NOTICE OF PRIVACY PRACTICES
Deborah Ottenheimer, MD, PC
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
This Notice of Privacy Practices is provided to you as a requirement of the Health Insurance Portability & Accountability Act (HIPAA). It describes how we may use or disclose your protected health information, with whom that information may be shared, and the safeguards we have in place to protect it. This Notice also describes your rights to access and amend your protected health information. You have the right to approve or refuse the release of specific information outside of our Practice except when the release is required or authorized by law or regulation.
ACKNOWLEDGMENT OF RECEIPT OF THIS NOTICE ‑ You will be asked to provide a signed acknowledgment of receipt of this Notice. Our intent is to make you aware of the possible uses and disclosures of your protected health information and your privacy rights. The delivery of your health care services will in no way be conditioned upon your signed acknowledgment. If you decline to provide a signed acknowledgment, we will continue to provide your treatment, and will use and disclose your protected health information in accordance with law.
OUR DUTIES TO YOU REGARDING PROTECTED HEALTH INFORMATION ‑ “Protected health information” is individually identifiable health information and includes demographic information (for example, age, address, etc.), and relates to your past, present or future physical or mental health or condition and related health care services. Our Practice is required by law to do the following: (1) keep your protected health information private; (2) present to you this Notice of our legal duties and privacy practices related to the use and disclosure of your protected health information; (3) follow the terms of the Notice currently in effect; (4) post and make available to you any revised Notice; and (5) notify affected individuals following a breach of unsecured protected health information. We reserve the right to revise this Notice and to make the revised Notice effective for health information we already have about you as well as any information we receive in the future. The Notice’s effective date is at the top of the first page and at the bottom of the last page.
HOW WE MAY USE OR DISCLOSE YOUR PROTECTED HEALTH INFORMATION – Following are examples of permitted uses and disclosures of your protected health information. These examples are not exhaustive.
Required Uses and Disclosures ‑ By law, we must disclose your health information to you unless it has been determined by a health care professional that it would be harmful to you. Even in such cases, we may disclose a summary of your health information to certain of your authorized representatives specified by you or by law. We must also disclose health information to the Secretary of the U.S. Department of Health and Human Services (HHS) for investigations or determinations of our compliance with laws on the protection of your health information.
Treatment ‑ We will use and disclose your protected health information to provide, coordinate or manage your health care and any related services. This includes the coordination or management of your health care with a third party. For example, we may disclose your protected health information from time‑to‑time to another physician or health care provider (for example, a specialist, pharmacist or laboratory) who, at the request of your physician, becomes involved in your care. In emergencies, we will use and disclose your protected health information to provide the treatment you require
Payment ‑ Your protected health information will be used, as needed, to obtain payment for your health care services. This may include certain activities we may need to undertake before your health care insurer approves or pays for the health care services recommended for you, such as determining eligibility or coverage for benefits. For example, obtaining approval for a surgical procedure might require that your relevant protected health information be disclosed to obtain approval to perform the procedure at a particular facility. We will continue to request your authorization to share your protected health information with your health insurer or third-party payer.
Health Care Operations ‑ We may use or disclose, as needed, your protected health information to support our daily activities related to providing health care. These activities include billing, collection, quality assessment, licensing, and staff performance reviews. For example, we may disclose your protected health information to a billing agency in order to prepare claims for reimbursement for the services we provide to you. We may call you by name in the waiting room when your physician is ready to see you. We will share your protected health information with other persons or entities who perform various activities (for example, a transcription service) for our Practices. These business associates of our Practice are also required by law to protect your health information. We may use or disclose your protected health information as necessary to contact you in order to raise funds for our Practice. Any such communication will tell you how you may opt out of receiving future fundraising communications from us.
Required by Law ‑ We may use or disclose your protected health information if law or regulations requires the use or disclosure.
Public Health ‑ We may disclose your protected health information to a public health authority who is permitted by law to collect or receive the information. For example, the disclosure may be necessary to prevent or control disease, injury or disability; report births and deaths; or report reactions to medications or problems with medical products. We may provide proof of immunization without authorization, to your school if (i) the school is required by State or other law to have proof of immunization prior to admission and (ii) we obtain and document your permission or, for a minor, the permission of the parent, guardian or other person acting in loco parentis for the individual.
Communicable Diseases ‑ We may disclose your protected health information, if authorized by law, to a person who might have been exposed to a communicable disease or might otherwise be at risk of contracting or spreading the disease or condition.
Health Oversight ‑ We may disclose protected health information to a health oversight agency for activities authorized by law, such as audits, investigations, and inspections. These health oversight agencies might include government agencies that oversee the health care system, government benefit programs, or other regulatory programs.
Food and Drug Administration ‑ We may disclose your protected health information to a person or company required by the Food and Drug Administration to report adverse events; track products, enable product recalls; make repairs or replacements; or conduct post‑marketing review.
Legal Proceedings ‑ We may disclose protected health information during any judicial or administrative proceeding, in response to a court order or administrative tribunal (if such disclosure is expressly authorized), and in certain conditions in response to a subpoena, discovery request, or other lawful process.
Law Enforcement ‑ We may disclose protected health information for law enforcement purposes, including information requests for identification and location; and circumstances pertaining to victims of a crime.
Coroners, Funeral Directors, and Organ Donations ‑ We may disclose protected health information to coroners or medical examiners for identification to determine the cause of death or for the performance of other duties authorized by law. We may also disclose protected health information to funeral directors as authorized by law. Protected health information may be used and disclosed for cadaver organ, eye or tissue donations.
Research ‑ We may disclose protected health information to researchers when authorized by law, for example, if their research has been approved by an institutional review board that has reviewed the research proposal and established protocols to ensure the privacy of your protected health information.
Threat to Health or Safety ‑ Under applicable Federal and State laws, we may disclose your protected health information to law enforcement or another health care professional if we believe in good faith that its use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. We may also disclose protected health information if it is necessary for law enforcement authorities to identify or apprehend an individual.
Military Activity and National Security ‑ When the appropriate conditions apply, we may use or disclose protected health information of individuals who are Armed Forces personnel for activities believed necessary by appropriate military command authorities to ensure the proper execution of the military mission, including determination of fitness for duty; or to a foreign military authority if you are a member of that foreign military service. We may also disclose your protected health information, under specified conditions, to authorized Federal officials for conducting national security and intelligence activities including protective services to the President or others.
Workers’ Compensation ‑ We may disclose your protected health information to comply with workers’ compensation laws and similar government programs.
Inmates ‑ We may use or disclose your protected health information, under certain circumstances, if you are an inmate of a correctional facility.
Parental Access ‑ State laws concerning minors permit or require certain disclosure of protected health information to parents, guardians, and persons acting in a similar legal status. We will act consistently with the laws of this State (or, if you are treated by us in another state, the laws of that state) and will make disclosures following such laws.
USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION REQUIRING YOUR PERMISSION – In some circumstances, you have the opportunity to agree or object to the use or disclosure of all or part of your protected health information. Following are examples in which your agreement or objection is required.
Individuals Involved in Your Health Care ‑ Unless you object, we may disclose to a member of your family, a relative, a close friend, or any other person you identify, your protected health information that directly relates to that person’s involvement in your health care. We may also give information to someone who helps pay for your care. Additionally, we may use or disclose protected health information to notify or assist in notifying a family member, personal representative, or any other person who is responsible for your care, of your location, general condition, or death. If you should become deceased, we may disclose your protected health information to a family member or other individual who was previously involved in your care, or in payment for your care, if the disclosure is relevant to that person’s prior involvement, unless doing so is inconsistent with your prior expressed preference. Finally, we may use or disclose your protected health information to an authorized public or private entity to assist in disaster relief efforts and coordinate uses and disclosures to family or other individuals involved in your health care.
YOUR RIGHTS REGARDING YOUR HEALTH INFORMATION – You may exercise the following rights by submitting a written request to our Privacy Officer. Our Privacy Officer can guide you in pursuing these options. Please be aware that our Practice may deny your request; however, in most cases you may seek a review of the denial.
Right to Inspect and Copy ‑ You may inspect and/or obtain a copy of your protected health information that is contained in a “designated record set” for as long as we maintain the protected health information. A designated record set contains medical and billing records and any other records that our Practice uses for making decisions about you. This right does not include inspection and copying of the following records: psychotherapy notes; information compiled in reasonable anticipation of, or use in, a civil, criminal or administrative action or proceeding; and protected health information that is subject to a law that prohibits access to protected health information. You will be charged a fee for a copy of your record and we will advise you of the exact fee at the time you make your request. We may offer to provide a summary of your information and, if you agree to receive a summary, we will advise you of the fee at the time of your request.
Right to Request Restrictions ‑ You may ask us not to use or disclose any part of your protected health information for treatment, payment or health care operations. Your request must be made in writing to our Privacy Officer. In your request, you must tell us: (1) what information you want restricted; (2) whether you want to restrict our use or disclosure, or both; (3) to whom you want the restriction to apply, for example, disclosures to your spouse; and (4) an expiration date. If we believe that the restriction is not in the best interests of either party, or that we cannot reasonably accommodate the request, we are not required to agree to your request. If the restriction is mutually agreed upon, we will not use or disclose your protected health information in violation of that restriction, unless it is needed to provide emergency treatment. You may ask us not to disclose certain information to your health plan. We must agree with that request only if the disclosure is not for the purpose of carrying out treatment (only for carrying out payment or health care operations) and is not otherwise prohibited by law and pertains solely to a health care item or service for which we have been paid out of pocket in full by you or by another person on your behalf other than your health plan. You may revoke a previously agreed upon restriction, at any time, in writing.
Right to Request Alternative Confidential Communications ‑ You may request that we communicate with you using alternative means or at an alternative location. We will not ask you the reason for your request. We will accommodate reasonable requests, when possible.
Right to Request Amendment ‑ If you believe that the information we have about you is incorrect or incomplete, you may request an amendment to your protected health information as long as we maintain this information. While we will accept requests for amendment, we are not required to agree to the amendment.
Right to an Accounting of Disclosure ‑ You may request that we provide you with an accounting of the disclosures we have made of your protected health information. This right applies to disclosures made for purposes other than treatment, payment or health care operations as described in this Notice and excludes disclosures made directly to you, to others pursuant to an authorization from you, to family members or friends involved in your care, or for notification purposes. The accounting will only include disclosures made no more than 6 years prior to the date of your request. The right to receive this information is subject to additional exceptions, restrictions, and limitations as described earlier in this Notice.
Rights Related to an Electronic Health Record – If we maintain an electronic health record containing your protected health information, you have the right to obtain a copy of that information in an electronic format and you may choose to have us transmit such copy directly to a person or entity you designate, provided that your choice is clear, conspicuous, and specific. You may request that we provide you with an accounting of the disclosures we have made of your protected health information (including disclosures related to treatment, payment and health care operations) contained in an electronic health record for no more than 3 years prior to the date of your request (and depending on when we acquired an electronic health record).
Right to Obtain a Copy of this Notice ‑ You may obtain a paper copy of this Notice from us, view or download it electronically at our Practice’s website at www.ottenheimerhealth.com, or, if you agree, by email.
Special Protections ‑ This Notice is provided to you as a requirement of HIPAA. There are several other privacy laws that also apply to HIV‑related information, family planning information, mental health information, psychotherapy notes, and substance abuse information. These laws have not been superseded and have been taken into consideration in developing our policies and this Notice. Psychotherapy notes, release of protected health information for marketing purposes or sale of protected health information, are all specifically subject to more strict privacy standards and most uses and disclosures require express authorization from you.
Complaints ‑ If you believe these privacy rights have been violated, you may file a written complaint with our Privacy Officer or with the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). We will provide the address of the OCR Regional Office upon your request. No retaliation will occur against you for filing a complaint.
CONTACT INFORMATION – Our Privacy Officer is Connie Carnes and can be contacted at this office or by calling our telephone number 212 366 4765. You may contact our Privacy Officer for further information about our complaint process or for further explanation of this Notice of Privacy Practices.
POLICY & PROCEDURE
DEBORAH OTTENHEIMER, MD, PC
Table of Contents
Policy Number 1: Notice of Privacy Practices
Policy Number 2: Uses and Disclosures of Protected Health Information Not
Requiring Patient Authorization
Policy Number 3: Uses and Disclosures of Protected Health Information
Requiring Patient Authorization
Policy Number 4: “Minimum Necessary” Use and Disclosure of Protected Health Information
Policy Number 5: Uses and Disclosures of Protected Health Information
Where the Patient Has an Opportunity to Agree or Object
Policy Number 6: Access of Individuals to Protected Health Information
Policy Number 7: Accounting for Disclosure of Protected Health Information
Policy Number 8: Amendment of Protected Health Information
Policy Number 9: Business Associates
Policy Number 10: Safeguarding Protected Health Information
Policy Number 11: Training
Policy Number 12: Complaints to Our Practice; Mitigation
Policy Number 13: No Retaliation for the Exercise of Rights or the Filing of a
Complaint; No Waiver of Rights
Policy Number 14: Sanctions for Violations; Exceptions to Sanctions
Glossary of Terms
- What is the HIPAA Privacy Rule?
