CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

Amended as of February 12, 2010 on the authority of the HIPAA Privacy Officer for Creative Solutions in Healthcare, Inc.

TABLE OF CONTENTS

ARTICLE I. Introduction
  A. Purpose and Application
  B. Policy Effective Date
ARTICLE II. Definitions
ARTICLE III. Summary of Policies
ARTICLE IV. Minimum Necessary Rule
  A. General Rule
  B. Criteria for Determining Minimum Necessary
  C. Exceptions to Minimum Necessary Requirement
ARTICLE V. Safeguarding Protected Health Information
  A. General Rule
  B. Physical Security
  C. Electronic Security
  D. Security of Specific Materials and Communications
  E. Remote Access to PHI
  F. Authorization Required
ARTICLE VI. Individuals' Rights Regarding Protected Health Information
  A. Privacy Notice
  B. Access to Protected Health Information

ARTICLE I. INTRODUCTION

A. Purpose and Application

This HIPAA Privacy Policy ("Privacy Policy" or "Policy") reflects practices that have been adopted by Creative Solutions in Healthcare, Inc. ("CSH") to protect the Protected Health Information (PHI) in its Plan Participants' medical information. This Privacy Policy is intended to comply with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as it pertains to health information privacy, and to conform with the Health Information Technology for Economic and Clinical Health Act ("HITECH"), enacted as part of the American Recovery and Reinvestment Act of 2009. The United States Department of Health and Human Services (HHS) issued a complex HIPAA privacy regulation referred to as the Privacy Rule. Modifications to the Privacy Rule are expected from time to time, some of which may require amendment of this Policy.

The Privacy Policy applies only to PHI that is created or received by CSH. All employees of CSH who perform healthcare functions, hereinafter referred to as Responsible Employees, are bound by this Policy. Business Associates who perform activities on behalf of CSH must also comply with this Policy, with all applicable federal and state laws, and with the terms set forth in their Business Associate contracts, if applicable.

B. Policy Effective Date

This Policy is effective as of the HIPAA Compliance Date and the HITECH Compliance Dates, respectively.

ARTICLE II. DEFINITIONS

1. ARRA: the American Recovery and Reinvestment Act of 2009, which enacted Title VIII of the ARRA, known as the Health Information Technology for Economic and Clinical Health Act (HITECH).

2. Authorization: an Individual's specific written permission.

3. Breach (of security or privacy): a use or disclosure of unsecured PHI in violation of the HIPAA Privacy Rule. PHI may not be used or disclosed without the Individual's prior written Authorization.

4. Business Associate: a third-party agent who creates or receives PHI on the Covered Entity's behalf; that is, a person or entity, other than an employee of CSH or of a Health Plan, who performs or assists in the performance of a function or activity involving the use or disclosure of PHI from or on behalf of CSH. Such functions or activities include, but are not limited to, claims processing or administration, data analysis, utilization review, quality assurance, billing, benefit management, repricing, and other professional services. Business Associate also includes all employees of the Business Associate who perform or assist in the performance of functions on behalf of CSH. A list of Business Associates is maintained by the Privacy Officer. Business Associates must comply directly with HIPAA's Security Rules and with the Business Associate provisions of HIPAA's Privacy Rules, and must ensure that their Business Associate agreements conform to the new mandates of the HITECH Act. Business Associates must notify the Covered Entity of any Breach and provide the identity of all affected Individuals.

5. Company: Creative Solutions in Healthcare, Inc.

6. Covered Entity: a health plan, a health care clearinghouse, or a Health Care Provider that transmits health information in electronic form in connection with a Transaction covered under HIPAA.

7. De-identified Information: health information that does not include any of the following identifiers of the Individual or of the Individual's relatives, employers, or household members:
(a) name;
(b) geographic subdivision smaller than a state (except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census, the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000);
(c) month and day of birth and other personal dates;
(d) telephone number;
(e) fax number;
(f) e-mail address;
(g) social security number;
(h) medical record number;
(i) CSH beneficiary number;
(j) account number;
(k) certificate or license number;
(l) vehicle identifier (including serial or license plate number);
(m) device identifier or serial number;
(n) Web Universal Resource Locator or Internet Protocol address number;
(o) biometric identifier;
(p) full-face photographic image; or
(q) any other unique identifying number, characteristic, or code.

Health information is also De-identified Information if a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an Individual who is a subject of the information, provided that the results of the analysis that justify such determination are documented by such person.

8. Designated Record Set: records that include PHI maintained by or for a Health Plan that pertain to payment, claims adjudication, medical or case management, and other information used to make healthcare-related decisions about Individuals.

9. Electronic Health Record: an electronic record of health-related information on an Individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.

10. Electronic Transmissions: transactions using all forms of electronic media. Such transactions include the transfer of information over the Internet (wide open), an Extranet (using Internet technology to link a business with information only accessible to collaborating parties), leased lines, dial-up lines, and private networks. Electronic Transmissions also include magnetic tape, disk, or compact disc media.

11. Encryption: the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key, where the confidential process or key that might enable decryption has not been breached.

12. Health Care Operations: activities related to the Covered Entity's functions as a health care provider, including the general administrative and business functions necessary for the Covered Entity to remain a viable business.

