September 15, 2017
Privacy of Protected Health Information
PURPOSE: Practitioners and staff affiliated with Seasons Medical shall comply with the requirements of applicable state and federal laws concerning the privacy and security of protected health information concerning Practice’s patients, including but not limited to the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, 45 CFR part 164 (hereafter “the HIPAA privacy and security rules”).
- Protected Health Information. This policy applies to any information concerning a patient’s physical or mental health, health care, or payment for health care that may identify or refer to the patient. It applies to any such information in any form, e.g., oral, written, electronic, photographs, videos, etc. It applies to any information that is created or received by Practice, including information received from other health care providers. It does not apply to data from which all identifiable information has been removed so that the information cannot be linked to a particular patient.
- Use or Disclosure. This policy applies to the internal access to or use of protected health information in addition to disclosure of such information to entities outside the Practice.
- Personnel. This policy applies to all Practice personnel, including physicians and other practitioners, administration, office staff, volunteers, etc. It also applies to business associates of the Practice to whom the Practice discloses protected health information, including consultants, managers, transcriptionists, attorneys, accountants, IT specialists, vendors, etc.
- Privacy Officer and Security Officer. The Practice shall designate in writing a Privacy Officer and Security Officer to facilitate and ensure compliance with relevant privacy and security regulations and policies. The Privacy Officer shall have primary responsibility for implementing and overseeing compliance with the requirements of the HIPAA privacy rules and these policies, and for responding to questions, complaints or issues that arise concerning privacy issues, including violations. The Security Officer shall have primary responsibility for implementing and overseeing compliance with the requirements of the HIPAA security rules and associated policies. (See 45 CFR § 164.530(a)).
- Compliance with Applicable Law. Practice personnel shall maintain the privacy of Practice’s protected health information as required by:
- The HIPAA privacy and security rules. This policy shall be construed to be consistent with the requirements of the HIPAA privacy rules (45 CFR § 164.501 et seq.) and security rules (45 CFR § 164.301 et seq.) as they may be amended. The regulations, FAQs, and other helpful information concerning the HIPAA rules are found at the Office for Civil Rights website, http://www.hhs.gov/ocr/privacy/index.html. Practice personnel should be familiar with the requirements of the regulations and should review the referenced regulations when responding to specific situations.
- Practice’s current Notice of Privacy Practices. A copy of the Notice of Privacy Practices is incorporated into these policies. The Notice of Privacy Practices summarizes our privacy practices and policies. Practice personnel are expected to know and comply with the Notice of Privacy Practices.
- Use and Disclosure of Protected Health Information. Practice personnel may use or disclose protected health information without the patient’s or personal representative’s written authorization (as described below) in the following circumstances:
- Treatment. Practice personnel may use or disclose protected health information to treat the patient. For example, practice personnel may use or disclose information to evaluate the patient; to schedule appointments; to obtain information needed to treat the patient; make referrals; etc. In addition, Practice personnel may disclose information to other health care providers so that the other providers may properly treat the patient. (See 45 CFR § 164.506).
- Payment. Practice personnel may use or disclose protected health information to obtain payment for services rendered to the patient. For example, practice personnel may contact third party payors to obtain pre-authorization or submit claims; perform billing functions; send a claim to collections; etc. (See 45 CFR § 164.506).
- Health Care Operations. Practice personnel may use or disclose protected health information for certain health care operations. For example, the information may be used for case review; quality improvement; credentialing; employee training; patient relations; business analysis; etc. (See 45 CFR § 164.506).
- To Family or Others Involved in Care or Payment. Practice personnel may disclose protected health information to family members, close friends, or others involved in the care of the patient or the payment for such health care if: (1) the patient is present and does not object to the disclosure, and the practitioner believes disclosure is in the patient’s best interests; or (2) the patient is not present, but the disclosure is in the patient’s best interest and is consistent with the patient’s prior expressed wishes. Practice personnel should only disclose information relevant to the person’s involvement in the patient’s health care. (See 45 CFR § 164.510).
