is the responsibility of each employee to be knowledgeable of and comply with the current policies and procedures of the practice.

2 TCRS HIPAA AND TEXAS LAW PRIVACY POLICIES AND PROCEDURES ADMINISTRATIVE REQUIREMENTS Designation of a Privacy Officer and Contact Person One or more persons will be appointed to fulfill the role of Privacy Officer as required by HIPAA. The duties and responsibilities of such person(s) include, but are not limited to: 1. Maintaining the formal and written TCRS HIPAA AND TEXAS LAW PRIVACY POLICIES AND PROCEDURES (collectively, Policies ), updating those policies as appropriate, and performing a comprehensive annual review of the policies to ensure the provisions are HIPAA and Texas law compliant; 2. Creating compliance reports and maintaining such records relating to HIPAA compliance in such time and manner and containing such information as the Secretary of Health and Human Services may deem necessary to determine the status of compliance; 3. Maintaining and monitoring policies and developing, coordinating, and participating in training of all employees of HIPAA and Texas law compliant policies and procedures that require (i) all new employees to be trained on these Policies upon commencement of work but in no event later than the 60 th day after the employee is hired, (ii) that such training is tailored based on the employee s scope of employment and TCRS course of business, (iii) all employees to receive updated training at least once every 2 years, (iv) each employee who receives training or attends a training program must sign, electronically or in writing, a statement verifying the employee s attendance at the training program, and (v) TCRS retains and maintains the employee s signed statement; 4. Monitoring effectiveness of compliance efforts; 5. Performing annual audits to identify areas that represent significant risk of compliance violations and recommending and/or taking corrective action; and 6. Maintaining and monitoring all Business Associate Agreements, ensuring that our Business Associates are acting in compliance with those agreements, and continually monitoring business relationships to determine which individuals and entities are our Business Associates. One or more persons will also be designated to fulfill the role of Contact Person as required by HIPAA. This person may be, but is not required to be, the same individual designated as Privacy Officer. The duties and responsibilities of such person(s) include, but are not limited to: 1. Creating and maintaining a reporting system that encourages employees and others to submit compliance concerns; TCRS HIPAA and Texas Law Privacy Policies Page 2 of 24

3 2. Addressing reports of compliance violations and maintaining a log of all incident reports; 3. Ensuring that all incidents of potential HIPAA and Texas law compliance violations are investigated, results of the investigation are documented, and action is taken to correct any compliance violation. TCRS HIPAA AND TEXAS LAW PRIVACY POLICIES AND PROCEDURES ADMINISTRATIVE REQUIREMENTS Employee Training Section (b) of HIPAA provides that a covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart as necessary and appropriate for the members of the workforce to carry out their function within the covered entity. To comply with HIPAA s and Texas Law training requirements, each member of our workforce will receive comprehensive training that will cover: 1. the importance of maintaining confidentiality of protected health information; 2. consequences of breaches of patient privacy, including personal harm to patients, lawsuits, loss of trust, employee sanctions, and civil/criminal penalties; 3. practical procedures for protecting protected health information; 4. employee participation in the enforcement of information access control, including access on a need-to-know basis, appropriate releases of information, verbal conversations, and computer system access issues; and 5. procedures for reporting compliance violations. Training will be provided to employees no later than the appropriate HIPAA and Texas law compliance deadlines. Thereafter, new employees will be provided training within a reasonable time upon commencement of work but in no event later than the 60 th day after the employee is hired. Subsequent training will occur as needed to review existing policies and procedures, and to introduce any changes to the current Policies, and as otherwise required by law. All employees will be retrained at least once every two years. Training will be tailored based on the employee s scope of employment and TCRS course of business We will maintain documentation of training provided to all employees signed by the employee (either in writing or electronically). TCRS HIPAA and Texas Law Privacy Policies Page 3 of 24

