HIPAA Resource Manual

HIPAA RESOURCE MANUAL

Bullitt County and Louisville Metro Health Departments

1/1/2012

Marilyn Loy, Vickie Trevino, and Robyn Dickerson

TABLE OF CONTENTS

ADMINISTRATIVE
HIPAA Privacy Officer
  o Function/Role
  o Compliance Administrative Requirements
  o Business Associate Agreements (Sample)
Subpoenas and Court Orders
Training
  o Checklist for Basic HIPAA Training
  o Checklist for Basic Health Records Training
  o Confidentiality Agreement (Sample)

STAFF SUPPORT
Documentation/Medical Record
  o Legal Documentation Standards
  o Form(s)
      Authorization for Release
      Records Certificate/Certification
      HIPAA Acknowledgment
      HIPAA Privacy Notice
  o Frequently Asked Questions
  o 18 Identifiers
General Open Records Act
  o KRS 214.420 Records declared confidential
  o KRS 214.625 Consent for medical procedures and tests including HIV infection -- Physician's responsibility -- Confidentiality of results -- Exceptions -- Disclosure -- Network of voluntary HIV testing programs
Minimum Necessary
References

ADMINISTRATIVE SECTION

HIPAA PRIVACY OFFICER

Function/Role

The HIPAA Privacy Officer chairs the department's HIPAA committees. His or her responsibilities include monitoring the regulatory requirements under the HIPAA law, creating HIPAA privacy programs, and introducing policies that promote compliance. The officer is the liaison to the department and educates department heads and managers on implementing compliance. The HIPAA Privacy Officer aids the department in preparing legal documents and forms. When departments are out of compliance, the officer makes contingency plans for medical information, which may include information backup plans, disaster recovery plans, emergency mode operation plans, and applications and data criticality analysis. S/he provides training and relevant information on HIPAA privacy. In this capacity a Privacy Officer is responsible for providing both leadership and staff with appropriate privacy training, education, and "state of privacy" reviews so that everyone is qualified in the performance of their privacy duties and up to date on the latest privacy trends. When independent contractors provide medical services to an organization, the HIPAA compliance officer verifies that such contractors follow all privacy regulations and creates Business Associate Agreements as deemed necessary.

COMPLIANCE

Administrative Requirements

HHS recognizes that covered entities range from the smallest provider to the largest, multi-state health plan. Therefore the flexibility and scalability of the Rule are intended to allow covered entities to analyze their own needs and implement solutions appropriate for their own environment. What is appropriate for a particular covered entity will depend on the nature of the covered entity's business, as well as the covered entity's size and resources.

Privacy Policies and Procedures. A covered entity must develop and implement written privacy policies and procedures that are consistent with the Privacy Rule.

Privacy Personnel. A covered entity must designate a privacy official responsible for developing and implementing its privacy policies and procedures, and a contact person or contact office responsible for receiving complaints and providing individuals with information on the covered entity's privacy practices.

Workforce Training and Management. Workforce members include employees, volunteers, and trainees, and may also include other persons whose conduct is under the direct control of the entity (whether or not they are paid by the entity). A covered entity must train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their functions. A covered entity must have and apply appropriate sanctions against workforce members who violate its privacy policies and procedures or the Privacy Rule.

Mitigation. A covered entity must mitigate, to the extent practicable, any harmful effect it learns was caused by use or disclosure of protected health information by its workforce or its business associates in violation of its privacy policies and procedures or the Privacy Rule.

Data Safeguards. A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure. For example, such safeguards might include shredding documents containing protected health information before discarding them, securing medical records with lock and key or pass code, and limiting access to keys or pass codes. See the additional HHS guidance on Incidental Uses and Disclosures.

Complaints. A covered entity must have procedures for individuals to complain about its compliance with its privacy policies and procedures and the Privacy Rule. The covered entity must explain those procedures in its privacy practices notice. Among other things, the covered entity must identify to whom individuals can submit complaints at the covered entity and advise that complaints also can be submitted to the Secretary of HHS.

Retaliation and Waiver. A covered entity may not retaliate against a person for exercising rights provided by the Privacy Rule, for assisting in an investigation by HHS or another appropriate authority, or for opposing an act or practice that the person believes in good faith violates the Privacy Rule. A covered entity may not require an individual to waive any right under the Privacy Rule as a condition for obtaining treatment, payment, enrollment, or benefits eligibility.

Documentation and Record Retention. A covered entity must maintain, until six years after the later of the date of their creation or last effective date, its privacy policies and procedures, its privacy practices notices, disposition of complaints, and other actions, activities, and designations that the Privacy Rule requires to be documented.

Fully-Insured Group Health Plan Exception. The only administrative obligations with which a fully-insured group health plan that has no more than enrollment data and summary health information is required to comply are the (1) ban on retaliatory acts and waiver of individual rights, and (2) documentation requirements with respect to plan documents if such documents are amended to provide for the disclosure of protected health information to the plan sponsor by a health insurance issuer or HMO that services the group health plan.

BUSINESS ASSOCIATE AGREEMENT (SAMPLE)

Local Health Department

This Agreement is entered into by and between ( Health Care Provider ) and Business Associate to set forth the terms and conditions under which protected health information (PHI), as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the regulations enacted thereunder, created or received by ( Business Associate ) on behalf of ( Health Care Provider ) may be used or disclosed. This Agreement shall commence on (Date), and the obligations herein shall continue in effect so long as Business Associate uses, discloses, creates, or otherwise possesses any protected health information created or received on behalf of ( Health Care Provider ) and until all protected health information created or received by Business Associate on behalf of ( Health Care Provider ) is destroyed or returned to ( Health Care Provider ) pursuant to Paragraph 15 herein.

1) ( Health Care Provider ) and Business Associate hereby agree that Business Associate shall be permitted to use and/or disclose protected health information created or received on behalf of ( Health Care Provider ) for the following purposes:
a) Completing and submitting health care claims to health plans, clearinghouses, and other third party payers.
b) Collection of fees for ( Health Care Provider ).
c) Establishing and maintaining Business Management Programs for ( Health Care Provider ).
d) Introducing, maintaining, and programming Electronic Medical Record Systems for ( Health Care Provider ).
e) Introducing, maintaining, and programming compatible Dictation Systems for ( Health Care Provider ).
It is to be understood by all parties that the permitted uses and disclosures must be within the scope of, and necessary to achieve, the obligations and responsibilities of Business Associate in performing on behalf of, or providing services to, the Health Care Provider.

2) Business Associate may use and disclose protected health information created or received by Business Associate on behalf of ( Health Care Provider ) if necessary for the proper management and administration of Business Associate or to carry out its legal responsibilities, provided that any disclosure is:
a) Required by law, or
b) Business Associate obtains reasonable assurances from the person to whom the protected health information is disclosed that (i) the protected health information will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person; and (ii) Business Associate will be notified of any instances of which the person is aware in which the confidentiality of the information is breached.

3) Business Associate hereby agrees to maintain the security and privacy of all protected health information in a manner consistent with California State and Federal laws and regulations, including the Health Insurance Portability and Accountability Act of 1996 ( HIPAA ) and the regulations thereunder, and all other applicable law.

4) Business Associate further agrees not to use or disclose protected health information except as expressly permitted by this Agreement or applicable law, or for the purpose of managing Business Associate's own internal business processes consistent with Paragraph 2 herein.

5) Business Associate shall not disclose protected health information to any member of its workforce unless Business Associate has advised such person (employee) of Business Associate's privacy and security obligations and policies under this Agreement, including the consequences for violation of such obligations. Business Associate shall take appropriate disciplinary action against any member of its workforce who uses or discloses protected health information in violation of this Agreement and applicable law.

6) Business Associate shall not disclose protected health information created or received by Business Associate on behalf of ( Health Care Provider ) to any person, including any agent or subcontractor of Business Associate but not including a member of Business Associate's own workforce, until such person agrees in writing to be bound by the provisions of this Agreement and applicable California State or Federal law.

7) Business Associate agrees to use appropriate safeguards to prevent use or disclosure of protected health information not permitted by this Agreement or applicable law.

8) Business Associate agrees to maintain a record of all disclosures of protected health information, including disclosures not made for the purposes of this Agreement. Such record shall include the date of the disclosure, the name and, if known, the address of the recipient of the protected health information, the name of the individual who is the subject of the protected health information, a brief description of the protected health information disclosed, and the purpose of the disclosure. Business Associate shall make such record available to an individual who is the subject of such information or to ( Health Care Provider ) within five (5) working days of a request, and the record shall include disclosures made on or after the date which is six (6) years prior to the request or April 14, 2003, whichever date is later.

9) Business Associate agrees to report to ( Health Care Provider ) any unauthorized use or disclosure of protected health information by Business Associate or its workforce or subcontractors, and the remedial action taken or proposed to be taken with respect to such use or disclosure.

10) Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of protected health information received from ( Health Care Provider ), or created or received by Business Associate on behalf of ( Health Care Provider ), available to the Secretary of the United States Department of Health and Human Services for purposes of determining the Covered Entity's compliance with HIPAA.

11) Within thirty (30) days of a written request by ( Health Care Provider ), Business Associate shall allow a person who is the subject of protected health information, such person's legal representative, or ( Health Care Provider ) to have access to and to copy such person's protected health information in the format requested by such person, legal representative, or practitioner unless it is not readily producible in such format, in which case it shall be produced in standard hard copy format.

12) Business Associate agrees to amend, pursuant to a request by ( Health Care Provider ), protected health information maintained, created, or received by Business Associate on behalf of the Practitioner. Business Associate further agrees to complete such amendment within thirty (30) days of a written request by ( Health Care Provider ), and to make such amendment as directed by ( Health Care Provider ).

13) In the event Business Associate fails to perform the obligations under this Agreement, ( Health Care Provider ) may, at its option:
a) Require Business Associate to submit to a plan of compliance, including monitoring by ( Health Care Provider ) and reporting by Business Associate, as ( Health Care Provider ), in its sole discretion, determines necessary to maintain compliance with this Agreement and applicable law. Such plan shall be incorporated into this Agreement by amendment hereto; and
b) Require Business Associate to mitigate any loss occasioned by the unauthorized disclosure or use of protected health information.
c) Immediately discontinue providing protected health information to Business Associate, with or without written notice to Business Associate.

14) ( Health Care Provider ) may immediately terminate this Agreement and related agreements if ( Health Care Provider ) determines that Business Associate has breached a material term of this Agreement. Alternatively, ( Health Care Provider ) may choose to (i) provide Business Associate with ten (10) days written notice of the existence of an alleged material breach; and (ii) afford Business Associate an opportunity to cure said alleged material breach to the satisfaction of ( Health Care Provider ) within ten (10) days. Business Associate's failure to cure shall be grounds for immediate termination of this Agreement. ( Health Care Provider )'s remedies under this Agreement are cumulative, and the exercise of any remedy shall not preclude the exercise of any other.

15) Upon termination of this Agreement, Business Associate shall return or destroy all protected health information received from ( Health Care Provider ), or created or received by Business Associate on behalf of ( Health Care Provider ), that Business Associate maintains in any form, and shall retain no copies of such information. If the parties mutually agree that return or destruction of protected health information is not feasible, Business Associate shall continue to maintain the security and privacy of such protected health information in a manner consistent with the obligations of this Agreement and as required by applicable law, and shall limit further use of the information to those purposes that make the return or destruction of the information infeasible. The duties hereunder to maintain the security and privacy of protected health information shall survive the discontinuance of this Agreement.

16) ( Health Care Provider ) may amend this Agreement by providing ten (10) days prior written notice to Business Associate in order to maintain compliance with California State or Federal law. Such amendment shall be binding upon Business Associate at the end of the ten (10) day period and shall not require the consent of Business Associate. Business Associate may elect to discontinue the Agreement within the ten (10) day period, but Business Associate's duties hereunder to maintain the security and privacy of PROTECTED HEALTH INFORMATION shall survive such discontinuance. ( Health Care Provider ) and Business Associate may otherwise amend this Agreement by mutual written agreement.

17) Business Associate shall, to the fullest extent permitted by law, protect, defend, indemnify, and hold harmless ( Health Care Provider ) and his/her respective employees, directors, and agents ( Indemnitees ) from and against any and all losses, costs, claims, penalties, fines, demands, liabilities, legal actions, judgments, and expenses of every kind (including reasonable attorneys' fees, including at trial and on appeal) asserted or imposed against any Indemnitees arising out of the acts or omissions of Business Associate or any of Business Associate's employees, directors, or agents related to the performance or nonperformance of this Agreement.

______________________________________________   ______________
( Health Care Provider )                         Date

______________________________________________   ______________
Business Associate                               Date

SUBPOENAS AND COURT ORDERS (KRS 422.300 through KRS 422.330) The Two (2) Types Of Subpoenas 1. Subpoena The subpoena is a command to appear at a certain time and place to give testimony upon a certain matter. A subpoena is valid if it: a. Is issued by the court clerk or other authorized officer, but usually not the presiding officer of the court: b. States the name of the court and the title of the action; and c. Commands the person to whom it is directed to attend and give testimony at a time and place for a specified party. 2. Subpoena Duces Tecum A subpoena duces tecum is a subpoena with the added command to bring along certain documents or papers pertinent to the issues of a controversy. NOTE: For additional resources Refer to HIPAA privacy regulations 164.512(e) and (f). Non-Court Order A subpoena not signed by the judge or hearing officer. If the subpoena is not a Court Ordered subpoena, a HIPAA approved Authorization for Disclosure signed by the client should accompany the subpoena or the requesting party would need to provide reasonable assurance prior to disclosing patient records. Court Order A court order is a command signed by the presiding judge of the court. Before disclosing privileged medical information as covered by state laws (STDs, HIV, HANDS, etc.), if the courtorder does not specify those records are required; the LHD should contact the judge to discuss the need for disclosure of those privileged records. Power To Issue The power to subpoena is given by statute to judges, clerks of courts, referees, arbitrators, municipal corporations, legislative committees, various boards and commissioners including the State Board of Medical Licensure. Responding To A Subpoena Recipient is the person named in the subpoena to appear or produce documents or other materials. A subpoena may be served by any person over eighteen (18) years of age by personally delivering a copy to the person to whom it is directed. Mail Service is not appropriate. 
The service of a subpoena must be made to the person named in the subpoena. Service is valid when it is served within the territorial jurisdiction of the court that issued it. State - a subpoena issued by a state district or circuit court is valid only within the boundaries of the state in which the court is located. 9

Federal - A subpoena issued by a federal court is valid within the federal court district or within one hundred (100) miles of the location where the witness is required to attend, even though the place of service may be outside of the federal court district. Responsibility Of Recipient The named recipient at the local health department should require proper service. When a subpoena is received through the mail, is sent from outside the court s jurisdiction, or is served improperly in any other way, the recipient should notify the attorney who initiated the subpoena of improper service. A form letter may be prepared to respond to such occasions. Contempt Of Court Failure to respond to a subpoena in Kentucky is punishable as contempt of court. Failure to compensate the witness for expenses is not sufficient grounds for failure to respond to a subpoena. The Custodian Of Medical Records As Witness When medical record information is subpoenaed, the custodian of medical records, i.e., either the medical record director or someone else with knowledge of the recipient s record maintenance procedures, will be asked to testify as to the authenticity of the medical records either through deposition, appearance at court or written certification. Deposition A deposition is the testimony of a party or witness, made under oath but not in open court and written down or videotaped to be used during discovery or trial proceedings. The deposition is a means of pretrial discovery. It may direct the response to questions and/or production of records related to the case. The attorney issuing the subpoena for a deposition to discover medical records usually will call the medical record custodian to set a time and place for the disposition. Those present at the deposition are the following: 1. Custodian of medical records. 2. Attorney requesting the deposition. 3. Opposing attorney, and 4. Court reporter or person with a video camera commissioned to record the deposition proceedings. 
The medical record custodian will be sworn in and questioned in the same manner as if appearing in court. The attorney who issued the subpoena will be given the copy of the record when and if it is requested. If an attorney objects to the answering of a question during a deposition, the question is still answered. Whether or not an answer given during deposition will be introduced in court will be determined by the judge at a later time. Appearance In Court Prior to appearance in court, the medical record custodian should: 1. Make a clear copy of the record, 2. Number the pages on the copy, and 3. Read through the entire record for familiarity with the terms should it become necessary that portions have to be read in court at the deposition. 10

On the day appearance in court is requested, the medical record custodian should: 1. Call the attorney who subpoenaed the record and verify the time to be present, and 2. Bring the original and the copy of the record along to court. Upon arrival at the court the medical record custodian should: 1. Acknowledge the custodian s presence to the subpoenaing attorney or the clerk of court. 2. Wait in the designated area until requested to take the witness stand and do not reveal the contents of the records to anyone until directed to do so by the judge. The reasons a medical record custodian is asked to serve as a witness are to identify the record and answer questions needed to make the record admissible in court. Questions that must be answered positively for admissibility are: 1. Was the record made in the regular course of business; and 2. Was it the regular course of business to make such records at or near the time of the matter recorded? When serving as a witness in court or at a deposition, the medical record custodian should answer questions briefly and directly. In addition to the two questions stated above, other usual questions are: 1. What is your full name and title? 2. For which facility do you work? 3. Do you have in your possession the medical records of? In the event an attorney asks, do you have ALL the records of? the custodian must think of the filing system used and determine if ALL records were brought, including the HANDS record if filed separately. The medical record custodian may read parts of the record if asked, but may not interpret any medical information in the record. I am not qualified to answer that, is a perfectly acceptable response when questions fall beyond the area of competence. All answers are subject to cross examination(s) in a court of law. If any attorney objects to a question, the question should not be answered until the judge rules whether or not the question is to be answered. 
Procedure For Mailing Records To Court KRS 422.300 through KRS 422.330 provide for the mailing or personal delivery of a certified copy of the medical record to the clerk of court, unless the record contains information regarding sexually transmitted diseases, HANDS, mental health or drug and alcohol abuse. In this event, the judge must be notified that privileged information on a specific patient is not subject to subpoena. To comply with these statutes, the custodian of medical records or person charged with such responsibility shall promptly notify in writing the attorney causing service of the subpoena of the recipient s decision to submit a certified copy. Also included would be the cost of reproducing the record. 11

Upon payment of the copying expenses: 1. Prepare a certification with the following information: a. Full name of the patient; b. Patient s medical record number; c. Number of pages in the medical record; and d. This statement: 2. Notarize the certification; The copies of records for which this certification is made are true and complete reproductions of the original (or microfilmed) records which are housed in (name of facility). The original records were made in the regular course of business, and it was the regular course of (name of facility) to make such records at or near the time of the matter recorded. This certification is given pursuant to KRS 422.300 KRS 422.330 by the custodian of the records in lieu of personal appearance. 3. Enclose the copies and notarized certification in an inner envelope labeled with the following: a. Copies of medical records; b. Title and number of the legal action or proceeding; c. Date of the subpoena; d. Name of the provider; e. Full name of the patient; f. Patient s medical record number, and g. Name and business phone number of the employee signing the certification. 4. Seal the envelope and enclose the inner envelope containing the copies and certification into an outer envelope and address it to the attorney causing service of the subpoena or to the clerk of the court; and 5. Promptly deliver either personally or by certified or registered mail to the addressee. If delivered personally, have the person receiving the records sign a receipt containing the following information and retain the receipt as proof of the delivery: a. Name of the facility; b. Full name of the patient; c. Patient s medical record number and; d. The date the copies were delivered. When delivered via mail, retain the receipt issued by the post office and signed by the court representative as proof of delivery. 
Original Record To Be Left In Court

If the original record is to be left in the court, the medical record custodian should obtain a receipt from the clerk of court indicating that the record will be retained in the clerk's custody and that arrangements will be made for the return of the record when the case is terminated.

Microfilmed Records In Court

If a subpoenaed record is on microfilm and it is necessary for the custodian to appear in court, the film containing the records should be taken to court along with copies of the filmed records. If the copies are legible, the filmed records ordinarily are not needed. Should the court request to view film that contains records of other patients, the custodian should explain that the confidentiality of other patients' records is at stake. Such film should not be left with the court, since the records may be needed for patient care. Upon the admission of microfilm records in court, the medical record custodian may be asked whether the original records were destroyed in the regular course of business. Records are destroyed in the regular course of business when they are destroyed in a routine manner after microfilming and not for the purpose of destroying evidence.

Interrogatories

Interrogatories are a set or series of written questions asked by one party of another party or witness in a lawsuit. The person receiving the interrogatory is requested to answer the questions in writing and to sign an oath that all answers are correct to the best of his/her knowledge. Answers are mainly used to discover evidence; however, the answers themselves may be admitted as evidence. A recipient of a subpoena who is asked to answer an interrogatory or set of interrogatories should turn the questions over to his/her legal counsel for response.

Waiver of Privilege

A privilege may be waived only by the person whose information is held to be privileged. The recipient of the subpoena should never assume that a patient has waived privilege, for example, when a psychiatric patient sues his psychiatrist. Only the presiding officer of a court may determine that a patient has waived privilege.

Checklist: HIPAA Information, Concepts and Processes
Basic HIPAA Training For New Department Staff

The following information will be reviewed with each new employee during basic HIPAA training with the HIPAA Privacy Officer:

- The Health Department (HD) is, under HIPAA, a covered entity and must comply with HIPAA regulations in regard to Protected Health Information (PHI).
- The definition of Protected Health Information (PHI) under HIPAA.
- The role of the HD in regard to research and public health surveillance.
- The basic provisions of the HIPAA Privacy Rule regarding department clients' medical records and PHI.
- The definitions of Treatment, Payment and Healthcare Operations under HIPAA.
- The purpose of the Minimum Necessary Standard in regard to PHI.
- The fact that HIPAA regulations pre-empt state privacy laws unless a state law is more stringent.
- The civil penalties and criminal sanctions for misuse of PHI.
- The purpose for providing a HD client a copy of the HIPAA Privacy Notice and the reason a signature is needed acknowledging receipt of the document.
- The fact that a HD client may file a complaint if they believe their privacy rights have been violated.
- The expectation that all HD employees, even employees who do not work with clients' PHI, are to share work-related information only when appropriate.
- The requirements of HD staff and observers regarding confidentiality.
- The review and signing of the HD Confidentiality Agreement.
- The basic purposes and responsibility of HD staff in regard to the Security Rule and personal computers, passwords, email and faxed information.
- The fact that the HD has HIPAA policies regarding the following, which will be reviewed with new staff who will work with PHI:
  - The process and forms to use to release a medical record to a client or legal guardian of a minor client.
  - The process and forms to use to release a client's medical record to someone other than the client.
  - The process and forms to use in regard to a request for an accounting of disclosures.
  - The process and forms to use in regard to a request to amend a medical record.

Questions related to HIPAA and/or the release of PHI must be directed to the immediate supervisor. The Privacy Office can be contacted directly if the supervisor is not available and a response is needed immediately.

Checklist: Health Records, Concepts and Processes
Basic Health Records Training For New Department Staff

The following information will be reviewed with each new employee during basic Health Records training with the HIPAA Privacy Officer:

- The Health Department (HD) must comply with HIPAA regulations in regard to Protected Health Information (PHI).
- The guidelines of the Kentucky Public Health Practice Reference, Section: Documentation/Medical Records, and the Medical Records Management: Administrative Reference, Volume I.
- The importance of a health record.
- The role of the HD in regard to creating and storing health records.
- The basics of creating a master patient index card and the purposes it serves.
- The importance of Records Management.
- The standards for timely and legible documentation.
- The importance of provider signatures and when initialing is appropriate.
- The use of copied documents versus original documents.
- The importance of obtaining consents and signatures.
- The forms required by HIPAA for releasing PHI and the Disclosure log that must be updated with each release.
- The use of out guides.
- The process for responding to a request for information from a health care provider.
- The process for whom to contact regarding requests from an attorney, insurance company, Cabinet for Families and Children, and the courts.

Questions related to Health Records must be directed to the immediate supervisor for clarity. In the event the request is for privileged records (HIV, STD, HANDS, etc.), notify your supervisor immediately.

CONFIDENTIALITY AGREEMENT - HD Employees and Other Workforce Members

As a member of the Health Department (HD) workforce, I may learn confidential information related to the health care of clients who receive services at this health department. Because this health department is, under the Health Insurance Portability and Accountability Act (HIPAA), a covered entity, the HD must comply with regulations promulgated under HIPAA, which include protecting the privacy of information HIPAA defines as protected health information (PHI). HD health records, whether paper or electronic, are the property of the HD, but our clients have a right to expect that their health records will be managed confidentially. It is the responsibility of this health department to protect the confidentiality of such information. As a member of the HD workforce, I am responsible for protecting the confidentiality of client information disclosed to me.

1. I understand I must maintain the confidentiality of all client records and protected health information (PHI) in order to comply with applicable state laws, HIPAA and other applicable federal laws.
2. I understand that information, written or unwritten, including but not limited to medical, socio-economic, financial, personal and employment information, in my possession is strictly confidential, and that the principle of confidentiality applies to client, employee and visitor information.
3. I understand that if I have a need to discuss client information, I must not discuss that information in public places. I understand that, when discussing confidential information with other members of the HD workforce, or on the phone for permitted purposes, care must be taken to be out of hearing range of other clients, visitors, or staff who do not have a need to know the information, and that casual discussions regarding client information are strictly prohibited.
4. I understand I am obligated to keep client information that is accidentally acquired or incidentally disclosed during my work at HD confidential, unless doing so would cause harm or injury to someone or to this health department.
5. I understand I must follow all safeguard procedures to protect the confidentiality of clients' records and/or PHI. I understand that documents with client identifiers (scrap documents, unused patient labels, etc.) must be shredded. I understand that this includes shielding information on my computer monitor from the view of those who do not have a need to know.
6. I understand my obligation of confidentiality will continue long after my departure from the department. I agree to follow all HD policies and procedures regarding patient privacy, and I understand that any violation of these policies could result in corrective action up to and including termination, as well as civil and/or criminal penalties.

I have read this Confidentiality Agreement and I agree to abide by its terms.

Staff (print name): ________________
Signature: ________________ Date: ________
HIPAA Privacy Officer (or designee) Signature: ________________ Date: ________

STAFF SUPPORT SECTION

DOCUMENTATION/MEDICAL RECORD

A medical record is the documentation kept about the medical care of patients. It contains sufficient information to identify and assess patients and to furnish evidence of the appropriate course of the patient's health care by the provider(s) responsible for the delivery of the health care services. Each patient receiving health care services shall have a record initiated. (Exception: anonymous HIV test/counseling patients and court-ordered HIV testing.)

Medical record documentation has a universal effect on organizational operation, evaluation of care and services, compliance, and reimbursement. The quality and type of care, services, on-going planning and assessment delivered to the client are determined through documentation and rely heavily on the quality and accuracy of the medical record. The medical record also serves as a source document for legal proceedings.

LEGAL DOCUMENTATION STANDARDS

This section reviews the legal documentation standards for entries in and maintenance of the medical record. Health information is collected in various formats: paper-based records, electronic client records, and computerized client databases. The legal documentation standards have mainly applied to the paper medical record; however, most are also applicable to documentation in an electronic medical record. This section is divided into topics and addresses the following issues:

1. Purpose of the medical record and definition of the legal medical record
2. Legal documentation standards that apply to medical records
3. Proper methods for handling errors, omissions, addenda, and late entries.

I. Purpose and Definition of the Legal Medical Record

A patient's health record plays many important roles:

A. It provides a view of the client's health history. In other words, it provides a record of the client's health status, including observations, measurements, history and prognosis, and serves as the legal document describing the health care services provided to the patient.
B. The medical record provides evidence of the quality of client care by:
   - Describing the services provided to the client
   - Providing evidence that the care was necessary
   - Documenting the client's response to the care and changes made to the plan of care
   - Identifying the standards by which care was delivered
   - Documenting adherence to standards of care and policies/procedures
- It provides a method for clinical communication and care planning among the individual healthcare practitioners serving the client.
- It provides supporting documentation for the reimbursement of services provided to the client.
- It is a source of data for clinical, health services and outcomes research, as well as for public health purposes.
- It serves as a major resource for healthcare practitioner education.
- It serves as the legal business record for a health care organization and is used in support of business decision-making.

II. Legal Documentation Standards

A. Defining Who May Document in the Medical Record

Anyone documenting in the medical record should be credentialed and/or have the authority and right to document as defined by facility policy. Individuals must be trained and competent in the fundamental documentation practices of the facility and in legal documentation standards. All writers should be trained in and follow their agency policies and procedures for documentation (i.e. following timeframes for documentation).

B. Linking Each Entry to the Client; Client Identification on Every Page/Screen

Every page in the medical record or computerized record screen must be identifiable to the client by name and medical record number. Client name and number must be on every page, including both sides of the pages, every shingled form, computerized print-out, etc. Computer-generated labels (C and D) that contain the client's name, identification number and clinic ID are available for print. All computer-generated labels contained in the Medical Record shall be printed in black ink. When double-sided forms are used, the client name and number should be on both sides, since information is often copied and must be identifiable to the client. Forms, both paper and computer-generated, with multiple pages must also have the client name and number on all pages.

AUTHORIZATION FOR RELEASE/ACQUISITION OF PATIENT INFORMATION

The undersigned hereby authorizes the Local Health Department ________________, whose address is ________________, to release to / procure from:

Facility Name: ________________
Facility Address: ________________

information from the patient/clinic record of:

Name: ________________ Birthdate: ________ ID Number: ________

All information may be released, except privileged information, which may include: HANDS, STD or HIV/AIDS, alcohol abuse, drug abuse, psychological or psychiatric conditions, or genetic testing, etc., unless specifically requested by the patient, parent or legal guardian: ________________

For the purpose of: ________________

I understand that this authorization will expire on the following date, event or condition: ________________. I understand that if I fail to specify an expiration date or condition, this authorization is valid for the period of time needed to fulfill its purpose, for up to one year, except for disclosures for financial transactions, for which the authorization is valid indefinitely. I also understand that I may revoke this authorization at any time. I understand that my information may not be protected from re-disclosure by the requester of the information. I also understand my refusal to sign this authorization will not affect my ability to obtain treatment, payment for services or eligibility for benefits. If a service is requested by a party other than the patient for the purpose of creating health information, refusal to sign this authorization may result in the service request being denied. I understand I can cancel this authorization, and to do so I must send a written request to the Local Health Department Agency specifically authorized above. I understand I can obtain a copy of my health care data, and to do so I must submit a written request to the Local Health Department Agency specifically authorized above.

Signature of Client/Patient, Parent or Legal Guardian: ________________ Date: ________
Relationship (if signature is not patient/client): ________________
Signature of Witness: ________________ Date: ________ (Only required when Client/Patient, Parent or Legal Guardian signs by Mark.)

RECORDS CERTIFICATE PURSUANT TO KRE 902(11)

Now comes the Records Custodian of the Health Department, pursuant to court order and after first having been sworn, and hereby certifies that:

1) each of the attached documents was made at or near the time of the occurrence of the matters set forth in said documents by (or from information transmitted by) a person with knowledge of those matters;
2) said documents have been kept in the course of the regularly conducted activity;
3) said documents were made by the regularly conducted activity as a regular practice; and
4) said documents are trustworthy and no relevant documents have been withheld.

RECORDS CUSTODIAN: ________________ DATE: ________

STATE OF KENTUCKY )
COUNTY OF JEFFERSON )

Subscribed, sworn to and acknowledged before me on this ____ day of ____________, 2012.

My Commission Expires: ____________

NOTARY PUBLIC, STATE AT LARGE, KENTUCKY

HIPAA ACKNOWLEDGMENT FORM

Client Name (print): ________________ Date of Birth: ________

By signing this form, you acknowledge that the HIPAA Privacy Notice for the Health Department has been presented to you. (Various languages available.)

Signature of Client (or another authorized person): ________________ Date Signed: ________

For Health Department Use Only
Client refused to sign HIPAA Privacy Notice Acknowledgement
Employee Signature: ________________ Date: ________

HIPAA PRIVACY NOTICE (SAMPLE)

PLEASE READ CAREFULLY, as this notice describes how medical information about you may be used and disclosed and how you can get access to this information.

THIS NOTICE IS TO INCLUDE:
- Examples of how Protected Health Information (PHI) may be used or disclosed
- Other Permitted Uses and Disclosures
- Patient Rights
- Agency Responsibilities
- Who to contact with questions
- How to file a complaint with the Agency without cost or penalty
- How to file a complaint with the Office of Civil Rights without cost or penalty

FREQUENTLY ASKED QUESTIONS

Q: Can a physician's office FAX patient medical information to another physician's office?

Answer: The HIPAA Privacy Rule permits physicians to disclose protected health information to another health care provider for treatment purposes. This can be done by fax or by other means. Covered entities must have in place reasonable and appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information that is disclosed using a fax machine. Examples of measures that could be reasonable and appropriate in such a situation include the sender confirming that the fax number to be used is in fact the correct one for the other physician's office, and placing the fax machine in a secure location to prevent unauthorized access to the information. 45 CFR 164.530(c).

Reference: www.hhs.gov, Administrative Reference and HIPAA Frequent Questions.

Q: Can I release immunization records via fax?

Answer #1: DPH policy permits the sharing of childhood immunization information with other LHDs within and outside the state, as well as with other facilities or institutions which require evidence of immunizations pursuant to state law, and with other providers outside of the LHD who are providing health care to the patients simultaneously or subsequently.

Reference: Kentucky Public Health Practice Reference, Section: Documentation/Medical Records, July 31, 2011.

Answer #2: Immunization information may be shared, without authorization from the patient (or the patient's parent or guardian, if the patient is a minor), if the person or agency requesting the information provides health-related or education services on behalf of the patient, has a public health interest, or is an institution which requires evidence of immunizations pursuant to state law. Some of the entities that may report and exchange information under this exemption are: LHDs within and outside the state, childcare facilities, pre-schools, public and private schools, and other providers outside of the LHD who are providing health care to the patients simultaneously or subsequently.

Reference: Administrative Reference, Vol. 1, Medical Records Management, July 1, 2011, Section: Releasing Patient Information.

Q: Can an employer obtain the results of an employee's TB test the agency paid for?

Answer: Health departments may be requested to issue a certification of a specific service(s) they have provided (e.g., PPDs, to meet occupational requirements). Such certification shall be issued to the patient, who then has the responsibility to advise the employer. (No results of the service(s) shall be released to anyone other than the patient without specific consent.) HIV test results are prohibited from use in employment or eligibility determination for health or life insurance.

18 IDENTIFIERS

PHI refers to more than health information. Individually identifiable information that could provide access to health records maintained by a covered entity is considered protected health information (PHI). The eighteen identifiers that could be considered PHI, if the information could provide access to health information, are:

1. Names;
2. All geographic subdivisions smaller than a state, including county, city, street address, precinct, zip code* and their equivalent geocodes;
3. All elements of dates (except year) directly related to an individual; all ages greater than 89 and all elements of dates (including year) indicative of such age (except for an aggregate into a single category of age greater than 90);
4. Telephone numbers;
5. Fax numbers;
6. E-mail addresses;
7. Social Security numbers;
8. Medical record numbers;
9. Health plan beneficiary numbers;
10. Account numbers;
11. Certificate and license numbers;
12. Vehicle identifiers and serial numbers, including license plate numbers;
13. Medical device identifiers and serial numbers;
14. Web Universal Resource Locators (URLs);
15. Internet Protocol (IP) addresses;
16. Biometric identifiers, including finger and voice prints;
17. Full-face photographic images and any other comparable images; and
18. Any other unique identifying number, characteristic or code, except that covered entities may, under certain circumstances, assign a code or other means of record identification that allows de-identified information to be re-identified.

* The first 3 digits of a zip code are excluded from the PHI list if the geographic unit formed by combining all zip codes with the same first three digits is greater than 20,000 persons.
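As an added example that is not part of the manual, the following Python applies the identifier rules above to a single constructed record: direct-identifier fields are dropped, a zip code keeps only its 3-digit prefix and only when that area exceeds 20,000 persons, ages over 89 collapse into one aggregate category (and the birth year is dropped with them), other dates keep only the year, and identifier patterns are redacted from free-text notes. The field names, the ZIP population table, the "as of" date and the sample record are all assumptions made for the example.

```python
import re
from datetime import date

# Constructed sample: persons living in each 3-digit ZIP prefix area.
# Real figures would come from Census data; these are illustrative only.
ZIP3_POPULATION = {"402": 650_000, "411": 15_000}
AS_OF = date(2012, 6, 1)   # constructed "as of" date for age calculations

# Assumed field names the record uses for direct identifiers (items 1, 2, 4-17).
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "plan_id", "account", "license", "vehicle", "device_serial", "url", "ip",
    "biometric", "photo",
}

# Identifier patterns that commonly leak into free-text notes.
TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"), "[DATE]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
]

def safe_zip(zip_code):
    """Keep the 3-digit prefix only if its area holds more than 20,000 persons."""
    zip3 = str(zip_code)[:3]
    return zip3 if ZIP3_POPULATION.get(zip3, 0) > 20_000 else "000"

def safe_age(dob, today=AS_OF):
    """Ages over 89 collapse into one aggregate category (labelled "90+" here)."""
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    return "90+" if age > 89 else age

def redact_text(text):
    """Replace identifier patterns found in free text with labels."""
    for pattern, label in TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text

def deidentify(record, today=AS_OF):
    """Return a de-identified copy of one record dict."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                          # drop direct identifiers outright
        if key == "zip":
            out["zip3"] = safe_zip(value)
        elif key == "dob":
            out["age"] = safe_age(value, today)
            if out["age"] != "90+":           # a year alone would reveal age > 89
                out["birth_year"] = value.year
        elif isinstance(value, date):
            out[key + "_year"] = value.year   # other dates keep only the year
        elif isinstance(value, str):
            out[key] = redact_text(value)
        else:
            out[key] = value
    return out

# Constructed sample record; not a real patient.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "mrn": "000123",
    "ssn": "123-45-6789",
    "dob": date(1920, 3, 15),
    "zip": "40202",
    "visit_date": date(2012, 5, 20),
    "diagnosis": "J18.9",
    "note": "Pt reached at 502-555-0142, follow up 05/20/2012; email jane@example.com",
}

def deidentify_sample():
    """De-identify the constructed sample record as of AS_OF."""
    return deidentify(SAMPLE_RECORD)

if __name__ == "__main__":
    for field, value in deidentify_sample().items():
        print(f"{field}: {value}")
```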

GENERAL SECTION

Kentucky Open Records Act

The Kentucky Open Records Act of 1992 made access to government records a legal right, codified in statutes KRS 61.870 to 61.884. The statutes define the parameters of the law. The official purpose of Kentucky's open records laws is stated as follows: "The General Assembly finds and declares...that free and open examination of public records is in the public interest and the exceptions provided for by KRS 61.878 or otherwise provided by law shall be strictly construed, even though such examination may cause inconvenience or embarrassment to public officials or others."

Under the Kentucky Open Records Act any person or organization can obtain detailed, factual information from any city, county or state office or agency. The following procedure should be used:

- Determine the office where the information you need is held. (A few calls to various offices may be required.)
- Call the office and ask for the information. Once you are put in touch with the person having authority over the information, they will most likely ask you for a written request under the Open Records Act. Ask if you can send it to them directly by email; 90% of the time they will allow this, since you have already discussed it on the phone. In any event, send a written letter addressed to the proper office via certified mail (always send it certified and keep the signature receipt). Most government bodies will have their own customized form for you to complete the request.
- Be sure to ask for the specific format you want. You have the right to receive the document in any format in which it exists. Electronic formats are especially helpful, as they are searchable and easily shared.
- The law states they have 3 working days to respond to you directly (by phone, email or letter).
- Depending on the volume of information requested, short responses are usually free, but information that runs many pages usually carries a copying fee (no more than 10 cents per page by state law). Your local offices are required to allow you to view the information first, then copy it for you if you request it.
- If your request is not responded to in 3 working days, or they charge more than 10 cents per page as a copying fee, you have the option of reporting them to the Kentucky State Attorney General's Office. Be sure to have documented evidence of the date of your initial request (i.e. the certified signature receipt card for a written request, or a copy of your emailed request mentioning your initial request by phone).

Most people in state government are helpful with these requests, as they are well aware of the law in this matter. This Open Records Act also applies to school district issues.