NORTH CAROLINA COMMUNITY CARE INC. Privacy Policy Manual




Contents
Contents ... 1
Privacy Policy ... 2
Privacy Official Policy ... 3
Privacy Safeguards Policy ... 5
Workforce Policy ... 9
Business Associates Policy ... 11
Privacy Complaints Policy ... 12
Privacy Incidents Policy ... 13
Breach Notification Policy ... 15
De-Identification and Limited Data Set Policy ... 19
Legal Occurrences Policy ... 22
Research Policy ... 24
Use and Disclosure Policy ... 25
Sanctions Policy ... 29
Figure 1 Fax Cover Sheet ... 31
Figure 2 Visitor Control Log ... 32
Figure 3 Pledge of Confidentiality ... 33
Figure 4 Confidentiality Agreement ... 34
Figure 5 Privacy Incident Form ... 38
Figure 6 Incident Response ... 47
Figure 7 Incident Log ... 49
Figure 8 Disclosure Log ... 50

Privacy Policies
NC COMMUNITY CARE NETWORKS, INC. POLICIES AND PROCEDURES MANUAL
Approval Date: 12/10/12 | Effective Date: 12/11/12 | Revision History: 5/11/12

Purpose
This Policy Manual has been developed for Community Care of North Carolina to provide policies that will allow for compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule and HITECH.

Roles and Responsibilities
The CCNC Privacy Officer provides oversight for the use and disclosure of health information and serves as the primary point of contact for privacy-related issues within the organization.

Policy
1. CCNC will develop and implement policies to protect the privacy of protected health information that is created, received, and maintained during its regular course of business.
2. Policies will be reasonably designed to comply with state and federal laws, taking into account the scope of the requirement and the nature of the activities undertaken that relate to protected health information. The HIPAA Privacy Rule will be the primary resource for these privacy policies. Policies, procedures, and privacy documentation required by the HIPAA Privacy Rule will be maintained in writing.
3. Policies will address essential administrative privacy requirements so that CCNC uses and/or discloses protected health information in a confidential and secure manner.
4. All policies will be located in the CCNC HIPAA Privacy Policy and Procedure Manual, which will be maintained by the Privacy Officer and placed in a folder available to all staff on the CCNC N Drive.
5. Policies and procedures will be modified as necessary. Policy revisions shall be documented and maintained for at least 6 years.

Enforcement, Auditing, and Reporting
1. Any workforce member found to have violated the policies herein may be subject to corrective action, up to and including termination of employment.

Privacy Official
COMMUNITY CARE OF NORTH CAROLINA POLICIES AND PROCEDURES MANUAL
Eff. Date: 12/11/12 | Rev. History: 5/29/12

Purpose
CCNC is committed to safeguarding the confidentiality of protected health information (PHI) to ensure that any patient information created, received, or maintained by the organization is only used or disclosed in accordance with federal and state regulations. This policy addresses the requirement of the HIPAA Privacy Rule to designate a Privacy Officer to serve as the primary point of contact for privacy-related issues for CCNC.

Roles and Responsibilities
CCNC will ensure that a Privacy Officer maintains the development and implementation of policies and procedures that conform to the privacy regulations and other state and federal laws that protect patient information.

Policy
The CCNC Privacy Officer provides oversight for the use and disclosure of health information and serves as the primary point of contact for privacy-related issues within the organization. CCNC is a business associate of the Division of Medical Assistance (DMA). As such, CCNC is required to have a Privacy Officer in place to ensure that the permissible exchange of health information is taking place based on contractual agreements and federal/state requirements.

The following is a list of responsibilities set forth for the Privacy Officer:
1. Develop policies and procedures for implementation of the HIPAA Privacy regulation requirements.
2. Maintain current knowledge of applicable federal and state privacy laws and accreditation standards.
3. Monitor advancements in emerging privacy technologies to ensure that the organization is positioned to adapt to and comply with these advancements.
4. Establish and recognize best practices relative to the management of the privacy of health information.
5. Serve as a liaison to DMA/DHHS or CCNC Network staff, as necessary.
6. Perform an initial and annual information privacy risk assessment and conduct related ongoing compliance monitoring activities in coordination with applicable directives.
7. Document and report findings as required.
8. Ensure a mechanism is in place within CCNC for receiving, documenting, tracking, investigating, and taking action on all complaints concerning the organization's privacy policies and procedures, in coordination and collaboration with legal counsel when necessary.
9. In collaboration with the Security Officer, institute a mechanism to audit access to protected health information, within the scope of organizational policy and as required by law, and allow qualified individuals to review or receive a report on such activity as needed.
10. Oversee, direct, and ensure delivery of initial privacy training and orientation to all employees, volunteers, contractors, business associates, and other appropriate third parties, and subsequently record the results in accordance with the organization's training documentation requirements.
11. Create a process to ensure annual refresher training is conducted in order to maintain workforce awareness and to introduce any changes to privacy policies.
12. Initiate, facilitate, and promote activities to foster information privacy awareness within the organization and related entities.
13. Serve as the advocate for the confidentiality and privacy of health information.
14. Understand the content of health information in its clinical and business context.
15. Understand the decision-making processes throughout the organization that rely on health information.
16. Identify and monitor the flow of information within the organization and throughout the local healthcare networks.
17. Review all system-related information security plans throughout the organization's network to ensure alignment between security and privacy practices, and act as a liaison to the information systems department.
18. Collaborate with other information systems staff and healthcare professionals to ensure appropriate security measures are in place to safeguard protected health information.

Standard Operating Procedures
Procedures associated with this policy can be found in the document titled Privacy Operating Procedures.

Privacy Safeguards
COMMUNITY CARE OF NORTH CAROLINA POLICIES AND PROCEDURES MANUAL
Eff. Date: 12/11/12 | Rev. History: 5/28/12

Purpose
To establish privacy safeguards that protect protected health information from unauthorized use or disclosure, and to further protect such information from tampering, loss, alteration, or damage. Many of the safeguards necessary to protect electronic data containing protected health information are included in the Security Policies.

Roles and Responsibilities
The CCNC Privacy Officer will implement appropriate administrative, physical and technical safeguards to avoid unauthorized use or disclosure of protected health information.

Policy
CCNC will put into place appropriate administrative, physical, and technical procedures that will safeguard protected health information that is generated, received, and/or maintained at CCNC.

Administrative Safeguards
1. Minimum Necessary. Workforce members must make every effort to reasonably limit uses or disclosures of PHI to the minimum necessary to accomplish the intended purpose of the use (internal to the organization) or disclosure (external to the organization). Workforce members will be identified by their role and the level of access to PHI needed to carry out their job function. Categories or levels of access will be identified, and workforce members will have access to PHI in accordance with the level of access necessary to perform their job function. All levels of access will be documented based on job function, and workforce members will be limited to the information necessary to perform their job functions only. Workforce members should review requests for information on an individual, case-by-case basis to determine the types and amounts of information that constitute the Minimum Necessary in each instance. If the request is not a routine use or disclosure of PHI, the workforce member should consult with the Privacy Officer for guidance before using or disclosing the information.
2. Mail. Before protected health information is disclosed for any purpose, workforce members must ensure that the disclosure is prudent and that the following requirements have been considered:
   a. The recipient has been verified;
   b. The disclosure is permitted for treatment, payment or healthcare operations;
   c. The disclosure is authorized by the patient;
   d. The disclosure does not violate a communications or use-and-disclosure restriction that the patient has requested and the agency has granted; or
   e. The disclosure is required or permitted by law.
   Hard copy or electronic media for distribution outside of CCNC will be either hand delivered or mailed using the United States Postal Service, a courier service, or another delivery service such as FedEx.
3. Fax. All outgoing faxes must be accompanied by the CCNC-approved Fax Cover Sheet (Figure 1). Incoming faxes that contain confidential health information are to be removed promptly to prevent unintentional exposure of confidential information. The Fax Cover Sheet template must also contain the following, which must be filled in:
   a. Sender's name, mailing address, e-mail address, telephone number and fax number;
   b. Recipient's name, telephone number and fax number;
   c. Number of pages being transmitted, including the cover sheet;
   d. Instructions for verification of fax receipt (pre-printed on the sheet).
4. Email. Workforce members will not transmit e-mails containing protected health information to persons within CCNC, to business associates, or to other covered entities (e.g., health plans, health care providers). If it is essential for the efficiency of business operations to send protected health information via e-mail, the following requirements must be met:
   a. The email has a password-protected 7-zip attachment (see Security Policy);
   b. The email has been sent via secure messaging with the encrypted mobile device requirement, or via CMIS messaging;
   c. The document has been shared via a CCNC secure folder (I or N drive) or IC ShareFile.
   Passwords will not be inserted into e-mail messages or other forms of electronic communication without proper encryption. Passwords for e-mail attachments will be provided to recipients by phone. In the event of a misdirected e-mail with a file attachment that contains individually identifying health information, the recipient must be contacted immediately and asked to delete the e-mail and attachment. Misdirected e-mails are considered accidental disclosures and must be accounted for with an Incident Report.
5. Oral Communication/Phone. Workforce members are responsible for conducting all conversations regarding patient information in a location and manner that prevents them from being overheard by others (e.g., in a private office, in a soft voice). Workforce members should not disclose protected health information when phone calls are received unless they can confirm the identity of the caller through voice recognition or by calling back to validate the number and the person calling.

Physical Safeguards
1. Workstation. Workforce members will ensure protected health information is secured when staff are not available to monitor the area by:
   a. Locking material in a file cabinet;
   b. Removing the information from sight and placing it in a desk drawer;
   c. Clearing information from the computer screen when it is not actually being used;
   d. Locking the keyboard when leaving the office;
   e. Turning off the computer when not in use;
   f. Relocating the workstation or repositioning the computer monitor so only the authorized user can view it; or
   g. Clearing information from the computer screen when it is not actually being used, turning off the computer when not in use, or locking (Ctrl + Alt + Delete) their monitor when they leave their office, even for a brief period of time;
   h. Establishing precautions to prevent conversations regarding patient information from being overheard by others;
   i. Ensuring that confidential information is reasonably protected to prevent inadvertent disclosures; this may include placing a cover sheet over records sitting on a desk or positioning a patient's information so that the confidential information is not visible.
2. Visitor Access Control. The receptionist will ensure that all visitors sign in on the Visitors Sign-in Sheet (Figure 2) and receive a Visitor's Badge when entering the building. Where there is no receptionist, hosts will direct visitors to sign in at the reception desk to obtain a visitor badge. All visitors will sign the Pledge of Confidentiality Form (Figure 3) prior to participating in activities exposing sensitive information. See the Human Resources Policy on Visitor Control.
3. Disposal of PHI. Workforce members are responsible for ensuring that all confidential information in paper format that is ready for disposal is placed in the locked shred bins or immediately shredded in the office.

Technical Safeguards (See Security Policies)
1. Passwords. Workforce members are responsible for protecting their passwords and should never reveal them to anyone, including a supervisor, family member or co-worker. In special cases where a user is required to divulge his/her personal password, such as for system support, the user must immediately change the password afterwards.
   a. Passwords should never be included in email messages or unencrypted files;
   b. Passwords should never be stored in a location readily accessible to others (e.g., desk drawer, note on computer, under the keyboard, etc.).
2. Mobile Devices. Workforce members should recognize that there are security risks associated with using mobile devices. Sharing confidential information using text, email or other modes of data transmission on a mobile device should be avoided unless such communication methods are encrypted in accordance with CCNC Security Policies. Video and camera functions on mobile devices should never be used in areas where patient information is visible.
3. Thumb Drives. Workforce members must ensure that any equipment or device that displays data, stores it in memory, connects to another system or transfers data is protected from unauthorized access to health information. IronKey flash drives are provided by the IT department for transferring sensitive information.

Standard Operating Procedures
Procedures associated with this policy can be found in the document titled Privacy Operating Procedures.

Workforce
COMMUNITY CARE OF NORTH CAROLINA POLICIES AND PROCEDURES MANUAL
Eff. Date: 12/11/12 | Rev. History: 5/28/12

Purpose
To ensure all workforce members make reasonable efforts to protect PHI from intentional or unintentional use or disclosure that is in violation of policies.

Roles and Responsibilities
The CCNC Privacy Officer will ensure all workforce members are aware of the reasonable efforts required to protect PHI from intentional or unintentional use or disclosure that is in violation of policies and/or procedures.

Policy
CCNC will put into place appropriate privacy awareness, training, and mitigation of unsecured breaches.

Confidentiality Statement
1. All workforce members and contractors will sign a Confidentiality Agreement (Figure 4) acknowledging their understanding of CCNC privacy policies and procedures and the consequences of any violation. This Agreement will be signed before a new employee or contractor is given access to CCNC systems and equipment. The CCNC Privacy Officer maintains copies of all Confidentiality Agreements. These agreements must be maintained for at least as long as the individual is an active member of the workforce.

HIPAA Training
1. The Privacy Officer will ensure that all members of the workforce and extended workforce are trained on basic HIPAA privacy policies and procedures. Basic privacy training must include awareness of the vulnerabilities of the health information in CCNC's possession and the procedures that must be followed to ensure the protection of that information as necessary for each individual to carry out his/her required job functions, including the possible consequences of violating privacy policies or procedures. New employees and contractors should complete the training within 30 days of employment. In the event that substantial changes are made to privacy policies or procedures, the Privacy Officer is responsible for training workforce members on the new policies/procedures within a reasonable period of time. The Privacy Officer will maintain documentation of all training for at least six years from the last date of the individual's active participation as a member of the workforce. The training log documents:
   a. Training material,
   b. Name and title of each staff member trained,
   c. Date of training/refresher,
   d. Type of training (e.g., basic privacy, name of specific policy/procedure).

Employee Status Changes
1. CCNC will ensure that all records of workforce members are updated promptly after a change in status. The following departments will update records as needed:
   a. Human Resources
   b. Managers and supervisors
   c. System Administrators
   d. Information Technology

Standard Operating Procedures
Procedures associated with this policy can be found in the document titled Privacy Operating Procedures.

Business Associates
COMMUNITY CARE OF NORTH CAROLINA POLICIES AND PROCEDURES MANUAL
Eff. Date: 12/11/12 | Rev. History: 5/28/12

Purpose
To ensure all individuals or organizations who perform specific functions, activities or services for Community Care of North Carolina (CCNC) that involve the sharing of protected health information are appropriately identified as a business associate according to the HIPAA Privacy Rule, and to further ensure that agreements are developed to support such contractual relationships, as appropriate.

Roles and Responsibilities
CCNC will identify persons or entities that provide specific functions, activities, or services that involve the use, creation, or disclosure of protected health information.

Policy
CCNC will review all contractors to determine whether the participant will be acting in the role of a Business Associate. External contract organizations will be required to sign the same agreement. Information that can be shared with any business associate is limited to that which is necessary to perform the duties/tasks identified in the business associate agreement. CCNC will train contractors acting in the role of employees on CCNC HIPAA Privacy and Security policies and procedures. CCNC will not train external contract organizations. CCNC will maintain Business Associate agreements for six years from the date of contract termination.

Privacy Complaints
COMMUNITY CARE OF NORTH CAROLINA POLICIES AND PROCEDURES MANUAL
Eff. Date: 12/11/12 | Rev. History: 5/28/12

Purpose
To ensure all complaints relating to patient confidentiality are investigated within a reasonable timeframe.

Roles and Responsibilities
The CCNC Privacy Officer shall facilitate a process for patients to file a complaint regarding CCNC's privacy policies or the handling of protected health information by CCNC.

Policy
CCNC will investigate all complaints relating to breaches of confidentiality within one business day after a complaint is received. Patients or their legal representatives may file formal complaints with CCNC or with the Secretary of Health and Human Services if they believe their privacy rights have been violated. CCNC will not intimidate, threaten, coerce, discriminate against, or take any other form of retaliatory action against any patient filing a complaint or inquiring about how to file a complaint. CCNC may not require patients to waive their right to file a complaint as a condition for participating in any program.

Standard Operating Procedures
Procedures associated with this policy can be found in the document titled Privacy Operating Procedures.

Privacy Incident
COMMUNITY CARE OF NORTH CAROLINA POLICIES AND PROCEDURES MANUAL
Eff. Date: 12/11/12 | Rev. History: 5/28/12

Purpose
To establish requirements for reporting, documenting, and investigating a known or suspected action or adverse event resulting from unauthorized use or disclosure of protected health information.

Roles and Responsibilities
Workforce members should report any event or circumstance that is believed to be an inappropriate use or disclosure of a patient's protected health information to the Privacy Officer. The Privacy Officer investigates a suspected privacy incident and attempts to resolve it and prevent future occurrences.

Policy
CCNC's Privacy Officer immediately investigates and attempts to resolve all reported suspected privacy incidents wherein the protected health information of a patient has not been used or disclosed in accordance with CCNC's privacy policies. The Privacy Officer completes the Privacy and Security Incident Report Form (Figure 5) when a privacy or security incident is suspected of being a breach. This form holds documentation of the privacy incident and of the attempted resolution, to ensure the incident has been remediated. Each incident will be evaluated to determine if additional workforce training is needed.

Unintentional/Inadvertent Disclosure
1. Unintentional access to PHI by a workforce member or a person acting under the authority of the Covered Entity or Business Associate, if made in good faith and within their scope of authority, and where the information is not used or disclosed in violation of the Privacy Rule, is considered an inadvertent disclosure and an exception to the notification requirements. If there is a disclosure by a person authorized to access PHI to another person authorized to access PHI at the same covered entity or business associate, and the information received is not further used or disclosed in violation of the Privacy Rule, this is considered an inadvertent disclosure and is not considered a breach under the Act. The following are exceptions to a breach:
   a. Any unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of a Covered Entity (CE) or Business Associate (BA), if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the Privacy Rule. An example might be leaving PHI on the copy machine: someone who should not have access to PHI picks up the information, sees who printed the material and hands the material to the intended recipient. No malice or ill intent was involved.
   b. Any inadvertent disclosure by a person who is authorized to access PHI at a CE or BA to another person authorized to access PHI at the same CE or BA, where the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the Privacy Rule.
   c. A disclosure of PHI where a CE or BA has a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

Incident Response
The Privacy Officer will recommend sanctions for confirmed violations to Department Management, considering the following factors:
1. The facts of the investigation:
   a. The nature of the violation,
   b. The severity of the violation,
   c. Whether the violation was intentional or unintentional, and
   d. Whether the violation indicates a pattern or practice of improper use or disclosure of private data.
2. Earlier precedents set;
3. Any approved sanction guidelines established.

CCNC documents and retains records of privacy incidents. This record is in no way considered a part of a patient's record and is intended only to keep track of the types of incidents that are occurring and the sanctions being applied for each type of incident. All incidents are documented on the Incident Response Form (Figure 6), to be signed by the individual and the official. This form is maintained on file and logged in the Incident database. Incidents that are suspected breaches shall have their risks determined on the Privacy and Security Incident Report and documented in the Privacy and Security Incident Log (Figure 7).

Standard Operating Procedures
Procedures associated with this policy can be found in the document titled Privacy Operating Procedures.

Breach Notification
COMMUNITY CARE OF NORTH CAROLINA POLICIES AND PROCEDURES MANUAL
Eff. Date: 12/11/12   Rev. History: 5/28/12

Purpose
To provide guidance for implementation of the American Recovery and Reinvestment Act (ARRA)/Health Information Technology for Economic and Clinical Health Act (HITECH or the Act). In addition, this policy will provide direction on the breach notification requirements of the Act to covered entities when unauthorized access, acquisition, use and/or disclosure of an organization's protected health information (PHI) occurs. The Office for Civil Rights will be responsible for the enforcement of both the Privacy and Security Rules of the HIPAA regulation.

Roles and Responsibilities
The CCNC Privacy Officer will ensure breaches of unsecured PHI are investigated and properly reported.

Policy
CCNC's Privacy Officer immediately investigates and attempts to resolve all reported suspected privacy incidents in which the protected health information of a patient has not been used or disclosed in accordance with CCNC's privacy policies. The Privacy Officer completes the Privacy Incident Form when a privacy incident is suspected or has been reported. This form holds documentation of the privacy incident and of the attempted resolution, which ensures the incident has been remediated. Each incident will be evaluated to determine if additional workforce training is needed.

Breach Notification Rule
1. Upon the discovery of a breach of unsecured protected health information (see definitions), Covered Entities are required to notify each individual whose unsecured PHI may have been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of the breach. If the covered entity also has business associates, the business associates are also required to notify the covered entity of the discovery of a breach or potential breach of unsecured PHI.
2. Unsecured PHI. PHI that is not rendered unusable, unreadable or undecipherable to unauthorized individuals using a technology or methodology specified by the Secretary. Examples of specified methods include:
   a. Electronic PHI has been encrypted, as specified in the HIPAA Security Rule, by the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without the use of a confidential process or key, and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt. The following encryption processes meet this standard:
      i. Valid encryption processes for data at rest (i.e. data that resides in databases, file systems and other structured storage systems) are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.
      ii. Valid encryption processes for data in motion (i.e. data that is moving through a network, including wireless transmission) are those that comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, and may include others which are Federal Information Processing Standards (FIPS) 140-2 validated.
   b. The media on which the PHI is stored or recorded has been destroyed in one of the following ways:
      i. Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise reconstructed.
      ii. Redaction is specifically excluded as a means of data destruction.
      iii. Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.
3. Breach. A breach of PHI occurs when acquisition, access, use or disclosure of PHI that is not permitted under HIPAA occurs and poses a significant risk of financial, reputational or other harm to the individual.
4. Breach Notifications. Once the breach has been discovered, a Breach Investigation Team (broadly defined as the Privacy and Security Officer, but possibly including additional personnel as needed) will initiate the breach investigation outlined in the procedures for this policy.
5. Providing Information to DMA. As a Business Associate of DMA, CCNC is required to report to DMA certain data elements so that DMA may notify the patients impacted by a breach. The risk assessment page of the Privacy Incident Form will be used for reporting to DMA.
6. Providing Information to other Payors. As a Sub Business Associate of other Payors, CCNC is required to report to the covered entity certain data elements so that it may notify the patients impacted by a breach. CCNC must be prepared to give the covered entity the necessary information so that it may fulfill its obligation to notify patients involved in a breach.

Examples of Breaches of Unsecured Protected Health Information
1. Stolen or lost laptop, or lost flash drive, containing unsecured protected health information that is not encrypted per policy.
2. Misdirected e-mail of a listing of drug-seeking patients to an external group list, where the information in the e-mail is not encrypted using 7-Zip as required by policy.
3. Lost flash drive containing a database of patients participating in a disease management and compliance study. This was a personal flash drive, not a company-issued flash drive, so it was not encrypted or secured in any manner.
4. Individual accessing the health record of a divorced spouse for information to be used in a custody hearing.
5. Workforce members accessing the electronic health record for information on friends or family members out of curiosity, without a business-related purpose.
6. Misdirected fax of patient records to a local grocery store instead of the requesting provider's fax. (This is why you verify the fax number before you send any documentation and verify it was received AFTER it was faxed.)
7. Intentional and non-work-related access by a staff member to a neighbor's information.

Sanctions enforced by Federal Law

Violation Category               Each Violation       All such violations of an identical type in a calendar year
Did Not Know                     $100 - $50,000       $1,500,000
Reasonable Cause                 $1,000 - $50,000     $1,500,000
Willful Neglect, Corrected       $10,000 - $50,000    $1,500,000
Willful Neglect, Not Corrected   $50,000              $1,500,000

1. North Carolina Identity Theft Protection Act (NCITPA). In addition to the HITECH breach requirements, the NCITPA requires in 75-65 that any business that owns or licenses personal information of residents of North Carolina, or any business that conducts business in North Carolina that owns or licenses personal information in any form (whether computerized, paper, or otherwise), will provide notice to the affected person that there has been a security breach following discovery or notification of the breach. Examples of identifiers under this act include:
   a. SSNs or Employee Identification Numbers (EINs),
   b. Driver's License, State ID Card, or Passport Numbers,
   c. Checking and Savings Accounts,
   d. Credit and Debit Card numbers,
   e. PIN codes,
   f. Electronic identification numbers, electronic mail names or addresses,
   g. Digital Signatures,
   h. Biometric Data, fingerprints,
   i. Passwords,
   j. Parent's legal surname prior to marriage.
In addition, the business must notify, without unreasonable delay, the Consumer Protection Division of the Attorney General's Office of the nature of the breach, the number of consumers affected by the breach, steps taken to investigate the breach, steps taken to prevent a similar breach in the future, and information regarding the timing, distribution, and content of the notice. Notice to individuals must include a description of the following:
   a. The incident in general terms;
   b. The type of Personal Information subject to the breach;
   c. General acts of the business to protect information from further breaches;
   d. A telephone number that a person may call for further information;
   e. Advice that directs the person to remain vigilant in reviewing account statements and monitoring free credit reports;
   f. A telephone number for the business providing the notice;
   g. Toll-free numbers and addresses for the national credit reporting agencies; and
   h. Toll-free numbers, addresses and web site addresses for the Federal Trade Commission and the North Carolina Attorney General's Office, along with a statement that individuals can learn about preventing identity theft from these sources.
Submit the notice to the North Carolina Consumer Protection Division of the Attorney General using the form found at the following link: http://ncdoj.gov/getdoc/50dc89a8-8b26-48b6-88f2-3e30cd19f09f/nc-security-breach-reporting-form-2009.aspx

Standard Operating Procedures
Procedures associated with this policy can be found in the document titled Privacy Operating Procedures.

De-Identification and Limited Data Sets

Purpose
The purpose of this policy is to define methods by which CCNC may remove specific elements from health information so that the resulting information will not be considered protected health information. HIPAA defines the data elements allowed in de-identified and limited data sets.

Roles and Responsibilities
The CCNC Privacy Officer will determine if the desired data set meets the intended purposes of the use and disclosure as permitted by Federal and/or state laws.

Policy
CCNC will de-identify health information whenever protected health information is not necessary to accomplish the intended purpose of the use or disclosure of health information, or when use or disclosure of protected health information is not permitted by federal or state laws. CCNC will determine if a limited data set would meet the intended purpose of the use or disclosure. When a limited data set is deemed appropriate, CCNC will enter into a data use agreement with the recipient of the information. When information cannot be de-identified or included in a limited data set, CCNC will ensure that disclosure of the health information is permitted by law and is in accordance with CCNC Privacy Policies.

Individual Identifiers
1. For the purposes of the Privacy Policies, the following elements are considered individual identifiers if they apply to patients or to relatives, guardians, employers, or household members of patients. If the elements below are associated with health information, the information becomes protected health information that must be protected from improper use or disclosure:
   a. Names,
   b. All geographic subdivisions smaller than a State, including street address, city, county, precinct, ZIP Code, and their equivalent geocodes, except for the initial three digits of a ZIP Code if, according to the current publicly available data from the Bureau of the Census, the geographic unit formed by combining all ZIP Codes with the same three initial digits contains more than 20,000 people; the initial three digits of a ZIP Code for all such geographic units containing 20,000 or fewer people are changed to 000,
   c. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older,
   d. Telephone numbers,
   e. Fax numbers,
   f. Electronic mail addresses,
   g. Social Security Numbers,
   h. Medical record numbers,
   i. Health plan beneficiary numbers,
   j. Account numbers,
   k. Certificate/license numbers,
   l. Vehicle identifiers and serial numbers, including license plate numbers,
   m. Device identifiers and serial numbers,
   n. Web Universal Resource Locators (URLs),
   o. Internet Protocol (IP) address numbers,
   p. Biometric identifiers, including finger and voice prints,
   q. Full face photographic images and any comparable images,
   r. Any other unique identifying number, characteristic, or code that can be re-identified.
2. De-Identified. Protected health information is considered de-identified when the elements that could identify an individual have been removed and there is no reasonable basis to believe that the information may be used, with or without other available information, to identify an individual. De-identified health information may be used and shared as necessary in the performance of work, unless federal or state laws otherwise restrict the information. Health information that has been considered de-identified does not meet the de-identification criteria if it carries a code or other means of record identification designed to enable the coded or otherwise de-identified information to be re-identified.

Limited Data Set
1. When a limited data set is deemed appropriate for a use or disclosure, CCNC will enter into a data use agreement with the recipient of the information, unless state or federal law permits the use or disclosure, which negates the need for such an agreement. When limited data sets are used or disclosed with an appropriate data use agreement executed, an authorization is not required for the use or disclosure of the limited data set, and limited data sets do not need to be included in an accounting of disclosures. To qualify as a limited data set, only the following identifiers for patients can be associated with the health information:
   a. State, county, city or town, ZIP Code,
   b. Birth date, admission date, discharge date, date of death,
   c. Age, and/or
   d. Unique identifying number, characteristic, or code exclusive of identifiers such as Social Security Numbers, account numbers, medical record numbers, health plan beneficiary numbers etc.
2. Re-Identification. A code or other means of identification may be assigned to allow information that has been de-identified to be re-identified within CCNC, provided that:
   a. The code or other means of identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual (examples would be codes containing a Social Security Number or health plan beneficiary number);
   b. CCNC does not use or disclose the code (or other means of identification) for any purpose other than that originally intended; and CCNC does not disclose any methods that can be used to re-identify information that has been de-identified.
3. Data Use Agreement. CCNC will enter into a data use agreement with the limited data set recipient. The data use agreement must contain the following:
   a. A requirement to use or disclose such information only for the purposes of research, public health, or health care operation activities,
   b. Specifications regarding who can use or receive the limited data set,
   c. Specifications of the permitted uses and disclosures,
   d. A stipulation that the recipient will not use or disclose the limited data set for any purposes other than those specified in the data use agreement or as otherwise required by law,
   e. Adequate assurances that the recipient will use appropriate safeguards to prevent the use or disclosure of the limited data set for any purposes other than those specified in the data use agreement. These assurances may be addressed through language similar to that provided in the DHHS Data Use Agreement,
   f. Commitment by the recipient to report to DMA any use or disclosure of the information not provided for by the data use agreement of which it becomes aware,
   g. Assurance that any agent, including a subcontractor, to whom the recipient provides the limited data set agrees to the same restrictions and conditions that apply to the limited data set recipient with respect to such information, and
   h. A commitment by the recipient that it will not re-identify the information or contact any of the individuals whose data is being disclosed.
4. The minimum necessary rule. The minimum necessary rule applies to limited data sets; therefore, only data elements that are necessary to perform the purpose(s) specified in the data use agreement should be included in the limited data set released to the recipient.

When use or disclosure of protected health information is necessary for public health, research, or health care operation activities, and the particular instance of use, or federal or state laws, do not permit disclosure, workforce members must determine if a de-identified or limited data set would meet the intended purpose of the use or disclosure. When information cannot be de-identified, workforce members will use a limited data set, if possible, instead of disclosing protected health information. Workforce members will ensure a Data Use Agreement has been signed prior to using or disclosing a limited data set.

Standard Operating Procedures
Procedures associated with this policy can be found in the document titled Privacy Operating Procedures.
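The safe-harbor removal rules in the Individual Identifiers list above (ZIP truncation to three digits subject to the 20,000-person threshold, year-only dates, aggregation of ages over 89) and the narrower stripping that produces a limited data set are both mechanical enough to implement and test in code. The Python below is an added example written for this page; it is not CCNC's code and not part of the manual. The field names, the 3-digit ZIP population table and the sample record are constructed assumptions: a real implementation would load current Census Bureau counts and map its own record schema.

```python
"""Safe-harbor de-identification and limited data set construction.

Added example, not CCNC's own code. The population table, the field
names and the sample record are constructed for illustration.
"""
import re
from datetime import date

# Constructed (hypothetical) resident counts per 3-digit ZIP prefix.
# A real implementation would load current Census Bureau figures.
ZIP3_POPULATION = {
    "275": 250_000,   # more than 20,000 people: prefix may be kept
    "036": 15_000,    # 20,000 or fewer: prefix must become "000"
}

# Assumed field names for the direct identifiers in the policy's list
# (names, street address, phone, fax, e-mail, SSN, MRN, plan beneficiary
# and account numbers, licences, vehicle/device IDs, URLs, IPs,
# biometrics, photos). Both safe harbor and a limited data set drop them.
DIRECT_IDENTIFIERS = frozenset({
    "name", "street", "phone", "fax", "email", "ssn", "mrn", "plan_id",
    "account", "license", "vehicle_id", "device_id", "url", "ip",
    "biometric", "photo",
})
# Geography and dates: a limited data set may keep these; safe harbor
# must generalise them.
GEO_FIELDS = ("city", "county", "state", "zip")
DATE_FIELDS = ("birth_date", "admission_date", "discharge_date", "death_date")


def mask_zip(zip_code, population=ZIP3_POPULATION):
    """Keep the first three ZIP digits only if that area has more than
    20,000 people; otherwise (or if the ZIP is unusable) return "000"."""
    prefix = re.sub(r"\D", "", zip_code or "")[:3]
    if len(prefix) < 3 or population.get(prefix, 0) <= 20_000:
        return "000"
    return prefix


def age_on(birth_date, as_of):
    """Whole years between birth_date and as_of."""
    years = as_of.year - birth_date.year
    if (as_of.month, as_of.day) < (birth_date.month, birth_date.day):
        years -= 1
    return years


def safe_harbor(record, as_of):
    """Return a de-identified copy of `record` under the safe-harbor rule.

    `as_of` (a date or ISO string) fixes the age calculation. Ages over 89
    collapse to "90+" and the birth date is dropped entirely, because any
    element of it (even the year) would indicate such an age.
    """
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    age = record.get("age")
    if record.get("birth_date"):
        age = age_on(record["birth_date"], as_of)
    over_89 = age is not None and age > 89

    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key == "age" or value is None:
            continue                      # removed outright
        if key == "zip":
            out[key] = mask_zip(value)
        elif key in GEO_FIELDS:
            if key == "state":            # only the State survives
                out[key] = value
        elif key in DATE_FIELDS:
            if key == "birth_date" and over_89:
                continue                  # its year would reveal age > 89
            out[key] = str(value.year)    # year only
        else:
            out[key] = value              # clinical content passes through
    if age is not None:
        out["age"] = "90+" if over_89 else str(age)
    return out


def limited_data_set(record):
    """Strip direct identifiers but keep the geography, dates and age that
    a limited data set may contain (released only under a data use
    agreement and subject to the minimum necessary rule)."""
    return {k: v for k, v in record.items()
            if k not in DIRECT_IDENTIFIERS and v is not None}


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Doe", "ssn": "000-00-0000", "mrn": "MRN-000001",
    "street": "1 Example St", "city": "Cary", "county": "Wake",
    "state": "NC", "zip": "27513-0000", "phone": "919-555-0100",
    "birth_date": date(1930, 6, 15), "admission_date": date(2012, 3, 2),
    "diagnosis": "E11.9",
}

if __name__ == "__main__":
    print(safe_harbor(SAMPLE_RECORD, "2020-08-01"))
    print(limited_data_set(SAMPLE_RECORD))
```

Two points worth checking in any real implementation: the over-89 branch removes the birth date altogether rather than reducing it to a year, since the policy treats every date element indicative of such an age as an identifier; and the limited data set output still carries full ZIP codes and dates, so it is not de-identified and may leave CCNC only under an executed Data Use Agreement, trimmed to the minimum necessary for the stated purpose.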

Legal Occurrences

Purpose
This policy establishes requirements for disclosing protected health information when responding to judicial and administrative proceedings, court orders (including protective orders), subpoenas, law enforcement, and other legal mandates.

Roles and Responsibilities
Disclosures of protected health information (PHI) will be made only where required by law. Any request for data received by an employee should be sent to the CCNC Privacy Officer for disposition.

Policy
Requests for disclosing protected health information, including judicial and administrative proceedings, court orders (including protective orders), subpoenas, law enforcement, and other legal mandates, will be referred to the CCNC Privacy Officer.

Required by Law
1. The CCNC Privacy Officer will use or disclose protected health information as required by law where a federal, state, tribal, or local law compels CCNC to make a use or disclosure.
2. Preemption of North Carolina Law. The CCNC Privacy Officer will review North Carolina and federal laws to determine if any provision is contrary to a requirement of the HIPAA or HITECH Privacy and Security Rules.
   a. If the state law relating to the privacy of protected health information is more stringent than a privacy regulation, state law shall not be preempted, due to its greater privacy protections.
3. Disclosures Requiring Authorization. The following types of disclosure require CCNC to obtain written authorization from the patient or the patient's personal representative, unless there is a court order:
   a. Judicial or administrative proceeding requests;
   b. Subpoenas;
   c. Law enforcement officials;
   d. Warrants.
4. Disclosures Not Requiring Authorization. The following types of disclosures may be made without authorization:
   a. Court orders;
   b. Health oversight: auditing, licensing, corrective action;
   c. Responding to law enforcement officials for crimes.
5. Accounting of Disclosures. CCNC will maintain a record of disclosures for legal occurrences using the Disclosure Log 8.
6. Reporting. CCNC will report requests for legal disclosures of Medicaid recipients to the DMA Privacy Official.

Standard Operating Procedures
Procedures associated with this policy can be found in the document titled Privacy Operating Procedures.

Research

Purpose
To describe how protected health information must be protected when it is accessed, used, or disclosed for research purposes.

Roles and Responsibilities
The CCNC Director of Evaluation will provide guidance on requests for data for evaluating a CCNC program for research and/or publication.

Policy
Requests for Medicaid data for research or evaluation will be referred to the CCNC Director of Evaluation to determine the needs and the options among available resources. The HIPAA Privacy Rule establishes the conditions under which protected health information may be used or disclosed by covered health care components and their internal business associates for research purposes. Research is defined in the Privacy Rule as a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. The HIPAA definition of research also applies to the development of research repositories and research databases. Workforce members working with data for research purposes will follow the policy De-Identification and Limited Data Sets.

Standard Operating Procedures
Procedures associated with this policy can be found in the document titled Privacy Operating Procedures.

Use and Disclosures

DISCLOSING DATA OBTAINED FROM THE INFORMATICS CENTER

PURPOSE: To provide a secure process for the disclosure of data accessed from the Informatics Center ("Data") that is converted into any other electronic or non-electronic format, to parties that have not entered into a System Access Agreement, and to ensure recipients are aware of their responsibilities regarding use and disclosure of Data.

POLICY: Any organization, provider, or other entity that has executed a System Access Agreement may disclose Data (hereinafter, a "Disclosing Entity") if:
a. Disclosure of Data is permitted under applicable state and federal law;
b. Disclosure of Data is:
   i. To the individual who is the subject of the Data or to such individual's personal representative, as such term is defined under 45 C.F.R. 164.502(g);
   ii. For purposes of treatment, quality assessment and improvement activities, or coordination of appropriate and effective patient care, treatment, or habilitation; or
   iii. Otherwise required under applicable state or federal law with respect to the Disclosing Entity; and
c. The Disclosing Entity obtains the individual's written authorization to disclose such Data if required under applicable state or federal law.

PROCEDURE
1. Requests for Data. A Disclosing Entity may disclose Data in response to a request from an agency, entity, or provider (a "Requesting Entity") for purposes of patient care or care coordination, in accordance with the following procedures.
   a. The Requesting Entity must submit a signed Request for Data from the Community Care of North Carolina, Inc. Informatics Center (a "Request Form").
   b. The Request Form must be accompanied by a list of individuals who are the subject of the requested Data. Multiple patients may be identified. The list of patients shall not include any Protected Health Information, and shall be sent as an attachment with the Request Form.
   c. Upon receiving the signed Request Form, the Disclosing Entity may disclose the Data.
   d. The Disclosing Entity shall ensure secure transmission via encrypted e-mail or fax.
   e. Each Disclosing Entity shall have its own internal process for ensuring a record of each disclosure transaction is maintained for each patient.
2. Disclosures Initiated by Disclosing Entity. A Disclosing Entity may initiate a disclosure of Data to an agency, entity, or provider that has not entered into a System Access Agreement (a "Receiving Entity"), in accordance with the following procedures.
   a. The Disclosing Entity shall provide notice of the Receiving Entity's responsibilities regarding use and disclosure of Data. The Disclosing Entity may use the Notice to Accompany Informatics Center Data Disclosures form provided by CCNC.
   b. The Disclosing Entity shall verify that the Receiving Entity provides care, treatment, habilitation, or rehabilitation to the individual or individuals who are the subject of the Data.
   c. The Disclosing Entity shall ensure secure transmission via encrypted e-mail or fax.
   d. Each Disclosing Entity shall have its own internal process for ensuring a record of each disclosure transaction is maintained for each patient.

Use and Disclosures (Sensitive Information)

Purpose
This policy establishes requirements for the use of protected health information when obtaining, documenting, and disclosing behavioral health and substance abuse information that is subject to Federal and State Law.

Roles and Responsibilities
CCNC shall enforce requirements on all users of the Informatics Center regarding the use and disclosure of sensitive information.

Policy
CCNC shall provide a process for handling Protected Health Information on patients that references behavioral health or substance abuse, which may be subject to Federal and State Laws that carry more restrictions than HIPAA.

Behavioral Health Definitions under NCGS 122C:
Facility: Any person at one location whose primary purpose is to provide services for the care, treatment, habilitation, or rehabilitation of the mentally ill, the developmentally disabled, or substance abusers.

N.C. General Statutes Chapter 122C provides exceptions for CCNC effective January 1, 2012. Specifically, 122C-52(b) provides that a HIPAA covered entity or business associate receiving confidential information that has been disclosed pursuant to Chapter 122C may use and disclose such information as permitted or required under HIPAA. Data obtained from the Informatics Center may be disclosed without patient consent if:
1. The disclosure is permitted under HIPAA, and
2. The disclosure is permitted under the applicable System Access Agreement. See the Data Disclosure Policy.