To improve the efficiency and effectiveness of the health care system, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) was enacted by Congress. HIPAA included what are called “Administrative Simplification” provisions that required the U.S. Department of Health and Human Services (“HHS”) to adopt national standards for electronic health care transactions, such as health care claims that are filed electronically. Because advances in electronic technology could make it difficult to protect the privacy of health information, Congress mandated the adoption of the HIPAA Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule” or “Rule”). Congress subsequently enacted the HIPAA Security Rule and, more recently, the Health Information Technology for Economic and Clinical Health (HITECH) Act. In addition, the state has enacted laws regarding identity theft prevention, data security breach notification and protected use and disclosure of Social Security numbers (see our Practice’s Data Breach Notification Policy). The Rule does not replace other federal, state or other laws that give individuals even greater privacy protections, and are no pre-empted by the Privacy Rule.
The Privacy Rule establishes national protections for the privacy of protected health information (“PHI”), and applies to three types of HIPAA covered entities: health plans, health care clearinghouses, and health care providers, like our Practice, that conduct certain health care transactions electronically. The Rule requires that Covered Entities implement policies and procedures to protect and guard against the misuse of PHI. This Policy Manual reflects our commitment to compliance with the Privacy Rule.
B. Our Privacy Officer
The Privacy Rule requires that we designate a person who will serve as our “Privacy Officer” and who is responsible for the development and implementation of our privacy policies and procedures. We must also designate a person to serve as the contact person responsible for receiving complaints under the Privacy Rule and who can make further information available to patients about matters covered by our Notice of Privacy Practices.
We have designated Deborah Ottenheimer, MANAGING PHYSICIAN as the Privacy Officer for our Practice, to be responsible for the development and implementation of our privacy policies and procedures, and to be the contact person to answer questions and receive complaints related to our privacy practices.
Our Policy Manual has a Glossary that explains many terms used in the Manual. Every staff person should review and consult the Glossary when reviewing or consulting this Policy Manual. Capitalized words in the Policy Manual are defined in the Glossary.
- What does HIPAA Privacy mean to our Practice and our Workforce?
Each member of our Workforce needs to understand what our basic Privacy Policies and Procedures are and how to request help if further information is needed. We will make a copy of our Policy Manual available to each member of our Workforce and require that each member review the policies and our Notice of Privacy Practices and participate in training we offer on the Privacy Rule. If the Privacy Rule changes, or new guidance is issued that requires a change in our Policy Manual, we will have each member of our Workforce review the changed policies. Together we will commit to providing quality health care to our patients, while maintaining the privacy of their protected health information and complying with the Privacy Rule.
NOTICE OF PRIVACY PRACTICES
Policy Number 1
HIPAA §164.520, 164.514
Policy: The HIPAA Privacy Rule provides that patients have a right to notice of how we may use and disclose a patient’s PHI, as well as the patient’s rights and our obligations regarding their PHI. We have developed a Notice of Privacy Practices to meet these requirements and will make the Notice available to our patients as described in this policy. Our Practice will strive to abide by the terms of our Notice as currently in effect.
1. Content of Notice
Our Notice of Privacy Practices (“Notice”) has been written in plain language to contain all of the elements required by the Privacy Rule, including the following:
A. A description of how we use and disclose patients’ PHI, including:
- i. A description, with at least one example, of the types of uses and disclosures that we are permitted to make for treatment, payment, and health care operations;
- ii. A description of each of the other purposes for which we are permitted or required by HIPAA to use or disclose PHI without the patient’s written authorization;
- iii. A statement that other uses and disclosures will be made only with the patient’s written authorization (see Policy No. 3 of this Policy Manual); and
- iv. If applicable to our operations, a statement that we may use or disclose certain PHI for fundraising communications but that the patient will have the opportunity to opt out of future fundraising communications as specified in the communication made to the patient.
B. A description of the individual rights of our patients regarding access and control
of their PHI, and how a patient may exercise those rights, including:
i. The right to request restrictions on certain uses and disclosures and whether our Practice is required to agree to a requested restriction, including agreeing to the request of a patient to restrict disclosure of PHI about him/her to a health plan if the disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law and the PHI pertains solely to a health care item or service for which the patient, or person other than the health plan, has paid us in full for the item or service;
ii. The right to receive certain confidential communications;
iii. The right to inspect and obtain a copy of PHI;
iv. The right to request an amendment of PHI;
- v. The right to receive an accounting of certain disclosures of PHI;
- vi. The right to revoke an authorization;
- vii. A description of our complaint procedure for addressing problems the patient may have with our privacy practices;
- viii. The right to obtain a paper copy of the Notice, upon request;
- ix. If we maintain an electronic health record, the right to: a) access to or obtain a copy of PHI in an electronic form and format requested by the patient, if it is readily producible or, if not, in a readable electronic form and format as agreed to between us and the patient; b) have us transmit such copy directly to a person or entity the patient designates, provided that choice is clear, conspicuous, and specific; c) request that we provide an accounting of the disclosures we have made of the patient’s PHI (including disclosures related to treatment, payment and health care operations) contained in an electronic health record for no more than 3 years prior to the date of the request (and depending on when we acquired an electronic health record); and
- x. Notice of any allowed fees related to the above.
C. A description of our legal duties regarding PHI, including our legal obligation to maintain the privacy of PHI and our obligation to notify affected individuals following a breach of their unsecured PHI.
D. Identification of whom in our Practice a patient may contact for more information
about our privacy practices.
E. The effective date of the Notice and any revisions of the Notice, with the effective
date of such revisions.
2. Providing the Notice
- We will present the Notice to each patient at their first date of service delivery by us and will make a good faith attempt to obtain each patient’s acknowledgment of receipt of the Notice.
- We will have a patient acknowledge receipt by signing an acknowledgment form.
- If the patient refuses to provide such acknowledgment, we will document in the patient’s chart our efforts to obtain the patient’s acknowledgment and the reason why the acknowledgment was not obtained.
- If there is an emergency treatment situation, we will provide the Notice to the patient as soon as reasonably practicable after the emergency situation. No acknowledgment of receipt of the Notice need be obtained in an emergency situation.
- We will post our entire current Notice in a prominent location in our office(s).
- We will provide a paper copy of the Notice upon a patient’s request.
- When our first treatment encounter with a patient is not face-to face, we will follow the following procedures:
- If we first treat a patient over the telephone (not simply obtain information to schedule an appointment or procedure), we will mail the Notice to the patient the same day, if possible, with a request to sign an enclosed acknowledgment and return it to our office. We will maintain a file copy of the acknowledgment form sent to the patient as documentation of our
efforts to obtain the patient’s acknowledgment, in case the patient fails to return the acknowledgment form.
- We may e-mail our Notice to a patient if the patient agrees to receive an electronic notice. An electronic return receipt will serve as the patient’s acknowledgment of receipt of the Notice.
- If our first service delivery to a patient is provided over the Internet, through e-mail, or otherwise electronically, we will send an electronic notice automatically and contemporaneously in response to the patient’s first request for service. An electronic return receipt will serve as the patient’s acknowledgment of receipt of the Notice.
- If the patient has a personal representative acting on the patient’s behalf at the time Notice is provided, we will provide the Notice to the representative and make a good faith effort to obtain the representative’s acknowledgment of receipt of the Notice.
3. Revisions to our Notice
- Our Practice will advise patients in the Notice that we reserve the right to change the terms of the Notice and to make the new Notice provisions effective for all PHI that we maintain.
- We will review our Notice at least annually. If we determine at any time that there is a material change to our privacy practices, or there is a change in law that requires a change in our Notice, we will revise our Notice, date it with the effective date of the revision, post the revised Notice in our office(s), then implement the changes (unless a change in law requires that we implement the change sooner), and provide the revised Notice pursuant to this Policy. We will advise patients in our Notice that they can obtain a revised Notice upon request on or after the effective date of any revision. No acknowledgement is necessary for providing a revised Notice to a patient who has received a prior version of our Notice. Patients can access our revised Notice on our website, if we maintain one.
4. We may utilize a “layered” Notice that consists of a short notice summarizing the patient’s rights, attached to a longer notice that contains all of the elements listed in Subsection 1 of this Policy. The patient will be provided with the two documents stapled together, with the shorter notice on top of the longer notice.
5. If we participate in an Organized Health Care Arrangement and utilize a single, joint
notice with another health care provider, our Privacy Officer will determine the requirements related to such joint notice.
- Our Privacy Officer will maintain a file containing a copy of our Notice and every revised Notice that is issued by our Practice.
- We will place in the patient’s medical record a copy of the acknowledgment of
receipt (which will also contain a reference to the version of the Notice they received), whether provided by hard copy or electronically, or documentation of our good faith efforts to obtain such written acknowledgment.
USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION NOT REQUIRING PATIENT AUTHORIZATION
Policy Number 2
HIPAA §§164.502, 506, 512, 514
Policy: Our Practice may use and disclose PHI in certain situations where it is not necessary to obtain the patient’s authorization, as allowed under the Privacy Rule. We will follow Policy No.4 of this Policy Manual (regarding application of the Minimum Necessary principle) whenever using or disclosing PHI without patient authorization.
Procedure: In the following situations, our Practice may use or disclose PHI without obtaining the patient’s authorization:
1. For Treatment, Payment or Health Care Operations:
A. A patient’s authorization is not required when we use or disclose the patient’s PHI for our purposes in order to treat the patient, obtain payment for our services, or conduct our own business operations, including disclosure to our business associates (as further described in this Manual).
i. We will, nevertheless, in order to ensure compliance with state law and any payor mandates, obtain a patient’s authorization naming the patient’s health insurer (including any employee, agent or subcontractor of the insurer) as an authorized representative of the patient for purposes of receiving the patient’s PHI as necessary for us to obtain payment for our services (applying our Policy No. 4 regarding our Minimum Necessary principle).
ii. A patient is permitted to request, in writing, that we restrict the uses or disclosures of his or her PHI for treatment, payment or health care operations, or when disclosing information to persons involved in the patient’s care, or for notification purposes. Except as set forth below, we are not required to agree to the patient’s request, but we are bound by any restrictions to which we agree unless and until we withdraw from such agreement, where permitted. Such requests shall be directed to our Privacy Officer.
If a patient requests that we restrict the disclosure of the patient’s PHI to their health plan, our Practice must comply if:
- The disclosure is not for purposes of carrying out treatment (only for purposes of carrying out payment or health care operations); and
- The PHI pertains solely to a health care item or service for which our Practice has been paid out-of-pocket in full.
iii. A patient is permitted to request, in writing, that the patient receive communications of PHI from us by alternative means or at alternative locations (other than the usual way we send communications to our patients). We must accommodate a patient’s reasonable request for such confidential communications. Such requests shall be directed to our Privacy Officer.
iv. Special rules apply if the patient’s file contains psychotherapy notes, if we intend to use the PHI for marketing purposes or if we intend to use PHI in a manner that would be considered a Sale of PHI (see Glossary of Terms). Such cases shall be referred to our Privacy Officer.
B. We may disclose PHI for the treatment activities of another health care provider. Where PHI is disclosed to, or requested by, other health care providers for Treatment purposes, our minimum necessary policy (Policy No. 4) does not apply.
C. We may disclose PHI to another Covered Entity for the peer review activities of that entity, subject to review and approval by our Privacy Officer.
D. If we are part of an Organized Health Care Arrangement (“OHCA,”), we may disclose PHI to other participants in the OHCA for any health care operations activities of the OHCA. Such disclosures, or requests for such disclosures, shall be referred to our Privacy Officer.
E. Any use or disclosure of PHI for Treatment, Payment or Health Care Operations must be consistent with our current Notice of Privacy Practices.
- Consistent with our Notice of Privacy Practices, we may use certain PHI, or disclose certain PHI to a business associate or to an institutionally related foundation, for the purpose of raising funds for our own benefit. Any such communication to the patient will tell the patient in a clear and conspicuous manner how he or she may opt out of receiving future fundraising communications from us, without undue burden or more than nominal cost, as well as how to opt back in to receive such communications. We will not condition treatment or payment on the patient’s choice regarding receipt of fundraising communications and we will not make fundraising communications to a patient who has elected not to receive them.
2. Required Uses and Disclosures Not Requiring Patient Authorization
Other than for disclosures to the patient, no disclosure under this Section 2 shall be made without the prior review and approval of our Privacy Officer who may consult with our legal counsel.
- To the Patient. Under the law, except as provided in Policy No. 6 of this Policy Manual, we must make disclosures to the patient who requests such disclosure and no authorization is required. If the patient requests a copy of his or her record, refer to Policy No. 6 of this Policy Manual.
- To the Secretary of HHS. We must make disclosures of PHI when required by the Secretary of HHS or to OCR to investigate or determine our compliance with the requirements of the Privacy Rule.
- As Required By Law. To the extent that the use or disclosure of PHI is required by an applicable law, we may do so without the patient’s authorization, in compliance with, and limited to, the relevant requirements of such law.
- Public Health Activities. We may use or disclose a patient’s PHI, without the patient’s authorization, for the following public health activities and purposes:
- i. Public Health Authorities: Disclosure to a public health authority that is legally authorized to receive such information for the purpose of preventing or controlling disease, injury or disability, such as reporting of injury or communicable disease; vital events such as birth and death; public health surveillance; public health investigation; and public health intervention; or, if directed by the public health authority, to a foreign government agency that is collaborating with the public health authority.
- ii. Communicable Diseases. In addition to reporting communicable disease information to a public health authority as provided for in Subsection D.i, above, we may disclose a patient’s PHI, as authorized by state law, to a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading the disease or condition.
- iii. Abuse or Neglect.
- Children: We may disclose a patient’s PHI to a public health authority that is authorized by law to receive reports of child abuse or neglect.