13. Health Care Provider: a person or entity that provides, bills for, and/or is paid for providing medical or health services.

14. HHS: the United States Department of Health and Human Services, the agency charged with interpreting and enforcing the Privacy Rule.

15. HIPAA: the Health Insurance Portability and Accountability Act of 1996 (as amended), and the regulations promulgated thereunder.

16. HIPAA Compliance Date: April 14, 2003, or such other date as set forth under the HIPAA regulations or other HHS guidance, or any related legislative or regulatory action.

17. HITECH: the Health Information Technology for Economic and Clinical Health Act, enacted February 17, 2009.

18. Individual: a person who is the subject of the PHI.

19. Minimum Necessary: the standard described in this Policy to limit the PHI that is accessed, requested, used, disclosed, created, or transmitted.

20. Notice: a written description of CSH's uses and disclosures of Individuals' PHI that satisfies the requirements of and is distributed.

21. Privacy Rule: the provisions of HIPAA that address health information privacy and security.

22. Protected Health Information (PHI): individually identifiable health information that (i) relates to the past, present, or future physical or mental condition of an Individual, the provision of health care to an Individual, or payment for such health care; and (ii) either identifies the Individual, or provides a reasonable basis to believe the information can be used to identify the Individual.

ARTICLE III. SUMMARY OF POLICIES

The following policies are hereby adopted by CSH:

1. CSH will not use or disclose PHI other than as permitted or required by this Policy, or as required by law;
2. CSH will ensure that any agents to whom CSH provides PHI agree to be bound by the same requirements with respect to such PHI;
3. CSH will report to any affected Individuals any use or disclosure in violation of this Policy about which CSH becomes aware;
4. In the event of a Breach of security, CSH will promptly notify each affected Individual that such secure PHI may have become compromised or unsecured;
5. In the event that a Breach involves 500 or more Individuals, CSH will notify the Department of Health and Human Services contemporaneously with the notification of the affected Individuals;
6. In the event that a Breach in the security of PHI involves fewer than 500 Individuals, CSH shall keep a log and produce such log to the Department of Health and Human Services no later than March 1 of the following calendar year;
7. In the event that a Breach in the security of PHI involves 500 or more Individuals from the same state or jurisdiction, CSH will notify prominent media outlets serving the state or jurisdiction, in the form of a press release, contemporaneously with notifying the affected Individuals;
8. Notices of any Breach of security or privacy will be delivered as soon as reasonably possible, but not more than sixty days after discovery of the Breach;

9. Notices of any Breach of security or privacy of PHI shall state (a) a brief description of the incident, including the date of the Breach and the date it was discovered; (b) the types of unsecured PHI involved in the Breach, such as social security number, date of birth, and diagnosis; (c) the steps the affected Individuals can take to reduce the risk of harm from the Breach; (d) a brief description of CSH's or the other Covered Entity's investigation and efforts to mitigate harm to the affected Individuals; (e) the steps taken to prevent a recurrence of the Breach; and (f) contact information for obtaining additional information;
10. CSH will make PHI available to the Individual to whom it refers for inspection or copying;
11. CSH will make PHI available for amendment and will incorporate any amendments into the PHI;
12. CSH will make PHI available to provide an accounting of disclosures;
13. CSH will accommodate an Individual's written requests for access to his or her electronic protected health information and will, upon written request by that Individual, send a copy of his or her electronic health record to a third party;
14. CSH, upon an Individual's written request, will not disclose PHI for payment or health care operations if the Individual has paid out of pocket for the service;
15. CSH shall provide an accounting of disclosures of electronic health records for treatment, payment, and health care operations during the three-year period preceding an Individual's request;
16. CSH will not sell or otherwise disseminate PHI without valid Authorization from the Individual;
17. CSH will make its internal practices and records related to the use and disclosure of PHI available to HHS for purposes of determining compliance with the Privacy Rule;
18. CSH shall make every effort, when feasible, to store all PHI in electronic form, and shall use technology to store and encrypt such information as specified in the HIPAA Security Rule, by the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key, where the confidential process or key that might enable decryption has not been breached;
19. The media on which PHI is stored or recorded shall be destroyed: paper, film, or other hard-copy media by shredding, and electronic media by being cleared, purged, or destroyed such that the PHI cannot be retrieved;
20. CSH will destroy all non-electronic PHI maintained by CSH once it is no longer required to be retained, and will retain no copies (and, if destruction is not feasible, will limit further use and disclosure to the purposes that make return or destruction infeasible); and

ARTICLE IV. MINIMUM NECESSARY RULE

A. General Rule

A Responsible Employee or Business Associate is permitted to use, request, disclose, access, receive, create, and/or transmit (collectively, "use or disclose") PHI for the purposes set forth in this Policy. When using or disclosing PHI to or from any person, a Responsible Employee or Business Associate must make reasonable efforts to use and disclose only the Minimum Necessary amount of PHI to achieve the particular purpose, and must use limited data sets where they can accomplish the same business purpose. In addition to limiting the PHI to limited data sets, a Responsible Employee or Business Associate must take steps to ensure that only the person(s) needing the PHI for the intended purpose receive it. This duty applies regardless of whether such recipients are other Responsible Employees, Business Associates, or other persons to whom the Responsible Employee or Business Associate is required, permitted, or authorized to disclose PHI.