- Personal Representatives. In the case of minors, deceased patients, or other patients who lack capacity, Practice personnel may disclose information to the parent, guardian, or other personal representative with authority to make health care decisions for the patient under Idaho law. (See IC § 39-4504). Non-custodial parents are generally entitled to access information about their children. (See IC § 32-717A). Practice personnel may decline to disclose information to the personal representative if they believe it would not be in the patient’s best interest to disclose the information. (See 45 CFR § 164.502(g)).
- To Avert Serious Threat. Practice personnel may disclose information if necessary to avert serious and imminent harm to the patient or others. The disclosure may only be made to someone with the ability to avert the harm, e.g., the police. (See 45 CFR § 164.512(j)).
- Disclosures Required by Law. Practice personnel may disclose information to the extent another law requires disclosure, e.g., to report abuse, treatment of the victim of a crime or gunshot wounds, certain communicable diseases, threats to others, etc. Any disclosure should be limited to the extent required by that other law. (See 45 CFR § 164.512(a), (c)).
- Subpoenas and Court Orders. Practice personnel may disclose information pursuant to a court order, warrant or subpoena, but only if certain conditions are satisfied. Practice personnel should immediately contact the Privacy Officer if they are presented with a court order, subpoena, or request from a lawyer or prosecutor. The Privacy Officer should review 45 CFR § 164.512(e) before responding to the order, warrant, subpoena or request.
- Workers Compensation. Practice personnel may disclose information to parties in a workers compensation case to the extent such information is relevant to the injuries at issue in the case. (See 45 CFR § 164.512(l)).
- Police, Regulators, and Other Government Officials. Practice personnel may disclose information to the police or other government officials if certain conditions are satisfied. Practice personnel should immediately contact the Privacy Officer if they receive requests from government officials. The Privacy Officer should review 45 CFR § 164.512(b), (c)-(g), (k) before responding to such requests to ensure compliance with the regulations.
- Client/Patient Satisfaction Surveys. Practice personnel may conduct client/patient satisfaction surveys to understand how services can be improved for patients and their families or friends. For example: A client or patient may receive a survey from a patient satisfaction research organization, asking for comment on the services provided.
- Client/Patient E-mail and Phone Number Use. If you choose to provide us with your e-mail address or phone number to receive text messages, we will assume that you permit us to use your e-mail and/or phone number to communicate with you. You should understand that there are certain risks associated with the use of e-mail over an unsecure network. For example, there is some risk that it could be intercepted or misdirected and seen by others, or stored on portable electronic devices that have no security. Please notify us if you do not want us to use e-mail or texts to communicate with you. Additionally, you should understand that use of e-mail or text is not intended to be a substitute for professional medical advice, diagnosis or treatment. E-mail or text communications should never be used in a medical emergency; instead, you should contact your provider directly.
- Written Authorization. Unless one of the foregoing exceptions applies, Practice personnel must generally obtain written authorization from the patient or personal representative before using or disclosing protected health information. A written authorization is required for most uses or disclosures of psychotherapy notes. The authorization may not be combined with any other document. The written authorization must contain the elements required by 45 CFR § 164.508(c) to be valid. Practice personnel should normally use Practice’s approved HIPAA authorization form. Practice personnel must retain a copy of the authorization. If the authorization is requested by someone other than the patient or the patient’s personal representative, the Practice must also give the patient or personal representative a copy of the authorization. (See 45 CFR § 164.508).
- Minimum Necessary Standard. Where the use or disclosure of information is permitted, Practice personnel shall make reasonable efforts to limit the use and disclosure of protected health information to the minimum necessary to accomplish the purpose for the use or disclosure. This standard does not apply to uses or disclosures for purposes of treating the patient. (See 45 CFR §§ 164.502(b) and 164.514(d)).
- Routine Disclosure of Protected Health Information. The “minimum necessary standard” does not apply to disclosures to other health care providers for purposes of treating the patient. The minimum necessary standard generally applies to all other routine disclosures of information, including disclosures to third party payors to secure payment; disclosures to business associates; etc. Practice personnel should not request the disclosure of the entire medical record unless they require the entire medical record for legitimate uses.
- Non-Routine Disclosures of Protected Health Information. All non-routine disclosures or requests for protected health information shall be reviewed by the Privacy Officer on a case-by-case basis, including but not limited to requests from law enforcement, government officials, per subpoenas, etc.
