HIPPA and HITECH NOTIFICATION Effective Date: September 23, 2013



Similar documents
ADMINISTRATIVE REGULATION EFFECTIVE DATE: 1/1/2016

Checklist for HITECH Breach Readiness

POLICY AND PROCEDURE MANUAL

COMPLIANCE ALERT 10-12

STANDARD ADMINISTRATIVE PROCEDURE

Breach Notification Policy

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law

UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE

How To Notify Of A Security Breach In Health Care Records

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview

The ReHabilitation Center Buffalo Street. Olean. NY

Five Rivers Medical Center, Inc Medical Center Drive Pocahontas, AR Notification of Security Breach Policy

Data Breach, Electronic Health Records and Healthcare Reform

REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES PLEASE REVIEW IT CAREFULLY.

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240

HIPAA BREACH RESPONSE POLICY

BREACH NOTIFICATION FOR UNSECURED PROTECTED HEALTH INFORMATION

Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule

Barnes & Thornburg LLP HIPAA Update: HITECH Act Breach Notification Rule

TEXAS COLON & RECTAL SURGEONS, LLP HIPAA AND TEXAS LAW PRIVACY POLICIES AND PROCEDURES ADOPTED EFFECTIVE APRIL 1, 2003

HIPAA Breach Notification Policy

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

HIPAA, HIPAA Hi-TECH and HIPAA Omnibus Rule

FEDERAL AND STATE BREACH NOTIFICATION LAWS FOR CALIFORNIA

NOTICE OF THE NATHAN ADELSON HOSPICE PRIVACY PRACTICES

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in

ACKNOWLEDGMENT OF RECEIPT OF NOTICE OF PRIVACY PRACTICES

HIPAA Privacy and Security

Notice of Privacy Practices

Identity Theft Prevention and Security Breach Notification Policy. Purpose:

BUSINESS ASSOCIATE AGREEMENT

NACHC Issue Brief Changes to the Health Insurance Portability and Accountability Act Included in ARRA. March 2010

SDC-League Health Fund

New Privacy Laws Impacting the Health Care Work Place

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN

HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI

Healthcare Practice. HIPAA/HITECH Act vs. Oregon Consumer Identity Theft Protection Act. February 2010

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

FirstCarolinaCare Insurance Company Business Associate Agreement

HIPAA Data Breaches: Managing Them Internally and in Response to Civil/Criminal Investigations

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable:

SAMPLE BUSINESS ASSOCIATE AGREEMENT

NOTICE OF PRIVACY PRACTICES

Model Business Associate Agreement

SaaS. Business Associate Agreement

The Health and Benefit Trust Fund of the International Union of Operating Engineers Local Union No A-94B, AFL-CIO. Notice of Privacy Practices

SAMPLE BUSINESS ASSOCIATE AGREEMENT

Legislative & Regulatory Information

University Healthcare Physicians Compliance and Privacy Policy

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing

Am I a Business Associate? Do I want to be a Business Associate? What are my obligations?

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE ADDENDUM

The Institute of Professional Practice, Inc. Business Associate Agreement

The HITECH Act: Implications to HIPAA Covered Entities and Business Associates. Linn F. Freedman, Esq.

Business Associate Agreement Involving the Access to Protected Health Information

Notice of Privacy Practices

GLENN COUNTY HEALTH AND HUMAN SERVICES AGENCY. HIPAA Policies and Procedures 06/30/2014

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

Tulane University. Tulane University Business Associates Agreement SCOPE OF POLICY STATEMENT OF POLICY IMPLEMENTATION OF POLICY

Business Associates and HIPAA

Notice of Privacy Practices

HIPAA and HITECH Compliance Under the New HIPAA Final Rule. HIPAA Final Omnibus Rule ( Final Rule )

LCD SOLUTIONS and CLICKTATE.COM BUSINESS ASSOCIATE AGREEMENT and DISCLOSURE of RIGHTS to COVERED ENTITIES

BUSINESS ASSOCIATE AGREEMENT

Disclaimer: Template Business Associate Agreement (45 C.F.R )

Long-Expected Omnibus HIPAA Rule Implements Significant Privacy and Security Regulations for Entities and Business Associates

Genworth Life Insurance Company Genworth Life Insurance Company of New York NOTICE OF PRIVACY PRACTICES

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers

Connecticut Pipe Trades Health Fund Privacy Notice Restatement

The Basics of HIPAA Privacy and Security and HITECH

Transcription:

HIPPA and HITECH NOTIFICATION Effective Date: September 23, 2013 Orchard Creek Health Care is required by law to maintain the privacy of protected health information (PHI) of our residents. If you feel your PHI rights have been violated, please contact the designated Privacy Officer, Dale Chilcote. Designated Privacy Officer: Dale Chilcote, Administrator 231-932-9272 or dale@orchardcreektc.com The Privacy Officer will be responsible for developing and implementing the privacy policies and procedures. The Privacy Officer will also be the designated person to receive and investigate complaints and provide individuals with information regarding OCHC privacy practices. Complaints may be made to the Privacy Officer in person, in writing, by email, phone or the Health Information Privacy Complaint Form located in the public notice area. Complaints may also be made directly to the Secretary of Health and Human Services. DEFINITIONS Protected Health Information (PHI) any information about health status, provision of health care, or payment for health care that can be linked to a specific individual (resident). Breach Unauthorized acquisition, access, use or disclosure of protected health information (PHI) which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not have been able to retain such information. The term breach does not include: o Any unintentional access or use of PHI by an employee or individual acting under the authority of OCHC or a Business Associate if such access or use was made in good faith and within the course and scope of their employment and such information is not further accessed or used by any person. o Any inadvertent disclosure from an individual who is authorized to access PHI to another individual at the same facility. o Any such information received as a result of such disclosure is not further accessed or disclosed without authorization by any person. Business Associate - A person not on OCHC workforce, but acts on behalf of OCHC, who creates, receives, maintains or transmits PHI for OCHC or provides legal, accounting, consulting, data aggregation, management, administrative accreditation or financial services for OCHC. Business Associates do not include: o Other health care providers, such as ambulance service, Medical Director, attending physicians, contract therapy, X-Ray, Lab. o A plan sponsor with respect to disclosures by a group health plan. o A government agency. o A covered entity participating in an organized health care arrangement. OCHC RESPONSIBILITIES OCHC is required by law to maintain the privacy of protected health information, to provide individuals with notice of its legal duties and privacy practices with respect to protected health information, and to notify affected individuals following a breach of unsecured protected health information. OCHC reserves the right to change the terms of the Privacy Notice regarding PHI and will provide 30 day written notice of any changes to the policy. NOTIFICATIONS

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. Right to Notice. An individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information. OCHC may use and disclose protected health information for its own treatment, payment, and health care operations activities. OCHC may also disclose PHI for the treatment activities of any health care provider, or the health care operation of another entity involving quality or competency assurance activities or fraud and abuse detection and compliance activities, if both entities have or had a relationship with the individual and the PHI pertains to the relationship. Example 1: Resident face sheets and other medical information will be sent to pharmacy so that the medication orders may be filled and supplied to the resident. Example 2: Resident financial information may be sent to a billing company to process payments from Medicare or 3 rd party insurance. OCHC will not sell or distribute PHI pertaining to any resident to any outside individual, entity or organization. If OCHC intends to engage in any of the following activities, a separate statement informing the individual of such activities will be required. o Contacting the individual to raise funds for the facility. The individual has a right to opt out of receiving such communications. o A group health plan, health insurance issuer or HMO with respect to a group health plan, may disclose protected health information to the sponsor of the plan. o If a covered entity that is a health plan, excluding an issuer of a long-term care policy intends to use or disclose protected health information for underwriting purposes, a statement that the covered entity is prohibited from using or disclosing protected health information that is genetic information of an individual for such purposes. INDIVIDUAL RIGHTS A resident has; The right to request restrictions on certain uses and disclosures of protected health information. The right to receive confidential communications of protected health information. The right to inspect and copy protected health information. The right to amend protected health information. The right to receive an accounting of disclosures of protected health information. The right of an individual, including an individual who has agreed to receive the notice electronically, to obtain a paper copy of the notice from the covered entity upon request. ACCESS