4 TCRS HIPAA AND TEXAS LAW POLICIES AND PROCEDURES ADMINISTRATIVE REQUIREMENTS Employee Sanctions HIPAA compliance violations are serious matters and we will respond in a manner consistent with the severity of the violations, the degree of intent or carelessness of responsible employees, and the probability that future violations will occur. Disciplinary actions will be decided upon after the Privacy Officer and/or Contact Person has investigated the Incident Report, interviewed responsible employees and any other person with knowledge of the violation, determined damage caused by the violation, and consulted with the responsible employee s supervisor. Disciplinary actions may take the following forms: 1. Employee Training The responsible employee may receive additional training for minor infractions, with documentation of such training added to the employee s personnel file. 2. Oral Reprimand The responsible employee may receive an oral reprimand concerning the violation. Documentation of such reprimand will be added to the employee s personnel file. 3. Written Reprimand The employee may receive a memorandum documenting the nature of the written admonishment, with a copy of such memorandum to the employee s personnel file. The memorandum should include the time, date and nature of the compliance violation, directions for correcting behavior causing the compliance violation, and future consequences if the behavior is not corrected. 4. Suspension The employee may be suspended for an appropriate period of time without pay. Documentation of such suspension will be added to the employee s personnel file. 5. Termination Employment may be terminated for HIPAA compliance violations. The employee will be notified in writing of the reason for termination, and copies of such writing will be added to the employee s personnel file. TCRS HIPAA AND TEXAS LAW POLICIES AND PROCEDURES ADMINISTRATIVE REQUIREMENTS Documentation One of the major components of HIPAA and Texas law compliance is adequate documentation of all communications, actions, activities or designations as required to be documented under HIPAA. We are required to pay specific attention to documentation of the following: TCRS HIPAA and Texas Law Privacy Policies Page 4 of 24

5 1. Notice of Privacy Practices We are required to provide a document entitled Notice of Privacy Practices to each patient, which includes a description of the potential uses and disclosures of such patient s health information by us for purposes of treatment, payment or health care operations. Employees shall document compliance with the notice requirements by retaining copies of the notices issued and any written acknowledgements or receipt of the notice or documentation of good faith efforts to obtain such written acknowledgement. 2. Requested Restrictions of Uses and Disclosures of PHI Individuals have the right to request us to restrict uses or disclosures of PHI to carry out treatment, payment or health care operations. We are not required to agree to such restrictions, but we must document the restrictions if we do agree. 3. Information Concerning Individuals Access to PHI Individuals have rights to inspect and obtain copies of PHI as long as the information sought is maintained in a designated record set. Employees shall document the designated record sets that are subject to access by individuals and the titles of the persons or offices responsible for receiving and processing requests for access by individuals. 4. Requests for Amendment of PHI Individuals have the right to request an amendment of their PHI. Employees shall document the titles of the persons or offices responsible for receiving and processing requests for amendments by individuals. 5. Accounting of Disclosures of PHI Individuals have the right to receive an accounting of disclosures of PHI made by us in the six years prior to the date on which the accounting is requested. Employees must document and retain: a. the date of disclosure; b. the name of the entity or person who received the PHI and the address of such entity or person, if known; c. a brief description of the PHI disclosed; d. a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure; e. a copy of any written accounting provided to an individual; and f. the titles of the persons or offices responsible for receiving and processing requests for an accounting by individuals. 6. Other Documentation Employees shall also maintain documentation of: a. any signed authorization; b. any employee sanctions as a result of a HIPAA compliance violation; and c. all complaints of compliance violations, and the results of any investigation. TCRS HIPAA and Texas Law Privacy Policies Page 5 of 24