- Adults: Except for vulnerable adults, if we believe that an adult patient has been a victim of abuse, neglect or domestic violence, we may disclose a patient’s PHI to the governmental entity or agency authorized by law to receive such information. No disclosure of information about the victim of domestic violence or abuse may be made to law enforcement without the patient’s authorization.
- Vulnerable Adults: When we believe a vulnerable adult is the subject of abuse, neglect or exploitation, we may disclose the patient’s PHI to the appropriate government adult protective services provider.
- iv. Food and Drug Administration. We may disclose a patient’s PHI to a person or entity authorized by the U.S. Food and Drug Administration (“FDA”) to receive information related to the quality, safety or effectiveness of an FDA-regulated product or activity for which the person or entity has responsibility.
- v. Workplace Medical Surveillance. We may disclose PHI to an individual’s employer without the individual’s authorization only in very specific circumstances where the individual is a member of the employer’s workforce and we provide health care to the individual at the request of their employer to conduct an evaluation related to medical surveillance of the workplace or an evaluation to determine whether the individual has a work-related illness or injury. (Note that, where the employer is requesting an evaluation of an individual for purposes other than those stated in this Subsection, or otherwise allowed in this policy, or where some third party other than the individual’s employer is requesting an evaluation of the individual, we will follow our Policy No. 3 regarding uses and disclosures requiring an authorization.)
- Health Oversight. We may disclose PHI to a health oversight agency for activities authorized by law, such as audits; civil, criminal or administrative investigations, proceedings or actions; inspections; or licensure or disciplinary actions.
- Legal Proceedings. We may disclose PHI in the course of any judicial or administrative proceeding, in response to an order of a court or administrative tribunal (but only that PHI for which disclosure is expressly authorized), and, under certain conditions, in response to a subpoena, discovery request or other lawful process. Workforce members should direct all subpoenas, and other requests for disclosures for purposes of legal proceedings, to our Privacy Officer who may consult our legal counsel.
- Law Enforcement. We may disclose PHI for law enforcement purposes, without a patient’s authorization, so long as specific legal requirements are met. Some of these law enforcement purposes include: warrants and other legal process; limited information requests for identification and location purposes; and information related to a crime (including a medical emergency where it is likely that a crime has occurred).
- Coroners, Medical Examiners, Funeral Directors, and Organ Donation.
- We may disclose PHI to a coroner or medical examiner for identification purposes, determining cause of death or for the coroner or medical examiner to perform other official duties.
- We may disclose PHI to a funeral director, as authorized by state law, in order to permit the funeral director to carry out his or her duties, including disclosure prior to, and in reasonable anticipation of, the death of a patient, if necessary for the funeral director to carry out his or her duties.
- We may use a patient’s PHI, or disclose a patient’s PHI to appropriate entities engaged in the procurement, banking or transplantation of cadaveric organs, eyes or tissue, for the purpose of facilitating such activities, as authorized under state law.
- Research. If our Practice is called upon to use or disclose PHI for research purposes, such use and disclosure will be under the direction of our Privacy Officer who shall consult with our Practice’s legal counsel.
- Serious Threat to Health or Safety. Under certain circumstances, we may use a patient’s PHI, or disclose it to another health care professional or to a law enforcement agency, if we believe, in good faith, that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or to others or is necessary in certain situations for law enforcement authorities to identify or apprehend an individual who is a serious threat to public safety. If the PHI contains identifying information about a person who has AIDS or an HIV infection, we will not disclose such information without the patient’s authorization, unless authorized by state law, or pursuant to a court order.
- Specialized Government Functions. When the appropriate conditions apply, we may use or disclose a patient’s PHI for certain military, national security or intelligence activities, or when needed for correctional institutions and other law enforcement custodial situations.
- Workers’ Compensation. A patient’s PHI may be disclosed by us as authorized under state law to comply with workers’ compensation laws and other similar programs established by law that provide benefits for work-related injuries or illness without regard to fault. If we routinely make disclosures for workers’ compensation purposes, we have developed standard protocols for those disclosures as part of our minimum necessary policy and procedures (see Policy No. 4).
- Schools; Immunization Records. We may disclose a patient’s PHI to a school when the patient is a student or a prospective student of the school if: (i) the PHI that is disclosed is limited to proof of immunization, (ii) the school is required by state law (or other law) to have proof of immunization prior to admitting the individual and (iii) we obtain and document the oral agreement for such disclosure from the parent, guardian or other person acting in loco parentis of an unemancipated minor or from the individual, if the individual is an adult or emancipated minor.
3. Verification of the Identity of an Authorized Person
- Prior to any disclosure of PHI under this policy, we will verify the identity of the person requesting the PHI and the authority of any such person to have access to the patient’s PHI, if the identity or any such authority of the person is not known to us.
- We will obtain and/or document any pertinent credentials, documentation, statements or representations, whether oral or written, from the person requesting the PHI.
USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION REQUIRING PATIENT AUTHORIZATION
Policy Number 3
HIPAA §§164.508, 514
Policy: Our Practice may use or disclose a patient’s PHI for those purposes specified in Policy No. 2 without obtaining the patient’s authorization. Other uses and disclosures of PHI, as addressed in this policy, will be made only with the patient’s written authorization. Our Practice will not condition treatment on the provision by the patient of a requested authorization except as allowed under this policy.
1. Whenever our Practice needs to use or disclose a patient’s PHI for purposes unrelated to Treatment, our Payment or Health Care Operations (or as otherwise described in Policy No. 2), or if a patient requests disclosure of his or her PHI to a specified third party, we will obtain the patient’s prior written authorization for such use or disclosure.
2. We will only release that PHI consistent with the scope of the authorization.
3. Authorization Form: Our Practice’s authorization form shall provide for the following:
- The name of the person or entity, or category of persons/entities authorized to make the requested use or disclosure;
- The name of the person or entity, or category of persons/entities, to whom the use or disclosure may be made;
- Specifically describe the information to be used or disclosed, including, but not limited to, specific detail such as date of service, type of service provided, level of detail to be released, origin of information, etc.;
- List the specific purposes for the use or disclosure. If the individual does not, or elects not to, provide a statement of the purpose, the form will state the purpose as “at the request of the individual”;
- Specify that the authorization will be in force and effect until a specified date or event (stated in the authorization) that relates to the patient or to the purpose of the use or disclosure, at which time the authorization will expire;
- Provide for the patient’s right to revoke the authorization as set forth in Subsection 4, below;
- Specify that our Practice will not condition treatment upon the patient’s execution of an authorization, as set forth in Subsection 5, below;
- Specify that the information disclosed pursuant to the authorization may be re-disclosed by the recipient and no longer subject to the protections of the Privacy Rule; and
- Provide for the patient’s signature and date of execution or, if the patient’s Personal Representative is signing on behalf of the patient, provide for a description of that person’s authority to act and/or that person’s relationship to the patient.
- Revocation of Authorization
- A patient has the right to revoke an authorization at any time, in writing, by mailing such written notification to the attention of our Practice’s Privacy Officer or by personal delivery to our Privacy Officer.
- A revocation is not effective to the extent that our Practice has taken action in reliance on the patient’s authorization.
5. Our Practice will not condition a patient’s treatment on whether the patient provides authorization for the requested use or disclosure if to do so would be prohibited by federal or state law. If a reason exists under law for conditioning the patient’s treatment on obtaining an authorization, the patient will be advised of that fact and of the consequences to the patient of refusing to sign the authorization. Our Privacy Officer will determine if such reason exists.
6. Independent Medical Examination. In accordance with state law, if a third party has requested that our Practice examine or evaluate a person (“Examinee”) and the Examinee has signed an authorization for the release of our report of such examination or evaluation to the third party:
A. The report shall be consistent with the authorization, to avoid unnecessary disclosure of diagnoses or personal information which is not pertinent to the evaluation;
B. The report shall be forwarded only to the third party who requested the evaluation, in accordance with the Examinee’s authorization and, if no specific individual is identified, the report shall be marked “Confidential”; and
C. We shall not provide the Examinee with a copy of the report unless the third party requesting the examination consents to its release, except that should the examination disclose abnormalities or conditions not known to the Examinee, we will advise the Examinee to consult another health care professional for treatment.
7. If an authorization is being requested for PHI that contains psychotherapy notes, we will refer the matter to our Privacy Officer for complying with such request in accordance with law.
8. If an authorization is being requested for PHI for marketing purposes, we will refer the matter to our Privacy Officer for complying with such request in accordance with law.
9. If an authorization is being requested for PHI for research purposes, we will refer the matter to our Privacy Officer for complying with such request in accordance with law.
10. If an authorization is being requested for a use or disclosure considered a sale of PHI, we will refer the matter to our privacy officer for complying with such request in accordance with law.
11. We shall not directly or indirectly receive remuneration in exchange for any PHI of a patient unless we have obtained from the patient a valid authorization that includes a specification of whether the PHI can be further exchanged for remuneration by the entity receiving the patient’s PHI. This requirement shall not apply if the purpose of the exchange is:
- For public health activities;
- For research and the price charged reflects the costs of preparation and transmittal of the data for such purposes;
- For treatment and payment purposes;
- For the sale, transfer, merger or consolidation of all or part of our Practice with another Covered Entity, and due diligence related to such activity;
- For remuneration that is provided by our Practice to a Business Associate for activities involving the exchange of PHI that the Business Associate undertakes on our behalf and at our specific request pursuant to a Business Associate Agreement;
- To provide a patient with a copy of the patient’s PHI pursuant to Policy 6 of this Manual;
- As required by law; or
- For any other purpose permitted by or in accordance with the Privacy Rule where the only remuneration received by our Practice is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law.
Any offer of remuneration in exchange for PHI shall be directed to our Privacy Officer.
12. Prior to any disclosure of PHI under this policy, we will verify the identity of the person requesting the PHI and the authority of any such person to have access to the patient’s PHI, if the identity or any such authority of the person is not known to us. We will obtain any documentation, statements or representations, oral or written, from the person requesting the PHI when such documentation, statement or representation is pertinent to the disclosure.
13. We can accept a government agency’s authorization form as long as it meets the requirements of Subsection 3, above.
14. The patient may receive a copy of the authorization, upon request.
15. Our Practice will document in the patient’s medical record that the patient’s authorization was obtained for the specific use or disclosure and shall retain the signed authorization in the patient’s medical chart, in either written or electronic form, for at least six years from the date when it last was in effect. If the patient revokes the authorization, we will document such revocation in the patient’s medical record and retain the signed revocation in the same manner as an authorization.
“MINIMUM NECESSARY” IN PHI USE, DISCLOSURE, AND REQUEST
Policy Number 4
HIPAA ”164.502(b), 514(d)
Policy: Except as otherwise stated in this policy, whenever we use or disclose PHI, or when we request PHI from another Covered Entity or Business Associate, our Practice will make reasonable efforts to limit the information, to the extent practicable, to the Limited Data Set or, if needed by our Practice, to the Aminimum necessary@ to accomplish the intended purpose of the use, disclosure or request, respectively. At such time as the Secretary of HHS issues guidance on what constitutes “minimum necessary,” we will follow that guidance when applying this Policy.
1. Exceptions to this policy
Our uses and disclosures of PHI, and requests for PHI, that are not subject to this policy requiring that the minimum necessary information be used or disclosed, are as follows:
A. Disclosures to or requests by a health care provider for Treatment purposes, including our own requests for disclosure of PHI for Treatment purposes;
B. Disclosures made to the patient, including but not limited to disclosures made to the patient pursuant to the patient=s request to access his or her record or for an accounting of disclosures made by our Practice of the patient=s PHI;
C. Uses or disclosures made pursuant to a patient’s authorization that meets the requirements of our Policy No. 3;
D. Disclosures made to the Secretary of HHS related to enforcement of the requirements of the HIPAA privacy standard;
E. Uses or disclosures required by other law as described in Policy No. 2 of this Policy Manual;
F. Uses or disclosures that are required for compliance with the requirements of the HIPAA privacy standard; or
G. PHI that has been De-identified, as specified in the Privacy Rule.
2. Situations Where this Policy Does Apply
- Our Own Use of PHI
- Our Practice has established which persons or categories of persons in our Practice need access to PHI to carry out their duties.
- For each such person or category, we have determined the types of PHI to which access is needed, including identification of those persons or classes of persons in our Practice who need to see the entire medical record, and any conditions that exist for access (role-based access).
- We will make reasonable efforts to limit the access only to the amount of information needed by the person in order to carry out the duties of that position or to accomplish the required use.
- Our Own Disclosures of PHI
For disclosures of PHI that we make on a routine and recurring basis, we have established a standard protocol for limiting the PHI disclosed to the minimum amount reasonably necessary to achieve the purpose of the disclosure.
For non-routine disclosures, we have developed criteria designed to limit the PHI disclosed to the minimum information reasonably necessary to accomplish the purpose of the disclosure. We will review requests for such non-routine disclosures on an individual, case-by-case basis for conformance with these criteria.
The criteria for non-routine disclosures do not need to be applied when a request for disclosure is received in the following situations and the request appears to reasonably limit the disclosure to the minimum necessary under the particular circumstances of the request:
- Requests for disclosures received from a health care provider, health plan or health care clearinghouse;
- Requests for disclosures received from public officials in those situations identified in Policy No. 2 (No Authorization Required) of this Policy Manual and the public official represents that the information requested is the minimum necessary;
iii.. Requests for disclosures received from a professional member of our Practice, or from one of our business associates for the purpose of providing professional services to our Practice, if the professional represents that the information requested is the minimum necessary for the stated purpose; or
iv. Requests for disclosures received from a researcher with appropriate documentation from an Institutional Review Board or Privacy Board.
