How To Use A Health Infrmatin

Transcription

1 HIPAA PRIVACY AND SECURITY POLICY AND PROCEDURES FOR THE PRACTICE OF WEISS CHIROPRACTIC EFFECTIVE: SEPTEMBER 1, 2013 Page 1

2 POLICY AND PROCEDURES CONTENTS General Overview / Cverage... 2 Designated Recrd Set... 2 Designatin f Cmpliance, Privacy and Security Officers... 4 HIPAA Cmpliance Officer Duties... 4 HIPAA Privacy Officer Duties... 5 HIPAA Security Officer Duties... 6 HIPAA Cntact Persn Duties... 6 HIPAA Ntice f Privacy Practices... 7 Minimum Necessary Uses and Disclsures f PHI... 8 PHI Use and Disclsure... 9 Use and Disclsure f Psychtherapy Ntes Patient Access t their PHI Amendment f PHI Accunting fr Disclsure f PHI Restrictins n Use f PHI Cmmunicatin Methds with and n Behalf f Patients Security Management Administrative Safeguards Physical Safeguards Technical Safeguards Mitigatin f Knwn Harm frm an Imprper Disclsure f PHI Cmpliant Prcedures Marketing Business Assciates Staff Training and Management Fax, Phtcpy and f PHI Page 2

3 General Overview Individual patient privacy has always been an imprtant issue t this practice. Weiss Chirpractic respects the privacy f patient infrmatin and has enacted this plicy and prcedure t ensure that private patient infrmatin is secure and nt inapprpriately used r disclsed. This plicy is designed t cmply with the Health Insurance Prtability and Accuntability Act f 1996 (HIPAA). The relatinship this practice has with its patients is a prfessinal ne which is abslutely cnfidential, and it is essential that it be prtected. It is als the plicy f this Practice t respect Patient s rights regarding their PHI which includes, but is nt limited t, their right t access their PHI. Prtected Health Infrmatin (PHI) may be used r disclsed nly as permitted by this Privacy and Security Plicy and Prcedure, the HIPAA Privacy and Security Standards and state law. PHI is essentially any infrmatin that des r may identify smene and that relates in any way either t the prvisin f health care r payment fr health care. This plicy is designed t give guidance n hw Weiss Chirpractic staff may use r disclse PHI nce it has been determined that the use r disclsure is permissible. It is Weiss Chirpractic s intent t make a gd faith effrt t cmply with mandated federal and state privacy and security laws. Weiss Chirpractic recgnizes that such laws are mdified and updated frm time t time and therefre reserves the right t make apprpriate changes t this plicy t remain in cmpliance. Cverage This plicy applies t all full-time, part-time and temprary Weiss Chirpractic staff, including any vlunteers r students in training. Designated Recrd Set In rder t cmply with HIPAA s Privacy and Security Standards, this ffice designates the fllwing recrds t be ur designated recrd set fr purpses f patients rights t access and t amend their prtected health infrmatin: The patient s clinical chart, hard cpy r electrnic including: reprts f screening and diagnstic tests, ntes n examinatins, cnsultant reprts, x-rays, histry and medicatin reprts, PCP referrals/scripts, hmecare instructins, and all ther clinical infrmatin. The patient s billing recrds, hard cpy r electrnic including: insurance claims, remittance advice frm insurance cmpanies, electrnic fund depsit receipts, bills t patients, evidence f payment by patients, cllectin recrds, referrals t cllectin agencies r attrneys, reprts t cnsumer credit agencies fr unpaid balances, and all ther billing, claim, payment and cllectin recrds. Order and receipt frms specific t a particular patient, hard cpy r electrnic, including: durable equipment rders, patient pick up recrds, and any ther recrds relating t supplies and treatment. Designated Recrd Set Exclusins Written requests nt used t make a decisin cncerning the patient will be handled in accrdance with state law. Dcumentatin and Recrd Retentin Our practice will maintain in written and/r electrnic frm all dcumentatin required by the HIPAA Privacy and Security Rules and state law fr seven years frm the date f last medical r health care services. Fllwing that time, inactive patient recrds will be purged and destryed. A minr patient s recrds will be kept in accrdance with state law. All revisins t HIPAA cmpliance plicies will be dcumented. Cpies f the riginal plicies (prir t the Page 3

4 mdificatins) will be maintained fr six years frm the date the new plicy ges int effect. All written and electrnic cnfidential infrmatin, whether prtected health r cnsumer reprting related, is shredded, pulverized, burned, degaussed, r verwritten as apprpriate in accrdance with ur Destructin Plicy. Designatin f Cmpliance, Privacy and Security Officers In rder t cmply with HIPAA s Privacy and Security Standards, this ffice has designated a Cmpliance Officer, Privacy Officer and a Security Officer. The practice has als appinted a Cntact Persn wh will be respnsible fr receiving, and where apprpriate, respnding t patient requests and cmplaints relating t the discharge f the Practice f its bligatins under its HIPAA Cmpliance Plan. A HIPAA Cmpliance Officers lg will be maintained. When and if it is apprpriate, Shannn M. Schryer will delegate specific respnsibilities within the Cmpliance Officer duties t designated individuals. Key Respnsibilities HIPAA Cmpliance Officer Duties Determine the infrmatin t be included in the HIPAA Ntice f Privacy Practices. Receive, investigate, substantiate r discredit patient privacy cmplaints, Business Assciate privacy vilatin reprts, and emplyee privacy vilatin reprts. Cmmunicate results with thse parties invlved. Cnduct the annual HIPAA Cmpliance Audit. Mitigate and crrect prblems identified thrugh investigatin f privacy r security cmplaints and reprts f vilatin. Develp slutins t patient s requests fr cnfidential methds f cmmunicatin. Determine hw t implement patient s requests t restrict the way prtected health infrmatin is handled fr treatment, payment, and/r health care peratins. Determine whether t hnr patient requests t amend their wn prtected health infrmatin. Research and reslve any and all issues related t HIPAA cmpliance. Create and enfrce emplyee disciplinary plicy related t breach f HIPAA cmpliance requirements. Rescind Business Assciate cntracts, as needed. When cnfidential data need t be discarded, determine mst effective methd fr destrying infrmatin cntained n, hardware, sftware, electrnic media, and written recrds and update the Destructin Plicy accrdingly. Key Respnsibilities HIPAA Privacy Officer Duties Assist in develping the plicies, prcedures and frms required fr the Practice s HIPAA Cmpliance Plan. Ensure crrect cdes are used with electrnic transactins. Manage prcess t ensure cmpliant when submitting t Medicare. Create recrd retentin schedule and purging schedule including the fllwing: Mnitr and audit patient recrd retentin and purging activities accrding t the schedule. Ensure shredding equipment is available fr destrying discarded cnfidential infrmatin and peridically mnitr trash t ensure cnfidential dcuments are being handled prperly. Page 4