6 Documentation that is required to be maintained under HIPAA is to be retained for a period of six (6) years from the date of its creation or the date when it was last in effect, whichever is later. TCRS HIPAA AND TEXAS LAW POLICIES AND PROCEDURES ADMINISTRATIVE REQUIREMENTS Mitigation We shall mitigate, to the extent practicable, any harmful effect that is known to us relating to a use or disclosure of PHI in violation of these Policies or the requirements of HIPAA or Texas law by us or any of our business associates. Each violation of these Policies or the HIPAA regulations or Texas law shall be disclosed to the Contact Person, who shall evaluate the course of action to mitigate damage caused by such violation on a case-by-case basis. We shall provide notification to any individual in the event we discover an unauthorized use or disclosure of the individual s unsecured PHI (i.e., unencrypted PHI). The notification shall be written in plain language and shall be provided in the following form: (1) Written notice. (i) Written notification by first-class mail to the individual at the last known address of the individual or, if the individual agreed to electronic notice and such agreement has not been withdrawn, by electronic mail. The notification may be provided in one or more mailings as information is available. (ii) If we know the individual is deceased and have the address of the next of kin or personal representative of the individual, written notification by first class mail to either the next of kin or personal representative of the individual. The notification may be provided in one or more mailings as information is available. (2) Substitute notice. In the case in which there is insufficient or out-of-date contact information that precludes written notification to the individual, a substitute form of notice reasonably calculated to reach the individual shall be provided. Substitute notice need not be provided in the case in which there is insufficient or out-of-date contact information that precludes written notification to the next of kin or personal representative of the individual. (i) In the case in which there is insufficient or out-of-date contact information for fewer than 10 individuals, then such substitute notice may be provided by an alternative form of written notice, telephone, or other means. (ii) In the case in which there is insufficient or out-of-date contact information for 10 or more individuals, then such substitute notice shall: (A) Be in the form of either a conspicuous posting for a period of 90 days on the home page of our website, or conspicuous notice in major print or broadcast media in geographic areas where the patients affected by the breach likely reside; and (B) Include a toll-free phone number that remains active for at least 90 days where an individual can learn whether the individual s unsecured PHI may be included in the breach. (3) Additional notice in urgent situations. In any case deemed by the Privacy Officer to require urgency because of possible imminent misuse of unsecured PHI, we may provide information to TCRS HIPAA and Texas Law Privacy Policies Page 6 of 24

7 individuals by telephone or other means, as appropriate, in addition to notice provided under this paragraph. For a breach of unsecured PHI involving more than 500 residents, we shall, following the discovery of the breach, notify prominent media outlets serving Texas. We shall provide such notification without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. In addition, we shall, following the discovery of a breach of unsecured PHI involving more than 500 residents, notify the Secretary of Health and Human Services (HHS) as specified on the HHS website. For breaches of unsecured protected health information involving less than 500 individuals, we shall maintain a log or other documentation of such breaches and, not later than 60 days after the end of each calendar year, provide notification to the Secretary of HHS, for breaches occurring during the preceding calendar year, in the manner specified on the HHS website. In all of our business associate agreements, we shall require a business associate to, following the discovery of a breach of unsecured PHI, promptly notify us of such breach. A business associate shall be required to provide such notification to us without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. The notification shall include, to the extent possible, the identification of each individual whose unsecured PHI has been, or is reasonably believed by the business associate to have been, accessed, acquired, used, or disclosed during the breach. In addition, the business associate shall provide us with any other available information that we are required to include in a breach notification to our patients. If a law enforcement official states to us or one of our business associates that a breach notification would impede a criminal investigation or cause damage to national security, we and the business associate shall: (a) If the statement is in writing and specifies the time for which a delay is required, delay such notification for the time period specified by the official; or (b) If the statement is made orally, document the statement, including the identity of the official making the statement, and delay the notification temporarily and no longer than 30 days from the date of the oral statement, unless a written statement is submitted during that time. We shall train all employees on the notification requirements set forth above to enable such employees to carry out their job functions. In addition, we will provide updated training to any employees which are affected by a material change in HIPAA or Texas law or our policies or procedures related to patient notification within a reasonable period of time after the material change becomes effective. We will provide a process for individuals to make complaints concerning our policies and procedures concerning patient notification of unsecured PHI. In addition, we will apply appropriate sanctions against employees who fail to comply with our privacy policies and procedures. Lastly, we will not intimidate, threaten, coerce, discriminate TCRS HIPAA and Texas Law Privacy Policies Page 7 of 24