C. For both routine and non-routine disclosures and requests, we have identified in our protocol the circumstances under which the entire medical record is reasonably necessary for particular purposes.
D. We will reasonably rely on requests from the business associate of another health care provider, health plan or health care clearinghouse for the disclosure of PHI as meeting the minimum necessary requirement for the intended purpose.
3. Our Own Requests for PHI
We will limit any request for PHI that we make to another health care provider, a health plan, or a health care clearinghouse to that which is reasonably necessary to accomplish our purposes.
For requests made on a routine and recurring basis, we have established a protocol that limits the PHI requested to the amount reasonably necessary to accomplish our purposes.
For requests on a non-routine or non-recurring basis, we have developed criteria designed to limit the request for PHI to the information reasonably necessary to accomplish our purposes. We will review such non-routine requests on an individual basis for conformance with these criteria.
Our Practice will make reasonable expenditures to implement technologically feasible approaches in complying with this Aminimum necessary@ policy. (See Policy No. 9 (Safeguarding PHI).
USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION WHERE THE PATIENT HAS AN OPPORTUNITY TO AGREE OR OBJECT
Policy Number 5
HIPAA §§164.510, 514
Policy: Our Practice may use and disclose PHI in certain situations where it is necessary or beneficial to involve others in the patient’s health care or to notify others of the patient’s status or condition. In these situations, the patient has the opportunity to agree or object to the use or disclosure of all or part of the patient’s PHI for these purposes.
1. We may make the following disclosures for involvement in the patient’s care and notification purposes:
A. Disclosing to a Family Member, other relative, close personal friend of the patient, or any other person identified by the patient, PHI that is directly relevant to that person’s involvement in the patient’s health care or payment related to the patient’s health care; or
- Using or disclosing PHI to notify, or assist in the notification of, a Family Member, a Personal Representative of the patient or another person who is responsible for the patient’s care, of the patient’s location, general condition or death.
- Disclosing PHI to any person identified in 1A, above, who was involved in the patient’s care or payment for the patient’s health care prior to the patient’s death, PHI of the patient that is relevant to such person’s involvement, unless doing so is inconsistent with any prior expressed preference of the individual that is known to us.
2. If the patient is present or otherwise available prior to our using or disclosing their PHI in this way, and the patient has the capacity to make health care decisions, we will only disclose the information if we:
A. Provide the patient with the opportunity to agree or object to the disclosure, and the individual does not express an objection (we can inform the patient orally and accept the patient’s oral agreement or objection, but we will document such agreement or objection in the patient’s medical record); or
B. Can reasonably infer from the circumstances, based on the exercise of professional judgment, that the patient does not object to the disclosure.
3. If the patient is not present, or it is impractical to offer the patient the opportunity to agree or object to a use or disclosure of their PHI in these situations, because the individual is incapacitated or an emergency exists:
- We may use our professional judgment to determine whether the disclosure is in the best interests of the patient; and
- If we determine disclosure is appropriate, will disclose only that PHI which is directly relevant to the person’s involvement in the patient’s care or payment related to the patient’s health care or needed for notification purposes.
4. If the patient is not present, we may use our professional judgment and experience with common practice to allow another person acting on the patient’s behalf to pick up medical supplies, x-rays or other similar forms of PHI because it is in the patient’s best interest.
5. We may use or may disclose a patient’s PHI to a public or private entity authorized to assist in disaster relief efforts for coordinating with them in notifying Family Members or other individuals involved in the patient’s health care. In such situations, we will still follow the procedures of Subsections 2 through 4 of this Policy if, in our professional judgment, to do so will not interfere with the ability to respond to the emergency circumstances.
6. Patient Requests Special Restrictions on Disclosures to Others
A patient may request that we restrict disclosures otherwise allowed under this Policy. Any such requests will be directed to our Privacy Officer.
ACCESS OF INDIVIDUALS TO PROTECTED HEALTH INFORMATION
Policy Number 6
Policy: Our Practice, in accordance with this policy, will provide a patient the right to inspect and obtain a copy of the patient’s PHI for as long as our Practice maintains the information.
1. General Procedure
A. A patient of our Practice can request to inspect and/or obtain a copy of their PHI that we maintain in a Designated Record Set and we will provide such access, unless access is to be limited as required in this Policy.
- A Personal Representative of a patient may also be permitted to access the patient’s PHI, in accordance with this Policy.
- If we do not maintain the PHI that is the subject of the request, and we know where the requested information is maintained, we will inform the patient where to direct the request for access.
2. Requests for Access and Responding to Requests
A. All requests for inspection and/or copying of a patient’s PHI must be in writing. Patients will be advised of this requirement in our Notice of Privacy Practices. These requests will be directed to our Privacy Officer.
B. We may choose to provide a summary of the requested information. Patients will be advised in our Notice of Privacy Practices of this alternative. We may only provide a summary of the PHI if the patient agrees in advance to receive a summary of their PHI and to the fee we would charge for a summary of the PHI.
C. Our Practice will respond to a request for inspection or copying within thirty (30) days of receipt of the written request.
D. If the patient requests, we will mail the copy of the PHI or the summary of the PHI, as agreed upon, to another person specified by the patient if the patient’s request is in a writing signed by the patient and clearly identifying the designated person and where to send the copy of the PHI.
E If we maintain an electronic health record that contains the PHI requested by the patient, the patient has the right to obtain a copy of that information in an electronic form and format they request, if it is readily producible or, if not, in a readable electronic form and format as agreed between us and the patient. In addition, the patient may choose to direct us to transmit such copy directly to an entity or person designated by the patient, provided that any such choice is clear, conspicuous, and specific.
F. We will charge a fee for the copy of the patient’s PHI or for a summary of the PHI) that is reasonable and cost-based, including in all cases any charge limits imposed by state law. Any fee we impose for providing a copy or summary of PHI in an electronic form shall not be greater than our labor costs in responding to the request and the supplies for creating the electronic media if the individual requests that the electronic copy be provided on portable media, again as limited by state law. Patients will be notified in our Notice of Privacy Practices that a fee will be charged and patients will be advised of the fee.
G. Our Practice will not refuse to provide a patient with a copy of his or her medical record due solely to the fact that the patient has an outstanding balance with the Practice, when it is known to us that the record is needed by another health care professional for the purpose of rendering care to the patient. In all other cases, the copying fee must be paid prior to or at the time the copy is provided to the patient or personal representative.
H. If the patient requests only to inspect his or her PHI, we will arrange with the patient for a convenient time (no later than 30 days from the request) and place (at our office or wherever the record is kept) for the inspection to take place. All inspections of PHI by patients or personal representatives shall be under the personal supervision of a designated member of our staff.
I. If any state or federal agency or official, by subpoena or by demand for statement in writing under oath or otherwise, requests a patient’s PHI, our Privacy Officer will contact our legal counsel immediately.
3. Denying or Limiting Access
A. Our Practice may deny or limit access to a patient’s PHI, without any right to a review of our decision, if the information:
- Is psychotherapy notes;
- Has been compiled in reasonable anticipation of, or for use in, a civil, criminal or administrative action or proceeding;
- Is that of an inmate in a correctional institution and our physician was acting under the direction of the correctional institution, and certain circumstances exist which prohibit providing a copy of PHI to the inmate (to be determined by our Privacy Officer);
- Was obtained by our Practice in the course of research that includes treatment of the research participant, while the research is in progress, under certain circumstances (to be determined by our Privacy Officer);
- Is subject to the Privacy Act, as required by that Act; or
- Was obtained by our Practice from someone other than a health care provider, under a promise of confidentiality, and the requested access would be reasonably likely to reveal the source of the information.
B. Our Practice may deny or limit access to a patient’s PHI, with the right to a review of our decision, in the following situations:
i. A licensed health care professional in our Practice has determined that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person;
ii. The information references another person (unless such other person is a health care provider) and a licensed health care professional has determined that the access requested is reasonably likely to cause substantial harm to that other person;
iii. Access is requested by a personal representative of the patient and a licensed health care professional has determined that access by that person is reasonably likely to cause substantial harm to the patient or another person; or
iv. A licensed health care professional has reason to believe that the patient’s mental or physical condition will be adversely affected upon being made aware of the subjective information contained in the PHI (or a summary of the PHI); in this case, however, the PHI can be provided, if requested by the patient (with an accompanying notice setting forth the reasons for the original refusal) directly to the patient’s attorney, another licensed health care professional, the patient’s health insurance carrier (through an employee of the carrier), or to a governmental reimbursement program or to an agent of such program who has responsibility to review utilization and/or quality of care.
C. The determination of whether to deny or limit access based on the grounds in Subsections 3A or 3B, above, shall be made by a licensed physician of our Practice (or, if a physician is unavailable, by another licensed health care practitioner of our Practice), in conjunction with our Privacy Officer.
D. Our Practice will provide a patient with a written notice of denial or limitation of
access (see Forms section of this Manual) which shall contain: the reason for such denial or limitation; a statement of the patient’s right to a review of the denial, if such right exists; how to exercise the review rights; and a description of our complaint procedures (see Policy No. 14 of this Policy Manual), including the name or title and telephone number of our Privacy Officer as the contact person.
E. If we deny the patient access to some of his or her PHI, we will, to the extent possible, give the patient access to any other of the patient’s PHI requested by the patient, where no grounds exist to deny such access.
4. Appeal of a Decision to Deny Access
A. A patient may request a review of a denial of access that was made based on one of the reasons under Subsection 3B above.
B. Requests for review of a denial of access shall be directed to our Privacy Officer who shall promptly refer the request for review by the person designated pursuant to subsection C, below.
C. Review of the denial of access shall, within a reasonable period of time, be performed by a licensed health care professional designated by our Practice and who did not participate in the original decision to deny access. Where available, another licensed physician of the Practice shall conduct such review. Where another licensed physician of the Practice is not available, another licensed health care practitioner of the Practice shall conduct the review. Where no other physician or licensed health care practitioner of the Practice exists or is available, the review will be conducted by another health care professional designated by our Privacy Officer.
D. Our Practice will conduct the review within a reasonable period of time and will attempt to conduct the review within 30 days of the request for review. Once the review is complete, we will promptly provide a written response (see Forms) to the patient setting forth the decision of the reviewing professional and shall provide access or deny access based on that decision.
E. We will maintain a copy of the inspection/copying request form in the patient’s medical record, including documentation on the form of our response, and the results of any appeal and review that may have occurred.
ACCOUNTING FOR DISCLOSURES OF PROTECTED HEALTH INFORMATION
Policy Number 7
Policy: Our Practice will provide patients with an accounting of disclosures of their PHI as required under federal and state law and regulations.
1. A patient of our Practice may request and has a right to receive an accounting of disclosures our Practice has made of the patient’s PHI, except as limited by this Policy. A patient may request an accounting for a time period of up to six (6) years prior to the date of his or her request. The accounting shall include disclosures made to or by our business associates. Such requests must be in writing and shall be directed to our Privacy Officer.
2. No accounting need include disclosures that we made:
- To carry out Treatment, Payment or Health Care Operations (“TPO”) of our Practice, except as set forth in subsection 3, below;
- To patients about their own PHI;
- Pursuant to an authorization made by the patient or the patient’s personal representative regarding the patient’s PHI;
- To individuals involved in the patient’s care or for other allowed notification purposes;
- Incident to a use or disclosure otherwise permitted or required by the Privacy Rule and this Policy Manual;
- For any facility directory maintained by our Practice;
- For national security or intelligence purposes;
- To correctional institutions or law enforcement officials; or
- As part of a Limited Data Set
3. If we use or maintain an electronic health record with respect to the PHI, the accounting must include disclosures made for Treatment, Payment and Health Care Operations of our Practice but only for a time period of up to three (3) years prior to the date of the patient’s request. If we had acquired an electronic health record as of January 1, 2009, we need only provide an accounting of TPO disclosures made by us from such record on and after January 1, 2014. If we acquired an electronic health record after January 1, 2009, we must provide an accounting of TPO disclosures made by us from such record on and after the later of the following: (i) January 1, 2011; or (ii) the date that we acquire an electronic health record.
4. In order to provide this accounting to our patients, our Practice will maintain a log or record of all disclosures, other than those excluded under Section 2 above, of a patient’s PHI, for a six (6) year period (or for three (3) years if an electronic health record is used or maintained), along with a copy of every accounting made to a patient.
5. A request for an accounting of disclosures shall be acted upon within sixty (60) days of receipt of the request. A one-time thirty (30) day extension may be allowed if the patient has been notified, within the initial 60-day period, of the reasons for the delay and the date by which we will provide the accounting. We may choose to provide an accounting of all disclosures made by our Practice and by any Business Associate acting on our behalf; or an accounting of all disclosures made by our Practice and provide to the patient a list of all Business Associates acting on our behalf, including contact information for such Business Associates (such as mailing address, phone, and email address), in which case such Business Associates shall provide an accounting of their disclosures upon a request made by our patient directly to the Business Associate. Our Privacy Officer shall determine which option we choose.
6. For each disclosure for which we are required to provide an accounting under this Policy, we shall maintain the following information and shall provide the information in the accounting to the patient:
A. The date of the disclosure;
B. The name of the entity or person who received the PHI and, if known, the address of such entity or person;
C. A brief description of the PHI disclosed; and
D. A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or, in lieu of such statement, a copy of a written request by the Secretary for a disclosure to investigate or determine our compliance with the HIPAA privacy standard or a written request received for a disclosure made under our Policy No. 2 (Disclosures Where No Authorization is Required).