The covered entity must permit an individual to request access to inspect or to obtain a hard copy or electronic copy of the protected health information about the individual that is maintained in a designated record set. All requests to obtain a copy of the PHI must be made in writing. OCHC will provide the PHI requested within 5 working days from the receipt of the written notice. If the covered entity grants the request, in whole or in part, it must inform the individual of the acceptance of the request and provide the access requested. If the covered entity denies the request, in whole or in part, it must provide the individual with a written denial. If the covered entity is unable to take timely action required by this section, the covered entity may extend the time for such actions by no more than 30 days, provided that: o The covered entity provides the individual with a written statement of the reasons for the delay and the date by which the covered entity will complete its action on the request; and o The covered entity may have only one such extension of time for action on a request for access. USES and DISCLOSURES A covered entity (OCHC) is permitted to use or disclose protected health information: o To the individual. o For treatment, payment, or health care operations. o Incident to a use or disclosure otherwise permitted or required, provided that the covered entity has complied with the applicable requirements. A covered entity or Business Associate is required to disclose protected health information: o To an individual o When required by the Secretary of Health and Human Services to investigate or determine the covered entity's compliance with this subchapter. A covered entity may use or disclose protected health information for its own treatment, payment, or health care operations. A covered entity may disclose protected health information for treatment activities of a health care provider. A covered entity may disclose protected health information to another covered entity or a health care provider for the payment activities of the entity that receives the information. A covered entity may disclose protected health information to another covered entity for health care operations activities of the entity that receives the information, if each entity either has or had a relationship with the individual who is the subject of the protected health information being requested, the protected health information pertains to such relationship, and the disclosure is: (i) For a purpose of health care operations; or (ii) For the purpose of health care fraud and abuse detection or compliance. A covered entity that participates in an organized health care arrangement may disclose protected health information about an individual to other participants in the organized health care arrangement for any health care operations activities of the organized health care arrangement. A covered entity or Business Associate may not sell protected health information. Minimum Necessary - When using or disclosing protected health information or when requesting protected health information from another covered entity or business associate, a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. REPORTING

Notification to individuals. A covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach. A breach shall be treated as discovered by a covered entity as of the first day on which such breach is known to the covered entity, or, by exercising reasonable diligence would have been known to the covered entity. A covered entity shall be deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or agent of the covered entity. A covered entity shall provide the notification required without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. The content of the notification will include to the extent possible: o A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known o A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved) o Any steps that individuals should take to protect themselves from potential harm resulting from the breach o A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches o Contact procedures for individuals to ask questions or learn additional information, which shall include a toll free telephone number, an e-mail address, Web site, or postal address. o The notification required shall be written in plain language. The notification required by this section shall be provided in the following form: Written notice. o Written notification by first-class mail to the individual at the last known address of the individual or, if the individual agrees to electronic notice and such agreement has not been withdrawn, by electronic mail. The notification may be provided in one or more mailings as information is available. o If the covered entity knows the individual is deceased and has the address of the next of kin or personal representative of the individual written notification by first class mail to either the next of kin or personal representative of the individual. The notification may be provided in one or more mailings as information is available. Substitute notice. o In the case in which there is insufficient or out-of-date contact information that precludes written notification to the individual, a substitute form of notice reasonably calculated to reach the individual shall be provided. Substitute notice need not be provided in the case in which there is insufficient or out-of-date contact information that precludes written notification to the next of kin or personal representative of the individual. o In the case in which there is insufficient or out-of-date contact information for fewer than 10 individuals, then such substitute notice may be provided by an alternative form of written notice, telephone, or other means. o In the case in which there is insufficient or out-of-date contact information for 10 or more individuals, then such substitute notice shall:

a) Be in the form of either a conspicuous posting for a period of 90 days on the home page of the Web site of the covered entity involved, or conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside and b) Include a toll-free phone number that remains active for at least 90 days where an individual can learn whether the individual's unsecured protected health information may be included in the breach. o In any case deemed by the covered entity to require urgency because of possible imminent misuse of unsecured protected health information, the covered entity may provide information to individuals by telephone or other means, as appropriate, in addition to notice provided above. REPORTING Notification to State Agency and Media Health and Human Services. A covered entity shall immediately notify the Secretary of Health and Human Services at (877) 696-6775 of a breach that involves more than 500 individuals. If the breach involves less than 500 individuals, the entity may maintain a log of any such breach and submit the log to HHS on an annual basis, not later than 60 days after the end of the calendar year. The Secretary shall make a list available to the public on the HHS website which identifies each covered entity involved in a breach in which more than 500 individual s PHI was acquired or accessed. Media Notice. Notice shall be provided to prominent media outlets serving a State or jurisdiction if the unsecured PHI of more than 500 individuals is believed to have been accessed, acquired or disclosed during the breach. PENALTIES Tier A is for violations in which the offender didn t realize he or she violated the Act and would have handled the matter differently if he or she had. This results in a $100 fine for each violation, and the total imposed for such violations cannot exceed $25,000 for the calendar year. Tier B is for violations due to reasonable cause, but not willful neglect. The result is a $1,000 fine for each violation, and the fines cannot exceed $100,000 for the calendar year. Tier C is for violations due to willful neglect that the organization ultimately corrected. The result is a $10,000 fine for each violation, and the fines cannot exceed $250,000 for the calendar year. Tier D is for violations of willful neglect that the organization did not correct. The result is a $50,000 fine for each violation, and the fines cannot exceed $1,500,000 for the calendar year. For a copy of the HIPAA/HITECH Law, see Privacy Officer, Dale Chilcote (Administrator) or go to the Health and Human Services website at www.hhs.gov

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information