If a Responsible Employee or Business Associate is the recipient of PHI, he or she should process, copy, or record such PHI without disclosing it to others, unless such disclosure is necessary for the intended and permitted purpose. CSH, its Responsible Employees, and its Business Associates shall comply with the directives on the Minimum Necessary standard that the Secretary of HHS may issue from time to time. Prior to any disclosure of PHI in response to a request, the Responsible Employee or Business Associate must take reasonable steps to verify the identity and authority of the person requesting the information.

B. Criteria for Determining Minimum Necessary

The following criteria apply in determining whether a proposed Transaction involving PHI complies with the Minimum Necessary requirement:

1. whether the intended use or disclosure of the PHI is necessary for Payment, Health Care Operations, or another permitted function under this Policy to which the Minimum Necessary rule applies;
2. whether the intended purpose could be served adequately if fewer people were permitted access to (e.g., to use or receive disclosure of) the PHI;
3. whether the intended purpose could be served adequately if less PHI were used or disclosed; and
4. whether the method for transmitting the PHI reasonably ensures that it is received only by the intended recipient.

C. Exceptions to Minimum Necessary Requirement

The Minimum Necessary rule does not apply to the following Transactions:

1. disclosures to, or requests by, a Health Care Provider for treatment purposes;
2. disclosures to the Individual;
3. disclosures to the Secretary of Health and Human Services;
4. uses and disclosures required by law, including disclosures necessary to comply with legal or law enforcement requirements; and
5. uses and disclosures for which the Individual has given Authorization.

ARTICLE V. SAFEGUARDING PROTECTED HEALTH INFORMATION

A. General Rule

When using or disclosing PHI, a Responsible Employee or Business Associate must take reasonable steps to safeguard the PHI and keep it confidential, and to ensure that it is not intentionally or unintentionally used or disclosed for a purpose or in a manner inconsistent with this Policy.

Any Breach of security of PHI must be reported to the Privacy Officer, who will (1) act as necessary to maintain the security of any PHI, including electronic PHI; (2) take such action as he or she deems appropriate to prevent any similar Breach in the future; (3) take the steps necessary to mitigate any damages caused by the Breach; (4) impose appropriate sanctions against the Responsible Employee accountable for the Breach; and (5) notify the affected Individuals and federal and/or state authorities or media outlets as the incident may warrant. If the Privacy Officer determines that sanctions against the Responsible Employee causing such Breach are warranted, he or she will consult with that individual's supervisor. All sanctions issued for a Breach of this Policy, and any applicable sanctions and actions taken to prevent similar Breaches, will be documented by the Privacy Officer.

No Business Associate is permitted to create or receive PHI on behalf of a Health Plan unless the Business Associate has certified that it maintains reasonable procedures to safeguard PHI.

B. Physical Security

PHI in physical form (e.g., printed material, notes, computer disks, and other physical storage media), to the extent it exists and has not been destroyed, will be maintained and stored by CSH on its premises and/or on the premises of a Business Associate that has certified that it maintains reasonable procedures to safeguard PHI. In the case of electronic PHI (ePHI), CSH shall implement technological safeguards and, when feasible, encryption processes and software to protect the ePHI.

1. Building Access

Access to premises on which Health Plan PHI is maintained or stored will be restricted. Persons regularly employed on the premises will be issued and will display identification cards or electronic or photographic key cards, or will otherwise be required to register with building security personnel, in a manner that permits the identification and screening of persons entering the building. Identification or key cards, pass keys, or other means of access will be issued and maintained in accordance with building security policies. Visitors entering the building will also be required to sign in and show valid identification to building security personnel, in accordance with building security policies, so as to permit the identification and screening of others entering the building. Entry will be denied to any person who does not have legitimate business on the premises.

2. Protection of PHI Stored in Physical Form

When not required to be readily available for use by a Responsible Employee or Business Associate, and to the extent such PHI cannot be immediately destroyed or shredded after use, PHI maintained in physical form must be stored in a locked filing cabinet, locked office, or similarly secure repository dedicated to the storage of PHI. The Privacy Officer will maintain a log of such filing cabinets, offices, or similar repositories where PHI is stored and, for each such filing cabinet, office, or repository, (1) the general nature of the PHI stored therein, (2) each Responsible Employee maintaining keys, and (3) the Responsible Employees (by general job description or title) authorized to access such stored PHI in the normal course of their duties. A Responsible Employee may access a filing cabinet, office, or repository in which PHI is stored only if he or she is authorized to do so or is acting under the direct supervision of such an authorized Responsible Employee. Duplicate keys will be maintained for each such filing cabinet, office, or similar repository to ensure that the PHI will be available for access when needed.

Responsible Employees must take reasonable steps to secure PHI in physical form when not in use. PHI must not be visible when a Responsible Employee is away from his or her work area for a significant amount of time. If a Responsible Employee shares a work area with someone who is not a Responsible Employee, PHI maintained in physical form must be stored in a locked filing cabinet, office, or similar repository dedicated to the storage of PHI. The Privacy Officer will monitor the Responsible Employees authorized to access such stored PHI in the normal course of their duties. A Responsible Employee may access a filing cabinet, office, or repository in which PHI is stored only if he or she is authorized to do so or is acting under the direct supervision of such an authorized Responsible Employee.