- Access to Protected Health Information. Practice personnel should only access protected health information if and to the extent necessary to perform their particular assigned job duties, as described below:
- Practice managers and owners shall have access to any information as reasonably necessary to facilitate the effective and efficient operations of Practice.
- Practitioners and other clinical personnel shall have access to any protected health information relevant to patients being treated by the practitioner or clinical personnel.
- Billing personnel shall have access to any protected health information necessary to allow such personnel to bill for services rendered by the Practice, including financial information. Billing personnel should not normally access patients’ medical records unless and to the extent necessary to properly bill for the service rendered.
- Administrative personnel (e.g., receptionists, assistants, etc.) shall have access to only the protected health information that is reasonably necessary to allow the administrative personnel to fulfill their duties on behalf of Practice. Administrative personnel should not normally access patients’ medical records unless and to the extent necessary to allow them to properly fulfill their administrative duties.
- Business associates of the Practice who assist Practice with administration, treatment, payment, and operations of the Practice shall have access to protected health information that is reasonably necessary to allow the business associate to fulfill their duties on behalf of Practice. Practice must have a “business associate agreement” with business associates before the business associate may access protected health information as described below. Business associates’ access shall be conditioned on and subject to the business associate agreement and the HIPAA privacy and security rules.
Unauthorized access to information outside the scope of a person’s duties will subject Practice personnel to appropriate sanctions as provided below. (See 45 CFR § 164.514(d)).
- Verification. If Practice personnel do not personally know the entity to whom a disclosure is to be made, Practice personnel shall take reasonable steps to verify the identity and authority of the entity before making the disclosure. (See 45 CFR § 164.514(f)). Reasonable steps may include asking for identification or asking questions that only the authorized person would know (e.g., patient’s birthdate, social security number, etc.).
- Notice of Privacy Practices. As its name suggests, the Notice of Privacy Practices summarizes our privacy responsibilities and patients’ rights. Practice shall post a copy of its Notice in its reception area and on its website. Practice personnel are responsible for knowing and complying with the Notice. (See 45 CFR § 164.520).
- Copy to Patient. Practice personnel shall provide a copy of Practice’s current Notice of Privacy Practices to the patient or personal representative no later than the first date of treatment. Practice personnel shall take reasonable action to obtain the patient’s or personal representative’s written acknowledgment that they have received a copy of the Notice. If the patient will not sign the acknowledgment, Practice personnel shall document the circumstance in the patient’s record.
- Changes. The Privacy Officer shall be responsible for updating the Notice of Privacy Practices to conform to changes in Practice’s privacy practices or changes in the law. Changes in the Notice shall apply retroactively.
- Accounting of Disclosures. Practice personnel shall maintain an accounting log documenting disclosures that are made of protected health information excluding disclosures for purposes of treatment, payment or health care operations; disclosures to the patient or personal representative; disclosures to family members or others involved in the care or payment for care; or disclosures pursuant to a written authorization. The accounting shall be maintained on a log approved by the Privacy Officer, and shall include the date of the disclosure; name of the entity to whom disclosure is made; description of the information disclosed; and the purpose of the disclosure. The accounting log must be made available to the patient or personal representative if requested as described below. (See 45 CFR § 164.528).
- Idaho Health Data Exchange (IHDE). The IHDE shall have access to any protected health information for the purposes of sharing that information with other participating healthcare providers involved in your care through the IHDE. If you do not want to have your healthcare information shared with other medical providers involved in your care, you can opt out of participating. To opt out, you must complete and sign the IHDE “Request to Restrict Disclosure of Health Information” form and mail or fax it to IHDE. You will receive a letter of confirmation upon completion of your request. This will restrict your information being released through the exchange only. The IHDE form is available at the front desk of any of our clinics.
- Business Associates. Practice personnel may disclose protected health information to Practice’s business associates for purposes of treatment, payment or health care operations if Practice has a valid agreement with the business associate that complies with the requirements in 45 CFR §164.504(e). Practice personnel shall notify the Privacy Officer when they engage a business associate to provide services involving protected health information. The Privacy Officer shall ensure valid business associate agreements are in place. If Practice personnel discover that a business associate is failing to comply with HIPAA privacy rules, they shall immediately notify the Privacy Officer. The business associate agreement shall set forth more fully Practice’s rights and obligations with regard to business associates. (See 45 CFR §§ 164.502(e) and 164.504(e)).