7. If, during the period covered by the accounting, we have made multiple disclosures of PHI to the same person or entity for a single purpose, the accounting may provide:
A. The information required in Section 6 of this Policy for the first disclosure during the accounting period;
B. The frequency, periodicity, or number of the disclosures made during the accounting period; and
- The date of the last such disclosure during the accounting period.
8. If any disclosures of a patient’s PHI involved a particular research purpose, our Privacy Officer shall determine the manner of our log of disclosures and the manner of disclosing the accounting to the particular patient.
9. The first accounting provided to a patient in any 12-month period shall be without charge. We will charge a reasonable, cost-based fee for each subsequent request for an accounting by the same patient within the 12-month period, provided that we have informed the patient in advance of the fee and provided the patient with an opportunity to withdraw or modify the request for a subsequent accounting in order to avoid or reduce the fee.
10. We will temporarily suspend a patient’s right to receive an accounting of disclosures we have made to a health oversight agency or law enforcement official (see Policy No. 2 of this Policy Manual), for the time specified by such agency or official, if such agency or official has provided us with a written statement that such an accounting to the patient would be reasonably likely to impede the agency’s activities and specifying the time for which such a suspension is required. If the agency or official statement is made orally, we will:
A. Document the statement, including the identity of the agency or official making the statement;
B. Temporarily suspend the patient’s right to an accounting of disclosures subject to the statement; and
C. Limit the temporary suspension to no longer than thirty (30) days from the date of the oral statement, unless the appropriate written statement is submitted to us by the agency or official during that time.
AMENDMENT OF PROTECTED HEALTH INFORMATION
Policy Number 8
Policy: Our Practice, in accordance with this policy, will provide our patients the opportunity to request amendment of their PHI that we maintain and, where appropriate under this policy, the right to have their PHI amended.
1. Receiving and Acting Upon a Request for Amendment
A. A patient of our Practice can request to have his or her PHI amended. Our Notice of Privacy Practices will advise our patients that such a request must be in writing and must state a specific reason supporting the requested amendment.
B. All requests for amendment of PHI shall be directed to our Privacy Officer.
C. Action upon the request for amendment should occur within sixty (60) days of receipt. A one-time extension of not more than thirty (30) days may be allowed if our Practice, before the end of the initial sixty-day period, provides a written notice to the requestor of the reason for the delay and the date by which our Practice intends to complete its action on the request. The Privacy Officer shall track the progress of each request for amendment to attempt to ensure compliance with these timeframes.
- Our Privacy Officer will review the amendment request for the following elements:
i. The reason for the requested amendment, such as how the information is incorrect or incomplete;
ii. Whether the requested amendment is to: 1) administrative information; and/or 2) medical information, including the source, if known, the date(s) of service, and the specific provider of service;
iii. Whether our Practice was the originator of the information; and
iv. The specific wording requested to correct the alleged inaccuracy or incompleteness.
E. Our Privacy Officer shall make a preliminary determination regarding whether an amendment request should be honored, and shall then consult with the physician, other health care professional, or administrative staff person of our Practice who provided the care and/or made the entry that is the subject of the amendment.
i. If that physician, health care professional or administrative staff person agrees with the Privacy Officer’s preliminary determination, the Privacy Officer shall obtain final approval from an Officer of the Practice.
- If such final approval is obtained, the Privacy Officer shall proceed with the amendment or denial of amendment, pursuant to this policy.
- If a determination as to whether to accept or deny the amendment cannot be made internally, the Privacy Officer shall notify the Practice’s legal counsel and request a resolution of the disagreement.
2. Denying a Request for Amendment
A. Our Practice may deny a request for an amendment in the following situations:
i. Our Practice did not create the information, unless the patient provides a reasonable basis to believe that the originator of the PHI is no longer available to act on the requested amendment;
ii. The information is not part of our records for a patient;
iii. The information would not otherwise be available for inspection (see Policy Number 6 regarding Access to PHI); or
iv. Our Practice determines that the information in dispute is neither inaccurate nor incomplete.
B. If our Practice determines to deny a request for amendment, in whole or in part, our Privacy Officer shall provide written notice to the requestor, within the timeframe stated in Subsection 1B this Policy, advising of the decision to deny amendment, stating the reason for the denial, and advising of our complaint procedures (see Policy No. 14 of this Policy Manual).
- The written notice shall also advise the requestor that the individual may submit to our Privacy Officer a written statement of disagreement with the denial, stating the basis for such disagreement.
- In most cases, the length of the statement of disagreement will be limited to one (1) page, unless it is unreasonable in the particular circumstance to impose such a limit.
C. If the patient does not submit a statement of disagreement, the patient may request that we provide the patient’s request for amendment, and the denial, with any future disclosures of the PHI that is the subject of the requested amendment.
D. If a statement of disagreement is received from a requestor, our Privacy Officer, in consultation with the pertinent physician, health care professional or administrative staff person, shall determine whether to prepare a rebuttal statement. If a rebuttal statement is prepared, we will provide a copy to the requestor.
E. The denial–and the disagreement and rebuttal statement, if any–shall be linked to the PHI in dispute by physically attaching these documents to the disputed information in the patient’s record.
F. Whenever the disputed information is disclosed to another person or entity, the information shall include the denial and, if any exists, the statement of disagreement and the rebuttal.
i. Alternatively, we can provide a summary of any of the foregoing information.
ii. If the patient has not submitted a statement of disagreement, we will include the patient’s request for amendment and our denial, or a summary of the information, with any future disclosure of the patient’s PHI only if the patient has requested such action.
iii. If such a subsequent disclosure is made using a standard transaction under the HIPAA Transaction Rule that cannot accommodate the denial, disagreement and rebuttal, our Practice shall separately disclose the denial, disagreement, and rebuttal to the recipient of the transaction.
3. Accepting the Request for Amendment
A. If a determination is made to make the requested amendment, our Privacy Officer shall provide written notification to the requestor that the requested amendment has been approved and the exact wording of the amendment.
B. The Privacy Officer shall seek the requestor’s identification of, and agreement to, the relevant persons identified by our Privacy Officer as persons or entities with whom the amendment needs to be shared.
C. The requestor shall have ten (10) days to object to the form of amendment or to the persons with whom the amendment will be shared. If no objection is received within that time period, the amendment shall be made in the PHI and the identified parties notified.
D. Our Privacy Officer will identify the records in the designated record set for the patient that are affected by the amendment and append or otherwise provide a link to the location of the amendment.
E. Our Privacy Officer shall, within a reasonable period of time (but no longer than thirty (30) days), take reasonable efforts (such as send written notification by certified mail, return receipt requested) to provide the exact wording of the amendment to:
i. Such persons or entities that the patient has identified as having received the relevant portion of the patient’s PHI from our Practice; and
ii. Such persons, including our business associates, who we have identified as having received the relevant portion of the patient’s PHI from our Practice and who may have relied, or could foreseeably rely, on such information to the detriment of the patient.
- Making the Amendment
- Our Privacy Officer, or his or her designee, shall identify all media forms in which the Practice maintains the information to be amended, i.e., paper, microfiche, microfilm, automated data processing or other electronic medium, and shall cross check across all systems and applications maintained by the Practice to ensure that the amendment is made, stored (as necessary), and susceptible to audit trails.
- In no case shall the Privacy Officer, a physician or any other person of our Practice delete, erase, “white out” or otherwise obliterate medical information in a patient’s record. Any correction or addition to a patient’s PHI shall be clearly identified as a correction or addition to the original and shall be dated and initialed by the physician or other person who made the initial entry.
- Requests for Amendment where our Practice was not the Originator of the Information
- If a request for amendment applies to information for which our Practice was not the originator, our Privacy Officer will contact the requestor and advise the requestor to seek amendment from the originator of the information.
- If the requestor notifies us of a reasonable basis to believe that the originator is no longer available to act on a requested amendment, our Privacy Officer shall make a reasonable attempt to confirm the unavailability. If the originator’s unavailability is confirmed, our Practice will act on the request for amendment as though our Practice created the information.
- Amendments Received from Other Covered Entities
- If we are informed by another health care provider, a health care plan or a health care clearinghouse of an amendment to a patient’s PHI, we will amend the patient’s PHI that we maintain, accordingly.
- The Privacy Officer shall:
- Document in the patient’s record that the approved amendment has been received from another source and the identity of the source providing the amendment;
- Ensure that the amendment is properly made in the PHI that is held by our Practice; and
- If the patient whose PHI is amended is a current patient of our Practice, alert the treating physician(s) for that patient of the amendment that has been made.
Policy Number 9
HIPAA §§164.103, 502(e), 504(e), 532(d) & (e)
Policy: Before our Practice can disclose PHI to a Business Associate, or allow a Business Associate to create, receive, maintain or transmit PHI on our behalf, we will obtain satisfactory assurances that the Business Associate will use or disclose the PHI only as permitted or required by our Business Associate Agreement, will safeguard the PHI from misuse, will help the Practice comply with its duties under HIPAA and the Data Breach Notification Rule, and will secure these same assurances from any Subcontractor of the Business Associate. The Business Associate cannot use or disclose PHI provided by us in any manner that would not be a permissible use or disclosure by our Practice under the Privacy Rule.
1. Business Associates; Business Associate Agreements
A. For each new arrangement where the Practice plans to retain a person or entity to perform a function, activity or service on behalf of the Practice, our Privacy Officer will first consult the definition of Business Associate in the Glossary of Terms to determine whether the person or entity is to be treated as a Business Associate of the Practice.
B. Our Practice will enter into a written Business Associate Agreement with every person or entity who meets the definition of a Business Associate as set forth in the Glossary. Our Privacy Officer will consult our form of Business Associate Agreement and contact our legal counsel, as necessary, to assist in negotiation and/or preparation of the necessary agreement. Any Business Associate Agreement our Practice enters into shall meet the requirements of 45 C.F.R. §164.504(e)(1).
- If a Business Associate presents to our Practice the Business Associate’s own proposed Business Associate Agreement, our Privacy Officer will review the proposed agreement under our model form and contact our legal counsel, as necessary, to assist in negotiation of necessary revisions to the proposed agreement(s).
- If our Practice has a Business Associate Agreement with an existing Business Associate Agreement that does not address requirements under the Data Breach Notification Rule or is not in compliance with the HITECH Act, we will enter into an Amended and Restated Business Associate Agreement and contact our legal counsel, as necessary, for assistance.
2. Confidentiality Agreements
Where the Privacy Officer has identified that a person or entity is not a Business Associate but, nevertheless, may have more than incidental or inadvertent access or exposure to PHI held by the Practice, the Privacy Officer will seek to enter into a confidentiality agreement with that person or entity and will obtain the advice of our legal counsel, as necessary.
3. Responding to Violations by a Business Associate
A. If any person in our Practice receives any information leading him or her to believe that one of our Business Associates (or an employee or agent of one of our Business Associates) is violating a provision of our Business Associate Agreement or is engaged in some activity that could result in a violation of our privacy policies and procedures, that person shall immediately provide that information to our Privacy Officer.
B. Our Privacy Officer shall keep a record of information provided to him or her pursuant to subsection 3A. If the information provided appears credible, the Privacy Officer shall contact the Business Associate to discuss the problem or may contact our legal counsel prior to contacting the Business Associate.
C. If the information received by the Privacy Officer reflects a pattern of activity or practice of the Business Associate that constitutes a material breach or violation of the Business Associate’s obligations under our agreement with that entity or person, the Privacy Officer shall notify legal counsel for further action as required by the Privacy Rule.
SAFEGUARDING PROTECTED HEALTH INFORMATION
Policy Number 10
Policy: Our Practice will have in place appropriate administrative, technical, and physical safeguards to try to reasonably safeguard our patients’ PHI.
1. Our Practice will implement safeguards to reasonably:
A. Protect our patients’ PHI from intentional or unintentional use or disclosure in violation of the Privacy Rule and our policies and procedures; and
B. Limit incidental uses or disclosures that may occur as a result of an otherwise permitted or required use or disclosure of PHI.
2. In determining what type of safeguards we should implement, we will take into consideration our own needs and circumstances, such as:
A. The nature of the PHI we hold;
B. The potential risks to patients’ privacy;
C. The potential effects on patient care; and
D. The financial and administrative burden of implementing particular safeguards.
3. Some of the types of safeguards that our Practice will implement include:
A. Development, implementation, and periodic review and revision of the policies and procedures in this Policy Manual;
B. The designation of our Privacy Officer as the person responsible for implementing our policies and procedures, receiving complaints, and, along with his or her designee, providing information regarding our Notice of Privacy Practices;
C. Proper storage and disposal of documents and records, such as shredding documents and records prior to disposal;
D. Speaking quietly when discussing a patient’s condition with family members in a waiting room or other public area;
E. Avoiding use of patients’ names in public hallways and other public areas of our office;
F. In areas where multiple patient-staff communications routinely occur, use of cubicles, dividers, shields, curtains, or similar barriers as is reasonable for our Practice;
G. Posting signs to remind employees to protect patient confidentiality;
H. Utilizing a patient sign-in sheet that does not include any of a patient’s health information and, when calling out patient names or addressing patients in the waiting area, limiting the information disclosed, such as referring the patients to a reception area where they can receive further instructions in a more confidential manner;
I. Eliminating the posting of PHI in public areas where unauthorized persons can view the information;
J. Isolating or locking file cabinets or records rooms, or otherwise restricting medical records from access by unauthorized persons, such as maintaining reasonable supervision of these areas;
K. When maintaining patient charts outside of exam rooms, using such measures as reasonably limit access to these areas, such as ensuring that the area is supervised, escorting non-employees in the area, and/or placing patient charts in their holders with identifying information facing the door or wall or otherwise covered, rather than having health information about the patient visible to anyone who walks by;
L. Determining which Workforce members have access to keys and/or combinations to gain access to our office and/or to areas housing PHI and limiting such access to those whose duties require this level of access;
M. Imposing security measures on computers and other systems containing PHI, such as restrictions on workstation use, unique user ID’s and strong passwords to access such computers, and firewalls;
N. Limiting visual access to computer monitors to avoid incidental disclosure of information to unauthorized persons, and utilizing automatic screen-savers with password re-entry or automatic log-off;
O. Establishing a disaster recovery plan, both for paper and electronic records;
P. Establishing a reporting and response system for security violations, in conjunction with our Practice’s Data Breach Notification Policy; and
Q. Providing periodic security awareness training to our Workforce.
Policy Number 11
Policy: Our Practice will provide training to all Workforce members on the policies and procedures in this Policy Manual, as necessary and appropriate for them to carry out their function and duties within our Practice.