8 against, or take other retaliatory action against any individual for the exercise by the individual of any right established, or for participation in any process provided for under HIPAA or Texas law, including the filing of a complaint. In addition, we will not require individuals to waive their rights under HIPAA or Texas law as a condition of the provision of treatment. TCRS HIPAA AND TEXAS LAW PRIVACY POLICIES AND PROCEDURES PRIVACY STANDARDS Uses and Disclosures of PHI for Treatment, Payment or Health Care Operations We may use or disclose a patient s PHI for treatment, payment or health care operations without the consent or authorization of the patient. Uses and disclosures of PHI under this section include: 1. uses or disclosures of PHI for our own treatment, payment or health care operations; 2. disclosure of PHI for treatment activities of a health care provider; 3. disclosure of PHI to another covered entity or a health care provider for the payment activities of the entity receiving the information; 4. disclosure of PHI to another covered entity for health care operations activities of the entity receiving the information, if: a. each entity has or had a relationship with the individual who is the subject of the PHI requested; b. the protected information pertains to such relationship; and c. the disclosure is for health care operations (as defined by HIPAA) or the detection of health care fraud and abuse. 5. disclosure of PHI to an entity participating in an organized health care arrangement with us for any health care operations activities of the organized health care arrangement. If an employee is uncertain whether a certain use or disclosure is permitted, the employee shall immediately contact the Privacy Officer for consultation prior to using or disclosing such information. TCRS HIPAA and Texas Law Privacy Policies Page 8 of 24

9 TCRS HIPAA AND TEXAS LAW PRIVACY POLICIES AND PROCEDURES PRIVACY STANDARDS Other Permitted Uses and Disclosures of PHI HIPAA allows us to use and disclose PHI for a variety of other purposes without an individual s consent or authorization. Subject to certain limitations, uses and disclosures that are permitted under this policy include: 1. Required by Law We may use or disclose PHI to the extent required by law. 2. Public Health Activities PHI may be disclosed for certain public health activities, including but not limited to: a. a public health authority that is authorized by law to receive such information for the purposes of controlling disease, injury, or disability; b. a public health authority authorized by law to receive reports of child abuse or neglect; c. the Food and Drug Administration ( FDA ) for an FDA-regulated product or activity; and d. a person who may have been exposed to a communicable disease or may be at risk for contracting or spreading a disease or condition if we are or a public health authority is authorized by law to notify such person of the danger. 3. Victims of Abuse, Neglect or Domestic Violence We may disclose PHI about an individual whom we reasonably believe to be the victim of abuse, neglect or domestic violence to a government authority authorized by law to receive reports of such abuse, neglect or domestic violence. 4. Health Oversight Activities Disclosure of PHI is permitted to a health oversight official for oversight activities authorized by law, including, but not limited to: audits; civil, administrative or criminal investigations or proceedings; inspections; or licensure or disciplinary actions. 5. Judicial and Administrative Proceedings PHI may be disclosed by us in the course of any judicial or administrative proceeding as permitted by HIPAA. 6. Law Enforcement Purposes We may disclose PHI for law enforcement purposes, including, but not limited to: a. disclosures pursuant to laws requiring the reporting of certain types of wounds or other physical injuries; b. disclosures pursuant to a court order, subpoena or summons issued by a judicial officer; c. disclosures pursuant to a grand jury subpoena; d. disclosures pursuant to an administrative subpoena or summons; TCRS HIPAA and Texas Law Privacy Policies Page 9 of 24

10 e. disclosures for purposes of identifying or locating a suspect, fugitive, material witness or missing person; f. disclosures in response to a law enforcement official s request about an individual who is or is suspected of being a victim of a crime; g. disclosures to a law enforcement official for the purpose of alerting such law enforcement agency of the death of the individual if we have a suspicion that the death may have resulted from criminal conduct; or h. disclosures of information we believe in good faith constitutes evidence of criminal conduct that occurred on the premises. 7. Decedents We may disclose PHI to a coroner or medical examiner for purposes of identifying a deceased person, determining a cause of death, or other duties as authorized by law. We may also disclose PHI to funeral directors as necessary to carry out their duties with respect to the decedent. 8. Organ or Tissue Donation We may use or disclose PHI to organ procurement organizations or other entities for the purpose of organ or tissue donation or transplantation. 9. Research Purposes We may use or disclose PHI for research purposes if certain HIPAA requirements are met. 10. Serious Threat to Health or Safety PHI may be used or disclosed if we believe in good faith that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the disclosure is to a person reasonably able to prevent or lessen the threat. 11. Specialized Government Functions Uses and disclosures of PHI are permitted for certain government functions, including military and veterans activities, national security and intelligence activities, protective services for the President and others, medical stability determinations, correctional institution situations, and activities relating to government programs providing public benefits. Prior to any disclosure of PHI, we must verify the identity of a person requesting such PHI and the authority of such person to have access to the PHI if the identity and the authority of the individual is not known to us. In most cases, knowledge of the requestor may take the form of: 1. a known place or business; 2. a known address; 3. a known phone or fax number; or 4. a known human being. TCRS HIPAA and Texas Law Privacy Policies Page 10 of 24