C. Electronic Security

ePHI, or PHI in electronic form (e.g., e-mail, databases, and computer files containing PHI), will be maintained and stored in a secure manner and in conformity with HITECH and all rules promulgated thereunder by the Department of Health and Human Services. Electronic backup systems must be secured in accordance with HITECH and safeguarded through the use of technology, including, where possible, encryption programs to protect the ePHI, and in conformity with CSH's communication systems policies. PHI and ePHI may be maintained or stored by a Business Associate that has certified that it maintains the required technical safeguards, including encryption technology, pursuant to federal law. Electronic Transmissions containing PHI must, to the extent reasonably possible, be protected to prevent interception by parties other than the intended recipient, or access by unauthorized users, consistent with the Information Security Policy.

1. Access to Electronic PHI

Access to PHI in electronic form will be restricted to Responsible Employees who have a need to access such information in the normal course of their duties. Responsible Employees may access such electronic PHI only on authorized computers, following the applicable procedures regarding password protection, encryption, periodic backup, and virus protection. Responsible Employees with remote access to electronic PHI must protect that PHI. All computer files and databases containing PHI received, created, or maintained by CSH in electronic form which require access by more than one Responsible Employee, or which may be accessed by a Business Associate or Covered Participant, will be maintained on a secure network. Access to files, databases, and other PHI in electronic form will be password protected and will be available only to authorized Responsible Employees or Business Associates who need to access such PHI in the course of their duties, within the requirements of the HITECH Act.

A Responsible Employee who discloses his or her password to another person (other than upon request to an authorized employee in the information systems department for security or systems maintenance purposes) may be subject to sanctions under this Privacy Policy and under CSH's Progressive Discipline program.

Upon termination of a Responsible Employee, or upon a change or reassignment of an employee whose job functions have changed so that he or she is no longer a Responsible Employee, he or she shall be removed from authorized access to any files, databases, and other PHI maintained in electronic form. Such terminations shall be reported to an appropriate Responsible Employee in the information systems department, who will adjust the former Responsible Employee's access to electronic PHI accordingly.

Employees in the Human Resources Information Technology Department may have access to files, databases, and other PHI in electronic form solely as necessary for security and systems maintenance purposes. Such employees will be treated as Responsible Employees and will be trained on maintaining the security of PHI. Any outside entity (including Business Associates) retained to perform information technology services will not be permitted access to any files, databases, and other PHI in electronic form, except as necessary. Such access will be approved by the Privacy Officer and will be performed under the direct supervision of authorized personnel within the information systems department.

2. Electronic Transmissions of PHI

A Responsible Employee who performs Electronic Transmissions as part of his or her job functions, or a Business Associate contracted to perform Electronic Transmissions on behalf of a Health Plan, may engage in a Transaction involving the Electronic Transmission of PHI if the following conditions are met:

(a) The Responsible Employee or Business Associate has determined that the Transaction is permitted under this Privacy Policy; and

(b) The Responsible Employee or Business Associate has received reasonable assurances that the intended recipient has appropriate control of, and access to, the computer(s) receiving the Electronic Transmission.

Whenever possible, an Electronic Transmission of PHI will meet the following criteria:

(c) For non-open networks, either access control (password protection) or encryption will be used to prevent parties other than the intended recipient from intercepting messages; and

(d) Both open and non-open networks will have integrity controls which ensure the validity of the information being transmitted or stored. In addition, there will be an error message which reports abnormal conditions within a system and, either locally or remotely, signals such abnormality; an audit trail; an authentication of the user which denies access to unauthorized users and identifies authorized users; and event reporting which documents operational irregularities or the completion of a task.

D. Security of Specific Materials and Communications

1. Printed/Written Material

(a) Generally

Responsible Employees and Business Associates must, whenever possible, destroy or shred printed or written material containing PHI, or convert it to ePHI format and maintain it in accordance with the HITECH Act, and must keep printed or written materials containing PHI in designated secure locations when not in use. When printed materials are in use, the Responsible Employee or Business Associate must take reasonable steps to ensure that such materials are viewable only by the Responsible Employee or Business Associate. For example, if a Responsible Employee or Business Associate has PHI in printed material on his or her desk, he or she should put away the material or otherwise make sure that the PHI is not in plain view before leaving his or her immediate work area for any significant amount of time. Printed materials containing PHI that are maintained or stored at a premises must be placed in locked file cabinets after business hours. If another person enters a Responsible Employee's or Business Associate's immediate work area while the Responsible Employee or Business Associate is viewing PHI, the Responsible Employee or Business Associate should remove the PHI from the view of the other person (other than a Responsible Employee or Business Associate whose duties include the matters to which the PHI relates) if it is reasonable to do so. Under no circumstances may printed material containing PHI be removed from a Responsible Employee's work site without the approval of a Level I Responsible Employee. Printed or written material containing PHI that (i) is created or received by a Responsible Employee or Business Associate, and (ii) is not part of a Designated Record Set or otherwise necessary or intended to be part of the Individual's file, such as personal notes not required to be retained, will be shredded or placed into a locked disposal receptacle and destroyed.