1. Our Privacy Officer shall develop and implement a training program for our Workforce to include the following:
- Making a copy of this Policy Manual available to all Members of our Workforce for the purpose of reviewing each policy and procedure (such review to occur in a training meeting(s) of our entire Workforce and/or through individual review by each member of our Workforce) or for consulting our policies and procedures on an as-needed basis;
- Informal awareness training regarding privacy and security of PHI, including application of the minimum necessary principle (see Policy No. 4 of this Policy Manual);
- Periodic reminders about the need to make good faith efforts to maintain the privacy and security of our patients’ PHI;
- Education concerning computer virus protection, detection, and response to a virus infection; and
- Education about the importance of a secure login and our Practice’s policy regarding creating, changing, and protecting the confidentiality of computer passwords.
2. Our Practice will provide this training as follows:
A. To each member of our current Workforce;
B. To each new member of our Workforce within a reasonable period of time after the person joins our Practice; and
C. To each member of our Workforce whose job functions are affected by a material change in our policies or procedures or a material change in the HIPAA Privacy Rule, with such training to occur within a reasonable period of time after the material change becomes effective.
3. All Members of our Workforce shall:
A. Sign a log indicating the date and content of training received by such person; and
B. Sign a confidentiality agreement stating that the person has reviewed and understands the Practice’s privacy policies and procedures and will strive to comply with them, and to reinforce each person’s responsibility to protect and maintain the privacy and security of our patients’ PHI.
4. Our Privacy Officer shall maintain records documenting that the training required by this policy is provided.
COMPLAINTS TO OUR PRACTICE; MITIGATION
Policy Number 12
HIPAA §164.530(d), (f)
Policy: Our Practice will provide a procedure for patients to make a complaint concerning our Practice’s privacy policies and procedures or our Practice’s compliance with such policies and procedures or with the HIPAA Privacy Rule.
1. A patient of our Practice who has a complaint about our policies and procedures regarding the handling of PHI, about our compliance with such policies and procedures or with the Privacy Rule, may file a complaint with our Privacy Officer.
A. A complaint must be in writing and must state the specific nature of the problem with our policies and procedures or the specific area of alleged non-compliance.
B. Our Privacy Officer will acknowledge to the patient, in writing, that we received the complaint and that it will be addressed appropriately and a response provided to the patient.
2. As specified in our Notice of Privacy Practices, a patient may also file a complaint directly with the Office for Civil Rights (see Glossary). The address for filing a complaint with the OCR will be provided to any person, upon request.
3. A complaint to our Practice shall be acted upon as soon as reasonably possible but in no case less than thirty (30) days of receipt.
4. Upon receipt of a complaint, our Privacy Officer shall advise the managing physician of our Practice, and, upon such review of the complaint, may notify our legal counsel for retention in reviewing, investigating, and formulating a response to the complaint.
5. Once the investigation into the complaint has been concluded, our Privacy Officer, in conjunction with legal counsel, shall formulate an appropriate response to the complaining individual.
6. If the investigation of the complaint revealed a problem with our policies and procedures, or a failure to comply with such policies and procedures or with applicable law or regulations, our Privacy Officer, in conjunction with our legal counsel, shall formulate corrective action intended to remedy the problem or non-compliance including, as appropriate, imposing sanctions pursuant to Policy No. 14 of this Manual.
7. If the violation is found to involve a Business Associate of our Practice, we shall take the steps required by Policy No. 9 of this Policy Manual, regarding our Practice’s Business Associates.
8. Our Privacy Officer shall document all complaints received and their disposition.
9. Any correspondence or communication our Practice receives from the OCR–whether regarding the investigation of a complaint, a compliance review, or otherwise–shall be immediately provided to our Privacy Officer who shall notify legal counsel for the Practice to assist in responding to the OCR. Our Practice shall cooperate with the OCR and provide access as required by the Privacy Rule.
A. Our Privacy Officer shall take reasonable efforts to mitigate, to the extent practicable, any harmful effect that is actually known to our Practice of a use or disclosure of PHI by our Practice or by one of our Business Associates, in violation of our policies and procedures or the requirements of law. Our Privacy Officer shall implement our Data Breach Notification Policy, to determine if any notice is required and what mitigation efforts should be undertaken
NO RETALIATION FOR THE EXERCISE OF RIGHTS OR THE FILING OF A COMPLAINT; NO WAIVER OF RIGHTS
Policy Number 13
HIPAA §164.530(g), (h)
Policy: Our Practice will not intimidate, threaten, coerce, discriminate against or take other retaliatory action against any individual who exercises, or attempts to exercise, his or her rights under the HIPAA Privacy Rule or who files a complaint or otherwise participates in HIPAA compliance efforts as described in this policy. Our Practice shall not require an individual to waive his or her rights under the HIPAA Privacy Rule as a condition of receiving treatment from our Practice.
1. All requests for access, amendment, copying, authorizations, acknowledgments, and accountings related to the PHI of a patient of our Practice shall be handled in accordance with this Policy Manual.
2. All complaints about our policies and procedures, or about our compliance with this Policy Manual, will be handled in accordance with this Policy Manual and no patient, Personal Representative, or Member of our Workforce will be retaliated against in any way for:
A. Filing a complaint with our Privacy Officer or with the Secretary of Health and Human Services (Office for Civil Rights) pursuant to Policy No. 12 of this Policy Manual;
B. Testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing related to the Privacy Rule; or
C. Opposing any act or practice that is unlawful under the HIPAA Privacy Rule, provided the person has a good faith belief that the practice opposed is unlawful, and the manner of the opposition is reasonable and does not involve a disclosure of PHI made in violation of the HIPAA Privacy Rule.
3. Workforce members are encouraged to contact our Privacy Officer for clarification in the event of confusion or questions concerning any part of this Policy Manual.
4. Workforce members are encouraged to and shall immediately report, in good faith, to our Privacy Officer, or to our managing physician, any knowledge of a violation of this Policy Manual by a member of our workforce or by a Business Associate, or a violation of this policy of non-retaliation and non-waiver of rights.
5. If our Practice receives information that this policy may have been violated, our Privacy Officer, or managing physician, as appropriate to the complaint, shall promptly investigate the report of retaliation and shall consult with our Practice’s legal counsel regarding the matter, as necessary.
6. Any Member of our Workforce found to have violated this policy shall be sanctioned according to the provisions of Policy No. 14 of this Manual and consistent with our personnel policies.
SANCTIONS FOR VIOLATIONS OF PRIVACY; EXCEPTIONS TO SANCTIONS
Policy Number 14
HIPAA §164.530(e), (g)(2); §164.502(j)
Policy: Our Practice will apply appropriate sanctions against any member of our Workforce who fails to comply with the policies and procedures in this Policy Manual or the requirements of the Privacy Rule. Sanctions will not be imposed, however, under certain circumstances described in this Policy.
1. General Sanction Policy
A. Our Practice may receive complaints regarding our compliance with our Policies and Procedures or with the Privacy Rule. Such complaints will be handled in accordance with Policy No. 12 of this Manual. We may also learn of non-compliance issues through allegations of violations received internally from our Workforce members.
B. Workforce members are encouraged to make our Privacy Officer or managing physician aware of any concerns about our compliance with our Privacy Policies or with the Privacy Rule. Any allegations of noncompliance should be made in good faith, and in accordance with this policy, as applicable.
C. All allegations of a violation by a member of our Workforce of a provision of this Policy Manual will be investigated. Appropriate disciplinary action will be taken whenever it is determined that a member of our Workforce has committed a significant violation of our Policy Manual or the Privacy Rule. The established disciplinary procedures and processes are applicable to all Workforce members, whether an owner, employee or independent contractor.
D. The determination of the disciplinary measures to be imposed will be made on a case-specific basis, appropriate to the nature of the violation, and in accordance with our personnel policies. We will consider factors such as:
- The severity of the violation;
- Whether it was intentional or unintentional; and
- Whether there has been a pattern of noncompliance by the member of our Workforce.
E. Disciplinary actions may include counseling, verbal warning, written warning, suspension without pay, and/or discharge.
F. As set forth in Policy No. 11 of this Manual, we will have procedures in place requiring our Workforce members to review and become familiar with our privacy policies and procedures so they will understand what is expected of them in the area of privacy and be aware that noncompliance could result in sanctions. Such training will include the specific requirements set forth in Section 2, below, regarding otherwise impermissible disclosures.
G. Our Privacy Officer will be responsible for documenting all sanctions and disciplinary action resulting from a violation.
2. Exceptions to Sanctions
Sanctions shall not apply to a member of our Workforce with respect to the following activities, where the specific requirements for each type of activity or disclosure is met:
A. Actions taken in pursuit of compliance with the Privacy Rule
Our Practice will not intimidate, threaten, coerce, discriminate against or take other retaliatory action against Workforce members or others who:
i. File a complaint with the Secretary of Health & Human Services, or the Office for Civil Rights;
ii. Testify, assist or participate in an investigation or a compliance review, proceeding or hearing related to OCR’s enforcement of the Privacy Rule;
iii. Oppose any act or practice made unlawful by the Privacy Rule, provided the person has a good faith belief that the act or Practice is unlawful, and the manner of the opposition is reasonable and does not involve disclosures of PHI in violation of the Privacy Rule.
Our Practice will not impose sanctions or otherwise retaliate against a member of our Workforce or a Business Associate of our Practice who discloses PHI in the following circumstances:
i. The individual believes that the conduct at issue (which requires the disclosure of PHI in order for the individual to report the conduct) is unlawful or otherwise violates professional or clinical standards, or that the care, services or conditions provided by our Practice potentially endangers one or more patients, workers or the public and if;
ii. The disclosure is made to one of the following:
a. A health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of our Practice;
b. An appropriate health care accreditation organization for the purpose of reporting the allegation of misconduct or failure to meet professional standards or misconduct by our Practice; or
c. An attorney retained by or on behalf of the member of our Workforce or Business Associate for the purpose of determining the person’s legal options and/or obligations with regard to the Practice’s conduct.
C. Victims of Crime
Our Practice will not impose sanctions or otherwise retaliate against a member of our Workforce who is the victim of a criminal act and discloses PHI related to the crime, provided that:
i. The disclosure is to a law enforcement official;
ii. The PHI disclosed is about the suspected perpetrator of the criminal act; and
iii. The PHI disclosed is limited to the following information:
a. Name and address;
b. Date and place of birth;
c. Social security number;
d. ABO blood type and Rh factor;
e. Type of injury;
f. Date and time of treatment;
g. Date and time of death, if applicable; and
h. A description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair, scars, and tatoos.
GLOSSARY OF TERMS
Authorization – The permission granted by a patient, or the patient’s Personal Representative, to use Protected Health Information for specified purposes or to disclose Protected Health Information to a third party specified by the individual. An Authorization Form is the document that reflects this permission.
Breach – With certain exceptions, the acquisition, access, use or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI.
Business Associate – With certain exceptions, a person or entity that: (1) creates, receives, maintains, or transmits PHI for a function or activity regulated by the Privacy Rule or (2) provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for our practice, or to or for an Organized Health Care Arrangement in which our practice participates, where the provision of the service involves the disclosure of protected health information from our practice or OCHA, or from our Business Associate, to the person. A Business Associate does not include a member of the Covered Entity’s Workforce nor a health care provider with respect to disclosures by the Covered Entity to the health care provider concerning the treatment of a patient. A Business Associate includes: a personal health record vendor, Health Information Organization, and an E-prescribing Gateway or other organization that provides data transmission of PHI to a Covered Entity and requires access to such PHI on a routine basis but not organizations that are mere conduits for the transport of PHI and do not access the information other than on a random or infrequent basis. A Business Associate is also a subcontractor that creates, receives, maintains or transmits PHI on behalf of a Business Associate.
Business Associate Agreement – A Covered Entity’s written agreement with its Business Associate, setting forth the Business Associate’s obligations related to the Covered Entity’s PHI.
Correctional Institution – Any penal or correctional facility, jail, reformatory, detention Practice, work farm, halfway house, or residential community program Practice operated by, or under contract to, the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, for the confinement or rehabilitation of persons charged with or convicted of a criminal offense or other persons held in lawful custody. Other persons held in lawful custody includes juvenile offenders adjudicated delinquent, aliens detained awaiting deportation, persons committed to mental institutions through the criminal justice system, witnesses or others awaiting charges or trial. Inmate is a person incarcerated in or otherwise confined to a correctional institution. Covered Entity – A health care provider who conducts certain financial and administrative transactions electronically for which standards have been adopted under HIPAA, such as electronic billing. Health Plans and Healthcare Clearinghouses are also Covered Entities.