11 If obtaining documentation, statements, or representations, whether oral or written, from the person requesting PHI is a condition of such disclosure, we must also obtain such documentation, statements, or representation prior to disclosing PHI to the requestor. Any time an employee is uncertain whether a certain use or disclosure is permitted or whether the identity of the requesting party has been sufficiently verified, the employee shall immediately contact the Privacy Officer for consultation prior to using or disclosing such information. TCRS HIPAA AND TEXAS LAW PRIVACY POLICIES AND PROCEDURES PRIVACY STANDARDS When Authorizations are Required and What is Required of Authorization Forms As a general rule, we shall require an authorization for any use or disclosure of PHI not otherwise permitted under these Policies or by law. HIPAA contains additional standards for uses and disclosures of PHI for two specific purposes: 1. Psychotherapy Notes We shall obtain an authorization for any use or disclosure of psychotherapy notes, except for: a. the use by the originator of the psychotherapy notes for treatment; b. the use or disclosure of the PHI by us for our own training programs for mental health providers to practice or improve counseling skills; or c. the use or disclosure of PHI by us to defend ourselves in a legal action or other proceeding brought by the subject of the PHI. 2. Marketing Activities We shall obtain an authorization for any use or disclosure of PHI for marketing purposes, except for: a. face-to-face communications made by us to an individual; b. a promotional gift of nominal value provided by us; c. communications for treatment of an individual by us, including case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual; d. To describe a health-related product or service (or payment for such product or service) that is provided by us, or included in a plan of benefits of ours, including communications about our participation in a health care provider network or health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits; and a. For case management or care coordination, we may contact individuals with information about treatment alternatives, and related TCRS HIPAA and Texas Law Privacy Policies Page 11 of 24

12 functions to the extent these activities do not fall within the definition of treatment. If an employee is unsure whether an authorization is required for a particular use or disclosure of PHI, the employee shall contact the Privacy Officer for consultation. In order to be valid, authorizations must be written in plain language and shall include each of the following elements: 1. a description of the information to be used or disclosed identifying the information in a specific and meaningful fashion; 2. the name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure; 3. the name or other specific identification of the person(s), or class of persons, to whom we may make the requested use or disclosure; 4. a description of each purpose of the requested use or disclosure; 5. an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure; 6. a statement adequate to place the individual on notice of his or her right to revoke the authorization in writing and a description of how the individual may revoke the authorization; 7. a statement placing the individual on notice of our ability or inability to condition treatment on the authorization; 8. a statement placing the individual on notice that the information disclosed may be subject to re-disclosure by the recipient and no longer be protected by HIPAA; 9. the individual s signature and date of signature; and 10. if signed by a representative, a description of the representative s authority to act for the individual and/or the relationship to the individual. We shall not rely on invalid authorizations. An authorization will be deemed invalid if: 1. the expiration date has passed or the expiration event has occurred; 2. the authorization was not filled out completely; 3. the authorization is revoked; 4. the authorization lacks a required element; or 5. the authorization violates requirements regarding compound authorizations. We shall not permit authorizations for the use or disclosure of PHI to be combined with any other document to create a compound authorization, except as follows: 1. an authorization for the use or disclosure of PHI for a research study may be combined with any other type of written permission for the same research study; TCRS HIPAA and Texas Law Privacy Policies Page 12 of 24