- Patients’ Rights Concerning Their Protected Health Information. Patients or their authorized personal representative shall have the rights set forth in the Notice of Privacy Practices concerning their protected health information as set forth below. To exercise these rights, the patient or personal representative should submit a written request to the Privacy Officer.
- Review and Obtain Copies of Records. The patient or personal representative may inspect and obtain a copy of protected health information that Practice may use to make decisions about the patient’s care or payment for the care (e.g., medical records and patient bills, but not psychotherapy notes, internal reviews, etc.). The Practice generally has 30 days to respond to a request. The Practice may charge a reasonable cost-based fee for providing the records. The Practice may deny the request under limited circumstances, e.g., if the patient seeks psychotherapy notes; information prepared for legal proceedings; or if disclosure may result in substantial harm to the patient or others. If the practice denies the request, it will advise the patient of the basis for the denial in writing. Practice personnel should discuss the scope of any request with the patient to ensure that the requested records are properly identified. (See 45 CFR § 164.524).
- Amend Health Records. The patient or personal representative may request that the patient’s protected health information be amended. The patient or personal representative must provide a written explanation for the request. The Privacy Officer is responsible for reviewing and coordinating any response to a request for amendment. The Practice generally has 60 days to respond to a request. The Practice may deny the request if it did not create the record unless the originator is no longer available; if the patient did not have a right to access the record; or if the Practice determines that the record is accurate and complete. If the Practice denies the request, the Privacy Officer will notify the patient or personal representative of the basis for the denial in writing. The patient or personal representative has the right to submit a statement disagreeing with the Practice’s decision and to have the statement attached to the record. Any amendment to the record becomes a part of the record. If other providers may have relied on an incorrect record, the Practice must notify them of the amendment. (See 45 CFR § 164.526).
- Request Restrictions on Use or Disclosure of Information. Patients or personal representatives have the right to request restrictions on the use or disclosure of protected health information for purposes of treatment, payment or health care operations; however, the Practice is not required to agree to such restrictions. The Practice generally does not agree to such restrictions. Only the Privacy Officer may agree to such additional uses or disclosures. If the Practice agrees to such a restriction, it will comply with the restriction unless an emergency or the law prevents the Practice from complying with the restriction, or until the restriction is terminated. (See 45 CFR § 164.522(a)).
- Communicate By Alternative Means. To ensure privacy, patients or personal representatives may request that the Practice communicate with them by alternative means (e.g., by e-mail, by phone, by sealed envelope without a return address, etc.) or at alternative locations (e.g., send all information to work). Practice personnel may not ask the patient to explain the reason for the request. The practice will accommodate reasonable requests. (See 45 CFR § 164.522(b)).
- Account for Certain Disclosures. The patient or personal representative may receive an accounting of certain disclosures by the Practice of the patient’s information. Such disclosures are tracked in the Accounting Log described in the Accounting of Disclosures section, above. The Practice generally has 60 days to respond to the request. The patient or personal representative may receive the first accounting within a 12-month period free of charge; after that, the Practice may charge a reasonable cost-based fee for all subsequent requests during that 12-month period. (See 45 CFR § 164.528).
The limits and process for exercising and responding to a patient’s or personal representative’s exercise of rights are more fully described in the HIPAA privacy rules, 45 CFR § 164.522 et seq. Practice personnel should consult with the Privacy Officer in responding to a patient’s request.
- Training Employees. The Privacy Officer shall train persons who are members of the Practice’s workforce concerning their obligations to maintain the confidentiality of protected health information consistent with these policies. New employees shall be trained within a reasonable time after they undertake responsibilities on behalf of the Practice. The training shall be documented. (See 45 CFR § 164.530(b)).
- Safeguards and Security. Consistent with the requirements of the HIPAA privacy and security rules, Practice personnel shall use reasonable physical, technical and administrative safeguards to protect patients’ protected health information. (See 45 CFR §§ 164.301 et seq. and 164.530(c)). For example:
- Practice personnel should avoid leaving patient records or other information in open areas where unauthorized persons may see or access the information.