Data Breach – See our Practice’s Data Breach Notification Policy.
Designated Record Set – Basically a group of records which a Covered Entity uses to make decisions about individuals, and includes a health care provider’s medical records and billing records, and a health plan’s enrollment, payment, claims adjudication, and case or medical management record systems. A record, for purposes of a Designated Record Set, means any item, collection or grouping of information that includes PHI and is maintained, collected, used or disseminated by or for a Covered Entity.
Direct Treatment Relationship – A treatment relationship between an individual and a health care provider that is not an Indirect Treatment Relationship.
Disclosure – The release, transfer, provision of access to, or divulging in any other manner, of information outside the entity holding the information.
Electronic Health Record – An electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.
Electronic Media – (1) Electronic storage material on which data is or may be recorded electronically, including, for example, devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; (2) Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet, extranet or intranet, leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media if the information being exchanged did not exist in electronic form immediately before the transmission.
Electronic Protected Health Information (EPHI) –
Family Member – An individual’s: (1) dependent; or (2) any other person who is a first-degree, second-degree, third-degree, or fourth-degree relative of the individual or of a dependent of the individual. Relatives by affinity (such as by marriage or adoption) are treated the same as relatives by consanguinity (that is, relatives who share a common biological ancestor). In determining the degree of the relationship, relatives by less than full consanguinity (such as half-siblings, who share only one parent) are treated the same as relatives by full consanguinity (such as siblings who share both parents). First-degree relatives include parents, spouses, siblings, and children. Second-degree relatives include grandparents, grandchildren, aunts, uncles, nephews, and nieces. Third-degree relatives include great-grandparents, great-grandchildren, great aunts, great uncles, and first cousins. Fourth-degree relatives include great-great grandparents, great-great grandchildren, and children of first cousins.
Health Care – Health care includes, but is not limited to, the following:
Preventive, diagnostic, therapeutic, rehabilitative maintenance, or palliative care, and
counseling service, assessment, or procedure with respect to the physical or mental
condition, or functional status, of an individual or that affects the structure or function of
the body; and sale or dispensing of a drug, device, equipment, or other item in accordance
with a prescription.
Health Care Clearinghouse – A public or private entity that either: (1) processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction; or (2) receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.
Health Care Operations – Certain administrative, financial, legal, and quality improvement activities of a Covered Entity that are necessary to run its business and to support the core functions of treatment and payment. These activities are limited to the activities listed in the definition of “health care operations” at 45 CFR 164.501, such as : conducting quality assessment and improvement activities and case management and care coordination; reviewing the competence or qualifications of health care professionals, training health care and non-health care professionals, accreditation, certification, licensing, or credentialing activities; conducting or arranging for medical review, legal, and auditing services, including fraud and abuse detection and compliance programs; business planning and development; and business management and general administrative activities, including those related to implementing and complying with the Privacy Rule and other HIPAA rules, customer service, resolution of internal grievances, sale or transfer of assets, and creating de-identified health information or a Limited Data Set.
Health Information – Any information, including genetic information, whether oral or recorded in any form or medium, created or received by a provider that relates to the past, present, or future physical or mental health condition of a patient; the provision of healthcare to a patient; or the past, present or future payment for the provision of healthcare to a patient.
Health Oversight Agency – An agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.
Health Plan – An individual or group plan that provides for, or pays the cost of, medical care.
HHS – The U.S. Department of Health & Senior Services (see Secretary).
HIPAA – The Health Insurance Portability and Accountability Act of 1996.
HITECH – The Health Information Technology for Economic and Clinical Health Act.
Incidental use or disclosure – A secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of a use or disclosure permitted by the Privacy Rule.
Indirect Treatment Relationship – A relationship between an individual and a health care provider in which: (1) the health care provider delivers health care to the individual based on the orders of another health care provider; and (2) the health care provider typically provides services or products, or reports the diagnosis or results associated with the health care, directly to another health care provider, who provides the services or products or reports to the individual.
Individual – The person who is the subject of Protected Health Information.
Institutional Review Board or IRB or Privacy Board – Within the provisions of the institutional review board (IRB) rules (21 CFR, Part 56) are requirements that the IRB ensure that there are adequate provisions to protect the privacy of research subjects and to maintain the confidentiality of research data.
Law Enforcement Official – An officer or employee of any agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, who is empowered by law to: (1) investigate or conduct an official inquiry into a potential violation of law; or (2) prosecute or otherwise conduct a criminal, civil or administrative proceeding arising from an alleged violation of law.
Limited Data Set – A Limited Data Set is PHI that excludes the following direct identifiers of the individual or of relatives, employers or household members of the individual:
- Postal address information, other than town or city, State, and zip code;
- Telephone numbers;
- Fax numbers;
- Electronic mail addresses;
- Social security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers and serial numbers;
- Web Universal Resource Locators (URLs);
- Internet Protocol (IP) address numbers;
- Biometric identifiers, including finger and voice prints; and
- Full face photographic images and any comparable images.
Marketing – Marketing means:
(1) (except as provided in (2) below) to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.
(2) Marketing does not include a communication made:
(i) to provide refill reminders or otherwise communicate about a drug or biologic that is currently being prescribed for the individual, only if any financial remuneration received by the Covered Entity in exchange for making the communication is reasonably related to the Covered Entity’s cost of making the communication;
(ii) for the following treatment and health care operations purposes, except where the Covered Entity receives financial remuneration in exchange for making the communication: (A) for treatment of an individual by a health care provider including: case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or setting of care to the individual; (B) to describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the Covered Entity making the communication, including communications about: the entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a health plan; and health0related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits; or (C) for case management or care coordination, contacting of individuals with information about treatment alternatives, and related functions to the extent these activities do not fall within the definition of treatment.
(3) Financial remuneration means direct or indirect payment from or on behalf of a third party whose product or service is being described. Direct or indirect payment does not include any payment for treatment of an individual.
Minimum Necessary – The principle that a Covered Entity, when using or disclosing PHI, or when requesting PHI from another Covered Entity, must make reasonable efforts to limit such PHI, to the extent practicable, to the Limited Data Set or, if needed by the Covered Entity, to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. The Secretary of HHS will issue guidance on what constitutes “minimum necessary.”
OCR – The Office for Civil Rights of the U.S. Department of Health & Human Services. OCR is the federal agency charged with enforcing the Privacy Rule and receives complaints regarding same. The OCR address for filing complaints related to our Practice is the Region II – New York OCR Office (New Jersey, New York, Puerto Rico, Virgin Islands):
Linda Colon, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
Jacob Javits Federal Building
26 Federal Plaza – Suite 3312
New York, NY 10278
Voice Phone (800) 368-1019
FAX (212) 264-3039
TDD (800) 537-7697
Organized Health Care Arrangement (OHCA) – An Organized Health Care Arrangement is: (1) a clinically integrated care setting in which individuals typically receive health care from more than one health care provider; or (2) an organized system of health care in which more than one Covered Entity participates, and in which the participating Covered Entities: (i) hold themselves out to the public as participating in a joint arrangement; and (ii) participate in joint activities that include at least one of the following: (A) utilization review, in which health care decisions by participating Covered Entities are reviewed by other participating Covered Entities or by a third party on their behalf; (B) quality assessment and improvement activities, in which treatment provided by participating Covered Entities is assessed by other participating Covered Entities or by a third party on their behalf; or (C) payment activities, if the financial risk for delivering health care is shared, in part or in whole, by participating Covered Entities through the joint arrangement and if PHI created or received by a Covered Entity is reviewed by other participating Covered Entities or by a third party on their behalf for the purpose of administering the sharing of financial risk.
Payment – The various activities of health care providers to obtain payment or be reimbursed for their services and of a Health Plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care. It includes billing and collection activities, determining eligibility or coverage under a plan and adjudicating claims, reviewing health care services for medical necessity, coverage, justification of charges, etc., utilization review activities (including precertification and preauthorization of services, concurrent and retrospective review of services), and disclosures to consumer reporting agencies of any of the following PHI relating to collection of premiums or reimbursement: name and address; date of birth; social security number; payment history; account number; and name and address of the health care provider and/or Health Plan.
Personal Representative – Under the Privacy Rule, a person authorized under State or other applicable law to act on behalf of the individual in making health care related decisions is the individual’s personal representative. Except in certain limited situations specified in the Privacy Rule, a Covered Entity is required to treat an individual’s Personal Representative as the individual with respect to uses and disclosures of the individual’s PHI, as well as with respect to the individual’s rights under the Privacy Rule. PHI – Protected Health Information. Protected Health Information is individually identifiable health information that is: (i) transmitted by electronic media; (ii) maintained in any electronic medium; or (iii) transmitted or maintained in any other form or medium, but does not include certain education records covered by the Family Educational Rights and Privacy Act or employment records held by a Covered Entity in its role as an employer. A Covered Entity need only comply with the requirements of the Privacy Rule with respect to the PHI of a deceased individual for a period of 50 years following the death of the individual.
Privacy Act means the Privacy Act of 1974 (5 U.S.C., section 552A).
Privacy Contact – The person or persons designated by our Practice to answer questions and provide information to patients and others about our Notice of Privacy Practices and our policies and procedures, if this role is not filled by our Privacy Officer.
Privacy Rule – The Standards for Privacy of Individually Identifiable Health Information, 45 CFR Parts 160 and 164.
Privacy Officer – The person designated by our Practice to oversee the development and implementation of our Practice’s privacy policies and procedures and, where not delegated to a Privacy Contact(s), the person who receives complaints about our privacy practices and answers questions about our Notice of Privacy Practices.
Psychotherapy Notes – Notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record. It excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnoses, functional
status, the treatment plan, symptoms, prognosis, and progress to date.
Public Health Authority – An agency or authority of the United States government, a State, a territory, a political subdivision of a State or territory, or Indian tribe that is responsible for public health matters as part of its official mandate, as well as a person or entity acting under a grant of authority from, or under a contract with, a public health agency. Examples of a public health authority include State and local health departments, the Food and Drug Administration (FDA), the Centers for Disease Control and Prevention (CDC), and the Occupational Safety and Health Administration (OSHA).
Required by Law – A mandate contained in law that compels a Covered Entity to make a use or disclosure of PHI and that is enforceable in a court of law, e.g., court orders, court-ordered warrants, subpoenas, and summons; a civil investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.
Research – A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.
Sale of PHI – With certain exceptions set forth at 45 CFR §164.502(a)(5)(ii)(B)(2), a disclosure of PHI by a Covered Entity or Business Associate, if applicable, where the Covered Entity or Business Associate directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI.
Secretary – The Secretary of the U.S. Department of Health & Human Services or any other officer or employee of HHS to whom the authority involved has been delegated.
Subcontractor – A person to whom a Business Associate delegates a function, activity or service, other than in the capacity of a member of the Workforce of such Business Associate.
Treatment – The provision, coordination or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient, from one health care provider to another, for health care.
Use – With respect to Individually Identifiable Health Information, is the sharing, employment, application, utilization, examination or analysis of such information within an entity that maintains such information.
Workforce – Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a Covered Entity or Business Associate, is under the direct control of such Covered Entity or Business Associate, whether or not they are paid by the Covered Entity or Business Associate.
NEW YORK DATA BREACH AND INFORMATION
SECURITY NOTIFICATION POLICY
Purpose: To facilitate compliance with the requirements of the HITECH Act’s Data Breach Notification Rule, the New York Information Security and Breach Notification Act, and the New York Social Security Number Protection Law.
Definitions: The definitions attached hereto apply to this policy. Any terms not defined in the attachment shall have the meaning given them in the HIPAA Privacy and Security Standards, 45 CFR Parts 160 and 164, as may be amended, or given them in the New York Policy Addendum attached hereto.
Policy: In the case of a breach of unsecured PHI, and as determined necessary pursuant to this policy, our Practice will provide the notifications as required herein. When such breach involves computerized data containing Private Information, our Practice will also comply with the attached New York Policy Addendum. Our Practice will also comply with the restrictions on communication and use of Social Security Numbers, as set forth in the New York Policy Addendum.
- Discovery of Breach
- A breach is considered discovered as of the first day on which the breach is known by the Practice or, by exercising reasonable diligence, would have been known to the Practice.
- The Practice is deemed to have knowledge of a breach if the breach is known or, by exercising reasonable diligence, would have been known, to any person (other than the person committing the breach) who is an employee, officer or agent of the Practice. We do not consider a Business Associate to be an agent of the Practice but this is a fact-specific determination based on how much control we have over the Business Associate’s performance of services on our behalf.
- Every member of our workforce (including owners, employees, contractors, volunteers, and trainees) shall immediately report to our Privacy Officer any information regarding a security incident, or a potential breach of PHI.
- Our Privacy Officer shall be primarily responsible for investigating a security incident and will consult with our managing physician and our legal counsel in conducting such investigation. The investigation shall be conducted as promptly and expeditiously as possible, while addressing and documenting each step of the investigation.
- The first step in the investigation shall be to determine if the PHI involved was secured or unsecured PHI. (See Definitions accompanying this policy.) If the PHI was unsecured, the Privacy Officer shall continue to the second step. If the PHI was secured, no breach notification is required, but the Practice will take reasonably necessary steps to mitigate any harm, impose required sanctions, and to assess and implement needed measures to avoid future security incidents of the same nature.