13 2. an authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization for a use or disclosure of psychotherapy notes; or 3. an authorization, other than for psychotherapy notes, may be combined with another authorization except when we condition treatment on the provision of one of the authorizations. Authorizations may be revoked in writing at any time except to the extent that we have already taken action in reliance of the authorization or the authorization was obtained as a condition of obtaining insurance coverage. We shall document and retain all signed authorizations and provide all individuals signing authorizations with a copy of such authorization. TCRS HIPAA and Texas Law Privacy Policies Page 13 of 24

14 TCRS HIPAA AND TEXAS LAW PRIVACY POLICIES AND PROCEDURES PRIVACY STANDARDS Minimum Necessary Requirement When using or disclosing PHI or when requesting PHI from another covered entity, we shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. This minimum necessary requirement does not apply to: 1. disclosures made to the individual who is the subject of the information; 2. disclosures made pursuant to an authorization; 3. disclosures to or requests by a healthcare provider for treatment purposes; 4. disclosures required for compliance with the standardized HIPAA transactions; 5. disclosures made to HHS pursuant to a privacy investigation; or 6. disclosures otherwise required by the HIPAA regulations or by law. To enforce the minimum necessary requirement for uses of PHI by our employees, we shall: 1. identify the persons or groups of persons who need access to PHI to carry out their job function; 2. identify the type of PHI to which each person or group needs access and the conditions under which access is needed; and 3. make reasonable efforts to limit the access of its staff to only the information appropriate to accomplish the duties of job requirements. Only employees with jobs requiring access to PHI will receive such access. No supervisor will authorize any member of our workforce to access, receive, or review such information unless such employee has a need to access, receive or review such information in connection with such employee s job description. Any employee receiving PHI shall not use such information other than as required for the performance of such employee s job duties, and shall not disclose such information to any other person except where such other person is also authorized to access such information. In addition to internal uses and disclosures of PHI, we also receive requests for disclosure of PHI from outside sources. Some requests for disclosures of PHI are received on a routine or recurring basis and shall be addressed according to criteria set forth below and reviewed on an individual basis in accordance with such criteria. Criteria for routine uses and disclosures include, but are not limited to, the following: TCRS HIPAA and Texas Law Privacy Policies Page 14 of 24

15 1. Request by Patient When a patient requests a copy of his or her medical records, the patient shall sign a patient authorization form. Records are not to be released to the patient until the patient has signed and returned such form. 2. Request by Spouse, Parent, Guardian, Other Family Member Records may be released to a parent of a minor child or a legal guardian appointed by a court after such parent or legal guardian signs and returns a patient authorization form to us. If a spouse, other family member or other individual requests copies of a patient s medical records, such records may only be released to that individual after a written authorization is obtained from the patient, or if the individual is allowed to obtain the records by law (for example, the executor of a deceased patient s estate). 3. Request by a Medical Records Collection Services or Attorneys If a medical records collection service or an attorney requests copies of a patient s records, their request must be accompanied by a court-issued subpoena. If there is a court-issued subpoena or court order, we may release the records. 4. Request for Records of Deceased Individual If a request for the records of a deceased patient is received, those records may only be released to an individual representing the patient s estate or pursuant to a valid request under Texas law. Records requested by an individual representing the patient s estate should be released only upon documentation that the individual has been named as the executor or administrator of the estate, which will be either in a document known as a letters testamentary or letters of administration issued by a court or in the patient s will. If the individual requesting the patient s records cannot produce either document, the records should only be released pursuant to a court-issued subpoena or court order. If, however, a request for records is received in connection with a claim under Texas Law, such records should be released if the request is accompanied by an authorization signed by a parent, spouse, or adult child of the deceased. 5. Request by a Physician Other than the Referring or Treating Physician A patient s medical records may be released to another physician who did not refer the patient to us or who is not currently treating the patient only upon written authorization by the patient. 6. Disclosure to Insurance Company, or Billing or Collection Agency Medical records may be released to an insurance company or a billing and/or collections agency without a patient s consent or authorization in order for us to be paid for services. As with most other releases of PHI, it is required that only the minimum necessary amount of information needed by the insurance, billing or collection agency be released to that entity. Before disclosing PHI in response to a routine request, employees shall determine if the disclosure is excepted from the minimum necessary requirement. If the requested TCRS HIPAA and Texas Law Privacy Policies Page 15 of 24