(b) Mail

Interoffice, intercompany, or outside mail addressed to a Health Plan (or known to relate to a Health Plan) and sent to CSH must be delivered only to Responsible Employees. Any other correspondence addressed to CSH that contains PHI must be forwarded to an appropriate Responsible Employee. Mail likely to contain PHI that is sent to a Business Associate shall be handled and processed in accordance with guidelines established by the Business Associate to reasonably ensure compliance with the Minimum Necessary rule. If mail not addressed to a Health Plan is later determined to contain PHI, the mail must be forwarded to a Responsible Employee. Mail containing PHI should be handled and stored in accordance with the general guidelines for printed materials discussed herein.

A Responsible Employee or Business Associate must take reasonable steps to verify that the addressee is a person or persons to whom the Responsible Employee or Business Associate is required, permitted, or authorized to disclose PHI, as described in this Health Plan Privacy Policy. Thus, the Responsible Employee or Business Associate may not routinely copy other persons to whom an Individual directed his or her correspondence (whether as "cc" or directly) on outgoing correspondence containing PHI. Instead, the Responsible Employee or Business Associate first must consider whether the persons copied on the original correspondence are authorized to receive the PHI, keeping in mind that by merely directing correspondence to such persons, the Individual did not give Authorization for the Responsible Employee or Business Associate to disclose PHI to them.

Outgoing mail should be addressed to the Individual at his or her address of record with CSH, unless the Responsible Employee or Business Associate is directed to address mail to an alternate address. Outgoing mail to a Responsible Employee or Business Associate should be sent to the Responsible Employee's or Business Associate's business address. Outgoing correspondence containing PHI mailed to a Health Care Provider, non-Company health plan, or other third party should be sent to the address provided by the requestor. A Responsible Employee or Business Associate who mails material containing PHI must ensure that no PHI is visible from the outside of the envelope. Once known to contain PHI, mail must be marked "confidential". CSH assumes that only the person(s) to whom mail correspondence is addressed, or another Responsible Employee under his or her supervision, will receive and open the correspondence.

(c) Faxes and Print Jobs

A Responsible Employee or Business Associate must take reasonable steps to ensure that all incoming faxes and print jobs containing PHI are retrieved and viewed only by the Responsible Employee or Business Associate who is the intended recipient, or by another Responsible Employee under his or her supervision. A Responsible Employee or Business Associate who transmits a fax containing PHI must take reasonable steps to verify that the fax is addressed to a person to whom the Responsible Employee or Business Associate is required, permitted, or authorized to disclose PHI, as described in this Health Plan Privacy Policy. PHI should be faxed to an Individual only upon the Individual's express request, and only if the Individual represents that he or she alone will have access to retrieve the fax. PHI may be faxed only to a Responsible Employee's or Business Associate's business fax number. Faxes to a Health Care Provider, non-Company health plan, or other third party should be sent to the number provided by the requestor. A Responsible Employee or Business Associate must advise third parties to send faxes to a secured fax machine accessible to the Responsible Employee or Business Associate. If a Responsible Employee or Business Associate knows that a fax containing PHI is being sent to him or her, then the Responsible Employee or Business Associate must promptly retrieve the fax and safeguard the document. If a Responsible Employee or Business Associate prints a document containing PHI, then he or she must promptly retrieve it and safeguard the document.

Electronic Information

(d) Generally

All electronic PHI shall be secured such that specific security measures have been implemented, such as encryption programs and other technology incorporated to safeguard ePHI. Security measures must be in place that would render the ePHI untenable, unreadable, or indecipherable. A Responsible Employee or Business Associate must store tapes and other physical storage media containing PHI in designated secure locations. A Responsible Employee or Business Associate must take reasonable steps to ensure that PHI displayed on his or her monitor is viewable only by the Responsible Employee or Business Associate. For example, if a Responsible Employee has PHI displayed on his or her computer screen, he or she should close the window containing the PHI and lock the computer before leaving his or her immediate work area.

(e) E-Mail

A Responsible Employee or Business Associate who transmits mail electronically must take reasonable steps to verify that each intended recipient is a person to whom the Responsible Employee or Business Associate is required, permitted, or authorized to disclose PHI, as described in this Health Plan Privacy Policy. If an e-mail contains PHI, the Responsible Employee or Business Associate also must take reasonable steps to verify that the intended recipient has sole access to the addressee e-mail account, unless the e-mail is directed to an account accessed by a number of Responsible Employees or Business Associates who are permitted to use the PHI to perform Health Plan functions. If the e-mail address is a Company address, the Responsible Employee or Business Associate may assume that the recipient has sole access or, if there are multiple persons with access to the CSH e-mail account, that all such persons are Responsible Employees with a legitimate reason to view any incoming e-mail messages.

A Responsible Employee or Business Associate may not routinely copy other persons to whom an Individual directed his or her e-mail (whether as "cc" or directly) on outgoing e-mail that includes PHI. The Responsible Employee or Business Associate first must consider whether such persons copied on the original e-mail are authorized to receive the PHI, keeping in mind that by merely directing correspondence to such persons, the Individual has not given his or her Authorization for the Responsible Employee or Business Associate to disclose PHI to such persons.

