Health Care Finance & Administration Policy Manual




Transcription:

Policy Number:

Health Care Finance & Administration Policy Manual

PURPOSE OF POLICY

This policy addresses how Health Care Finance and Administration (HCFA) will account for disclosures of Enrollee personally identifiable information (PII) and protected health information (PHI) pursuant to the Privacy Act of 1974, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and other applicable federal and state laws and regulations.

POLICY

HCFA shall timely respond to Enrollee requests for accounting of disclosures of PII or PHI maintained by HCFA. HCFA will provide enrollees with all the privacy rights granted by federal and state laws and regulations.

DISCUSSION & LEGAL BASIS

HCFA complies with HIPAA and federal and state laws and regulations in responding to Enrollee requests for Accounting of Disclosures. Pursuant to HIPAA, HCFA is not compelled to provide an accounting of PHI disclosures made: for treatment, payment or health care operations; to enrollees or their personal representatives; pursuant to an authorization; to persons involved in the enrollee's care if authorized by the enrollee; for public health, law enforcement, national security or intelligence purposes; as part of a limited data set; incidental to a use or disclosure permitted by HIPAA and HCFA policy; or more than six years prior to the date of request.

Publishing PHI or PII in a facility directory (e.g. by a hospital) is also exempt but would not generally occur in HCFA operations. Some disclosures may be temporarily exempt from disclosure if requested by a law enforcement agency or a health care oversight agency.

PROCEDURE

1. The Privacy Office is responsible for receiving and processing requests for accountings of disclosures, and for responding to reports of disclosures that may not be permitted by HIPAA or by HCFA policies and procedures.

2. HCFA staff must report the following disclosures to the Privacy Office and record any disclosures of PII or PHI not otherwise permitted by either:
   a. an enrollee's authorization, or
   b. to carry out treatment, payment, or health care operations.
   All improper disclosures are to be reported to the Privacy and Public Records Office, Office of General Counsel.

3. The following disclosures of Enrollee PII or PHI by HCFA staff should be logged:
   a. Disclosures to a public health official (FDA, CDC, Bureau of Vital Statistics) such as the reporting of disease or injury (would not include DHHS staff providing treatment);
   b. Disclosures in response to mandatory child or elder abuse reporting laws (other than protective services staff who respond to such report) to an entity authorized by law to receive the abuse report;
   c. Disclosures from an individual's record when reasonably believed to be a victim of abuse, neglect or domestic violence to an entity authorized by law to receive the abuse report;
   d. Disclosures from an individual's record to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations, proceedings or actions; inspections; licensure or disciplinary actions;
   e. Disclosures made for the purposes of research following privacy board approval;
   f. Disclosures for workers' compensation related matters;
   g. Disclosures about an individual pursuant to a court order in a court case or other legal proceeding;
   h. Disclosures about an individual provided for law enforcement purposes;
   i. Disclosures about an individual related to decedent status or tissue donation;
   j. Disclosures about an individual to prevent or lessen a serious threat to health or safety of a person or the public; and,
   k. Disclosures about an individual provided for specialized government functions related to Armed Forces personnel.

4. For all disclosures covered by this policy, HCFA shall track and record the date, nature, and purpose of each disclosure of a record, and to whom the disclosure was made. Records of disclosures shall be retained for a minimum of six years after the disclosure was made.

5. HCFA must act on an enrollee's request for an accounting of disclosures within sixty (60) days of receipt. If we are unable to provide the accounting within sixty (60) days, we have one opportunity to extend the time by giving the enrollee a written statement of the reasons for the delay, extending the time by no more than thirty (30) days.

6. Enrollee requests for accounting of disclosures should be submitted to:
   Health Care Finance and Administration
   Privacy and Public Records Office
   310 Great Circle Road
   Nashville TN 37243
   (866) 797-9469
   (615) 734-5289 (fax)

7. In the event of disclosure of an enrollee's PII or PHI not permitted under HIPAA or other federal or state laws or regulations, HCFA will attempt to mitigate any potential harmful effects and will log such a disclosure in a manner consistent with this policy.

8. Enrollees may receive one (1) accounting of disclosures free of charge per year. Additional accountings of disclosures are subject to applicable fees.
DEFINITIONS

Enrollee: Individuals currently enrolled in all categories of TennCare Medicaid and TennCare Standard, including an individual eligible for and enrolled in the TennCare program or in any Tennessee federal Medicaid waiver program pursuant to Sections 1115 or 1915 of the Social Security Act; and, for purposes of the bureau privacy policies, the term may also be used to reference one who was previously an enrollee during a period for which there is a privacy request or compliance inquiry.

Health care operations: Any HCFA activity related to covered functions such as eligibility determination and benefits administration.

HIPAA: Health Insurance Portability and Accountability Act of 1996 and for which administrative simplification, privacy, and security regulations are codified at 45 Code of Federal Regulations, Parts 160-164.

Incidental disclosure: A term of art used to describe inadvertent or uncalculated releases of information that may occur incidentally during HCFA operations, such as when a person overhears a nearby HCFA employee discuss health information on the phone.

Limited data set: PHI that excludes direct identifiers (e.g. names, address, social security numbers) of the individual, relatives, employers or household members.

Payment: Activities undertaken to obtain premiums, determine eligibility and benefits or provide reimbursement for the provision of health care.

Personal representative: An individual or entity legally authorized to act on behalf of the individual enrollee.

Personally Identifiable Information (PII): Information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.

The Privacy Act of 1974: A United States federal law, enacted December 31, 1974, and codified at 5 U.S.C. 552a which establishes a Code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of personally identifiable information.

Protected Health Information (PHI): Information that is:
   (i) Transmitted by electronic media;
   (ii) Maintained in electronic media; or
   (iii) Transmitted or maintained in any other form or medium, including demographic information that identifies or may be used to identify an individual and that:
      (1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
      (2) Relates to the physical or mental health or condition of an individual.

Treatment: means the provision, coordination, or management of health care.

OFFICE OF PRIMARY RESPONSIBILITY

HCFA Privacy and Public Records Office, Office of General Counsel

RELATED FORMS

Request for Accounting of Disclosures

REFERENCES

45 CFR 160.103
45 CFR 164.501-530
42 USCA 1320d-5
5 U.S.C. 552a (c)(1), (c)(3), (j), (k)
OMB Circular A-130