- Practice personnel should avoid discussing patient information in areas where others may overhear.
- Practice personnel should take reasonable steps to ensure that letters, faxes, e-mails, and other communications are sent to and received by the correct party, e.g., by confirming or checking the applicable number or address.
- Practice personnel should secure computers, PDAs, and patient records, and avoid creating situations in which unauthorized persons would be able to access computers, records, etc.
- Practice may require employees, janitors, vendors, volunteers and others to execute confidentiality agreements.
Notwithstanding the foregoing, Practice personnel are only required to utilize safeguards that are reasonable under the circumstances. Practice personnel should use reasonable judgment to ensure that privacy concerns do not interfere with effective patient care.
- Reporting Complaints. Practice personnel shall immediately report suspected privacy violations to the Privacy Officer. In addition, patients and others may report suspected privacy violations or complaints to the Privacy Officer. The Privacy Officer shall promptly investigate and respond to any alleged violation or complaint. Complaints shall be documented and maintained by the Privacy Officer. (See 45 CFR § 164.530(d)).
- Mitigation. Practice personnel shall immediately take appropriate steps to mitigate any improper disclosure, e.g., obtain the return of misdirected information; confirm that improperly disclosed information will not be further disclosed; etc. The Privacy Officer shall coordinate such efforts. (See 45 CFR § 164.530(f)).
- Correction of Violation. The Privacy Officer shall immediately take appropriate action to correct any violation of this policy, the HIPAA privacy and security rules, or patient privacy. Such action shall be taken and documented within 30 days to avoid penalties under the HIPAA privacy rules.
- Notice of Privacy Breaches to Patient and HHS. Practice may be required to notify the patient, HHS, and in some cases, local media if protected health information is disclosed in violation of the HIPAA privacy rules and poses a significant risk of financial, reputational, or other harm to the patient. (See 45 CFR § 164.401 et seq.). Practice’s obligation to give notice is set forth in Policy No. ____________, Privacy Breach Notification Policy.
- Sanctions for Violation. Practice personnel who violate the provisions of these policies or applicable law shall be subject to discipline as the circumstances warrant, which may include but is not limited to termination of employment. The Privacy Officer shall document sanctions imposed upon Practice personnel in personnel files. (See 45 CFR § 164.530(e)).
- Non-Retaliation. Practice personnel shall not intimidate or retaliate against any other Practice personnel or patient for exercising any of their rights granted by law. Practice personnel shall not require a waiver of rights as a condition of treatment or payment. (See 45 CFR § 164.530(g)).
- Documentation. The Privacy Officer shall maintain copies of documents required by these policies and the HIPAA privacy and security rules for a period of six years from the later of when the document was created or the last effective date of the document. Such documents include, but are not limited to, these policies; authorizations for disclosure; the Notice of Privacy Practices; designation of Privacy and Security Officers; business associate contracts; privacy complaints; employee training; employee sanctions; etc. Such documentation may be maintained in electronic form. (See 45 CFR § 164.530(i)).
- Questions. Any questions or concerns about this policy should be directed to the Privacy Officer.
NONDISCRIMINATION AND ACCESSIBILITY REQUIREMENTS.
Seasons Medical complies with applicable Federal civil rights laws and does not discriminate on the basis of race, color, national origin, age, disability, or sex. Seasons Medical does not exclude people or treat them differently because of race, color, national origin, age, disability, or sex.
Seasons Medical:
- Provides free aids and services to people with disabilities to communicate effectively with us, such as:
- Qualified sign language interpreters.
- Written information in other formats (large print, audio, accessible electronic formats, other formats).
- Provides free language services to people whose primary language is not English such as:
- Qualified interpreters.
- Information written in other languages.
If you need these services, contact Jen Harris.
If you believe that Seasons Medical has failed to provide these services or discriminated in another way on the basis of race, color, national origin, age, disability, or sex, you can file a grievance with: Jen Harris, 37th South 2nd East Rexburg, ID 83401, (phone) 208-356-0234, (fax) 208-656-8877, firstname.lastname@example.org. You can file a grievance in person or by mail, fax, or email. If you need help filing a grievance, Jen Harris is available to help you.