All e-mail to an Individual should be sent to the e-mail account on record with CSH or to the e-mail address specifically provided by the Individual. E-mail to a Responsible Employee or Business Associate must be sent to a business e-mail address. Messages to a Health Care Provider, non-Company health plan, or other third party should be sent to an e-mail address provided by the requestor. The Responsible Employee must take reasonable steps to verify the identity of the recipient before sending communications via e-mail. A Responsible Employee or Business Associate must advise third parties to send e-mail containing PHI to a business e-mail account accessible only by the Responsible Employee or Business Associate (and such other Responsible Employees and Business Associate employees with a legitimate need to use or access such PHI in the performance of Health Plan functions).

2. Telephonic and Other Verbal Communication

(a) Generally

A Responsible Employee or Business Associate must take reasonable steps to ensure that persons who do not have a legitimate need to know the content of the conversation do not overhear telephone and other verbal conversations in which PHI is discussed. For example, conferences in which PHI is discussed generally should be conducted in a closed room or in a low tone of voice unlikely to be overheard. Before engaging in a conversation in which a Responsible Employee or Business Associate may disclose PHI, the Responsible Employee or Business Associate must take reasonable steps to verify that all of the other parties on the telephone line or present for the conversation are persons to whom the Responsible Employee or Business Associate is required, permitted, or authorized to disclose PHI, as described in this Policy.
If the caller is the Individual and another person is on the line, or if another person is present during an in person conversation, the Responsible Employee or Business Associate must not discus the Individual s PHI except as permitted. Recordings A Responsible Employee or Business Associate who leaves a recorded message containing PHI must take reasonable steps to verify (i) that each intended recipient is a person to whom the Responsible Employee or Business Associate is required, permitted or authorized to disclose PHI, as described in this Policy; and (ii) that the intended recipient (or the intended recipient and other persons authorized to view the PHI, e.g., a person permitted to access the Individual s PHI pursuant to an Authorization) has sole access to the answering machine. If this cannot be verified, the Responsible Employee or Business Associate must limit the message to one that does not contain PHI. A Responsible Employee or Business Associate may leave a recorded message containing PHI for another Responsible Employee or Business Associate at the Responsible 15

16 Employee s or Business Associate s business phone number. A Responsible Employee or Business Associate may leave a recorded message containing an Individual s PHI on an Individual s home answering machine only if the answering machine message indicates that it is the answering machine for the Individual (or his or her residence), and the Individual has instructed the Responsible Employee to leave the message. If the Individual is a Company employee, the Responsible Employee or Business Associate may leave a message with PHI in the Individual s Company provided voice mail box, unless the Individual directs otherwise. A Responsible Employee or Business Associate must use only the Responsible Employee s or Business Associate s business voice mailbox for conducting Health Plan business. Such voice mailbox must be accessible only to the Responsible Employee or Business Associate (and such other Responsible Employees and Business Associate employees with a legitimate need to use or access such PHI in the performance of Health Plan functions). E. Remote Access to PHI A Responsible Employee or Business Associate who remotely accesses PHI is subject to all applicable requirements of this Policy. PHI may be remotely accessed electronically using a secured, encrypted connection. Responsible Employees and Business Associates who work remotely must restrict access to the area in which PHI is used, maintained, or stored. When not required to be readily available for use by a Responsible Employee or Business Associate, PHI maintained in physical form must be reasonably secured and must not be left in open view for any significant period of time. The Responsible Employee or Business Associate must take steps to ensure that PHI used and stored in the off site work area cannot be accessed by others, including the Responsible Employee s or Business Associate s family members. 
All PHI received or created by a Responsible Employee or Business Associate who is working remotely must be secured and accounted for consistent with this Health Plan Policy. If a Responsible Employee or Business Associate creates or receives any PHI that is part of the Designated Record Set, such PHI must be stored and maintained on the appropriate system or on CSH s or the Business Associate s premises. Individuals Authorizations F. Authorization Required Generally, CSH will not use or disclose PHI without an Individual s Authorization. Each such use or disclosure must be consistent with the Authorization given for that use or disclosure. A Health Plan will request an Authorization if there is a need to disclose PHI for reasons not otherwise permitted. If a Health Plan requests the Authorization then the Individual must be provided with a copy of the Authorization.. ARTICLE VI. INDIVIDUALS RIGHTS REGARDING PROTECTED HEALTH INFORMATION An Individual has a number of rights under the Privacy Rule, including the right to a privacy Notice containing the Health Plan s legal duties regarding uses and disclosures of PHI, 16