5 Cnduct due diligence when use third party vendr t destry unneeded cnfidential dcuments (e.g. check references, accreditatin status, r cnfidentiality plicies, etc.) Manage the practice s Business Assciates by securing and maintaining the fllwing; Secure the required Business Assciate Agreement/Cntract frm each individual r entity. Maintain these Agreements/Cntracts and update as necessary. Ensure return f PHI frm Business Assciate when cntract terminated/services cnclude. Ntify Business Assciates f any updates t ur privacy and security plicies as may be required by law. If BA is handling duties f access, amendment and accunting f disclsures, btain peridic updates/cpy f their lgs and perfrm an audit. Serve as the staff cntact pint fr reprting evidence f ptential vilatins by Business Assciates; update Dctrs/Bard f Directrs as needed. Reprt t Dctrs/Bard f Directrs mitigatin status f imprper use/disclsures by Business Assciates and maintain assciated lg. Handle and maintain Business Assciate Inapprpriate Disclsure Lg. Maintain the Business Assciate Cntact and Data Access Lg with renewal dates and amendment prvisins. Prvide input n apprpriate Business Assciate cntract wrding. Establish a wrkfrce training schedule n privacy standards and security awareness. Mnitr the training prgram t make certain that it ccurs regularly and that the training is effective. Maintain Emplyee Training Lg (Keep recrds fr 6 years). Serve as the staff cntact pint fr reprting evidence f ptential vilatins by staff. Maintain lg f emplyee HIPAA Emplyee Vilatins Lg. Recmmend apprpriate mitigatin f staff privacy and security plicy vilatins. Reprt t Dctrs/Bard f Directrs status f imprper staff use/disclsures. Mnitr the peratins f the Practice t make certain that the Practice s HIPAA Cmpliance Plan is being prperly implemented. Determine t what extent the Practice s HIPAA Cmpliance Plan needs mdificatin r amendment, and develp and implement thse mdificatins r amendments. Dcument actual practices annually and review the practice and any changes with staff. Maintain dcumentatin f nging cmpliance effrts. Key Respnsibilities HIPAA Security Officer Duties Implement, manage and enfrce infrmatin security directives as mandated by HIPAA and HITECH. Ensure the nging integratin f infrmatin security with practice strategies and requirements. Ensure all access cntrl, disaster recvery, business cntinuity, incident respnse and infrmatin risk management needs f the rganizatin are prperly addressed. Page 5

6 Lead infrmatin security awareness and training initiatives t educate emplyees abut infrmatin risks and dcument emplyee participatin. Issue regular emplyee reminders t emplyees regarding security requirements. These reminders are dcumented in the Gd Faith Effrts Cmpliance Lg. Perfrm regular audits t ensure infrmatin systems are adequately prtected and meet HIPAA certificatin requirements. Test and revise cntingency and disaster recvery plans at least every six mnths t include data restratin, a backup cmputer with prper sftware, temprary wrk lcatins and plans fr hw t cmmunicate with staff and patients. Crdinate all activities related t restratin, cmmunicatin and peratins in event f emergency. Lead an incident respnse team t cntain, investigate, and prevent cmputer security breaches and ensure situatin descriptins and reslutins are bth dcumented apprpriately. Hld thers and yurself accuntable fr fllwing established infrmatin security plicies and prcedures including daily back up f data that is then stred ff-site. Use the Hardware and Sftware Inventry and Destructin Lg t maintain the list f all sftware, cmputers, PDAs, phnes and ther medical devices that cntain prtected health infrmatin. Lg, mnitr and update passwrds and permitted access fr each emplyee (r maintain verride access thrugh administratr rle). Assign and delete user ids as needed. Facilitate regular passwrd changes fr all staff. Ensure deactivatin/change prcess is cmpleted immediately upn terminatin f an emplyee. Review and determine apprpriateness f nn-sanctined sftware requested fr dwnlad by emplyees. Use the Questins t Ask Sftware and Hardware Vendrs guidelines where applicable. Crdinate apprpriate destructin f electrnic recrds and equipment that cntain prtected health infrmatin. Use the Hardware and Sftware Inventry and Destructin Lg and/r the Recrd Retentin and Purge Lg as apprpriate t recrd these activities. Key Respnsibilities Receives and Respnds t: HIPAA Cntact Persn Duties Patient cmplaints using the Patient Cmplaint frm r the OCR Health Infrmatin Privacy Cmplaint frm, if applicable. Patient recrd requests using the Patient Recrd Access Request frm. Patient requests fr amendments and/r crrectins t Medical Recrds using the Patient Request(s) Regarding Health Care Recrds frm. Maintains the fllwing lgs: Patient Cmplaint Lg. Reprt f Nn-Rutine Disclsures. Patient Request Lg. Page 6