You can also file a civil rights complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, electronically through the Office for Civil Rights Complaint Portal, available at https://ocrportal.hhs.gov/ocr/portal/lobby.jsf, or by mail or phone at: U.S. Department of Health and Human Services, 200 Independence Avenue, SW, Room 509F, HHH Building, Washington, D.C. 20201; 1-800-368-1019; 800-537-7697 (TDD). Complaint forms are available at http://www.hhs.gov/ocr/office/file/index.html.
Information about nondiscrimination and accessibility requirements can be read in 15 different languages by visiting: http://www.hhs.gov/civil-rights/for-individuals/section-1557/translated-resources/
At the very least, know that language assistance services, free of charge, are available to you. Please call us at (208) 356-0234.
Spanish: ATENCIÓN: si habla español, tiene a su disposición servicios gratuitos de asistencia lingüística. Llame al (1-208-356-0234)
Chinese: 注意：如果您使用繁體中文，您可以免費獲得語言援助服務。請致電 (1-208-356-0234)
Serbo-Croatian: OBAVJEŠTENJE: Ako govorite srpsko-hrvatski, usluge jezičke pomoći dostupne su vam besplatno. Nazovite (1-208-356-0234)
Korean: 주의: 한국어를 사용하시는 경우, 언어 지원 서비스를 무료로 이용하실 수 있습니다 (1-208-356-0234) 번으로 전화해 주십시오.
Nepali: ध्यान दिनुहोस्: तपार्इंले नेपाली बोल्नुहुन्छ भने तपार्इंको निम्ति भाषा सहायता सेवाहरू निःशुल्क रूपमा उपलब्ध छ । फोन गर्नुहोस् (1-208-356-0234)
Vietnamese: CHÚ Ý: Nếu bạn nói Tiếng Việt, có các dịch vụ hỗ trợ ngôn ngữ miễn phí dành cho bạn. Gọi số (1-208-356-0234)
Arabic: تنبيه: إذا كنت تتكلم العربية، وخدمات المساعدة اللغوية، مجانا، تتوفر لك. دعوة 1-208-356-0234.
German: ACHTUNG: Wenn Sie Deutsch sprechen, stehen Ihnen kostenlos sprachliche Hilfsdienstleistungen zur Verfügung. Rufnummer: (1-208-356-0234)
Tagalog: PAUNAWA: Kung nagsasalita ka ng Tagalog, maaari kang gumamit ng mga serbisyo ng tulong sa wika nang walang bayad. Tumawag sa (1-208-356-0234)
Russian: ВНИМАНИЕ: Если вы говорите на русском языке, то вам доступны бесплатные услуги перевода. Звоните (1-208-356-0234)
French: ATTENTION : Si vous parlez français, des services d’aide linguistique vous sont proposés gratuitement. Appelez le (1-208-356-0234)
Romanian: ATENȚIE: Dacă vorbiți limba română, vă stau la dispoziție servicii de asistență lingvistică, gratuit. Sunați la (1-208-356-0234)
Bantu (Swahili): KUMBUKA: Ikiwa unazungumza Kiswahili, unaweza kupata, huduma za lugha, bila malipo. Piga simu (1-208-356-0234)
Persian (Farsi): توجه: اگر به زبان فارسی گفتگو می کنید، تسهیلات زبانی بصورت رایگان برای شما فراهم می باشد. با 1–208-356-0234 تماس بگیرید.
REFERENCES
HIPAA Privacy Rules, 45 CFR § 164.501 et seq.
HIPAA Breach Notification Rules, 45 CFR § 164.401 et seq.
HIPAA Security Rules, 45 CFR § 164.301 et seq.
Idaho Code § 39-4504 (identifying “personal representatives” under Idaho law)
RELATED DOCUMENTS AND POLICIES
HIPAA Security Policy
Privacy Breach Notification Policy
Notice of Privacy Practices
Accounting of Disclosure Log
Sample Business Associate Agreement
Sample Authorization for Disclosure of Protected Health Information
Last Modified June 12, 2017