17 the right to access and amend PHI in a Designated Record Set, the right to request restrictions on uses and disclosures of PHI, and the right to an accounting of certain uses and disclosures of PHI. Under no circumstances will Health Plan enrollment or benefit payment be conditioned on an Individual s waiver of his or her rights under the Privacy Rule.. A. Privacy Notice CSH, on behalf of CSH, must notify Individuals of the Health Plan s permissible uses and disclosures of their PHI and of the Individuals rights and the Health Plan s legal duties with respect to PHI. The terms of the Notice also bind all Business Associates, to the extent the Business Associates use or disclose PHI on behalf of a Health Plan. The Notice must be provided to each Individual by the HIPAA Compliance Date and for new enrollees after the HIPAA Compliance Date at the time of enrollment. The Notice must also be posted on CSH s website where Health Plan information is available. Each covered dependent of a Covered Participant will be deemed to have received a copy of the Notice if the Notice is provided to the Covered Participant. The Notice must be revised whenever there is a material change to the uses and disclosures, Individuals rights, the Health Plan s duties, or other privacy practices stated in the Notice. Revised Notices must be distributed to Covered Participants and will be posted on CSH s website within 60 days of the material change. The Privacy Officer must maintain a copy of each version of the Notice for a period of at least six years from the date last effective. Once every three years, CSH must notify Covered Participants of their right to obtain a copy of the Notice and how to do so. If the Covered Participant agrees, delivery of the Notice may be electronic. If the Health Plan becomes aware that electronic delivery has failed, a paper copy must be provided. 
All Individuals have the right to request a paper copy of the Notice by making a request to the Privacy Officer.. B. Access to Protected Health Information CSH must permit an Individual to inspect and obtain a copy of his or her PHI maintained by CSH (including all Business Associates) within the Designated Record Set, except for information compiled in preparation for legal proceedings. A request for access must be made in writing and submitted to the Privacy Officer or Business Associate.. If access is granted, the Health Plan will provide timely access to the Individual s PHI in the standard form or format established by the Health Plan, unless another form or format is specifically requested by the Individual. If the form or format requested by the Individual is not readily producible, access to the PHI will be provided in form or format agreed to by the Health Plan and the Individual. If the Health Plan charges a fee to copy and/or mail the requested PHI, the Individual will be notified of the fee in advance. 1. Timing of Response and Providing Access 17

18 Within 30 days (or 60 days if the requested PHI is not maintained or accessible on site) of receiving the request, the Privacy Officer must provide either the requested access, a written denial notice, or a written notice that an extension of time is needed to respond to the request. If a decision cannot be made within 30 days (60 days) of the request, CSH can extend the time limit by up to 30 additional days, as long as the Individual is notified in writing of the reason for the delay and the additional time needed to comply before the expiration of the first 30 day (60 day) period. If a Business Associate maintains the requested information for a Health Plan, the Privacy Officer will instruct the Business Associate to provide the Privacy Officer or the requesting individual directly with copies of the PHI so that the requested access can be provided within these time frames. 18


More information

HIPAA PRIVACY POLICY FOR OPTICAL LABS TABLE OF CONTENTS. Exhibit B Notice of Privacy Practices pages B-1 to B-4

HIPAA PRIVACY POLICY FOR OPTICAL LABS TABLE OF CONTENTS. Exhibit B Notice of Privacy Practices pages B-1 to B-4 HIPAA PRIVACY POLICY FOR OPTICAL LABS TABLE OF CONTENTS HIPAA Privacy Policy pages 2 to 12 Exhibit A HIPAA Privacy Regulations pages A-1 to A-89 Exhibit B Notice of Privacy Practices pages B-1 to B-4 Exhibit

More information

Medical Privacy Version 2015.12.10 - Standard. Business Associate Agreement. 1. Definitions

Medical Privacy Version 2015.12.10 - Standard. Business Associate Agreement. 1. Definitions Medical Privacy Version 2015.12.10 - Standard Business Associate Agreement This Business Associate Agreement (the Agreement ) shall apply to the extent that the Lux Scientiae HIPAA Customer signee is a

More information

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean.

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean. BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement is made as of the day of, 2010, by and between Methodist Lebonheur Healthcare, on behalf of itself and all of its affiliates ( Covered Entity

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT The parties to this ( Agreement ) are, a _New York_ corporation ( Business Associate ) and ( Client ) you, as a user of our on-line health record system (the "System"). BY

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (this Agreement ) is made effective as of ( Effective Date ) by and between Sentara Health Plans, Inc. ( Covered Entity ) and ( Business Associate

More information

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS Dear Physician Member: Thank you for contacting the California Medical Association and thank you for your membership. In order to advocate on your behalf,

More information

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY School Board Policy 523.5 The School District of Black River Falls ( District ) is committed to compliance with the health information

More information

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security

More information

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN Major Changes to HIPAA Security and Privacy Rules Enacted in Economic Stimulus Package By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN The HITECH Act is the

More information

Breach Notification Policy

Breach Notification Policy 1. Breach Notification Team. Breach Notification Policy Ferris State University ( Ferris State ), a hybrid entity with health care components, has established a Breach Notification Team, which consists

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT 1. DEFINITIONS: 1.1 Undefined Terms: Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms defined by the Health Insurance Portability

More information

Section C: Data Use Agreement. Illinois Department of Healthcare and Family Services. And DATA USE AGREEMENT

Section C: Data Use Agreement. Illinois Department of Healthcare and Family Services. And DATA USE AGREEMENT Section C: Data Use Agreement Illinois Department of Healthcare and Family Services And DATA USE AGREEMENT This Data Use Agreement (the Agreement ) is effective as of (the Agreement Effective Date ) by

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into as of ( Effective Date ) by and between ( Covered Entity ) and American Academy of Sleep Medicine ( Business Associate