7 HIPAA Ntice f Privacy Practices In rder t cmply with the HIPAA Privacy and Security Standards, it is the plicy f this ffice t: Make available a HIPAA Ntice f Privacy Practices t every patient at his/her first appintment r similar encunter. Only Shannn M. Schryer has the authrity t change the ntice. The frnt ffice persn is respnsible fr having the HIPAA Ntice f Privacy Practices available and must ask the patient t sign an Acknwledgment f Receipt f HIPAA Ntice f Privacy Practices All signed Acknwledgments are placed in each respective patient s chart. If the patient pts nt t sign, the frnt ffice persn must make a nte f the fact that the patient was asked and refused. Nte the patient s refusal t sign in the space prvided n the Acknwledgment frm. Refusing t sign the acknwledgment frm des nt preclude ur ffice frm prviding services t the patient. It is nt necessary t give a ntice t a patient every time he/she cmes int the practice. If we make a change t the ntice, we will infrm patients and make cpies f the new versin available. We will retain the riginal versin f the ntice (and any subsequent changes) fr six years after the new versin is published. At every patient encunter, the frnt ffice persn must lk in the patient s chart t determine if the patient has previusly signed an Acknwledgment. If yes, it is nt necessary t ffer that patient anther HIPAA Ntice f Privacy Practices unless we have changed ur HIPAA Ntice f Privacy Practices since the date f the Acknwledgment. Our mst current ntice will always have an effective date n the frnt. If n, then it is necessary t distribute a ntice and ask fr signature n an Acknwledgment. Pst ur HIPAA Ntice f Privacy Practices in a clear and prminent lcatin where it is reasnable t expect patients seeking service frm us will be able t read the ntice. Keep cpies f the HIPAA Ntice f Privacy Practices in the ffice s that patients and visitrs may take ne, if they wish. Use and disclse prtected health infrmatin in a manner that is cnsistent with HIPAA and with ur HIPAA Ntice f Privacy Practices. If we change ur ntice, the revised ntice will apply t all prtected health infrmatin we have, nt just prtected health infrmatin we generate r btain after we have changed the ntice. Minimum Necessary Uses and Disclsures f PHI In rder t cmply with HIPAA s Privacy and Security Standards, it is the plicy f this ffice t use r disclse nly the minimum amunt f prtected health infrmatin necessary t accmplish the purpse fr the use r disclsure, under the cnditins and exceptins described in this plicy. Peple in the fllwing jb categries will nly have access t the kind r amunt f prtected health infrmatin indicated: All dctrs, technicians, and the ffice manager: any and all prtected health infrmatin, including the entire clinical chart, necessary fr treatment purpses. Data Entry/Accunting: any and all prtected health infrmatin, including the entire clinical chart, necessary fr accunting purpses. Receptinist: any and all prtected health infrmatin, including the entire clinical chart, necessary fr assisting patients with their inquiries and accmplishing their required assignments. Page 7

8 We will keep all clinical charts, emplyee ntes, lab reprts, cnsumer reprting infrmatin, faxes, billing recrds, etc. secure when they are nt in use by securing them in the recrds clset which is nly accessible by staff and is lcked when we are nt in the ffice. When we send ut r receive cnfidential data, whether thrugh fax, mail r hand delivery, we will ensure the data is kept secure. When faxing phtcpying r ing recrds, all staff members must adhere t the ffice Fax, Phtcpy and Prcedures. Inactive patient files will be secured in the recrd clset. Only authrized staff will have access t this secure strage. We require that all cmputers be turned ff r passwrd-prtected screen savers engaged when the user is away frm the wrkstatin. All staff is prhibited frm brwsing at smene else s wrkstatin r using smene else s cmputer passwrd. Emplyees are prhibited frm talking abut ur patients in public areas. All emplyees are required t sign an Emplyee Cnfidentiality Agreement, indicating their cmmitment t access nly the minimum amunt f prtected health infrmatin necessary fr them t d their jbs, and t abide by the restrictins listed. Vilatin f this agreement is grunds fr disciplinary actin, up t and including terminatin f emplyment. Whenever we receive a request frm a third party fr prtected health infrmatin abut ne f ur patients, r whenever we intend t make a disclsure f prtected health infrmatin abut ne f ur patients, we will disclse nly the minimum necessary amunt f prtected health infrmatin necessary t satisfy the purpse f that disclsure. This des nt apply in the fllwing cases: The patient has authrized the disclsure r the disclsure is fr treatment purpses (fr example, disclsures t a cnsultant r fllw-up health care prvider). A written request received frm a private agency that accredits health care prviders, health care prviders fr the purpse f cnducting utilizatin review, peer review and quality assurance, legal representatives f a health care prvider in pssessin f the medical recrd fr the purpse f securing legal advice, an administratr f a deceased persn s estate, and health care prviders previusly prviding treatment t the extent that the recrds pertain t the prvided treatment. We will disclse nly the indicated prtected health infrmatin in respnse t the fllwing rutine kinds f disclsures that we make: Regular inquiries are received frm insurance cmpanies, managed care rganizatins (e.g. Blue Crss, Cigna, Harvard Pilgrim, etc.), emplyers, wrkers cmpensatin insurance carriers, attrneys, cllectin agencies, transcribers, referring physicians, Scial Security disability determinatins, Veterans Administratin determinatins and the State Industrial Cmmissin. Rutine disclsures cnsisting f the <SPECIFY THE TYPE OF ROUTINE DISCLOSURE AND THE PHI THAT WILL BE DISCLOSED>. We will rely upn the representatins f the fllwing third parties that they have requested nly the minimum amunt f prtected health infrmatin necessary fr their purpses: Anther health care prvider r health plan. A public fficial, like a law enfrcement fficer with prper authrizatin and/r curt rder. Prfessinals prviding services t us (such as attrneys r accuntants). Dr. Weiss is respnsible fr determining the minimum amunt f prtected health infrmatin necessary fr us t disclse in situatins that are nt rutine. In making this determinatin, Dr. Weiss will cnsider the reasn fr the disclsure, whether it falls int any f the circumstances described abve in this plicy, and the prtected health infrmatin that we have in ur pssessin. Whenever we request prtected health infrmatin abut ne f ur patients frm smene else, we will ask fr nly the minimum necessary amunt f prtected health infrmatin necessary fr us t accmplish the intended purpse. Page 8