16 disclosure is not excepted from the rule, we shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the request. As requests for the entire medical records are common, employees should be careful to review such requests and only disclose the entire record if disclosure is specifically justified as reasonably necessary to accomplish the purpose of the request. When the entire record is disclosed, we shall document reasons why the entire record was used or disclosed and retain such documentation in the patient s file. When a request for non-routine disclosure of PHI is received, the employee handling such request should immediately contact the Privacy Officer for instruction regarding the minimum necessary amount of information essential to accomplish the purpose of the disclosure. TCRS HIPAA AND TEXAS LAW PRIVACY POLICIES AND PROCEDURES PRIVACY STANDARDS Individual Rights: Right to an Accounting of Disclosures of PHI Individuals have the right to request an accounting of disclosures of PHI over a period of six years prior to the date on which the request was made. Disclosures made by us prior to April 14, 2003, are excluded from this requirement. We shall provide one accounting of disclosures to each requesting individual free of charge during any twelve (12) month period. If the same individual requests another accounting of disclosures within twelve (12) months of the first requested accounting, we may impose a reasonable, cost-based fee for each subsequent accounting during that twelve (12) month period. The requesting individual shall be notified of the amount of the fee prior to its imposition and shall be provided the opportunity to withdraw or modify the request for a subsequent accounting in order to reduce or avoid the fee. We shall provide an individual requesting an accounting of disclosures such an accounting no later than thirty (30) days after the receipt of the request. Since we maintain our medical records electronically, Texas law requires that we provide an individual with copies of their medical records, within fifteen (15) days following a valid request. In addition, Texas law requires that we provide such medical records electronically unless the individual agrees to accept such records in another form (e.g., paper). HIPAA requires that we comply with the most stringent requirements so if Texas law requires compliance within fifteen (15) days we must meet that requirement even thought HIPAA grants you thirty (30) days. All disclosures of PHI shall be included in an accounting of disclosures except for disclosures: TCRS HIPAA and Texas Law Privacy Policies Page 16 of 24

17 1. to carry out treatment, payment or health care operations; 2. to individuals of PHI about themselves; 3. incident to a use or disclosure otherwise permitted or required by HIPAA or otherwise required by law; 4. pursuant to an authorization; 5. for the facility s directory or to persons involved in the individual s care; 6. for national security or intelligence purposes; 7. to correctional institutions or law enforcement officials; or 8. as part of a limited data set. If we receive a written statement from a health oversight agency or law enforcement officials stating that releasing an accounting of disclosures to a particular individual is reasonably likely to impede the agency s activities, we shall temporarily suspend the individual s right to receive an accounting of disclosures. All accountings must include the following information concerning each disclosure: 1. date of the disclosure; 2. name of the covered entity or individual that received the information, and the address of such covered entity or individual, if known; 3. a brief description of the PHI disclosed; and 4. a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure, or a copy of the written request for disclosure, if any. Recurring disclosures to the same entity or individual may have a summary entry. The summary entry requires all information as described above for the initial disclosure, plus a description of the interval of disclosures (weekly, monthly, etc.) or number of disclosures, and the date of the last disclosure. The above accountings shall be maintained in the patients chart in a designated chart location and shall be maintained in a current and accurate manner. TCRS HIPAA and Texas Law Privacy Policies Page 17 of 24