More information

EXHIBIT C BUSINESS ASSOCIATE AGREEMENT

EXHIBIT C BUSINESS ASSOCIATE AGREEMENT EXHIBIT C BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT is made and entered into by and between ( Covered Entity ) and KHIN ( Business Associate ). This Agreement is effective as of, 20 ( Effective Date

More information

BUSINESS ASSOCIATE AGREEMENT TERMS

BUSINESS ASSOCIATE AGREEMENT TERMS BUSINESS ASSOCIATE AGREEMENT TERMS This Addendum ( Addendum ) is incorporated into and made part of the Agreement between SIGNATURE HEALTHCARE CORPORATION ("Covered Entity ) and ( Business Associate"),

More information

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview Updated HIPAA Regulations What Optometrists Need to Know Now The U.S. Department of Health & Human Services Office for Civil Rights recently released updated regulations regarding the Health Insurance

More information

CATHOLIC SOCIAL SERVICES BUSINESS ASSOCIATE AGREEMENT

CATHOLIC SOCIAL SERVICES BUSINESS ASSOCIATE AGREEMENT CATHOLIC SOCIAL SERVICES BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (Agreement) is made this day of, 20, between the Catholic Social Services ( CSS ), whose business address is 3710

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (the AGREEMENT ) is entered into this (the "Effective Date"), between Delta Dental of Tennessee ( Covered Entity ) and ( Business Associate

More information

HIPAA Compliance Guide

HIPAA Compliance Guide HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (hereinafter Agreement ) is between COVERED ENTITY NAME (hereinafter Covered Entity ) and BUSINESS ASSOCIATE NAME (hereinafter Business

More information

Donna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS

Donna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS Donna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS 1 DISCLAIMER Please review your own documentation with your attorney. This information

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the "Agreement") is made and entered into this day of,, by and between Quicktate and idictate ("Business Associate") and ("Covered Entity").

More information

HIPAA BREACH RESPONSE POLICY

HIPAA BREACH RESPONSE POLICY http://dhmh.maryland.gov/sitepages/op02.aspx (OIG) DHMH POLICY 01.03.07 Effective Date: July 22, 2014 I. EXECUTIVE SUMMARY The Department of Health and Mental Hygiene (DHMH) is committed to protecting

More information

BUSINESS ASSOCIATE AGREEMENT Health Insurance Portability and Accountability Act (HIPAA)

BUSINESS ASSOCIATE AGREEMENT Health Insurance Portability and Accountability Act (HIPAA) BUSINESS ASSOCIATE AGREEMENT Health Insurance Portability and Accountability Act (HIPAA) This Business Associate Agreement (the Agreement ) is made and entered into as of [Date] (hereinafter Effective

More information

Montclair State University. HIPAA Security Policy

Montclair State University. HIPAA Security Policy Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that

More information

District of Columbia Health Information Exchange Policy and Procedure Manual

District of Columbia Health Information Exchange Policy and Procedure Manual District of Columbia Health Information Exchange Policy and Procedure Manual HIPAA Privacy & Direct Privacy Policies (Version 1 November 27, 2012) Table of Contents Policy # Policy/Procedure Description

More information

DRAFT BUSINESS ASSOCIATES AGREEMENT

DRAFT BUSINESS ASSOCIATES AGREEMENT DRAFT BUSINESS ASSOCIATES AGREEMENT THIS AGREEMENT is made this day of, 20, by and among, a Corporation organized under the laws of the State of (hereinafter known as "Covered Entity") and organized under

More information

H I P AA B U S I N E S S AS S O C I ATE AGREEMENT

H I P AA B U S I N E S S AS S O C I ATE AGREEMENT H I P AA B U S I N E S S AS S O C I ATE AGREEMENT This HIPAA BUSINESS ASSOCIATE AGREEMENT (the BAA ) is entered into by and between Opticare of Utah, Inc. ( Covered Entity ), and,( Business Associate ).

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) by and between (hereinafter known as Covered Entity ) and Office Ally, LLC. (hereinafter known as Business Associate ), and

More information

TriageLogic Information Security Policy

TriageLogic Information Security Policy TriageLogic Information Security Policy What is HIPAA, and what information is protected by it? HIPAA, short for the United States Health Insurance Portability and Accountability Act, is a set of standards

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is effective as of, 200 ( Effective Date ), and entered into by and between, whose address is ( Business Associate ) and THE

More information

BUSINESS ASSOCIATE AGREEMENT. (Contractor name and address), hereinafter referred to as Business Associate;

BUSINESS ASSOCIATE AGREEMENT. (Contractor name and address), hereinafter referred to as Business Associate; BUSINESS ASSOCIATE AGREEMENT (Agreement #) THIS DOCUMENT CONSTITUTES AN AGREEMENT BETWEEN: AND (Contractor name and address), hereinafter referred to as Business Associate; The Department of Behavioral

More information

SECURITY RISK ASSESSMENT SUMMARY

SECURITY RISK ASSESSMENT SUMMARY Providers Business Name: Providers Business Address: City, State, Zip Acronyms NIST FIPS PHI EPHI BA CE EHR HHS IS National Institute of Standards and Technology Federal Information Process Standards Protected

More information

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually

More information