9 PHI Use and Disclsure Our ffice will nt intimidate, threaten, cerce, discriminate against r take ther retaliatry actin against individuals wh bring issues t the attentin f the practice, r fr exercising their rights under HIPAA t ppse any act r practice made unlawful by the Standards, prvided the individual r persn has a gd faith belief that the issue at hand is unlawful and the manner f the ppsitin is reasnable and des nt invlve an unlawful disclsure f PHI. Our ffice will nt require individuals t waive their rights under the HIPAA Privacy and Security Standards as a cnditin fr receiving treatment. Patient Authrizatin Requirements In rder t cmply with HIPAA s Privacy and Security Standards, it is the plicy f this ffice t btain a signed Patient Authrizatin fr Release f PHI frm befre making a use r disclsure f prtected health infrmatin, except in thse circumstances in which HIPAA and state law d nt require such an authrizatin. As stated in the HIPAA regulatins, we will nt btain a signed patient authrizatin in the fllwing circumstances: Uses and disclsures fr treatment, payment, r health care peratins. This includes, amng ther activities: Prviding care t patients in ur ffice. Seeking assistance frm cnsultants. Making referrals f patients fr fllw-up care. Preparing and submitting claims and bills. Receiving/psting payments and cllectin effrts. Managed care credentialing. Prfessinal licensure and specialty bard credentialing. Quality assurance. Financial audits/management. Training f prfessinal and nn-prfessinal staff, including students. Office management. Fraud and abuse preventin activities. Persnnel activities. Disclsures t Business Assciates wh have signed a Business Assciate Agreement with us. Disclsures that are required by state law, prvided we disclse nly the precise prtected health infrmatin required, and nly t the recipient required. Disclsures t state, lcal r federal gvernmental public health authrities t prevent r cntrl disease, injury, r disability. Disclsures f immunizatin recrds f a student, r prspective student, t a schl when state r ther law prhibits schl admittance withut such prf. We will btain a verbal agreement frm the parent, r legal guardian. Disclsures t individuals r rganizatins under the jurisdictin f the Federal Fd and Drug Administratin ( FDA ), such as drug r medical device manufacturers, regarding the quality r safety f drugs r medical devices. Disclsures t lcal, state, r federal gvernmental agencies in rder t reprt suspected abuse, neglect, r dmestic vilence regarding adults, prvided that we: Obtain an infrmal agreement frm the patient, unless: We are required by law t reprt ur suspicins. Page 9

10 We are permitted, but nt required by law t disclse the prtected health infrmatin, and we believe that a reprt is necessary t prevent harm t ur patient r ther ptential victims. Tell the patient that we are making this disclsure, unless: Telling the patient wuld put the patient at risk fr serius harm. Smene else is acting n behalf f the patient and we think that this persn is the abuser and that telling him r her wuld nt be in the best interest f the patient. Disclsures fr a discvery request t release medical recrds can nly be made if accmpanied by a patient s written authrizatin r a curt rder t disclse the recrds. Disclsures fr health versight audits, investigatins, r disciplinary activities, prvided that we nly disclse t a federal, state r lcal gvernmental agency (r a private persn r rganizatin acting under cntract with r grant f authrity frm the gvernmental agency) that is authrized by law t cnduct versight activities. Disclsures in respnse t a curt rder, prvided that we disclse nly the precise prtected health infrmatin rdered, and nly t the persn rdered. Disclsures in respnse t a prper subpena, prvided that: The subpena is served at least ten days prir t the due date and is accmpanied by a ntice t the patient allwing him/her t file an bjectin. We make sure that either we r the persn seeking the subpenaed infrmatin makes a reasnable effrt t have the curt issue a prtective rder. The request is frm a curt rder, gvernmental agency as part f an insurance fraud r patient abuse investigatin r a grand jury criminal investigatin. Disclsures t plice r ther law enfrcement fficers regarding a crime that we think happened at ur ffice, prvided we reasnably believe the prtected health infrmatin is evidence f a crime. Disclsures t rganizatins invlved in the prcurement, banking r transplantatin f rgans in rder t facilitate dnatin and transplantatin. Uses f prtected health infrmatin t market r advertise ur wn health care prducts r services, r fr any ther marketing exceptin. Refer t the sectin n Marketing fr acceptable marketing situatins. Disclsures t a researcher with a waiver f authrizatin frm an Institutinal Review Bard (IRB) r privacy bard r t a researcher using the prtected health infrmatin nly fr a purpse preparatry t research r t a researcher nly using the prtected health infrmatin f deceased patients, prvided that the researcher gives us the assurances required by HIPAA. Disclsures regarding patients deceased 50 years r lnger. Our ffice may use r disclse a patient s PHI with the patient s ral agreement, r if the patient is unavailable, subject t all applicable requirements. If at any time a prpsed use r disclsure des nt fit exactly int ne f the exceptins t the need fr an authrizatin described in the paragraphs abve, we will btain a signed patient authrizatin befre making the use r disclsure. Prviding Infrmatin t Family and Friends f Patients Invlved in Care In rder t cmply with HIPAA s Privacy and Security Standards, it is the plicy f this ffice t give patients a chance t agree r bject t prviding prtected health infrmatin t clse family r friends wh are helping with the patient s care. A family member is defined by HIPAA as any persn wh is a first-degree, secnd-degree, third-degree, r furth degree relative f the individual r f a dependent f the individual. If we feel it is necessary r apprpriate t infrm a clse family member r friend wh is invlved in a patient s care abut certain relevant prtected health infrmatin, we will give the patient a chance t agree r bject t such disclsure befre we make it. If the patient is present r available when this need arises, we will d any f the fllwing: Get an ral agreement frm the patient that the disclsure is acceptable. Give the patient a chance t bject t the disclsure. Page 10