- The second step in the investigation shall be to determine if the acquisition, access, use or disclosure of PHI was a violation of the Privacy Rule and, thus, impermissible, or if an exception applies. (See definition of breach.) If there was a violation of the Privacy Rule, and no exception applies, our Privacy Officer shall continue to the third step.
- The third step in the investigation shall be to conduct a risk assessment to determine if the impermissible acquisition, access, use or disclosure of PHI compromises the security or privacy of the PHI. The impermissible acquisition, access, use or disclosure of PHI is presumed to be a breach, requiring notification, unless our Practice can demonstrate that there is a low probability that the PHI has been compromised, based on a risk assessment of at least the following factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.
- Investigation of Security Incident
- Our Privacy Officer shall consult with the managing physician and legal counsel in conducting the required risk assessment and making a determination as to whether the impermissible acquisition, access, use or disclosure of PHI constituted a breach that requires notification. If the determination is made that notification is required, our Privacy Officer shall implement the notification procedures required by this policy.
- Concurrent with the steps taken above, our Practice will determine if the security incident involved computerized data involving Private Information and, if so, our Practice will incorporate the procedures contained in the New York Policy Addendum, including any notification procedures.
- Timeliness of Notification
- Once a determination has been made that a breach notification is required, notice of the breach shall be made promptly to the patient(s) who we know, or reasonably believe, to be affected, without unreasonable delay, and in no case later than sixty (60) days after discovery of the breach. Note: The investigation conducted pursuant to Section 2 of this Policy does not stop the 60 day period from continuing to run from the date the breach was first discovered.
- Delay of Notice for Law Enforcement Purposes – If a law enforcement official advises our Practice that a notification, notice or posting required under this policy would impede a criminal investigation or cause damage to national security, our Practice shall take the following steps:
- Notification Procedures
– If the statement is in writing and specifies the time needed for delay, our Practice shall delay breach notification for the period of time specified in the writing
– If the statement is oral, our Practice will document the statement, including the identity of the law enforcement official, and shall delay breach notification temporarily, but no longer than 30 days from the date of the statement, unless a written statement described above is provided to the Practice within that 30-day time period, stating a specific time for delay.
- Content of the Notice – Regardless of the method by which notice is provided to patients under this policy, the required notice shall be in plain language and, to the extent possible, shall contain the following information:
- A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.
- A description of the types of unsecured PHI that were involved in the breach, such as whether full name, Social Security Number, date of birth, home address, account number, diagnosis code, or disability code, or other types of information were involved. Only the generic type of PHI should be included in the notice, i.e., not the patient’s actual SSN or birth date.
- The steps the patient should take to protect themselves from potential harm resulting from the breach.
- A brief description of what the Practice is doing to investigate the breach, to mitigate harm to patients, and to protect against further breaches.
- Contact procedures for patients to ask questions or learn additional information, which shall include a toll-free telephone number, an email address, Web site, or postal address.
- Patient Notification – Notice to individual patients shall be provided as follows:
- A written notice shall be sent by first-class mail to the last known address of the patient or, if the patient has previously agreed to electronic notice, then by electronic mail (preferably encrypted).
- If the Practice knows that the patient is deceased, the notice shall be sent to the last known address of the patient’s next of kin, if known to the Practice.
- If the patient is incapacitated or incompetent, the notice shall be sent to the last known address of the patient’s personal representative.
- If the patient is a minor, the notice shall be sent to the last known address of the patient’s parent or guardian.
- Substitute Notification – In the case where there is insufficient or out-of-date contact information (including a phone number, email address or other form of appropriate communication) to provide direct written notice to the patient, the following procedure shall be followed:
- If there are fewer than ten (10) patients for whom there is out-of-date or insufficient contact information, a substitute form of notice shall be made to the patient reasonably calculated to reach the patient, such as telephone contact, followed by written notice, if possible.
- If there are ten (10) or more patients for whom there is out-of-date or insufficient contact information, the substitute form of notice shall be made by:
– Posting a conspicuous notice for 90 days on the home page of our Practice’s Web site that includes a toll-free number for patients to contact for more information; or
– Providing a conspicuous notice in major print or broadcast media in the geographic area where the affected patients likely reside, that includes a toll-free number, active for 90 days, that a patient can call to learn whether or not their PHI may be included in the breach.
- Urgent Notification – If our Practice determines that a patient should be notified urgently of a breach because of possible imminent misuse of unsecured PHI, our Practice may provide notification to the patient by telephone or other means, as appropriate, in addition to providing the written notice as outlined above.
- Media Notification – When we reasonably believe that a single breach event affects more than 500 of our patients, notice shall be provided to prominent media outlets serving the area(s) in which our Practice is located, such as through a press release.
- HHS Notification
- If a single breach event affects 500 or more patients, notice shall be provided by our Practice without unreasonable delay, but in no case less than 60 days after the breach is discovered, to the Secretary of the U.S. Department of Health & Human Services (HHS). Our Privacy Officer shall use the electronic form available on the HHS Web site (http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html) when notifying HHS of such breaches.
- Our Practice shall maintain an annual log of every breach (determined to require notification under this policy) discovered in a calendar year that affected less than 500 patients. Our Privacy Officer shall notify HHS of such breaches no later than 60 days following the end of each calendar year, using the instructions and electronic form available on the HHS Web site for such notification.
- Our Practice shall maintain documentation related to all breach investigations and notices, including the risk assessment conducted to determine whether a breach notification was required, and shall maintain such documentation for six (6) years after the discovery of the breach.
- The documentation maintained for each breach investigation shall include:
- i. A description of what happened, including the date of the breach, the date of the discovery of the breach, and the number of patient affected, if known.
- ii. A description of the types of PHI that were involved in the breach.
- iii. A description of the action taken by our Practice with regard to notification of patients, the media and/or HHS.
- iv. A description of the evidence demonstrating the necessity of any delay in providing notification.
- v. A description of the measures taken by our Practice to mitigate the breach.
- vi. A description of the steps taken by our Practice to prevent future occurrences of that type of breach.
- Workforce Training – Our Practice shall train all members of our workforce regarding this policy, including how to notify the Privacy Officer of a security incident or possible breach, and shall utilize the Practice’s Privacy Policies and Procedures regarding non-retaliation and sanctions related to workforce compliance with this policy.
- Business Associates – Our Practice’s Business Associates shall be required to provide notice to our Privacy Officer of a security incident or possible breach of our Practice’s unsecured PHI, without unreasonable delay and within the timeframe established in the Business Associate Agreement. The Business Associate shall be required to provide our Practice with the information necessary for the Practice to conduct a risk assessment and to provide any notice required under this policy, to the extent the Business Associate has such information.
Effective Date: 9/1/2013
Definition of Breach
A breach is, generally, the acquisition, access, use or disclosure of protected health information (PHI) in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI. Except as provided below, an acquisition, access, use or disclosure of PHI in a manner not permitted under the Privacy Rule is presumed to be a breach unless the Covered Entity or Business Associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on the risk assessment as set forth in this policy.
There are three exceptions to the definition of “breach.” A breach excludes:
- The unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, if such was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the Privacy Rule.
- The inadvertent disclosure of PHI by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the covered entity or business associate and the information is not further used or disclosed in a manner not permitted by the Privacy Rule.
- A disclosure of PHI where the covered entity or business associate has a good faith belief that the unauthorized individual, to whom the impermissible disclosure was made, would not reasonably have been able to retain the information.
Unsecured Protected Health Information; Guidance
Covered entities and business associates must only provide the required notification if the breach involved unsecured protected health information. Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified in guidance issued by the Secretary of Health & Human Services. The guidance specifies encryption and destruction as the technologies and methodologies for rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals. Covered entities and business associates that secure information as specified by the guidance are relieved from providing notifications following the breach of such information. This guidance, found at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html will be updated annually by HHS.
New York Policy Addendum
Notification under New York’s Information Security
Breach & Notification Act
Protection of Social Security Numbers Under New York Law
Information Security Breach & Notification
The New York State Information Security Breach and Notification Act (N.Y. Gen. Bus. Law § 899-aa) requires our Practice to notify patients in the event of certain data security breaches. The following definitions are key to determining whether there has been a breach of our security system that triggers our obligation under New York law:
“Personal Information” means any information concerning a person which, because of name, number, personal mark or other identifier, can be used to identify that person.
“Private Information” means Personal Information consisting of any information in combination with any one or more of the following data elements, when either the Personal Information or the data element is not encrypted, or encrypted with an encryption key that has also been acquired:
– Social Security Number
– Driver’s license number or non-driver identification card number; or
– Account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account
“Private Information” does not include publicly available information that is lawfully made available to the general public from federal, state or local government records
“Breach of the Security of the System” means unauthorized acquisition or acquisition without valid authorization of computerized data that compromises the security, confidentiality or integrity of Personal Information maintained by the Practice. Good faith acquisition of Personal Information by an employee or agent of the Practice for the purposes of the Practice is not a breach of the security of the system, provided that the Private Information is not used or subject to unauthorized disclosure.
When our investigation of a data breach reveals that there has been a Breach of the Security of the System, we will incorporate the following procedures in our response to the breach:
- Disclose any Breach of the Security of the System following discovery or notification of the Breach in the Security of the System to any resident of New York State whose Private Information was, or is reasonably believed to have been, acquired by a person without valid authorization. The disclosure shall be made by notification as provided in paragraph 4, below, in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system;
- Notify the owner or licensee of the information of any Breach of the Security of the System immediately following discovery, if the Private Information was, or is reasonably believed to have been, acquired by a person without valid authorization;
- Potentially delay any necessary notification if a law enforcement agency determines that such notification impedes a criminal investigation. The notification required shall be made after such law enforcement agency determines that such notification does not compromise such investigation;
- Directly provide any required notice to the affected persons by one of the following methods:
(a) written notice;
(b) electronic notice, provided that the person to whom notice is required has expressly consented to receiving said notice in electronic form and a log of each such notification is kept by our Practice in such form; provided further, however, that in no case shall our Practice require a person to consent to accepting said notice in said form as a condition of establishing any business relationship or engaging in any transaction with our Practice;
(c) telephone notification, provided that a log of each such notification is kept by our Practice; or
(d) substitute notice, after demonstrating to the state attorney general the necessary requirements (cost of notice exceeds $250,000 or affected class of persons to be notified exceeds 500,000 or our Practice does not have sufficient contact information).
- Ensure that any required notice shall include contact information for our Practice and a description of the categories of information that were, or are reasonably believed to have been, acquired by a person without valid authorization, including specification of which of the elements of Personal Information and Private Information were, or are reasonably believed to have been, so acquired; and
- Ensure that:
(a) In the event that any New York residents are to be notified, the Practice shall notify the state attorney general, the consumer protection board, and the state office of cyber security and critical infrastructure coordination as to the timing, content and distribution of the notices and approximate number of affected persons (such notice shall be made without delaying notice to affected New York residents); and
(b) In the event that more than five thousand New York residents are to be notified at one time, the Practice shall also notify consumer reporting agencies as to the timing, content and distribution of the notices and approximate number of affected persons (such notice shall be made without delaying notice to affected New York residents).
More information regarding our obligations under the New York law, including a fact sheet, a link to the required notification form, and a sample data security breach notification letter, is available at: http://www.nysconsumer.gov/business_interests/manage_sb.htm.
Communication and Use of Social Security Numbers
In order to comply with The New York Social Security Number Protection Law (N.Y. Gen. Bus. Law § 399-dd) our Practice will not do the following with regard to a social security account number:
- Intentionally communicate to the general public or otherwise make available to the general public in any manner an individual’s social security account number;
- Print an individual’s social security account number on any card or tag required for the individual to access products, services or benefits provided by our Practice;
- Require an individual to transmit his or her social security account number over the internet, unless the connection is secure or the social security account number is encrypted;
- Require an individual to use his or her social security account number to access an internet web site, unless a password or unique personal identification number or other authentication device is also required to access the internet website.
- Print an individual’s social security account number on any materials that are mailed to the individual, unless state or federal law requires the social security account number to be on the document to be mailed. Notwithstanding this paragraph, social security account numbers may be included in applications and forms sent by mail, including documents sent as part of an application or enrollment process, or to establish, amend or terminate an account, contract or policy, or to confirm the accuracy of the social security account number. A social security account number that is permitted to be mailed under this section may not be printed, in whole or part, on a postcard or other mailer not requiring an envelope, or visible on the envelope or without the envelope having been opened.
- Encode or embed a social security number in or on a card or document, including, but not limited to, using a bar code, chip, magnetic strip, or other technology, in place of removing the social security number as required by this section.
- File any document available for public inspection with any state agency, political subdivision, or in any court of this state that contains a social security account number of any other person, unless such other person is a dependent child, or has consented to such filing, except as required by federal or state law or regulation, or by court rule.
This does not prevent our Practice’s collection, use, or release of a social security account number as required by state or federal law, the use of a social security account number for internal verification, fraud investigation or administrative purposes or for any business function specifically authorized by law.
Our Practice will take reasonable measures to ensure that no employee has access to a social security number for any purpose other than for a legitimate or necessary purpose related to the conduct of our Practice and will provide safeguards necessary or appropriate to preclude unauthorized access to the social security account number and to protect the confidentiality of such number.
Effective Date: 2013
 “Social security account number” shall include the number issued by the federal social security administration and any number derived from such number but not any number that has been encrypted.