18 TCRS HIPAA AND TEXAS LAW PRIVACY POLICIES AND PROCEDURES PRIVACY STANDARDS Individual Rights: Right to Inspect and Copy Individuals generally have the right of access to inspect and obtain a copy of PHI about the individual in a designated record set, for as long as the PHI is maintained in the designated record set. This right of access does not include: 1. psychotherapy notes; 2. information compiled in reasonable anticipation of, or for use in, a civil, criminal or administrative action or proceeding; and 3. PHI maintained by us that is subject to the Clinical Laboratory Improvements Amendments of 1988 ( CLIA ), to the extent access would be prohibited by law, or exempt from the CLIA. We may deny an individual access without providing the individual with an opportunity for review in the following circumstances: 1. when the PHI is one of the three types excepted from the right of access, as listed above; 2. when an inmate in a correctional institution requests a copy of PHI, if obtaining such a copy would jeopardize the health, safety, security, or rehabilitation of the requesting inmate, or the safety of any person at the correctional institution; 3. when research is in progress and the individual has agreed to a temporary denial of access; 4. if the PHI was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information; or 5. if the PHI sought is subject to the Privacy Act, 5 U.S.C. 552a, and the denial of access under the Privacy Act would meet the requirements of that law. We may deny an individual access to requested PHI in the following circumstances, provided that the individual is given a right to have such denials reviewed: 1. if a licensed health care professional has determined that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person; 2. if the PHI makes reference to another person and a licensed health care professional has determined that the access requested is likely to cause substantial harm to such other person; or 3. the request for access is made by the individual s personal representative and a licensed health care professional has determined TCRS HIPAA and Texas Law Privacy Policies Page 18 of 24

19 that the provision of access to the personal representative is reasonably likely to cause substantial harm to the individual or another person. If access is denied on one of the three above-mentioned grounds, the individual has the right to have the denial reviewed by a licensed health care professional designated by us to act as a reviewing official and who did not participate in the original decision to deny access. Upon receiving a request for access, we shall generally grant or deny in writing such request within thirty (30) days. If the request for information is subject to of the Texas Occupations Code, the information requested shall be provided within fifteen (15) business days of the receipt of the request unless such request is denied. If it seems unclear whether the information requested should be provided in within the fifteen (15) day period under the Texas Occupations Code or the thirty (30) day period allowable under HIPAA, such information should be provided within fifteen (15) business days of the receipt of the request. TCRS HIPAA AND TEXAS LAW PRIVACY POLICIES AND PROCEDURES PRIVACY STANDARDS Individual Rights: Right to Request an Amendment An individual has the right to request that we amend his or her PHI. We require individuals to provide such requests in writing and to provide a reason to support a request amendment. We will accept or deny the request in writing within sixty (60) days of receipt of such request, but if we are unable to respond to the request within the prescribed time period, a one-time thirty (30) day extension is available if we provide the requesting individual with a written statement containing the reasons for the delay within the initial time period. If we accept the amendment in whole or in part, the following shall be done: 1. We shall make appropriate amendment to the PHI that is the subject of the request; 2. We shall timely inform the individual that the amendment is accepted and obtain the individual s identification of and agreement to have us notify the relevant persons with whom the amendment needs to be shared ( Relevant Persons ); and 3. We shall make reasonable efforts to inform and provide the amendment within a reasonable time to Relevant Persons and any other persons, including business associates, whom we know have the PHI and who may have relied or could rely on such PHI to the detriment of the individual. TCRS HIPAA and Texas Law Privacy Policies Page 19 of 24

20 We may deny the amendment if we find that the PHI that is the subject of the request: 1. was not created by us; 2. is not part of the designated record set; 3. would not be available for inspection under HIPAA; or 4. is already accurate and complete. If we deny the amendment, a written denial shall be provided to the individual in a timely fashion explaining in plain language: 1. the basis of the denial; 2. the individual s right to submit a written statement disagreeing with the denial; 3. a statement that, if the individual does not submit a statement of disagreement, the individual may request that we provide the individual s request for amendment and the denial with any future disclosures of the PHI that is the subject of the amendment; and 4. a description of how the individual may complain to us or to the Secretary of HHS. For purposes of record keeping, we must identify the PHI that is the subject of the disputed amendment and attach the individual s request for an amendment, the denial of the request, the individual s statement of disagreement, if any, and any rebuttal by us to the individual s statement, to the designated record set. TCRS HIPAA and Texas Law Privacy Policies Page 20 of 24