11 Infer frm the circumstances that the patient des nt bject. Fr example, we can reasnably infer that the patient des nt bject if the family member r friend is in the examining rm with the patient. If the patient is nt present r available when the need arises, we will use ur best judgment abut whether it is in the patient s best interest t disclse the infrmatin. An example might be when a family member r friend cmes t ur ffice t pick up x-rays that the patient requested. A parent may btain any infrmatin n their minr child(ren). Our ffice will use prfessinal judgment and ur experience with cmmn practice t make reasnable inferences f the patient s best interest in allwing a persn t act n behalf f the patient t pick up supplies, prescriptins, x-rays r ther similar frms f PHI. If we make a disclsure t a clse family member r friend under the circumstances described abve, we will nly disclse infrmatin that is relevant t the family member r friend s invlvement with the patient s care. Examples: If the patient s spuse will pick up rdered items, we will prvide the items but nt disclse any diagnses r special features f the item. If a sn r daughter will assist a patient with in-hme treatment, we will prvide infrmatin abut when and hw the treatment shuld be administered, but will nt disclse the patient s diagnsis. If smene claiming t be a family member r friend f the patient initiates cntact with us seeking infrmatin, we will: Verify the identity f the caller and his/her relatinship t the patient. Determine if he/she is invlved in the patient s care. Determine if the patient is available (by phne, , r ther cmmunicatin methd) t either agree r bject t the disclsure. If s, we will give the patient the chance t agree r bject. If the patient bjects, we will nt disclse any infrmatin t the caller. If the patient is nt available by any reasnable means, we will use ur best judgment t determine whether disclsure f infrmatin is in the patient s best interest. Persnal Representatives fr Patients In rder t cmply with HIPAA s Privacy and Security Standards, it is the plicy f this ffice t allw prperly authrized persnal representatives t stand in the shes f a patient in rder t exercise all the rights the patient culd exercise regarding the use and disclsure f prtected health infrmatin and t give any required permissin fr use r disclsure f prtected health infrmatin. Adult patients (18 and ver) and emancipated minrs: Generally, adults and certain emancipated minrs persnally handle all matters abut their prtected health infrmatin. Smetimes, hwever, they may be unable t d s because f mental incapacity. In this case, the fllwing peple may substitute fr the adult r emancipated minr t sign all permissins and exercise all rights regarding prtected health infrmatin: persns authrized by curt rder r an attrney, prviding they have prir patient authrizatin t act in that capacity. In sme states, emancipated minrs are allwed t cnsent t their wn medical r surgical care. Patients are treated as emancipated if they have been granted emancipatin by a curt, are serving in the military, are legally married, r are hmeless. It is nt expected that they wuld receive parental r curt authrizatin fr medical treatment. Unemancipated minrs (under the age f 18) Generally unemancipated minrs are nt able t handle any matters regarding their prtected health infrmatin because the law presumes them t be incapacitated. In sme states, married minrs, hmeless minrs, and minrs serving in the military are permitted t make their wn health care decisins. If nne f these circumstances apply, the fllwing peple may sign all permissins and exercise all rights regarding an unemancipated minr s prtected health infrmatin: either parent r a curt appinted guardian. If we have reasn t believe that access by a nncustdial parent wuld Page 11

12 seriusly endanger the child s r the custdial parent s physical, mental, r emtinal health, we may seek a curt rder blcking disclsure f recrds. Deceased patients The fllwing peple have the authrity t sign permissins and exercise rights regarding the prtected health infrmatin f deceased patients unless ding s vilates the knwn wishes f the deceased: the patient s spuse, an acting trustee if the patient was a beneficiary f the trust during his/her lifetime, an adult child, a parent f the deceased, an adult brther/sister, a guardian r cnservatr at the time f the patient s death. If the patient has been deceased lnger than 50 years, HIPAA des nt cnsider that infrmatin t be prtected under HIPAA Privacy and Security rules and may be disclsed withut authrizatin. In a few instances, we will nt wrk with the persnal representatives listed abve. This may happen in the fllwing cases: We think a persn claiming t be a persnal representative has r may have cmmitted dmestic vilence, abuse, r neglect against the patient, and it is nt in the patient s best interest t treat that persn as the persnal representative. We think that treating such persn as the persnal representative culd have a negative impact n a patient, and it is nt in the patient s best interest t treat that persn as the persnal representative. Befre we wrk with smene claiming t be a persnal representative, we will check ut his/her authrity. This might include checking identificatin, lking at curt r ther dcuments, and/r cnsulting ur attrney. If we are unsure f a persn s authrity t sign permissins r exercise rights regarding prtected health infrmatin, we will nt use r disclse that prtected health infrmatin until any ambiguity is reslved. Verificatin befre Disclsing PHI In rder t cmply with HIPAA s Privacy and Security Standards, it is the plicy f this ffice t verify the authrity and identity f peple r rganizatins that request us t disclse prtected health infrmatin abut ur patients, subject t the cnditins f this plicy statement. If a patient has a persnal representative wh seeks t sign an authrizatin t disclse the patient s prtected health infrmatin t a third party, r t exercise any f the rights that patients have regarding their prtected health infrmatin, we will take the fllwing steps befre we accept the persnal representative s signature r allw him/her t exercise thse rights: Ask fr cpies f any dcuments that are relevant t his/her status as persnal representative. Fr example, we will ask fr a cpy f the curt papers appinting a legal guardian, r a pwer f attrney designating smene t make health-related decisins fr an incapacitated adult. We will ask fr a picture identificatin f the persn serving as persnal representative. We will review all dcuments we receive and make sure they, in fact, authrize the persnal representative t cntrl the patient s prtected health infrmatin, and that there are n limits r expiratin dates that affect this authrity. The Privacy Officer is respnsible fr reviewing dcuments. If there are questins abut the dcuments, Dr. Weiss will wrk t reslve them. We will nt disclse any prtected health infrmatin until all questins are answered and we have prper evidence f the authrity f the persn acting as persnal representative. If we receive a request frm a third party t see r have a cpy f prtected health infrmatin fr a patient withut a signed patient authrizatin, we will take the fllwing steps befre we allw such access: Ask the requester fr evidence that he/she is affiliated with an rganizatin r gvernment agency that is authrized t have access t prtected health infrmatin withut an authrizatin. Evidence may include an fficial badge r identificatin card, an assignment n fficial letterhead, r similar items. Ask the requester fr a picture identificatin. Page 12

13 Ask the requester t specify the legal authrity that the requester believes allws access t prtected health infrmatin. Fr example, if we are asked by a representative f a drug r medical device manufacturer t supply prtected health infrmatin relating t ur use f a particular drug r device, we will make sure the representative is truly affiliated with the drug r device manufacturer; the drug r medical device manufacturer is under the jurisdictin f the U.S. Fd and Drug Administratin; and the drug r device manufacturer is seeking the infrmatin because f a quality r safety cncern abut a prduct they manufacture as prvided in 45 CFR if the HIPAA regulatins. We will review all evidence supplied by the requester t make sure the requester has prper authrity t access prtected health infrmatin and there are n limits r expiratin dates that affect this authrity. The same prcedure fr verificatin will be fllwed as described abve. Patient Access t their PHI In rder t cmply with HIPAA s Privacy and Security Standards, it is the plicy f this ffice t allw patients t inspect and/r cpy their wn prtected health infrmatin under the cnditins stated in this plicy. If the patient has a persnal representative, the persnal representative may inspect r cpy the patient s prtected health infrmatin n behalf f the patient. We require that a patient prvides a written request t inspect r cpy his/her prtected health infrmatin. If a patient calls n the telephne asking t inspect r cpy his/her prtected health infrmatin, we will infrm the patient f the requirement t send the request in writing using the Patient Recrd Access Request frm. Our Privacy Officer and/r Patient Cntact Persn is respnsible fr handling patients requests t inspect r cpy their prtected health infrmatin using the Patient Recrd Access Request frm. We will respnd t a patient s request t inspect r cpy his/her prtected health infrmatin within 30 days f receiving the written request whether r nt the prtected health infrmatin is stred in-huse r ff-site If we need mre time, we may have ne 30-day extensin, but we must ntify the patient in writing f the extensin befre the riginal time perid expires. Use the Respnse t Patient Regarding Request t Access Recrds frm when respnding t this request. A patient wh puts his/her medical cnditin at issue by bringing a lawsuit waives the physician-patient privilege by testifying. We may deny the patient s request nly fr ne r mre f the fllwing reasns: A patient may nt inspect r cpy infrmatin if it was prepared in cnnectin with a lawsuit. A patient may nt inspect r cpy infrmatin if it is generated as part f the patient s participatin in a clinical trial and the request is made during the clinical trial. We must have infrmed the patient abut this restrictin when the patient signed up fr the clinical trial. The patient must be allwed t inspect r cpy this infrmatin when the clinical trial is ver. A patient may nt inspect r cpy infrmatin if we btained the infrmatin frm smene else wh is nt a health care prvider, and we prmised that persn his/her identity wuld remain cnfidential. A patient may nt inspect r cpy infrmatin if we, r anther health care prfessinal, determine this wuld likely endanger the life r physical safety f the patient r smene else. A patient may nt inspect r cpy infrmatin if it references smene else, and we, r anther health care prfessinal, determine that access wuld likely cause substantial harm t the ther persn. A patient s persnal representative (fr example, legal guardian, r parent f a minr) may nt inspect r cpy infrmatin abut the patient if we, r anther health care prfessinal, determines this wuld likely cause substantial harm t the patient r anther persn. A patient may nt inspect r cpy infrmatin that is nt in a designated recrd set. If we deny a patient access t his/her prtected health infrmatin, we will ntify the patient f ur decisin in writing, referencing ne f the reasns abve. Page 13

14 If the denial is based upn ne f the reasns listed abve, the patient has a right t a review f ur decisin Dr. Weiss will handle the review, lking at the infrmatin the patient wants t inspect r cpy, and decide if we were crrect in thinking the patient s circumstances meet the specificatins fr nndisclsure. If nt, the patient may inspect r cpy the infrmatin. If s, the patient may nt inspect r cpy the infrmatin. The patient may nt further questin ur decisin. When we permit a patient t inspect r cpy the requested infrmatin, we will: Prvide the infrmatin in the frm r frmat the patient requests, if we are able t reasnably prduce it that way. If we cannt, we will either agree with the patient abut anther frmat r give it t the patient in hard cpy. Allw the patient t inspect r cpy the infrmatin at ur ffice during nrmal business hurs. Within these limits, the patient may select the date and time t inspect r cpy the recrds. The Privacy Officer will stay with the patient while he/she reviews the recrds. We will charge the patient a reasnable, cst-based fee nt greater than the csts that we incur (this includes labr, cpies, and any mailing r special delivery methd the patient wants us t use). We will cllect all charges befre we make any cpies. When the patient requests that their PHI t be sent via , we will hnr their request in accrdance with ur Fax, Phtcpy and f PHI prcedure. Amendment f PHI In rder t cmply with HIPAA s Privacy and Security Standards, it is the plicy f this ffice t permit patients t request that we amend their prtected health infrmatin under the cnditins stated in this plicy. If the patient has a persnal representative, the persnal representative may exercise this right n behalf f the patient. We require all requests t amend prtected health infrmatin be in writing. If a patient calls n the telephne t request an amendment we will infrm the patient f the requirement t submit this request in writing using the Patient Request(s) Regarding Health Care Recrds frm. Dr. Weiss is respnsible fr handling patient requests t amend their prtected health infrmatin. We will nt physically alter r delete existing ntes in a patient s chart. We will infrm the patient when we agree t make an amendment. We will respnd t requests fr amendment within 60 days after we receive the written request. We may have ne 30-day extensin, if we ntify the patient we need this additinal time befre the riginal time perid expires. Use the Respnse t Patient Regarding Request t Amend Recrds frm when respnding t their request. We may deny a requested amendment nly fr ne r mre f the fllwing reasns: The infrmatin is accurate and cmplete as it is. We did nt create the infrmatin (except in cases where the riginating individual r entity that created the infrmatin is n lnger available.) The infrmatin is nt in a designated recrd set. The patient wuld nt be able t inspect r cpy the infrmatin. If we deny a request, we will ntify the patient. We will infrm the patient f the right t either submit a statement f disagreement r t have the riginal amendment request accmpany the infrmatin. If we grant the requested amendment, we will: Ntify the patient. Append r link the crrected infrmatin t the infrmatin we are hlding. Page 14

15 Send the crrected infrmatin t anyne we knw wh has previusly received the incrrect infrmatin. Send the crrected infrmatin t anyne the patient requests. Accunting fr Disclsures f PHI In rder t cmply with HIPAA s Privacy and Security Standards, it is the plicy f this ffice t prvide ur patients, upn request, with an accunting f the nn-rutine disclsures we have made f his/her prtected health infrmatin during the six years preceding the request, subject t the terms and cnditins stated in this plicy. We will prvide an accunting f all f ur disclsures f a patient s prtected health infrmatin, except fr the fllwing: Disclsures fr treatment, payment, r health care peratins. Disclsures made with a signed patient authrizatin. Disclsures that are incidental t ther permitted disclsures. Disclsures t the patient persnally. Disclsures t family r friends invlved in a patient s care. Disclsures f a limited data set. Disclsures made befre April 14, In rder t be able t prvide an accunting when a patient requests ne, we will keep track f all nn-rutine disclsures that we make f ur patient s prtected health infrmatin, except fr thse disclsures listed in the paragraph abve. Only Dr. Weiss is authrized t make a disclsure f prtected health infrmatin that is nt listed abve. The Privacy Officer will dcument all these disclsures in the Reprt f Nn-Rutine Disclsures fr that particular patient. We will keep this dcumentatin fr seven years. This dcumentatin will include: The date f the disclsure. The name and address (if knwn) f the recipient receiving the prtected health infrmatin. A descriptin f the prtected health infrmatin that was disclsed. A statement f the purpse r basis fr the disclsure, r a cpy f any request fr the prtected health infrmatin that prmpted the disclsure. We require that all requests fr an accunting be in writing. If a request is made by telephne, we will advise the caller t submit it in writing t ur Privacy Officer using the Patient Request fr Accunting f PHI Disclsures frm. We will respnd t a request fr an accunting within 60 days frm ur receipt f the written request. If we are unable t prvide the accunting within this 60 day perid, we may have an additinal 30 days, prvided we ntify the patient f this delay befre the riginal 60 day perid expires. This ntice must include the reasn fr the delay and the date we will have the accunting ready. Our Privacy Officer is respnsible fr advising patients f delays. Our accunting will list all f the infrmatin described abve. If we make repeated disclsures f prtected health infrmatin abut a patient t the same persn r rganizatin fr the same purpse, ur accunting will prvide all f this infrmatin fr the first such disclsure, and then indicate the frequency f the ther disclsures, and the date f the last such disclsure. The Privacy Officer is respnsible fr generating requested accuntings and furnishing them t the patient. We will prvide patients with ne free accunting, upn request, within any 12 mnth perid. Fr additinal accuntings within any 12 mnth perid, we will charge fr the actual cst f preparing and mailing the accunting. We will require payment f this amunt in advance, befre we prepare and furnish the accunting. Page 15

16 The patient s chart will als be used t track each disclsure f PHI as needed t enable us t fulfill ur bligatin t accunt fr these disclsures. Page 16

17 Restrictins n Use f PHI In rder t cmply with HIPAA s Privacy and Security Standards, it is the plicy f this ffice t permit patients t request that we restrict the way we use sme prtected health infrmatin fr purpses f treatment, payment, r health care peratins excluding genetic infrmatin. Dr. Weiss will handle requests frm patients fr restrictins n the way we use prtected health infrmatin fr treatment, payment, r health care peratins. Generally, we will nt agree t restrictins requested by patients. In unusual circumstances, that Dr. Weiss thinks are meritrius, we may agree t a requested restrictin. When the patient has paid in full, ut-f-pcket, fr health care items r services, they have the right t request that this infrmatin nt be disclsed t their health plan. T avid an inadvertent disclsure f this type f restrictin, this ffice will request written ntice frm the patient specifying these directins. If we agree t a requested restrictin, Dr. Weiss will dcument its terms and put this dcumentatin in the patient chart. Dr. Weiss will cmmunicate the terms f the restrictin t the staff wh need t knw abut it. If ne r mre f ur business assciates needs t knw abut it, the Privacy Officer will infrm them. We will hnr any restrictin t which we have agreed; hwever, n restrictin will prevent us frm using any prtected health infrmatin in an emergency treatment situatin. If we have agreed t a restrictin but are n lnger able t hnr it, ur Privacy Officer will d either f the fllwing things: Cntact the patient t wrk ut a mutually agreeable terminatin f the restrictin. Dr. Weiss will dcument this agreement, and keep it in the patient s chart. Cntact the patient and advise that we are n lnger able t hnr the previusly agreed t restrictin. This ntice will nly apply t prtected health infrmatin we btain r generate after the ntice is given. Cmmunicatin Methds with and n Behalf f Patients In rder t cmply with HIPAA s Privacy and Security Standards, it is the plicy f this ffice t accmmdate requests frm patients t send prtected health infrmatin t them in a cnfidential way, subject t the cnditins in this plicy. If a patient requests we use a particular methd t cmmunicate with him/her in rder t preserve the cnfidentiality f his/her infrmatin, we will accmmdate the request if we are reasnably able t d s. We may accmmdate the fllwing kinds f cnfidential cmmunicatin methds: written ntice, , fax. We require that such requests be in writing. If a request cmes in by telephne, we will advise the patient hw t send the request in writing. Use the Patient Request(s) Regarding Health Care Recrds frm fr this written request. We will nt ask r require a patient t explain why he/she wants the particular cmmunicatin methd. We will charge the patient a reasnable fee t recver the cst f cmplying with the request, if apprpriate. Our Privacy Officer is respnsible fr receiving and acting upn patient requests fr cnfidential cmmunicatin methds. Page 17

18 Security Management In rder t cmply with the HIPAA Privacy and Security Standards, it is the plicy f this ffice t ensure all necessary administrative, physical and technical measures are in place t ensure the cnfidentiality, integrity and availability f electrnic prtected health infrmatin. Administrative Safeguards The Security Officer is respnsible fr cnducting an accurate and thrugh assessment f the ptential risks and vulnerabilities t the cnfidentiality, integrity, and availability f electrnic prtected health infrmatin held. A risk analysis is cnducted annually r mre ften if there are substantial changes t ur business practices, sftware r hardware. The Security Officer is respnsible fr cnducting the risk analysis. The analysis is an accurate and thrugh assessment f the ptential risk and vulnerabilities t the cnfidentiality, integrity, and availability f prtected health infrmatin held by ur practice. This includes a review f sftware security cntrl measures and plicies and prcedures. The decisin-making and selectin prcess fr enhancing security cntrls is based n the risks identified during the risk analysis. The Security Officer makes recmmendatins and Dr. Weiss decides what prcesses and plicies t adpt and implement in rder t effectively manage the risks. The security measures implemented by the Security Officer are sufficient t reduce risks and vulnerabilities t a reasnable and apprpriate level and include: Firewall, encryptin, aut-lg ff and/r passwrd prtected screensavers and anti-virus safeguards are reviewed regularly t ensure they are current. Plicies that reflect an apprpriate level f risk regarding access t prtected health infrmatin are reviewed regularly t ensure they remain apprpriate. Dr. Weiss enfrces discipline regarding failure t cmply with the security expectatins f the ffice. All staff members are required t read and sign the Emplyee HIPAA Privacy and Security Rules Acknwledgment frm. Sanctins are explained in the Emplyee Cnfidentiality Agreement which all emplyees are required t read and sign. Emplyees wh d nt cmply with the requirements utlined in this and ther plicies regarding cnfidentiality f infrmatin are subject t disciplinary actin up t and including terminatin f emplyment. The plicy cvers wners, emplyees, agents and cntractrs. Failure t cmply with requirements related t maintaining cnfidentiality may result in ntificatin t law enfrcement fficials and regulatry, accreditatin and licensure rganizatins. The Security Officer cnducts infrmatin system activity reviews which include the fllwing: A review f recrds f infrmatin system activity that is then dcumented in the ffice s Gd Faith Effrt Cmpliance Lg. The infrmatin review includes lking at audit lgs, access reprts and security incident tracking reprts. Our intent is t determine whether any electrnic cnfidential data are being used r disclsed in an inapprpriate manner. Our authrizatin prcess regarding access t electrnic prtected health infrmatin includes the fllwing: Only emplyees wh need access are granted access. A list f which emplyees have access t what data, sftware, transactins, and physical wrk areas is maintained by the Security Officer in the Emplyee Data Access Lg. Access needs are indicated as part f each psitin s jb descriptin. If an emplyee s jb duties change, the jb descriptin is revised t indicate the apprpriate wrk area, data, sftware and transactin access. Changes are dcumented in the Emplyee Data Access Lg. Page 18

19 As part f ur annual HIPAA training, emplyees are advised f the imprtance f apprpriately handling and accessing cnfidential infrmatin. They are als taught hw t handle vilatins by business assciates and hw t use the Emplyee Reprt f HIPAA Vilatin by Business Assciate frm when reprting thse HIPAA vilatins. When vendrs are wrking n r near prtected health infrmatin, we require them t sign a Business Assciate Agreement that ensures they adequately prtect the infrmatin. Our ffice cnducts backgrund checks prir t hiring emplyees t minimize the ptential fr theft r misuse f prtected health infrmatin. Our Security Officer cllects all keys and de-activates access fr all terminated emplyees as utlined in ur Emplyee Terminatin Checklist. Each de-activatin is dcumented in the Emplyee Data Access Lg. Regular reminders abut safeguarding prtected health infrmatin are shared with emplyees at staff meetings. Our ffice prhibits the use f unauthrized sftware and dwnlads as utlined in ur Internet Security Plicy. Virus prtectin sftware is in place t autmatically scan fr new viruses and dwnlad updates. Mnitring lg-in attempts and lcking ut a user after three unsuccessful attempts t lg-in. Our Security Officer manages the passwrd prcess t ensure electrnic infrmatin is safeguarded. The fllwing are requirements regarding passwrds: Each individual is issued a passwrd and sharing passwrds is prhibited. Passwrds are changed regularly. Every 3 mnths. Individuals may nly lg nt ne cmputer at a time. Misuse f passwrds will result in disciplinary actin. All staff members are trained n hw t create secure and apprpriate passwrds using ur Passwrd Tips fr Securing Electrnic Data frm. Passwrds must be unique and nt used fr any ther purpse. Our Security Officer manages security incidents by respnding immediately and mitigating damage as much as pssible. Dr. Weiss is respnsible fr determining the apprpriate curse f actin t mitigate the situatin which culd include ntifying the patients wh are affected by the incident, and/r sending ut crrected infrmatin t business assciates and thers. A security incident is defined as the unauthrized use f ur infrmatin systems in vilatin f laws r ur plicies and prcedures. All incidents, even when accidental, are reprted t the Security Officer. A prcedure is in place t dcument and track attempted breaches, ther security incidents and hw they were reslved using the Emplyee HIPAA Vilatins Lg and Business Assciate Inapprpriate Disclsure Lg. Our ffice has in place a Cntingency Plan Prcedure t respnd t emergencies r ther ccurrences that may damage systems that cntain electrnic prtected health infrmatin. The Plan includes the fllwing: A backup f the system is cmpleted at the end f each business day and stred securely ff-site in accrdance with ur Data Backup Plan. A disaster recvery plan is in place that is managed and maintained by the Security Officer and includes a listing f all hardware and sftware systems, which electrnic data are mst critical, wh t call fr help t restre data, a patient cmmunicatin plan, and a vendr and business partner cntact list with a plan t crdinate deliveries. An emergency mde peratin plan is als in place that includes the ability fr the Security Officer t access all buildings and cmputer passwrds (r administrative verride capabilities) t Page 19

20 access critical data, using the hardware and/r sftware lcated at LIFE SYSTEMS, and the identificatin f a temprary wrk site. If a situatin arises that requires use f any element f the Cntingency Plan, it is the respnsibility f the Security Officer t crdinate the implementatin. Elements f the cntingency plan are reviewed and tested every six mnths. On a regular basis, the Security Officer analyzes the elements f the Cntingency Plan prcedure t ensure the apprpriate applicatins and critical data are included in the plan. This is perfrmed annually. On a regular basis, ur Privacy and Security Officers partner t review all HIPAA-related administrative safeguards t determine if prcesses in place are still apprpriate and in cmpliance with HIPAA regulatins. Cmpliance Reviews will be cnducted nce a quarter. Physical Safeguards T ensure ur ffice is prtected frm ptential break-ins and theft f prtected health infrmatin, ur facility has the fllwing in place: Deadblt lcks n all entry drs. Lck n Recrds Clset. Our lbby is designed s ur Frnt Office persn may serve as a gatekeeper t prevent access t prtected health infrmatin by unauthrized individuals. He/she understands this is his/her rle and it is included as part f the frnt ffice jb descriptin. All changes and imprvements t ur facility that enhance security are dcumented in ur Gd Faith Effrts Cmpliance Lg. Because we are a small ffice, emplyees have access t every area f the facility and share wrkstatins. The Security Officer arranges t prperly dispse f electrnic equipment and media (this Includes fax and cpy machines) cntaining prtected health infrmatin by ensuring all data are cmpletely destryed r remved in accrdance with ur ffice s Destructin Plicy. Because we are a small ffice, accuntability fr hardware and sftware rests with Dr. Weiss. Dr. Weiss apprves all mvement f hardware. If hardware is being mved, the infrmatin n the equipment is backed-up befre it is relcated. Emplyees authrized t use laptps r ther prtable devices t stre PHI are required t secure the equipment when nt in use thrugh apprved encryptin methdlgies and ther physical safeguards. Page 20