Privacy Policy
Introduction
SAW LLC
1 Oak Branch Dr
Brookfield, CT 06804
Health Insurance Portability and Accountability Act of 1996
Including
HIPAA Privacy and Security Policies and Procedures HITECH Act
Omnibus Rule of 2013
These procedures are not a substitute for engaging the assistance from legal, accounting, or other professional services. This information is advisory only. Final interpretation is the responsibility of the regulatory or accrediting body administering the standard or regulation referenced.
Disclaimer
Important Note: All references to “SAW LLC” or the “organization” in this Manual refer to SAW LLC and/or its affiliates, as applicable.
This Manual is a “living document” that SAW LLC may update and revise periodically and unilaterally. This Manual, and the material contained therein, are not intended and should not be construed as creating an implied or express contract of employment, or any other contractual relationship. Unless otherwise stated or predicated on agreements, representations, or documents separate and distinct from this Manual, your employment with SAW LLC is “at will” and either you or SAW LLC may terminate the employment relationship at any time with or without cause. No representative of SAW LLC has the authority to make a commitment of guaranteed or continuing employment to you unless it is in writing and signed by the President of SAW LLC. This Manual does not give legal advice. This Manual does not create an attorney-client relationship between you and any Total Compliance Solutions employee, member, staff, affiliate or consultant, and you should not act or rely on any information or material without seeking the advice of a qualified attorney. This Manual has been tailored to your particular circumstances. Ongoing assessment and education are integral parts of an effective compliance program under the guidelines promulgated by the Office of Inspector General of the Department of Health and Human Services. The failure to implement any element of this compliance program (such as training and education) may undermine the design and effectiveness of the program. As you implement and administer your compliance program going forward, Total Compliance Solutions strongly recommends that you consult with qualified compliance professionals and attorneys if you have any questions or need any assistance.
These materials are intended for general informational purposes only, may not have been updated to reflect the most recent developments in this area, and are not intended to be relied upon for any specific purpose or action. The information contained in these materials does not constitute and is not intended to be legal advice and should not be so interpreted. If you have questions regarding a specific situation or are seeking legal advice, you should consult an attorney licensed in the appropriate jurisdiction.
Total Compliance Solutions makes no representations or warranties whatsoever regarding the accuracy of these materials, which have been prepared and/or published by third parties other than Total Compliance Solutions. To the extent these materials provide information received from or opinions provided by third parties, the provision of these materials by Total Compliance Solutions does not constitute an endorsement by Total Compliance Solutions. Total Compliance Solutions specifically disclaims any responsibility for the accuracy of these materials or any such opinions or views.
PRIVACY POLICIES AND PROCEDURES
INTRODUCTION TO THE HIPAA PRIVACY STANDARDS
The privacy provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) apply to all protected health information (PHI) created or maintained by the practice. Under the HIPAA law, the Department of Health and Human Services (HHS) is responsible for issuing the final privacy rules. The final HIPAA Omnibus Rule was released on January 17, 2013, and became effective on March 26, 2013, with September 23, 2013 as the compliance deadline. All providers must be in compliance with the new rules by September 23, 2013. The Office for Civil Rights (OCR) is the federal entity responsible for administering and enforcing the privacy rules.
The privacy rules are designed to provide basic, federal protections for an individual’s protected health information. Each state has existing privacy laws that may still apply and with which the practice may already be complying. State laws are included within this manual as an addendum.
Following are the policies and procedures required under the HIPAA Privacy Rule that define the practice’s basic privacy practices.
HIPAA POLICIES AND PROCEDURES IMPLEMENTATION PLAN
- Review the findings from the on-site survey/Security Risk Analysis and rectify deficiencies
- Each policy will have some or all of the following sections:
- Approval Date – should be completed by the Privacy Officer/Security Official;
- Approved By – should be completed by the Privacy Officer/Security Official;
- Definitions – provides definitions of certain words used in the policy (note: there is a master “Definition” section of terms);
- Policy – details the specific requirements under the law;
- Procedure – provides a general outline of how the policy can be implemented;
- Place the updated Notice of Privacy Practices in the waiting room(s), at patient intake areas, and on the practice website (if applicable).
- The entire HIPAA policy and procedure manual should be reviewed. Note: don’t just routinely adopt policies without checking. If the practice is ever audited by a governmental agency, they will expect you to be following your own written policies.
- Consider adopting the Facsimile Cover sheet provided, or replace with the practice’s cover
- Adopt the patient consent for use of e-mail if the practice is allowing communications with patients via e-mail.
- Review and implement the authorization form for use and disclosure of PHI. This is a legally valid form and should be the one the practice uses for releases of
- Implement a process for requests to disclose immunization records to schools as required by
- Consider implementing the Patient Record Request Form to include the provision of electronic
- Implement Business Associate Agreements with all identified business (See the Business Associates and Agreements section of the HIPAA manual for additional information.)
- Ensure that business associates are entering into written contracts with their sub-contractors, who now must have HIPAA-compliant policies and
- Complete the “Employee Access to Protected Health Information Grid.” This is required under the HIPAA rule.
- Consider putting the “Employee Sanctions” policy into the employee Be sure all new employees receive a copy at the start of employment.
- Consider adopting the Exit Interview We also recommend asking staff to complete these during their annual performance appraisal and/or using the questions as an agenda for an annual staff meeting.
- Make sure that all staff, including providers and governing bodies, receive training on the practice’s privacy/security policies. This must be documented and kept on file. All new staff should receive this training at the beginning of employment.
- Obtain signatures on the confidentiality agreements for staff and vendors who have access to protected health information, but who are not business
- Make sure the Notice of Privacy Practices is posted in the location you have The notice must have an effective date, so don’t forget to include one. Implement a process of collecting patient signatures if the practice is a direct care provider. Make sure it is available on the practice website, if applicable. Read this document carefully and make sure that all uses and disclosures of PHI are covered in this document and that all information is correct. If a change is made to this once it is posted, change the effective date and provide new copies in the designated location and to patients. Keep old copies on file for six years.
- Make sure processes for patients to get access to and copies of their PHI have been
- Make sure processes have been implemented for accounting for uses and disclosures of PHI (except for uses and disclosures in treatment, payment, and operations). If you cannot log this information in a common field in an information system, use the model log
- Make sure processes have been implemented for processing requests for amendment to Model letters are provided, should you choose to use them.
- Make copies of all the request forms for the five patient rights. They can be found in the Model Documents section of the HIPAA Privacy A request form is provided for each of the five rights. They should be used with patients to document the request for the right.
- Make sure there is a process in place to communicate restrictions on use and disclosure and confidential communications to staff members who process releases of Model letters for patient requests are included.
- Review the transcription policy to ensure it is consistent with the practice’s current protocols if transcription is
- Complete the hardware inventory log to ensure that you have a complete list of IT and telecommunications hardware, as required under the HIPAA This equipment stores PHI and should be tracked to ensure that it is accounted for at all times.
- Review the Breach Notification section of the manual for information from the HIPAA Omnibus Rule of
- It is recommended that you have all staff review these policies and They should be familiar with the contents of the manual and where to find information when needed.
DEFINITIONS
The HIPAA Privacy Rule includes several definitions that are important to understand in order to interpret the rule and its application to the practice. Under § 164.501, the definitions are as follows:
Business Associate:
- Except as provided in paragraph (4) of this definition, business associate means, with respect to a covered entity, a person who:
- On behalf of such covered entity or of an organized health care arrangement (as defined in this section) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing; or
- Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.
- A covered entity may be a business associate of another covered
- Business associate includes:
- A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health (Courier services such as the U.S. Postal Service or United Parcel Service and their electronic equivalents, such as internet service providers (ISPs) providing data transmission services are excluded. A conduit transports information in digital or hard copy form, but does not access it other than on a random or infrequent basis, as necessary to perform the transportation service or as required by other law. Example: a telecommunications company having random, occasional access to PHI when reviewing whether data transmitted over its network is arriving at its destination.)
- A person that offers a personal health record to one or more individuals on behalf of a covered (Personal health record vendors are only considered business associates of the covered entity if they are providing the records on behalf of the covered entity. If an individual has authorized that a personal health record vendor receive their records, the vendor does not automatically become a business associate.)
- A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business
- Business associate does not include:
- A health care provider, with respect to disclosures by a covered entity to the health care provider concerning the treatment of the
- A plan sponsor, with respect to disclosures by a group health plan (or by a health insurance issuer or HMO with respect to a group health plan) to the plan sponsor, to the extent that the requirements of 164.504(f) of this subchapter apply and are met.
- A government agency, with respect to determining eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency, or collecting protected health information for such purposes, to the extent such activities are authorized by
- A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement by virtue of such activities or
Correctional institution
Correctional institution means any penal or correctional facility, jail, reformatory, detention center, work farm, halfway house, or residential community program center operated by, or under contract to, the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, for the confinement or rehabilitation of persons charged with or convicted of a criminal offense or other persons held in lawful custody. Other persons held in lawful custody includes juvenile offenders adjudicated delinquent, aliens detained awaiting deportation, persons committed to mental institutions through the criminal justice system, witnesses, or others awaiting charges or trial.
Covered entity
Covered entity means:
- A health plan,
- A health care clearinghouse, or
- A health care provider who transmits any health information in electronic form in connection with a transaction
Data aggregation
Data aggregation means, with respect to protected health information created or received by a business associate in its capacity as the business associate of a covered entity, the combining of such protected health information by the business associate with the protected health information received by the business associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities.
Designated record set
Designated record set means:
- A group of records maintained by or for a covered entity that is:
- The medical records and billing records about individuals maintained by or for a covered health care provider;
- The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
- Used, in whole or in part, by or for the covered entity to make decisions about
- For purposes of this paragraph, the term record means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered
Direct treatment relationship means a treatment relationship between an individual and a health care provider that is not an indirect treatment relationship.
Disclosure means the release, transfer, provision of, access to, or divulging in any other manner, of information outside the entity holding the information.
Family member means, with respect to an individual:
- A dependent (as such term is defined in 45 CFR 103), of the individual; or
- Any other person who is a first degree, second-degree, third-degree, or fourth-degree relative of the individual or of a dependent of the
- Relatives by affinity (such as by marriage or adoption) are treated the same as relatives by consanguinity (that is, relatives who share a common biological ancestor). In determining the degree of the relationship, relatives by less than full consanguinity (such as half-siblings, who share only one parent) are treated the same as relatives by full consanguinity (such as siblings who share both parents).
- First-degree relatives include parents, spouses, siblings, and
- Second-degree relatives include grandparents, grandchildren, aunts, uncles, nephews, and
- Third-degree relatives include great-grandparents, great-grandchildren, great aunts, great uncles, and first
- Fourth-degree relatives include great-great grandparents, great-great grandchildren, and children of first
Health care operations means any of the following activities of the covered entity to the extent that the activities are related to covered functions:
- Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; patient safety activities (as defined in 42 CFR 3.20); population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;
- Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;
- Except as prohibited under 164.502(a)(5)(i), underwriting, enrollment, premium rating, and other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance), provided that the requirements of § 164.514(g) are met, if applicable;
- Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;
- Business planning and development, such as conducting cost-management and planning related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and
- Business management and general administrative activities of the entity, including, but not limited to:
- Management activities relating to implementation of and compliance with the requirements of this subchapter;
- Customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that protected health information is not disclosed to such policy holder, plan sponsor, or
- Resolution of internal grievances;
- The sale, transfer, merger, or consolidation of all or part of the covered entity with another covered entity, or an entity that following such activity will become a covered entity, and due diligence related to such activity; and
- Consistent with the applicable requirements of 164.514, creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity.
Health oversight agency means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.
Indirect treatment relationship means a relationship between an individual and a health care provider in which:
- The health care provider delivers health care to the individual based on the orders of another health care provider; and
- The health care provider typically provides services or products, or reports the diagnosis or results associated with the health care, directly to another health care provider, who provides the services or products or reports to the
Inmate means a person incarcerated in or otherwise confined to a correctional institution.
Marketing:
- Except as provided in paragraph (2) of this definition, marketing means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.
- Marketing does not include a communication made:
- To provide refill reminders or otherwise communicate about a drug or biologic that is currently being prescribed for the individual, only if any financial remuneration received by the covered entity in exchange for making the communication is reasonably related to the covered entity’s cost of making the
- For the following treatment and health care operations purposes, except where the covered entity receives financial remuneration in exchange for making the communication:
- For treatment of an individual by a health care provider, including case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual;
- To describe a health related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about: the entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits; or
- For case management or care coordination, contacting of individuals with information about treatment alternatives, and related functions to the extent these activities do not fall within the definition of
Financial remuneration means direct or indirect payment from or on behalf of a third party whose product or service is being described. Direct or indirect payment does not include any payment for treatment of an individual.
Payment means:
- The activities undertaken by:
- Except as prohibited under 164.502(a)(5)(i), a health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or
- A health care provider or health plan to obtain or provide reimbursement for the provision of health care; and
- The activities in paragraph (1) of this definition relate to the individual to whom health care is provided and include, but are not limited to:
- Determinations of eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims;
- Risk adjusting amounts due based on enrollee health status and demographic characteristics;
- Billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess of loss insurance), and related health care data processing;
- Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;
- Utilization review activities, including precertification and preauthorization of services, concurrent and retrospective review of services; and
- Disclosure to consumer reporting agencies of any of the following protected health information relating to collection of premiums or reimbursement:
- Name and address;
- Date of birth;
- Social security number;
- Payment history;
- Account number; and
- Name and address of the health care provider and/or health
Protected Health Information (“PHI”)
Protected Health Information (“PHI”) means information that is created, received, maintained, accessed, and/or transmitted by a covered entity and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual or for which there is a reasonable basis to believe the information can be used to identify the individual. PHI includes information of persons living or deceased.
Psychotherapy notes
Psychotherapy notes means notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record. Psychotherapy notes excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.
Public health authority
Public health authority means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.
Research means a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.
Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.
Workforce member means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity. The term also includes the employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a business associate, is under the direct control of the business associate.
USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION
USES AND DISCLOSURES OF PATIENT INFORMATION POLICY
SCOPE OF POLICY
This policy applies to all SAW LLC staff members. SAW LLC “staff members” includes all employees, volunteers, vendors, and subcontractors.
PURPOSE
SAW LLC must establish policies and procedures that all staff are expected to adhere to when using or disclosing patient health information. SAW LLC personnel are required to maintain the confidentiality of patient information in accordance with the regulations promulgated by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”).
PROTECTED HEALTH INFORMATION
HIPAA and HITECH impose restrictions on the use and disclosure of protected health information (“PHI”). PHI is defined as information that is created or received by a health care organization. PHI can be written or oral; it can be recorded on paper, on a computer, or on removable or other media. PHI includes information that is individually identifiable, such as name, address, telephone number, medical insurance number and social security number. PHI relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.
USES AND DISCLOSURES OF PHI FOR PURPOSES OTHER THAN TREATMENT, PAYMENT OR HEALTH CARE OPERATIONS
SAW LLC will only use or disclose PHI for purposes of treatment, payment or health care operations, and the following:
- SAW LLC may disclose PHI to the
- SAW LLC may disclose PHI to a patient’s personal (i.e. a person with legal authority to make health care decisions on behalf of the patient; e.g. an executor or administrator of the patient’s estate or other person who has legal authority to act on behalf of the patient or the patient’s estate, a court appointed guardian, or an individual granted health care power of attorney), in accordance with proper legal documentation (e.g. certificate of appointment, guardianship documentation, power of attorney), and to a deceased person’s family provided SAW LLC had not obtained an objection to sharing his or her PHI from the deceased prior to death, and the PHI disclosed pertains to the individual’s involvement in the deceased’s care or payment for services
- SAW LLC may disclose PHI relating to a patient’s proof of immunization if required by State or other law for school admittance with documented authorization. A written request is not necessary, as an oral request is acceptable, but a model Patient Request Form is included in the following pages for your
- SAW LLC may use and disclose PHI pursuant to a valid HIPAA
- SAW LLC may disclose PHI to a business associate, vendor, or subcontractor in accordance with an applicable Business Associate Agreement.
- SAW LLC may disclose PHI to a public or private entity authorized by law or by its obligation to assist in disaster relief
- SAW LLC may disclose PHI to the Department of Health and Human Services or the State Department of Health for compliance reviews and investigations, as required by
- SAW LLC may use or disclose PHI for legal, employment and regulatory purposes in accordance with SAW LLC’s policies for such
- SAW LLC may disclose PHI to the FDA for purposes related to a product approved by the FDA for product recalls, tracking of products or incident reporting.
- SAW LLC may use or disclose PHI if SAW LLC has entered into a data use agreement with a recipient that meets the requirements of HIPAA
- SAW LLC may use or disclose PHI as is permitted or required by federal
SAW LLC must comply with the requirements of HIPAA with respect to the PHI of a deceased individual for a period of 50 years following the death of the individual.
SAW LLC must agree to a patient’s restriction on the disclosure of a patient’s PHI to the patient’s health plan if the disclosure is for the purpose of carrying out payment or health care operations, is not otherwise required by law, and the patient has paid SAW LLC in full for health care services provided.
SPECIFIC AUTHORIZATIONS AND RESTRICTIONS ON USES AND DISCLOSURES OF PHI
Specific authorizations are required for the use and/or disclosure of the following:
- Psychotherapy notes;
- HIV-related information;
- Alcohol and/or substance abuse records;
- Sexually transmitted diseases;
- Mental health records;
- Genetic information;
- Research;
- Marketing involving direct or indirect remuneration to SAW LLC for the PHI;
- Fundraising activities, unless the use or disclosure is only the patient’s name, address, other contact information, age, gender, date of birth, dates of health care provided, department of service information, treating physician, outcome information, and/or health insurance status; and,
- Sale of PHI involving direct or indirect remuneration to SAW LLC for the
SAW LLC shall not use or disclose genetic information for underwriting purposes as defined in 45 C.F.R. § 164.502.
SAW LLC shall not sell PHI for direct or indirect remuneration from or on behalf of the recipient of the PHI in exchange for the PHI. This does not include the exchange of PHI:
- For public health purposes;
- For research purposes, if SAW LLC receives only a cost-based fee to prepare and transmit the patient information;
- For treatment or payment for treatment;
- For the sale, transfer, merger or consolidation of SAW LLC; and,
- To a business associate, if SAW LLC only receives remuneration for the performance of health care related
Uses and Disclosures of Protected Health Information Policies and Procedures
SAW LLC’s policy for communicating PHI with a patient’s family, friends, or others involved in the patient’s care is as follows:
N/A
Any questions concerning this policy should be directed to Viorica Timosca, the Privacy Officer or Viorica Timosca, the Security Officer.
AUTHORIZATION AND EXCEPTIONS FOR USES AND DISCLOSURES OF PHI
DEFINITIONS:
Disclosure means the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.
Financial Remuneration means direct or indirect payment from or on behalf of a third party whose product or service is being described. Direct or indirect payment does not include payment for treatment of an individual.
Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual that identifies the individual; and is created or received by a health care provider, health plan, employer, or health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
Law enforcement official is an officer or employee of any agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, who is empowered by law to investigate or conduct an official inquiry into a potential violation of law; or prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.
Use means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.
POLICY:
SAW LLC complies with the Health Insurance Portability and Accountability Act of 1996 and Department of Health and Human Services rules that are designed to preserve the privacy of identifiable patient information.
SAW LLC is permitted to use or disclose protected health information (“PHI”) if the disclosure is to the patient themselves; to a patient’s personal representative; to a deceased person’s personal representative or family, provided SAW LLC had not obtained an objection to sharing his or her PHI and the PHI disclosed pertains to the individual’s involvement in the deceased’s care or payment for services rendered; to a school, if the PHI disclosed is related to a patient’s proof of immunization required by state or other law for school admittance and the authorization to disclose such records is documented; pursuant to a valid HIPAA authorization form (see Authorization for Use and Disclosure of PHI form); to a business associate, vendor or subcontractor in accordance with an applicable Business Associate Agreement; to the Department of Health and Human Services or the State Department of Health for compliance reviews, investigations, or as otherwise required by law; and to a recipient with which SAW LLC has entered into a data use agreement that meets the requirements of HIPAA regulations.
SAW LLC must have authorization from individuals before using or disclosing protected health information (PHI) for a purpose not otherwise permitted or required by this rule. Specifically, except for psychotherapy notes, SAW LLC is not required to obtain the patient’s (or an individual acting as the patient’s legal representative) authorization to use or disclose PHI to carry out treatment, payment, and health care operations.
PHI may be used or disclosed to an authorized public or private disaster relief agency for the purpose of helping such entity notify a patient’s family member, personal representative, or another person responsible for the patient’s care, of the individual’s location, general condition, or death.
The HIPAA rule does not require SAW LLC to obtain the individual’s authorization for uses and disclosures of PHI that require an opportunity for the individual to agree or to object (e.g., hospital and facility patient directories and information for clergy), for uses and disclosures for which consent, an authorization, or an opportunity to agree or object is not required, for disclosures to the individual, or for required disclosures to the Secretary of the Department of Health and Human Services.
There is an exception to the above. If a health plan requests a PHI disclosure of a patient for purposes of carrying out payment or health care operations (not treatment), and the patient has paid for the health care item or service out-of-pocket in full, and the disclosure is not otherwise required by law, then SAW LLC may not disclose the PHI. However, the patient’s request for such restriction will only be applicable to that particular service. The patient will have to request a restriction for each service thereafter.
SAW LLC is bound to comply with statements provided on the authorization form. Uses or disclosures by SAW LLC for purposes not specified in the authorization are violations of the HIPAA law. SAW LLC must comply with the requirements of HIPAA with respect to the PHI of a deceased individual for a period of 50 years following the death of the individual.
Required Authorizations
Uses and disclosures for which the practice must have the individual’s authorization include, but are not limited to, the following activities:
- Marketing
- Genetic information
- Sale of PHI
- Employment determinations
- Conditioning the provision of care
- Fundraising
- Psychotherapy notes/mental health records
- Research (see regulations for specifics)
- HIV-related information
- Alcohol and/or substance abuse records
- Sexually transmitted diseases
Authorizations should not be construed to waive, directly or indirectly, any privilege granted under federal, state, or local laws or procedures. SAW LLC should consult State law regarding additional protections for sensitive health information such as HIV/AIDS treatment, alcohol and/or substance abuse records, sexually transmitted disease treatment, mental or behavioral health treatment, and genetic health information.
1. Marketing
SAW LLC must obtain an authorization for any use or disclosure of PHI for marketing, except for communications in the form of a face-to-face communication made by SAW LLC to the individual or a promotional gift of nominal value provided by SAW LLC. If the marketing involves direct or indirect financial remuneration to SAW LLC from a third party, the authorization must state that such remuneration is involved.
2. Genetic Information for Underwriting
SAW LLC cannot use or disclose PHI that is genetic information to a health plan for underwriting purposes. “Underwriting purpose” means, with respect to a health plan, rules for determination of eligibility for or determination of benefits under the plan, coverage or policy; the computation of premium or contribution amounts under the plan, coverage or policy; the application of any pre-existing condition exclusion under the plan, coverage or policy; and other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits. “Underwriting purposes” does not include determinations of medical appropriateness where an individual seeks a benefit under the plan, coverage or policy.
3. Sale of PHI
“Sale of PHI” means the disclosure of PHI by a covered entity, where the covered entity directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI. “Sale of PHI” does NOT include a disclosure of PHI for public health purposes; for research purposes where the only remuneration received by the covered entity is a reasonable cost-based fee to cover the cost to prepare and transmit the PHI for such purposes; for treatment and payment purposes; for the sale, transfer, merger or consolidation of all or part of SAW LLC and for related due diligence; to a business associate for activities that the business associate undertakes on behalf of a covered entity, and the only remuneration received by the covered entity is for the performance of such activities; to an individual as requested by such individual under 45 CFR § 164.524 or 164.528; as required by law; or for any other purpose permitted where the only remuneration received by SAW LLC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law.
SAW LLC must obtain an authorization for any disclosure of PHI which is a sale of PHI as defined here. The authorization must state that the disclosure will result in remuneration to SAW LLC.
4. Employment Determinations
SAW LLC must obtain the individual’s authorization to use or disclose PHI for employment determinations. For example, a covered health care provider must obtain the individual’s authorization to disclose the results of a pre-employment physical to the individual’s employer.
5. Conditioning the Provision of Care
SAW LLC may condition the provision of health care that is solely for the purpose of creating PHI for disclosure to a third party, on the provision of authorization for the disclosure of the information to the third party.
SAW LLC prohibits conditioning treatment or payment on the provision by the individual of an authorization, except when the authorization was requested in connection with a clinical trial. In the case of authorization for use or disclosure of psychotherapy notes or research information unrelated to treatment, SAW LLC prohibits conditioning treatment, payment, or enrollment in a health plan on obtaining such an authorization.
This prohibition is intended to prevent coercing individuals into signing an authorization for a use or disclosure that is not necessary to carry out the primary services that SAW LLC provides to the individual. For example, a health care provider could not refuse to treat an individual because the individual refused to authorize a disclosure to a pharmaceutical manufacturer for the purpose of marketing a new product.
Finally, when SAW LLC provides treatment for the sole purpose of providing information to a third party, the covered entity may condition the treatment on the receipt of an authorization to use or disclose PHI related to that treatment. For example, a covered health care provider may have a contract with an employer to provide fitness-for-duty exams to the employer’s employees. The provider may refuse to conduct the exam if an individual refuses to authorize the provider to disclose the results of the exam to the employer.
6. Fundraising
A patient’s authorization is not required when SAW LLC uses or discloses demographic information (name, address, other contact information, age, gender, date of birth) and information about the dates of health care provided to an individual, as well as the department of service information, treating physician, outcome information, and health insurance status, for the purpose of raising funds for its own benefit, nor when it discloses such information to an institutionally related foundation to raise funds for the covered entity.
However, SAW LLC must ensure that with each fundraising communication made, the patient has the opportunity to opt-out of receiving any further fundraising communications. The patient’s ability to opt-out should not cost the patient more than a nominal amount. SAW LLC must also provide the patient with the opportunity to opt back in to receive such communications if the patient should choose to do so.
Any use or disclosure for fundraising purposes that does not meet these requirements and does not fall within the definition of health care operations requires authorization. Specifically, SAW LLC must obtain the individual’s authorization to use or disclose PHI to raise funds for any entity other than SAW LLC. For example, SAW LLC must have the individual’s authorization to use PHI about the individual to solicit funds for a non-profit organization that engages in research, education, and awareness efforts about a particular disease.
7. Psychotherapy Notes
With a few exceptions, SAW LLC must obtain the individual’s authorization to use or disclose psychotherapy notes to carry out treatment, payment, or health care operations. SAW LLC must obtain the individual’s consent, but not an authorization, for the person who created the psychotherapy notes to use the notes to carry out treatment, and for the covered entity to use or disclose psychotherapy notes for conducting training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills in group, joint, family, or individual counseling. SAW LLC may also use psychotherapy notes to defend a legal action or other proceeding brought by the individual pursuant to consent, without a specific authorization.
An authorization is not required for use or disclosure of psychotherapy notes when required for enforcement purposes; when mandated by law; when needed for oversight of the health care provider who created the psychotherapy notes; when needed by a coroner or medical examiner; or when needed to avert a serious and imminent threat to health or safety.
8. Authorizations for Uses and Disclosures of PHI Created for Research that Includes Treatment of Individuals
SAW LLC is required to obtain an authorization for the use or disclosure of PHI that SAW LLC creates for the purpose of research that includes treatment of individuals.
The practice seeking authorization to use or disclose PHI created for the purpose of research that includes treatment of individuals, including clinical trials, must include in the authorization (in addition to the applicable elements required above) a description of the extent to which some or all of the protected health information created for the research will also be used or disclosed for purposes of treatment, payment, and health care operations.
Research that involves the delivery of treatment to participants sometimes relies on existing health information, such as to determine eligibility for the trial. SAW LLC may combine the research-related authorization with any other authorization for the use or disclosure of protected health information (other than psychotherapy notes), provided that SAW LLC does not condition the provision of treatment on the individual signing the authorization.
SAW LLC will almost always, if not always, condition the provision of research-related treatment on the individual signing an authorization for use or disclosure of PHI created for the research. Therefore, providers who wish to use or disclose PHI about an individual that will be created for research that includes treatment and wish to use existing PHI about that individual for the research that includes treatment, will be required to obtain two authorizations from the individual: (1) an authorization for the use and disclosure of protected health information to be created for the research that involves treatment of the individual, and (2) an authorization for the use of existing protected health information for the research that includes treatment of the individual.
1. Core Elements and Requirements of an Authorization
An authorization form must contain the following elements:
- A description of the information to be used or disclosed with sufficient specificity to allow the covered entity to know which information the authorization references;
- The name of the covered entity, or class of entities or persons, authorized to make the use or disclosure. If an authorization permits a class of the practice to disclose information to an authorized person, the class must be stated with sufficient specificity so that a covered entity presented with the authorization will know with reasonable certainty that the individual intended the covered entity to release protected health information;
- The name or types of recipient(s) of the information. The authorization must identify these persons with sufficient specificity to reasonably permit a covered entity responding to the authorization to identify the authorized user or recipient of the protected health information;
- An expiration date or expiration event. This expiration date or event must either be a specific date, a specific time period (e.g., one year from the date of signature), or an event directly relevant to the individual or the purpose of the use or disclosure (e.g., for the duration of the individual’s enrollment with the health plan that is authorized to make the use or disclosure). The expiration date or event is subject to otherwise applicable and more stringent law;
- The individual’s signature and date of signature;
- If signed by a representative, a description of the representative’s authority or relationship to the individual;
- A statement regarding the individual’s right to revoke the authorization. The authorization must include instructions on how the individual may revoke the authorization. For example, the person obtaining the authorization from the individual can include an address where the individual can send a written request for revocation;
- A statement that when the information is used or disclosed pursuant to the authorization, it may be subject to re-disclosure by the recipient and may no longer be protected by the HIPAA rule.
Authorization forms must be written in plain language.
Before SAW LLC can use or disclose protected health information of an individual pursuant to a request SAW LLC made, SAW LLC is required to obtain an authorization containing the minimum elements described above and the following additional elements:
- Except for authorizations requested for clinical trials, a statement that SAW LLC will not condition treatment or payment on the individual’s authorization;
- A description of the purpose of the requested use or disclosure. SAW LLC prohibits the use of broad or blanket authorizations requesting the use or disclosure of protected health information for a wide range of unspecified purposes;
- A statement that the individual may inspect or copy the information to be used or disclosed and may refuse to sign the authorization;
- If the use or disclosure of the requested information will result in financial gain to SAW LLC, a statement that such gain will result.
SAW LLC may request only the minimum amount of information necessary to accomplish the purpose for which the request was made. SAW LLC must provide the individual with a copy of the executed authorization.
In some instances, SAW LLC may be reluctant to undertake the effort to review the record and select portions relevant to the request (or redact portions not relevant). In such circumstances, SAW LLC may provide the entire record to the individual, who may then redact and release the more limited information to the requestor. This rule does not require a covered entity to disclose information pursuant to an individual’s authorization.
If SAW LLC seeks the individual’s written legal permission to obtain PHI about the individual from another covered entity for any purpose, it must obtain the individual’s authorization for the covered entity that maintains the PHI to make the disclosure. If the authorization is for the purpose of obtaining PHI for purposes other than treatment, payment, or health care operations, the authorization need only contain the core elements.
If the authorization, however, is for the purpose of obtaining PHI to carry out treatment, payment, or health care operations, the authorization must include the core requirements and also describe each purpose of the requested disclosure.
2. Valid and Defective Authorizations
An authorization must contain the required elements described above to be considered a valid authorization under the HIPAA law. A valid authorization may contain additional, non-required elements, provided that these elements are not inconsistent with the required elements. An authorization is not considered valid if:
- The expiration date or expiration event has passed (the expiration event must be related to the individual or the purpose of the use or disclosure);
- The form has not been filled out completely;
- The covered entity knew the authorization had been revoked;
- The completed form lacks a required element; or
- An employee of SAW LLC knows that the information on the authorization form is false.
Authorizations that are not completely filled out with respect to the required elements are defective.
An authorization that an employee of SAW LLC knows has been revoked is not a valid authorization. If SAW LLC does not know of the revocation, a release made in reliance on the authorization is not a violation of the HIPAA rule.
3. Compound Authorizations
Except for authorizations requested in connection with a clinical trial, SAW LLC cannot combine an authorization for use or disclosure of PHI for purposes other than treatment, payment, or health care operations with an authorization or consent for treatment (e.g., an informed consent to receive care) or payment (e.g., an assignment of benefits) or any other written legal permission from the individual.
There are three exceptions to this prohibition:
- An authorization for the use or disclosure of PHI created for a research study may be combined with any other type of written permission for the same or another research study. This exception includes combining an authorization for the use or disclosure of PHI for a research study with another authorization for the same research study, with an authorization for the creation or maintenance of a research database or repository, or with a consent to participate in research. However, if SAW LLC conditioned the provision of research-related treatment on the provision of one of the authorizations, any compound authorization created must clearly differentiate between the conditioned and unconditioned components and provide the patient with an opportunity to opt in to the research activities described in the unconditioned authorization.
- Authorizations for the use or disclosure of psychotherapy notes for multiple purposes may be combined in a single document, but may not be combined with authorizations for the use or disclosure of other
- Authorizations for the use or disclosure of PHI other than psychotherapy notes may be combined, provided that SAW LLC has not conditioned the provision of treatment, payment, enrollment, or eligibility on obtaining the
4. Revocation of Authorizations
An individual may revoke an authorization at any time, except to the extent that SAW LLC had taken action in reliance on the authorization. The individual must revoke the authorization in writing. When an individual revokes an authorization, SAW LLC must stop making uses and disclosures pursuant to the authorization to the greatest extent practical. SAW LLC may continue to use and disclose PHI in accordance with the authorization only to the extent SAW LLC has taken action in reliance on the authorization. For example, SAW LLC is not required to retrieve information that has already been disclosed in accordance with the authorization.
Individuals do not have the right to revoke an authorization if the authorization was obtained as a condition of obtaining insurance coverage, and other applicable law provides the insurer that obtained the authorization with the right to contest a claim under the policy.
AUTHORIZATION EXCEPTIONS:
45 C.F.R. § 164.512 outlines all the exceptions to the requirement to obtain an individual’s authorization for use or disclosure of PHI. These exceptions fall into the following categories:
- Incidental Use and Disclosure
- Uses and disclosures required by law,
- Uses and disclosures for public health activities,
- Disclosure to a school about a patient who is a student, or prospective student, of the school if the PHI disclosed is limited to proof of immunization, the school is required by State or other law to have such proof of immunization prior to admitting the student, and consent from a parent, guardian, or other person acting in loco parentis, or from the patient themselves if the patient is an adult or emancipated minor is provided,
- Disclosures about victims of abuse, neglect or domestic violence,
- Uses and disclosures for health oversight activities,
- Disclosures for judicial and administrative proceedings,
- Disclosures for law enforcement purposes,
- Uses and disclosures about decedents,
- Uses and disclosures for organ, eye, or tissue donation purposes,
- Uses and disclosures for research purposes,
- Uses and disclosures to avert a serious threat to health or safety,
- Uses and disclosures for specialized government functions,
- Disclosures for Workers’
SAW LLC may use or disclose PHI without the written consent or authorization of the individual, or the opportunity for the individual to agree or object, in the situations described above, subject to the applicable requirements of each section.
1. Incidental Use and Disclosure
The HIPAA final rule acknowledges that uses or disclosures that are incidental to an otherwise permitted use or disclosure may occur, and such incidental uses or disclosures are not considered a violation of the rule provided that the covered entity has met the reasonable safeguards and minimum necessary requirements. For example, if these requirements are met, doctors’ offices may use waiting room sign-in sheets, hospitals may keep patient charts at bedside, doctors can talk to patients in semi-private rooms, and doctors can confer at nurses’ stations without fear of violating the rule if overheard by a passerby.
2. Uses and Disclosures Required by Law
SAW LLC may use or disclose PHI if the use or disclosure is required by law, and the use or disclosure complies with and is limited to the relevant requirements of the law. SAW LLC must also meet the requirements found below in the appropriate section for disclosures about victims of abuse, neglect, or domestic violence; disclosures for judicial and administrative proceedings; or disclosures for law enforcement purposes.
3. Uses and Disclosures for Public Health Activities
SAW LLC may disclose PHI for the public health activities and purposes described below to:
- A public health authority authorized by law to collect or receive information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health
- A public health authority or other government authority authorized by law to receive reports of child abuse or
- A person subject to the jurisdiction of the Food and Drug Administration (FDA):
- To report adverse events (or similar reports with respect to food or dietary supplements), product defects, or problems (including problems with the use or labeling of a product), or biological product deviations if the disclosure is made to the person required or directed to report such information to the FDA;
- To track products if the disclosure is made to a person required or directed by the FDA to track the product;
- To enable product recalls, repairs, or replacement (including locating and notifying individuals who have received products of product recalls, withdrawals, or other problems);
- To conduct post marketing surveillance to comply with requirements or at the direction of the
- A person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if SAW LLC or a public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation; or
- An employer, about an individual who is a member of the workforce of the employer:
- If SAW LLC provides health care to the individual at the request of the employer; to conduct an evaluation relating to medical surveillance of the workplace; or to evaluate whether the individual has a work-related illness or injury;
- The PHI that is disclosed may only consist of findings concerning a work-related illness or injury or a workplace-related medical surveillance;
- SAW LLC must need such findings in order to comply with its obligations, under OSHA law and rule (29 CFR parts 1904 through 1928), or under state law having a similar purpose, to record such illness or injury or to carry out responsibilities for workplace medical surveillance;
- SAW LLC provides written notice to the individual that PHI relating to the medical surveillance of the workplace and work-related illnesses and injuries is disclosed to the employer by giving a copy of the notice of patient privacy practices to the individual at the time the health care is provided; or if the health care is provided on the worksite of the employer, by posting the notice of patient privacy practices in a prominent place at the location where the health care is provided.
4. Disclosures about Victims of Abuse, Neglect or Domestic Violence
SAW LLC may disclose PHI about an individual whom a health care provider reasonably believes to be a victim of abuse, neglect, or domestic violence to a government authority, including a social service or protective services agency, authorized by law to receive reports of such abuse, neglect, or domestic violence to the extent the disclosure is required by law and the disclosure complies with and is limited to the relevant requirements of such law; if the individual agrees to the disclosure; or to the extent the disclosure is expressly authorized by statute or regulation and a health care provider in the exercise of professional judgment, believes the disclosure is necessary to prevent serious harm to the individual or other potential victims; or if the individual is unable to agree because of incapacity, a law enforcement or other public official authorized to receive the report represents that the PHI for which disclosure is sought is not intended to be used against the individual and that an immediate enforcement activity that depends upon the disclosure would be adversely affected by waiting until the individual is able to agree to the disclosure.
If SAW LLC makes a disclosure as described above, it must promptly inform the individual that such a report has been or will be made, except if a health care provider, in the exercise of professional judgment, believes informing the individual would place the individual at risk of serious harm; or SAW LLC would be informing a personal representative, and the covered entity reasonably believes the personal representative is responsible for the abuse, neglect, or other injury, and that informing such person would not be in the best interests of the individual as determined by the covered entity, in the exercise of professional judgment.
5. Uses and Disclosures for Health Oversight Activities
SAW LLC may disclose PHI to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for appropriate oversight of the health care system; government benefit programs for which health information is relevant to beneficiary eligibility; entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards; or entities subject to civil rights laws for which health information is necessary for determining compliance.
A health oversight activity does not include an investigation or other activity in which the individual is the subject of the investigation or activity and such investigation or other activity does not arise out of and is not directly related to the receipt of health care, a claim for public benefits related to health, or qualification for, or receipt of, public benefits or services when a patient’s health is integral to the claim for public benefits or services.
If a health oversight activity or investigation is conducted in conjunction with an oversight activity or investigation relating to a claim for public benefits not related to health, the joint activity or investigation is considered a health oversight activity.
6. Disclosures for Proof of Immunization
SAW LLC may disclose proof of a patient’s immunization to a school, about a patient who is a student or prospective student of the school, as required by State or other law, if a parent, guardian, or other person acting in loco parentis, or a patient who is an adult or emancipated minor, authorizes SAW LLC to do so. SAW LLC does not need to obtain a written authorization for such disclosure. Oral authorization that is documented by SAW LLC will satisfy the requirements under HIPAA. However, as a best practice, SAW LLC should implement a system that tracks authorization in a written form to best protect SAW LLC. SAW LLC should consult State law for specific immunization records requirements for school admittance. (See the Patient Proof of Immunization Record Request form).
7. Disclosures for Judicial and Administrative Proceedings
SAW LLC may disclose PHI in the course of any judicial or administrative proceeding in response to an order of a court or administrative tribunal, provided that SAW LLC discloses only the PHI expressly authorized by such order.
SAW LLC may disclose PHI in response to a subpoena, discovery request, or other lawful process that is not accompanied by an order of a court or administrative tribunal, if SAW LLC receives satisfactory assurance from the party seeking the information that reasonable efforts have been made by such party to ensure that the individual who is the subject of the PHI that has been requested has been given notice of the request, or SAW LLC receives satisfactory assurance from the party seeking the information that reasonable efforts have been made by such party to secure a qualified protective order.
SAW LLC receives satisfactory assurances from a party seeking PHI if the covered entity receives from such party a written statement and accompanying documentation demonstrating that the party requesting such information has made a good faith attempt to provide written notice to the individual (or, if the individual’s location is unknown, to mail a notice to the individual’s last known address); that the notice included sufficient information about the litigation or proceeding in which the PHI is requested to permit the individual to raise an objection to the court or administrative tribunal, and the time for the individual to raise objections to the court or administrative tribunal has elapsed, and no objections were filed, or all objections filed by the individual have been resolved by the court or the administrative tribunal and the disclosures being sought are consistent with such resolution.
Also, SAW LLC receives satisfactory assurances from a party seeking PHI, if the covered entity receives from such party a written statement and accompanying documentation demonstrating that the parties to the dispute giving rise to the request for information have agreed to a qualified protective order and have presented it to the court or administrative tribunal with jurisdiction over the dispute, or the party seeking the PHI has requested a qualified protective order from such court or administrative tribunal.
A qualified protective order means, with respect to PHI requested, an order of a court or of an administrative tribunal or a stipulation by the parties to the litigation or administrative proceeding that prohibits the parties from using or disclosing the PHI for any purpose other than the litigation or proceeding for which such information was requested; and requires the return to the covered entity or destruction of the PHI (including all copies made) at the end of the litigation or proceeding.
SAW LLC may disclose PHI in response to lawful process if SAW LLC makes reasonable efforts to provide notice to the individual or to seek a qualified protective order.
The provisions of this section do not supersede other provisions of this section that otherwise permit or restrict uses or disclosures of protected health information.
8. Disclosures for Law Enforcement Purposes
SAW LLC may disclose PHI for a law enforcement purpose to law enforcement officials under the following conditions:
- SAW LLC may disclose protected health information as required by law, including laws that require the reporting of certain types of wounds or other physical injuries; or in compliance with and as limited by the requirements of a court order or court-ordered warrant, or a subpoena or summons issued by a judicial officer, grand jury subpoena, or an administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided that the information sought is relevant and material to a legitimate law enforcement inquiry, the request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought, and de-identified information could not reasonably be
- SAW LLC may disclose PHI in response to a law enforcement official’s request for such information for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person, provided that the covered entity may disclose only the following information:
- Name and address;
- Date and place of birth;
- Social Security number;
- ABO blood type and Rh factor;
- Type of injury;
- Date and time of treatment;
- Date and time of death, if applicable; and
- A description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or moustache), scars, and
SAW LLC may not disclose, for the purposes of identification, any PHI related to the individual’s DNA or DNA analysis, dental records, or typing, or samples or analysis of body fluids or tissue.
- SAW LLC may disclose protected health information in response to a law enforcement official’s request for such information about an individual who is, or is suspected to be, a victim of a crime if the individual agrees to the disclosure; or if SAW LLC is unable to obtain the individual’s agreement because of incapacity or other emergency circumstance, provided that the law enforcement official represents that such information is needed to determine whether a violation of law by a person other than the victim has occurred, and such information is not intended to be used against the victim; the law enforcement official represents that immediate law enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure; and the disclosure is in the best interests of the individual as determined by the covered entity, in the exercise of professional
- SAW LLC may disclose PHI about an individual who has died to law enforcement officials for the purpose of alerting law enforcement of the death of the individual if SAW LLC has a suspicion that such death may have resulted from criminal
- SAW LLC may disclose to a law enforcement official PHI that SAW LLC believes in good faith constitutes evidence of criminal conduct that occurred on the premises of the covered
- A health care provider providing emergency health care in response to a medical emergency, other than such emergency on the premises of SAW LLC, may disclose PHI to a law enforcement official if such disclosure appears necessary to alert law enforcement to the commission and nature of a crime, the location of such crime, or of the victim(s) of such crime, and the identity, description, and location of the perpetrator of such
If a covered health care provider believes that the medical emergency is the result of abuse, neglect, or domestic violence of the individual in need of emergency health care, requirements found above under, “Disclosures About Victims of Abuse, Neglect, or Domestic Violence” apply.
9. Decedents
A decedent’s health information is protected for a period of 50 years after the date of death. This does not override State or other laws for sensitive information that may be stricter—such as HIV/AIDS, substance abuse, or mental health information.
The practice is permitted to use or disclose protected health information (“PHI”) if the disclosure is to a deceased person’s personal representative or family, provided the practice had not obtained an objection to sharing his or her PHI and the PHI disclosed pertains to the individual’s involvement in the deceased’s care or payment for services rendered.
A personal representative is a person with legal authority to act on behalf of the decedent or the decedent’s estate (not restricted to health care decisions), such as an Executor of the estate, next of kin or other family member, or a holder of a durable power of attorney.
This 50-year period of protection is not the same as a medical record retention requirement, which is governed by State law. Records may be destroyed according to State law.
10. Uses and Disclosures for Cadaveric Organ, Eye or Tissue Donation Purposes
SAW LLC may use or disclose PHI to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye, or tissue donation and transplantation.
11. Uses and Disclosures for Research Purposes
In general, SAW LLC may use or disclose PHI for research, regardless of the source of funding of the research under defined circumstances. (See the policy entitled “Uses and Disclosures for Research Purposes,” for specific information.)
12. Uses and Disclosures to Avert a Serious Threat to Health or Safety
SAW LLC may, consistent with applicable law and standards of ethical conduct, use or disclose PHI, if a health care provider, in good faith, believes the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat; or is necessary for law enforcement authorities to identify or apprehend an individual because of a statement by an individual admitting participation in a violent crime that the covered entity reasonably believes may have caused serious physical harm to the victim; or where it appears from all the circumstances that the individual has escaped from a correctional institution or from lawful custody.
A use or disclosure pursuant to PHI necessary for law enforcement individuals to identify or apprehend an individual may not be made if the information is learned by SAW LLC in the course of treatment to affect the propensity to commit the criminal conduct that is the basis for the disclosure, or counseling or therapy; or through a request by the individual to initiate or to be referred for the treatment, counseling, or therapy.
A disclosure made to law enforcement individuals to identify or apprehend an individual shall contain only the statement from the individual admitting participation in a violent crime that the covered entity reasonably believes may have caused serious physical harm to the victim and the following PHI:
- Name and address;
- Date and place of birth;
- Social Security number;
- ABO blood type and Rh factor;
- Type of injury;
- Date and time of treatment;
- Date and time of death, if applicable; and
- A description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or moustache), scars, and
If SAW LLC uses or discloses PHI to avert a serious threat to health or safety, it is presumed to have acted in good faith with regard to the belief described above if the belief is based upon a health care provider’s actual knowledge or in reliance on a credible representation by a person with apparent knowledge or authority.
13. Uses and Disclosures For Specialized Government Functions
SAW LLC may use and disclose the PHI of individuals who are Armed Forces personnel for activities deemed necessary by appropriate military command authorities to assure the proper execution of the military mission, if the appropriate military authority has published by notice in the Federal Register the following information: appropriate military command authorities; and the purposes for which the PHI may be used or disclosed.
SAW LLC may use and disclose the PHI of individuals who are foreign military personnel to their appropriate foreign military authority for the same purposes for which uses and disclosures are permitted for Armed Forces personnel.
SAW LLC may disclose PHI to authorized federal officials for the conduct of lawful intelligence, counter-intelligence, and other national security activities authorized by the National Security Act (50 U.S.C. 401, et seq.) and implementing authority (Executive Order 12333).
SAW LLC may disclose PHI to authorized federal officials for the provision of protective services to the President or other persons authorized by 18 U.S.C. 3056, or to foreign heads of state or other persons authorized by 22 U.S.C. 2709(a)(3), or for the conduct of investigations authorized by 18 U.S.C. 871 and 879.
SAW LLC may disclose to a correctional institution, or a law enforcement official having lawful custody of an inmate or other individual, PHI about such inmate or individual, if the correctional institution or such law enforcement official represents that such PHI is necessary for the provision of health care to such individuals, the health and safety of such individual or other inmates, the health and safety of the officers or employees of or others at the correctional institution, the health and safety of such individuals and officers or other persons responsible for the transporting of inmates or their transfer from one institution, facility, or setting to another, law enforcement on the premises of the correctional institution; and the administration and maintenance of the safety, security, and good order of the correctional institution.
For the purposes of this provision, an individual is no longer an inmate when released on parole, probation, supervised release, or otherwise is no longer in lawful custody.
14. Disclosures for Workers’ Compensation
SAW LLC may disclose PHI as authorized by and to the extent necessary to comply with laws relating to Workers’ Compensation, or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault.
Procedure
- When requests are made for access to an individual’s protected health information under circumstances identified above, first read the appropriate section to make sure that all requirements of the HIPAA rule are
- Except in circumstances where the HIPAA rule or other law forbids informing the individual of the release of their PHI, a member of the clinical staff should advise the patient that such release is being or has been
- Prepare the information to be released following the “minimum necessary” standard. That is, release only the specific information required to fulfill the purpose of the release. Note: some sections above have very specific requirements about the information that can be released. Read that section carefully before completing the release. When in doubt, get a second opinion from SAW LLC’s manager or medical director. If you are still uncertain about the content of the release, confer with SAW LLC’s legal counsel before a release is made.
- With the exception of uses and disclosures for practice treatment, payment, or health care operations, document the release on an Authorization for Use and Disclosure form and file the form in the patient’s record. A patient’s accounting will be comprised of any completed authorization for use and disclosure forms that have been filed in the patient’s record over a six-year
- If documents are provided for the release, e.g., a court order, subpoena, or other document authorizing the release, make a copy and keep the documents scanned into the patients
Please refer to the “Forms” section to find the “Patient Authorization for Use and Disclosure of Protected Health Information” form.
Please refer to the “Forms” section to find the “Patient Authorization Revocation/Fundraising Opt-Out” form.
Please refer to the “Forms” section to find the “Patient Proof of Immunization Record Request” form.
USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION FOR MARKETING POLICY
SCOPE OF POLICY
This policy applies to all SAW LLC staff members. This includes all employees, volunteers, vendors, and subcontractors.
STATEMENT OF POLICY
SAW LLC marketing activities involving the use or disclosure of protected health information may only be conducted after being approved by authorized marketing staff at SAW LLC who will ensure that requirements set forth in the Health Insurance Portability and Accountability Act (“HIPAA”) of 1996 and the Health Information Technology for Economic and Clinical Health Act (“HITECH”) for the use and disclosure of patient information have been met. Patient information or lists should not be used or released before this approval has been obtained from authorized marketing staff, as there are legal restrictions on marketing activities of SAW LLC.
If SAW LLC receives financial remuneration from a third party in exchange for patient information, an authorization from the patient is required, including an acknowledgement that remuneration is being received. Financial remuneration means direct or indirect payment from or on behalf of a third party whose product or service is being described, not including payment for patient treatment.
IMPLEMENTATION OF POLICY
Marketing Activities Subject To This Policy
Marketing activities generally include all oral or written communications with a patient about a product or service that encourage the patient to purchase or use that product or service. SAW LLC marketing activities may involve patient information because the marketing is directed at current or former patients. Marketing also may include distributing patient information to another organization so that it may market its own products and services if SAW LLC receives direct or indirect payment in exchange for the patient information.
Marketing Activities Not Subject To This Policy
Marketing activities not subject to this policy include:
- Refill reminders or other communications about drugs or biologics currently prescribed to a patient, if any financial remuneration received by SAW LLC in exchange for making the communication is reasonably related to SAW LLC’s cost of making the communication;
- Treatment and health care operations purposes where SAW LLC does not receive financial remuneration in exchange for making the communication, including:
  - Treatment by a health care provider;
  - Case management or care coordination;
  - Recommendations for alternative treatments, therapies, providers or settings of care;
  - Descriptions of a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, SAW LLC, including communications about SAW LLC participation in a health care provider or health plan network, and replacements and/or enhancements to health plans or health-related products or services available to a health-plan enrollee that add value to, but are not part of, their plan or benefits.
Responsibility
It is the responsibility of SAW LLC’s Privacy Officer to implement processes to ensure that the distribution of marketing materials adheres to this policy, HIPAA, and HITECH.
Contacting Privacy Officer
To obtain approval for marketing activities contact the Privacy Officer at N/A.
VIOLATIONS
SAW LLC’s Privacy Officer has general responsibility for implementation of this policy. Anyone who violates this policy will be subject to disciplinary action up to and including termination of employment or contract with SAW LLC. Anyone who knows or has reason to believe that another person has violated this policy should report the matter promptly to SAW LLC’s Privacy Officer. Any attempt to retaliate against a person for reporting a violation of this policy will itself be considered a violation of this policy that may result in disciplinary action up to and including termination of employment or contract with SAW LLC.
USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION FOR FUNDRAISING POLICY
SCOPE OF POLICY
This policy applies to SAW LLC staff members. SAW LLC staff members include all employees, volunteers, vendors, and subcontractors.
STATEMENT OF POLICY
Fundraising activities involving the use or disclosure of patient information may only be conducted by authorized development staff at SAW LLC who will ensure that all requirements for the use and disclosure of such information have been met. Fundraising communications may only be sent to individuals who have not opted out of receiving such communications. SAW LLC may not condition treatment or payment on the individual’s choice with respect to receipt of fundraising communications.
IMPLEMENTATION OF POLICY
Fundraising Activities Subject To This Policy
Fundraising activities include any activities undertaken to raise money, or other things of value, on behalf of SAW LLC or any of its affiliated organizations. This policy applies to any fundraising activities undertaken by SAW LLC, SAW LLC staff (including volunteers, vendors, subcontractors and other business associates). Examples of fundraising activities include:
- Requests for general donations to benefit SAW LLC;
- Requests for special-purpose donations;
- Requests for sponsorship of SAW LLC events or activities; and
- Auctions, rummage sales, or bake sales.
The fundraising activities are subject to this policy only if the activities involve the use or disclosure of patient information. SAW LLC may use or disclose to a business associate or to an institutionally related foundation, the following patient information for purposes of fundraising on its own behalf, without a patient authorization:
- Name;
- Address;
- Other contact information;
- Age;
- Gender;
- Date of birth;
- Dates of health care provided;
- Department of service;
- Treating physician;
- Outcome information; and
- Health insurance status.
Approval by Development Staff
To obtain approval of fundraising activities by SAW LLC’s development staff, contact the Privacy Officer.
Opt-Out Requests
Individuals have the right to opt out of receiving fundraising communications. All fundraising communications must contain clear and conspicuous language providing the individual the opportunity to opt out of receiving further fundraising communications without any undue burden or more than a nominal cost on the individual. All individuals’ requests to opt out of such communications should be forwarded to authorized development staff. If an individual decides to opt out, the request must be treated as a revocation of authorization under 164.508 of the Privacy Rule. Requiring the patient to write a letter requesting an opt-out is considered an undue burden. Filling out a pre-printed postcard or making a phone call is not. A model form “Patient Authorization Revocation / Fundraising Opt-Out” is available for this purpose within this manual.
It is the responsibility of the Privacy Officer in connection with the development office, to implement processes to ensure that individuals who have opted-out of receiving fundraising communications do not receive such communications. However, the individual may be provided the opportunity to opt back in to receive fundraising communications if they have previously elected to opt-out of such communications.
VIOLATIONS
SAW LLC’s Privacy Officer has a general responsibility for implementation of this policy. Anyone who violates this policy will be subject to disciplinary action up to and including termination of employment or contract with SAW LLC. Anyone who knows or has reason to believe that another person has violated this policy should report the matter promptly to his or her supervisor or SAW LLC’s Privacy Officer. All reported matters will be investigated, and, where appropriate, steps will be taken to remedy the situation. Any attempt to retaliate against a person for reporting a violation of this policy will itself be considered a violation of this policy that may result in disciplinary action up to and including termination of employment or contract with SAW LLC.
QUESTIONS
If you have questions about this policy, please contact SAW LLC’s Privacy Officer immediately. It is important that all questions be resolved as soon as possible to ensure protected health information is used and disclosed appropriately.
PERSONAL REPRESENTATIVES
REFERENCE: 45 CFR § 164.502(g)
POLICY:
Individuals Authorized to Act
In the final rule, the definition of “individual” is limited to the subject of the PHI, which includes unemancipated minors and other individuals who may lack capacity to act on their own behalf. The rule removes from the definition of “individual” the provisions regarding legal representatives.
Individual is defined as the subject of the protected health information, which includes unemancipated minors and other individuals who may lack capacity to act on their own behalf.
Personal Representatives
With respect to adults or emancipated minors, a practice must treat a person as a personal representative of an individual if such person is, under applicable law, authorized to act on behalf of the individual in making decisions related to health care. This includes a court-appointed guardian and a person with a power of attorney, but may also include other persons.
The authority of a personal representative under this rule is limited: the representative must be treated as the individual only to the extent that PHI is relevant to the matters on which the personal representative is authorized to represent the individual. For example, if a person’s authority to make health care decisions for an individual is limited to decisions regarding treatment for cancer, such person is a personal representative and must be treated as the individual with respect to PHI related to the cancer treatment of the individual. Such a person is not the personal representative of the individual with respect to all PHI about the individual, and therefore, the practice may not disclose PHI that is not relevant to the cancer treatment to the person, unless otherwise permitted.
This provision applies to persons empowered under state or other law to make health related decisions for an individual, whether or not the instrument or law granting such authority specifically addresses health information.
Unemancipated Minors
In addition, with respect to an unemancipated minor, if under applicable law (state law should be consulted) a parent may act on behalf of an unemancipated minor in making decisions related to health care, the practice must treat such person as a personal representative with respect to PHI relevant to such personal representation, with three exceptions. Under the general rule, in most circumstances the minor would not have the capacity to act as the individual, and the parent would be able to exercise rights and authorities on behalf of the minor. Under the exceptions to the rule on personal representatives of unemancipated minors, the minor, and not the parent, would be treated as the individual and able to exercise the rights and authorities of an individual. These exceptions occur if:
- The minor consents to a health care service; no other consent to such health care service is required by state or other law, regardless of whether the consent of another person has also been obtained; and the minor has not requested that such person be treated as the personal representative;
- The minor may lawfully obtain such health care service without the consent of a parent, and the minor, a court, or another person authorized by law consents to such health care service; or
- A parent assents to an agreement of confidentiality between a covered health care provider and the minor with respect to such health care
Minors
A minor does not have the authority to act under the rule unless the state has given them the ability to obtain health care without consent of a parent, or the parent has assented. In addition, we defer to state law where the state authorizes or prohibits disclosure of protected health information to a parent.
This rule does not affect parental notification laws that permit or require disclosure of protected health information to a parent. However, the rights of a minor under this rule are not otherwise affected by such notification.
Denials of Personal Authorization
Practices may elect not to treat a person as a personal representative in abusive situations. The practice need not treat a person as a personal representative of an individual if the practice, in the exercise of professional judgment, decides that it is not in the best interest of the individual to treat the person as the individual’s personal representative, and the practice has a reasonable belief that the individual has been or may be subjected to domestic violence, abuse, or neglect by such person, or that treating such person as the personal representative could endanger the individual.
Families and Others Involved in the Individual’s Care
The practice is permitted to use its discretion to disclose certain PHI to family members, relatives, close friends, and other persons assisting in the care of an individual. Many health care decisions take place on an informal basis, and the rule allows disclosures in certain circumstances to permit this practice to continue. Health care providers may continue to use their discretion to address these informal situations.
Summary
The practice must treat a person that meets the requirements of a personal representative as the individual (with the exceptions described above). The disclosure of PHI to a personal representative is mandatory under this rule only if disclosure to the individual is mandatory. Further, as noted above, the personal representative’s rights are limited by the scope of its authority under other law. Thus, this provision does not constitute a general grant of authority to personal representatives.
Disclosure to a personal representative is mandatory to ensure that an individual’s rights are preserved even when individuals are incapacitated or otherwise unable to act for themselves to the same degree as other individuals. If the practice were to have the discretion to recognize a personal representative as the individual, there could be situations in which no one could invoke an individual’s rights under these sections.
PROCEDURE:
- It is the policy of the practice to verify the identity of all individuals seeking use or disclosure of an individual’s PHI.
- At the time that a written request is made to access, use, or disclose PHI, staff will verify the identity of the individual making the request in the following manner:
If the individual is personally known to the practice as being authorized to request a use or disclosure of PHI, a release may be completed. This includes personal knowledge of a parent or guardian of a minor child.
If the individual is not personally known, s/he must provide a picture identification (e.g., driver’s license, passport, military identification card, or other valid identification) for releases of his/her own PHI. Staff will document the nature of the identification used and create a photocopy of the identification.
If the individual is not personally known to the practice and has requested information as an authorized representative for another party, the individual must produce the legal documentation that verifies his/her authority to act on behalf of the individual.
On any occasion where a question arises as to an individual’s authority to make a request, contact the practice manager. Legal counsel may be consulted.
- If an individual is requesting information as an authorized representative of another party, the use or disclosure of the PHI must be limited to the minimum necessary to accomplish the purpose of the request.
- Care providers are permitted to use their discretion to disclose certain PHI to family members, relatives, close friends, and other persons assisting in the care of an individual. Many health care decisions take place on an informal basis, and the rule allows disclosures in certain circumstances to permit this practice to continue. Health care providers may continue to use their discretion to address these informal situations. Staff must seek a provider’s permission before releasing information to family members, relatives, and others involved in an individual’s care.
- A care provider may elect not to treat a person as a personal representative in abusive situations. The provider need not treat a person as a personal representative of an individual if the provider, in the exercise of professional judgment, decides that it is not in the best interest of the individual to treat the person as the individual’s personal representative, and the provider has a reasonable belief that the individual has been or may be subjected to domestic violence, abuse, or neglect by such person, or that treating such person as the personal representative could endanger the individual.
- All uses and disclosures of information conducted under a request from the individual or the individual’s personal representative are approved by the individual’s primary care provider prior to the release being performed to ensure that no circumstances exist that may result in a violation of the HIPAA rule or a denial of the
INTERPRETATION:
Parents and Minors: The final rule clarifies that state law, or other applicable law, governs in the area of parents and minors. Generally, the Privacy Rule provides parents with new rights to control the health information about their minor children, with limited exceptions that are based on state or other applicable law and professional practice. For example, where a state has explicitly addressed disclosure of a minor’s health information to a parent, or access to a child’s medical record by a parent, the final rule clarifies that state law governs. In addition, the final rule clarifies that, in special cases in which the minor controls his or her own health information under such law and that law does not define the parents’ ability to access the child’s health information, a licensed health care provider continues to be able to exercise discretion to grant or deny such access as long as that decision is consistent with the state or other applicable law.
COMMUNICATING WITH A PATIENT’S FAMILY, FRIENDS, OR OTHERS INVOLVED IN THE PATIENT’S CARE
SOURCE:
Health and Human Services Office for Civil Rights
This guide explains when a health care provider is allowed to share a patient’s health information with the patient’s family members, friends, or others identified by the patient as involved in the patient’s care under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. HIPAA is a federal law that sets national standards for how health plans, health care clearinghouses, and most health care providers are to protect the privacy of a patient’s health information.
Even though HIPAA requires health care providers to protect patient privacy, providers are permitted, in most circumstances, to communicate with the patient’s family, friends, or others involved in their care or payment for care. This guide is intended to clarify these HIPAA requirements so that health care providers do not unnecessarily withhold a patient’s health information from these persons. This guide includes common questions and a table that summarizes the relevant requirements.
COMMON QUESTIONS ABOUT HIPAA:
If the patient is present and has the capacity to make health care decisions, when does HIPAA allow a health care provider to discuss the patient’s health information with the patient’s family, friends, or others involved in the patient’s care or payment for care?
If the patient is present and has the capacity to make health care decisions, a health care provider may discuss the patient’s health information with a family member, friend, or other person if the patient agrees, or when given the opportunity, does not object. A health care provider also may share information with these persons if, using professional judgment, he or she decides that the patient does not object. In either case, the health care provider may share or discuss only the information that the person involved needs to know about the patient’s care or payment for care.
Here are some examples:
An emergency room doctor may discuss a patient’s treatment in front of the patient’s friend if the patient asks that her friend come into the treatment room.
A doctor’s office may discuss a patient’s bill with the patient’s adult daughter who is with the patient at the patient’s medical appointment and has questions about the charges.
A doctor may discuss the drugs a patient needs to take with the patient’s health aide who has accompanied the patient to a medical appointment.
A doctor may give information about a patient’s mobility limitations to the patient’s sister who is driving the patient home from the hospital.
A nurse may discuss a patient’s health status with the patient’s brother if she informs the patient she is going to do so, and the patient does not object.
BUT:
A nurse may not discuss a patient’s condition with the patient’s brother after the patient has stated she does not want her family to know about her condition.
If the patient is not present or is incapacitated, may a health care provider still share the patient’s health information with family, friends, or others involved in the patient’s care or payment for care?
Yes. If the patient is not present or is incapacitated, a health care provider may share the patient’s information with family, friends, or others as long as the health care provider determines, based on professional judgment, that it is in the best interest of the patient. When someone other than a friend or family member is involved, the health care provider must be reasonably sure that the patient asked the person to be involved in his or her care or payment for care. The health care provider may discuss only the information that the person involved needs to know about the patient’s care or payment.
Here are some examples:
A surgeon who did emergency surgery on a patient may tell the patient’s spouse about the patient’s condition while the patient is unconscious.
A pharmacist may give a prescription to a patient’s friend who the patient has sent to pick up the prescription.
A hospital may discuss a patient’s bill with her adult son who calls the hospital with questions about charges to his mother’s account.
A health care provider may give information regarding a patient’s drug dosage to the patient’s health aide who calls the provider with questions about the particular prescription.
BUT:
A nurse may not tell a patient’s friend about a past medical problem that is unrelated to the patient’s current condition.
A health care provider is not required by HIPAA to share a patient’s information when the patient is not present or is incapacitated, and can choose to wait until the patient has an opportunity to agree to the disclosure.
Does HIPAA require that a health care provider document a patient’s decision to allow the provider to share his or her health information with a family member, friend, or other person involved in the patient’s care or payment for care?
No. HIPAA does not require that a health care provider document the patient’s agreement or lack of objection. However, a health care provider is free to obtain or document the patient’s agreement, or lack of objection, in writing, if he or she prefers. For example, a provider may choose to document a patient’s agreement to share information with a family member with a note in the patient’s medical file.
May a health care provider discuss a patient’s health information over the phone with the patient’s family, friends, or others involved in the patient’s care or payment for care?
Yes. Where a health care provider is allowed to share a patient’s health information with a person, information may be shared face-to-face, over the phone, or in writing.
If a patient’s family member, friend, or other person involved in the patient’s care or payment for care calls a health care provider to ask about the patient’s condition, does HIPAA require the health care provider to obtain proof of who the person is before speaking with them?
No. If the caller states that he or she is a family member or friend of the patient, or is involved in the patient’s care or payment for care, then HIPAA doesn’t require proof of identity in this case. However, a health care provider may establish his or her own rules for verifying who is on the phone. In addition, when someone other than a friend or family member is involved, the health care provider must be reasonably sure that the patient asked the person to be involved in his or her care or payment for care.
Can a patient have a family member, friend, or other person pick up a filled prescription, medical supplies, X-rays, or other similar forms of patient information, for the patient?
Yes. HIPAA allows health care providers to use professional judgment and experience to decide if it is in the patient’s best interest to allow another person to pick up a prescription, medical supplies, X-rays, or other similar forms of information for the patient.
For example, the fact that a relative or friend arrives at a pharmacy and asks to pick up a specific prescription for a patient effectively verifies that he or she is involved in the patient’s care. HIPAA allows the pharmacist to give the filled prescription to the relative or friend. The patient does not need to provide the pharmacist with their names in advance.
May a health care provider share a patient’s health information with an interpreter to communicate with the patient or with the patient’s family, friends, or others involved in the patient’s care or payment for care?
Yes. HIPAA allows covered health care providers to share a patient’s health information with an interpreter without the patient’s written authorization under the following circumstances:
A health care provider may share information with an interpreter who works for the provider (e.g., a bilingual employee, a contract interpreter on staff, or a volunteer).
For example, an emergency room doctor may share information about an incapacitated patient’s condition with an interpreter on staff who relays the information to the patient’s family.
A health care provider may share information with an interpreter who is acting on its behalf (but is not a member of the provider’s workforce) if the health care provider has a written contract or other agreement with the interpreter that meets HIPAA’s business associate contract requirements.
For example, many providers are required under Title VI of the Civil Rights Act of 1964 to take reasonable steps to provide meaningful access to persons with limited English proficiency. These providers often have contracts with private companies, community-based organizations, or telephone interpreter service lines to provide language interpreter services. These arrangements must comply with the HIPAA business associate agreement requirements at 45 C.F.R. 164.504(e).
A health care provider may share information with an interpreter who is the patient’s family member, friend, or other person identified by the patient as his or her interpreter, if the patient agrees, or does not object, or the health care provider determines, using his or her professional judgment, that the patient does not object.
For example, health care providers sometimes see patients who speak a certain language, and the provider has no employee, volunteer, or contractor who can competently interpret that language. If the provider is aware of a telephone interpreter service that can help, the provider may have that interpreter tell the patient that the service is available. If the provider decides, based on professional judgment, that the patient has chosen to continue using the interpreter, the provider may talk to the patient using the interpreter.
Where can I find additional information about HIPAA?
The Office for Civil Rights, part of the Department of Health and Human Services, has more information about HIPAA on its website. Visit http://www.hhs.gov/ocr/hipaa for a wide range of helpful information, including the full text of the Privacy Rule, a HIPAA Privacy Rule Summary, fact sheets, over 200 Frequently Asked Questions, as well as many other resources to help health care providers and others understand the law.
Source document: HIPAA Privacy Rule Disclosures to a Patient’s Family, Friends, or Others Involved in the Patient’s Care or Payment for Care
PRIVACY POLICIES AND NOTICE OF PRIVACY PRACTICES
PRIVACY POLICY
Introduction
SAW LLC hereby implements this Privacy Policy pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”) with respect to its activities when receiving protected health information (“PHI”). The policies described in this document are expanded upon elsewhere in this manual.
Members of SAW LLC’s workforce may have access to PHI as defined by HIPAA.
Workforce member means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity. The term also includes the employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a business associate, is under the direct control of the business associate.
Protected health information (“PHI”) means information that is created or received by a covered entity and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual or for which there is a reasonable basis to believe the information can be used to identify the individual. PHI includes information about persons living or deceased.
It is SAW LLC’s policy to comply with HIPAA’s requirements for the privacy of PHI. To that end, all members of SAW LLC’s workforce who have access to PHI must comply with this Privacy Policy. For the purposes of this Policy, SAW LLC’s workforce includes individuals who would be considered part of the workforce under HIPAA such as employees, trainees, and other persons whose work performance is under the direct control of SAW LLC, whether or not they are paid by SAW LLC. The term “employee” includes all of these types of workers.
No third-party rights are intended to be created by this Policy. SAW LLC reserves the right to amend or change this Policy at any time (and even retroactively) without notice. To the extent this Policy establishes requirements and obligations above and beyond those required by HIPAA or HITECH the Policy shall be aspirational and shall not be binding upon SAW LLC. To the extent this Policy is in conflict with the HIPAA Privacy Rule, the HIPAA Privacy Rule shall govern.
COVERED ENTITY RESPONSIBILITIES
1. Privacy Officer and Contact Person
Viorica Timosca will be the Privacy Officer for SAW LLC. The Privacy Officer will be responsible for the development and implementation of policies and procedures relating to privacy of PHI in the possession of SAW LLC, including but not limited to this Privacy Policy. The Privacy Officer will also serve as the contact person for individuals who have questions, concerns, or complaints about the privacy of PHI.
The Privacy Officer is responsible for ensuring that SAW LLC complies with the provisions of the HIPAA Privacy Rule regarding third-party business associate vendors or subcontractors, including the requirement that a HIPAA-compliant Business Associate Agreement is in place with business associate vendors or subcontractors of SAW LLC. The Privacy Officer shall also be responsible for monitoring compliance with the HIPAA Privacy Rule and this Privacy Policy.
2. Workforce Training
It is SAW LLC’s policy to train all members of its workforce who have access to PHI on SAW LLC’s Policy and Procedures. The Privacy Officer is charged with developing training schedules and programs so that all workforce members receive the training necessary and appropriate to permit them to carry out SAW LLC’s functions in compliance with HIPAA and HITECH.
3. Safeguards and Firewall
SAW LLC will establish appropriate administrative, technical, and physical safeguards to prevent PHI from intentionally or unintentionally being used or disclosed in violation of HIPAA’s requirements. SAW LLC has implemented Security Policies that set forth the security measures in place to protect the privacy of PHI.
4. Complaints
Viorica Timosca will be the practice’s contact person for receiving complaints.
The Privacy Officer is responsible for creating a process for individuals to lodge complaints about SAW LLC’s privacy procedures and for creating a system for handling such complaints. A copy of the complaint procedure shall be provided to any individual upon request.
SAW LLC procedure for handling complaints received from patients or others about HIPAA Compliance is as follows:
N/A
5. Sanctions for Violations of Privacy Policy
Sanctions for using or disclosing PHI in violation of HIPAA or this HIPAA Privacy Policy will be imposed in accordance with SAW LLC’s discipline policy, up to and including termination.
SAW LLC procedures regarding our employee sanctions policy for employee misconduct are as follows:
N/A
6. Mitigation of Inadvertent Disclosures of PHI
SAW LLC shall mitigate, to the extent possible, any harmful effects that become known to it from a use or disclosure of an individual’s PHI in violation of HIPAA or the policies and procedures set forth in this Policy. As a result, if an employee or business associate vendor or subcontractor becomes aware of an unauthorized use or disclosure of PHI, either by an employee or a business associate vendor or subcontractor, the employee or business associate vendor or subcontractor must immediately contact the Privacy Officer so that appropriate steps to mitigate harm to the patient can be taken.
7. No Intimidating or Retaliatory Acts; No Waiver of HIPAA Privacy
No employee may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals for exercising their rights, filing a complaint, participating in an investigation, or opposing any improper practice under HIPAA.
8. Documentation
SAW LLC’s privacy policies and procedures shall be documented and maintained for at least six years from the date of their creation or the date they were last in effect, whichever is later. Policies and procedures must be changed as necessary or appropriate to comply with changes in the law, standards, requirements and implementation specifications (including changes and modifications in regulations). Any changes to policies or procedures must be promptly documented.
The documentation of any policies and procedures, actions, activities and designations may be maintained in either written or electronic form. SAW LLC will maintain such documentation for at least six years.
MedSafe will archive all of your policies and procedures for six years as long as you are a current client.
9. Workforce Must Comply With SAW LLC’s Policy and Procedures
All members of SAW LLC’s workforce (described at the beginning of this Policy and referred to herein as “employees”) who have access to PHI must comply with this Policy.
10. Breach Notification Requirements
SAW LLC will comply with the requirements of the HITECH Act and its implementing regulations to provide notification to affected individuals, HHS, and the media (when required) if SAW LLC or one of its business associate vendors or subcontractors discovers a breach of unsecured PHI.
11. Mandatory Disclosures of PHI
PHI must be disclosed in the following situations:
- The disclosure is to the individual who is the subject of the information;
- The disclosure is required by law; or
- The disclosure is made to HHS for purposes of enforcing HIPAA.
12. Other Permitted Disclosures of PHI
PHI may be disclosed in the following situations without the patient’s authorization, when specific requirements are satisfied. The requirements include prior approval of the Privacy Officer. Permitted are disclosures:
- about victims of abuse, neglect or domestic violence;
- for treatment purposes;
- for judicial and administrative proceedings;
- for law enforcement purposes;
- for public health activities;
- for health oversight activities;
- about decedents;
- for cadaveric organ-, eye- or tissue-donation purposes;
- for certain limited research purposes;
- to avert a serious threat to health or safety;
- for specialized government functions; and
- that relate to workers’ compensation programs.
13. Disclosure of Sensitive Information
At no time may a patient’s sensitive information, including information about HIV/AIDS, drug and/or alcohol treatment, genetic information, mental health, sexually transmitted diseases, or family planning, be disclosed without the patient’s consent.
14. Complying With the “Minimum-Necessary” Standard
Minimum Necessary When Disclosing PHI. SAW LLC, when disclosing PHI subject to the minimum necessary standard, shall take reasonable and appropriate steps to ensure that only the minimum amount of PHI that is necessary for the requestor is disclosed. All disclosures not discussed in this Policy must be reviewed on an individual basis with the Privacy Officer to ensure that the amount of information disclosed is the minimum necessary to accomplish the purpose of the disclosure.
Minimum Necessary When Requesting PHI. SAW LLC, when requesting PHI subject to the minimum-necessary standard, shall take reasonable and appropriate steps to ensure that only the minimum amount of PHI necessary for SAW LLC is requested. All requests must be reviewed on an individual basis with the Privacy Officer to ensure that the amount of information requested is the minimum necessary to accomplish the purpose of the disclosure.
To the extent practicable, SAW LLC will limit its use and/or disclosure of PHI to a Limited Data Set. If it is not practicable for SAW LLC to limit its use and/or disclosure of PHI to a Limited Data Set, SAW LLC will use the “minimum necessary” PHI to accomplish the purpose of the use or disclosure.
A Limited Data Set is PHI that excludes the following identifiers of the individual or of relatives, employers, or household members of the individual:
- Names;
- Postal address information, other than town or city, State, and zip code;
- Telephone numbers;
- Fax numbers;
- Electronic mail addresses;
- Social security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers and serial numbers;
- Web Universal Resource Locators (URLs);
- Internet Protocol (IP) address numbers;
- Biometric identifiers, including finger and voice prints; and
- Full face photographic images and any comparable images.
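The projection described above is mechanical enough to be worth automating at the point where PHI leaves the practice. The Python script below is an added illustration for this manual; it is not code from SAW LLC, MedSafe, or HHS. It strips the identifier categories listed above from a record (for the patient and for any relatives, employers, or household members in the record), keeps the town or city, state, ZIP code, and dates that a limited data set retains, scans free-text fields for identifiers that tend to hide in clinical notes, and refuses to release a record in which a structured identifier survives. The field names (mrn, street, notes, and so on) and the sample record are assumptions made for the example; map them to your own schema. The caveat a practitioner should keep in mind: a limited data set is still PHI, and 45 C.F.R. 164.514(e)(4) allows it to be shared only under a data use agreement. This script does not produce de-identified data.

```python
"""Project a patient record onto a HIPAA Limited Data Set (45 C.F.R. 164.514(e)).

Added illustration for this manual, not code from SAW LLC, MedSafe, or HHS.
Field names in the sample record (mrn, street, notes, ...) are assumptions;
map them to your own schema. A limited data set is still PHI: it may only
leave the practice under a data use agreement, and this code does not
de-identify data.
"""
import re

# Structured fields holding one of the sixteen identifier categories a limited
# data set must exclude, for the patient and for relatives, employers and
# household members alike. Town/city, state, ZIP code and dates are absent on
# purpose: a limited data set keeps them (Safe Harbor de-identification does not).
LDS_EXCLUDED_FIELDS = {
    "name", "street", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip", "biometric", "photo",
}

# Identifiers that hide inside free text such as clinical notes. The patterns
# are deliberately loose: for a privacy filter a false positive costs far less
# than a missed identifier.
FREE_TEXT_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "url": re.compile(r"https?://\S+|www\.\S+", re.IGNORECASE),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
}


def scrub_free_text(text):
    """Replace identifier-looking substrings with [REDACTED:<kind>] tokens.
    Returns (scrubbed_text, kinds_found)."""
    found = []
    for kind, pattern in FREE_TEXT_PATTERNS.items():
        text, count = pattern.subn(f"[REDACTED:{kind}]", text)
        if count:
            found.append(kind)
    return text, found


def _project(obj, path, audit):
    """Recursively copy obj, dropping excluded fields and scrubbing strings.
    Every removal or scrub is recorded in audit together with its path."""
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            child = f"{path}.{key}" if path else key
            if key in LDS_EXCLUDED_FIELDS:
                audit.append(f"removed {child}")
            else:
                out[key] = _project(value, child, audit)
        return out
    if isinstance(obj, list):
        return [_project(v, f"{path}[{i}]", audit) for i, v in enumerate(obj)]
    if isinstance(obj, str):
        scrubbed, kinds = scrub_free_text(obj)
        audit.extend(f"scrubbed {kind} in {path}" for kind in kinds)
        return scrubbed
    return obj


def to_limited_data_set(record):
    """Return (lds_record, audit_trail). The input record is left unmodified."""
    audit = []
    return _project(record, "", audit), audit


def assert_limited_data_set(obj, path=""):
    """Release gate: raise ValueError if any excluded field survives anywhere
    in the record. Run it on whatever is about to leave the practice."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}" if path else key
            if key in LDS_EXCLUDED_FIELDS:
                raise ValueError(f"direct identifier present at {child}")
            assert_limited_data_set(value, child)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            assert_limited_data_set(value, f"{path}[{i}]")


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "mrn": "MRN-0042",
    "dob": "1970-03-02",
    "street": "12 Example Street",
    "city": "Brookfield",
    "state": "CT",
    "zip": "06804",
    "phone": "203-555-0100",
    "diagnosis_codes": ["E11.9"],
    "visit_date": "2023-05-12",
    "household_members": [{"name": "John Example", "relationship": "spouse"}],
    "notes": "Spouse reachable at 203-555-0101 or spouse@example.org; "
             "portal login from 198.51.100.7.",
}

if __name__ == "__main__":
    lds, audit = to_limited_data_set(SAMPLE_RECORD)
    assert_limited_data_set(lds)
    print(lds)
    print("\n".join(audit))
```

The audit trail is what the Privacy Officer reviews under the minimum-necessary procedure above: it names every field removed and every identifier scrubbed from free text, so a reviewer can confirm that nothing beyond the limited data set was released without reading the PHI itself. Scrubbing is applied to every string in the record, not only to fields named notes, because identifiers regularly turn up in fields that were never meant to hold them.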
15. Disclosures of PHI to Business Associates
Employees may disclose PHI to SAW LLC’s business associate vendors or subcontractors and allow SAW LLC’s business associate vendors or subcontractors to create or receive PHI on its behalf. However, prior to doing so, SAW LLC must first obtain assurances from the business associate vendor or subcontractor that it will appropriately safeguard the information. Before sharing PHI with outside consultants or contractors who meet the definition of a “business associate,” employees must contact the Privacy Officer and verify that a Business Associate Agreement is in place.
A Business Associate is an entity that:
- performs or assists in performing a function or activity involving the use or disclosure of PHI; or
- provides legal, accounting, actuarial, consulting, data aggregation, management, accreditation, or financial services, where the performance of such services involves giving the service provider access to PHI.
16. Disclosures of De-Identified Information
SAW LLC may freely use and disclose information that has been “de-identified” in accordance with the HIPAA Privacy Rule. De-identified information is health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual.
17. Accounting
An individual has the right to obtain an accounting and an Access Report of certain accesses to and disclosures of his or her own PHI. This right to an accounting extends to disclosures made in the last six years (for disclosures from Electronic Health Records (EHRs), the specifics are to be determined by future rulemaking). The right to an accounting does not extend to disclosures:
- to carry out treatment, payment, or health care operations (except in the case of EHRs, for which this exception does not apply);
- to individuals about their own PHI;
- incident to an otherwise permitted use or disclosure;
- pursuant to an authorization;
- to persons involved in the individual’s care or payment for the individual’s care or for certain other notification purposes;
- to correctional institutions or law enforcement when the disclosure was permitted without authorization;
- as part of a limited data set;
- for specific national security or law enforcement purposes; or
- that occurred prior to the compliance date.
SAW LLC shall respond to an accounting request within 60 days. If SAW LLC is unable to provide the accounting within 60 days, it may extend the period once, by up to 30 days, provided that it gives the individual written notice (including the reason for the delay and the date by which the accounting will be provided) within the original 60-day period.
The accounting must include the date of the disclosure, the name of the receiving party, a brief description of the information disclosed, and a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure (or a copy of the written request for disclosure, if any). If a brief purpose statement is included in the accounting, it must be sufficient to reasonably inform the individual of the basis of the disclosure.
The first accounting in any 12-month period shall be provided free of charge. For subsequent accountings within the same 12-month period, the Privacy Officer may impose a reasonable, cost-based fee for production and mailing, provided the individual is informed of the fee in advance and given the opportunity to withdraw or modify the request.
NOTICE OF PRIVACY PRACTICES POLICY
REFERENCE: 45 C.F.R. 164.502(i)
POLICY:
SAW LLC is required to have a notice and may not use or disclose PHI in a manner inconsistent with such notice. A covered entity that is required to include a specific statement in its notice if it intends to engage in an activity may not use or disclose PHI for such activities, unless the required statement is included in the notice.
PROCEDURE:
- SAW LLC will maintain an up-to-date Notice of Privacy Practices. That Notice will be posted in the main reception area and N/A.
- SAW LLC will use and disclose PHI only in a manner identified in the Notice.
- A copy of the Notice will be provided to every patient at his or her first visit with SAW LLC. Staff will make a good faith effort to have the patient sign to attest that they have received a copy of the Notice. Care must still be provided even if the patient refuses to sign the acknowledgement.
INTERPRETATIONS:
- The Rule requires practices to provide patients with notice of the patient’s privacy rights and of the privacy practices of SAW LLC. The strengthened Notice requirement obliges direct treatment providers to make a good faith effort to obtain a patient’s written acknowledgement of receipt of the Notice of Privacy Practices. The final rule promotes access to care by removing mandatory consent requirements that would inhibit patient access to health care, while providing the practice with the option of developing a consent process that works for that entity.
- A health care provider that has a direct treatment relationship with a patient (i.e., one in which the health care provider provides care or services directly to the patient, such as a doctor, or a pharmacist who provides advice on the proper use of a drug and its anticipated adverse effects) must give a copy of the practice’s Notice to the patient at the first delivery of service starting on or after April 14, 2003.
- A health care provider that has an indirect treatment relationship with a patient (i.e., one in which the provider delivers services on the orders of another health care provider and delivers care and services to the patient through the referring provider; e.g., a laboratory that draws blood from a patient on the orders of a doctor and returns the results to the doctor to give to the patient) need only give the organization’s Notice to the patient if it is requested by the patient.
- If the first delivery of care to a patient is over the telephone, the practice must provide a copy of the Notice to the patient on that day, either electronically, if the patient agrees, or by mail. Scheduling an appointment is not considered a service delivery.
- Practices are permitted to send the Notice to patients electronically only if the patient agrees to receive the document electronically. The patient’s agreement can be indirect. For example, if the patient provides an e-mail address to the practice, the practice can interpret that as a willingness of the patient to receive the Notice by e-mail.
- If a copy of the Notice is sent to a patient electronically, a paper copy of the Notice must still be provided if the patient requests one.
- If the practice is unable to give the Notice to the patient because of an emergency situation or because the patient is not currently able to acknowledge receipt, the Notice must be given as soon thereafter as is “reasonably practicable.”
- If the patient is a minor or incompetent, a copy must be provided to the patient’s parent or legal guardian.
- SAW LLC Notice of Privacy Practices is posted N/A.
- If a significant revision is made to the Notice, a copy must be made available to the patient on or after the expiration date if the patient requests it. The new Notice must be posted.
NOTICE OF PRIVACY PRACTICES
Effective Date: April 14, 2003 Last Modified: May 12, 2013
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
We are required by law to protect the privacy of health information that may reveal your identity, and to provide you with a copy of this notice, which describes the health information privacy practices of our medical group, its medical staff and affiliated health care providers who jointly perform health care services with our medical group, including physicians and physician groups who provide services at our facilities. A copy of our current notice will always be posted at all registration and/or admission points, including N/A. You will also be able to obtain your own copies by calling the Privacy Officer at 203-790-0111.
If you have any questions about this notice or would like further information, please contact the above referenced individual.
WHAT HEALTH INFORMATION IS PROTECTED
We are committed to protecting the privacy of information we gather about you while providing health- related services. Some examples of protected health information include information indicating that you are a patient of our medical group or receiving health-related services from our facilities, information about your health condition, genetic information, or information about your health care benefits under an insurance plan, each when combined with identifying information, such as your name, address, social security number or phone number.
REQUIREMENT FOR WRITTEN AUTHORIZATION
Generally, we will obtain your written authorization before using your health information or sharing it with others outside of our medical group. There are certain situations where we must obtain your written authorization before using your health information or sharing it, including:
Most Uses of Psychotherapy Notes, when appropriate.
Marketing. We may not disclose any of your health information for marketing purposes if our medical group will receive direct or indirect financial payment not reasonably related to our medical group’s cost of making the communication.
Sale of Protected Health Information. We will not sell your protected health information to third parties. The sale of protected health information, however, does not include a disclosure for public health purposes, for research purposes where our medical group will only receive payment for our costs to prepare and transmit the health information, for treatment and payment purposes, for the sale, transfer, merger or consolidation of all or part of our medical group, for a business associate or its subcontractor to perform health care functions on our medical group’s behalf, or for other purposes as required and permitted by law.
WRITTEN AUTHORIZATION
If you provide us with written authorization, you may revoke that written authorization at any time, except to the extent that we have already relied upon it. To revoke a written authorization, please write to the Privacy Officer at our medical group. You may also initiate the transfer of your records to another person by completing a written authorization form.
HOW WE MAY USE AND DISCLOSE YOUR HEALTH INFORMATION WITHOUT YOUR WRITTEN AUTHORIZATION
There are some situations when we do not need your written authorization before using your health information or sharing it with others, including:
- Treatment, Payment and Health Care Operations.
Treatment. We may share your health information with providers at the medical group who are involved in taking care of you, and they may in turn use that information to diagnose or treat you. A provider in our medical group may share your health information with another provider to determine how to diagnose or treat you. Your provider may also share your health information with another provider to whom you have been referred for further health care.
Payment. We may use your health information or share it with others so that we may obtain payment for your health care services. For example, we may share information about you with your health insurance company in order to obtain reimbursement after we have treated you. In some cases, we may share information about you with your health insurance company to determine whether it will cover your treatment.
Health Care Operations. We may use your health information or share it with others in order to conduct our business operations. For example, we may use your health information to evaluate the performance of our staff in caring for you, or to educate our staff on how to improve the care they provide for you.
- Appointment Reminders, Treatment Alternatives, Benefits and Services. In the course of providing treatment to you, we may use your health information to contact you with a reminder that you have an appointment for treatment, services or refills, or in order to recommend possible treatment alternatives or health-related benefits and services that may be of interest to you.
- Business Associates. We may disclose your health information to contractors, agents and other “business associates” who need the information in order to assist us with obtaining payment or carrying out our business operations. For example, we may share your health information with a billing company that helps us to obtain payment from your insurance company, or we may share your health information with an accounting firm or law firm that provides professional advice to us. Business associates are required by law to abide by the HIPAA regulations. If we do disclose your health information to a business associate, we will have a written contract to ensure that our business associate also protects the privacy of your health information. If our business associate discloses your health information to a subcontractor or vendor, the business associate will have a written contract to ensure that the subcontractor or vendor also protects the privacy of the information.
- Friend and Family Designated to be Involved in Your Care. If you have not voiced an objection, we may share your health information with a family member, relative, or close personal friend who is involved in your care or payment for your care, including following your death.
- Proof of Immunization. We may disclose proof of a child’s immunization to a school, about a child who is a student or prospective student of the school, as required by State or other law, if a parent, guardian, other person acting in loco parentis, or an emancipated minor, authorizes us to do so, but we do not need written authorization. The authorization may be oral.
- Emergencies or Public Need.
Emergencies or as Required by Law. We may use or disclose your health information if you need emergency treatment or if we are required by law to treat you. We may use or disclose your health information if we are required by law to do so, and we will notify you of these uses and disclosures if notice is required by law.
Public Health Activities. We may disclose your health information to authorized public health officials (or a foreign government agency collaborating with such officials) so they may carry out their public health activities under law, such as controlling disease or public health hazards. We may also disclose your health information to a person who may have been exposed to a communicable disease or be at risk for contracting or spreading the disease if permitted by law. We may disclose a child’s proof of immunization to a school, if required by State or other law, if we obtain and document the agreement for disclosure (which may be oral) from the parent, guardian, person acting in loco parentis, an emancipated minor or an adult. And finally, we may release some health information about you to your employer if your employer hires us to provide you with a physical exam and we discover that you have a work related injury or disease that your employer must know about in order to comply with employment laws.
Victims of Abuse, Neglect or Domestic Violence. We may release your health information to a public health authority authorized to receive reports of abuse, neglect or domestic violence.
Health Oversight Activities. We may release your health information to government agencies authorized to conduct audits, investigations, and inspections of our facilities. These government agencies monitor the operation of the health care system, government benefit programs such as Medicare and Medicaid, and compliance with government regulatory programs and civil rights laws.
Lawsuits and Disputes. We may disclose your health information if we are ordered to do so by a court or administrative tribunal that is handling a lawsuit or other dispute. We may also disclose your information in response to a subpoena, discovery request, or other lawful request by someone else involved in the dispute, but only if required judicial or other approval or necessary authorization is obtained.
Law Enforcement. We may disclose your health information to law enforcement officials for certain reasons, such as complying with court orders, assisting in the identification of fugitives or the location of missing persons, if we suspect that your death resulted from a crime, or if necessary, to report a crime that occurred on our property or off-site in a medical emergency.
To Avert a Serious and Imminent Threat to Health or Safety. We may use your health information or share it with others when necessary to prevent a serious and imminent threat to your health or safety, or the health or safety of another person or the public. In such cases, we will only share your information with someone able to help prevent the threat. We may also disclose your health information to law enforcement officers if you tell us that you participated in a violent crime that may have caused serious physical harm to another person (unless you admitted that fact while in counseling), or if we determine that you escaped from lawful custody (such as a prison or mental health institution).
National Security and Intelligence Activities or Protective Services. We may disclose your health information to authorized federal officials who are conducting national security and intelligence activities or providing protective services to the President or other important officials.
Military and Veterans. If you are in the Armed Forces, we may disclose health information about you to appropriate military command authorities for activities they deem necessary to carry out their military mission. We may also release health information about foreign military personnel to the appropriate foreign military authority.
Inmates and Correctional Institutions. If you are an inmate or you are detained by a law enforcement officer, we may disclose your health information to the prison officers or law enforcement officers if necessary to provide you with health care, or to maintain safety, security and good order at the place where you are confined. This includes sharing information that is necessary to protect the health and safety of other inmates or persons involved in supervising or transporting inmates.
Workers’ Compensation. We may disclose your health information for workers’ compensation or similar programs that provide benefits for work-related injuries.
Coroners, Medical Examiners and Funeral Directors. In the event of your death, we may disclose your health information to a coroner or medical examiner. We may also release this information to funeral directors as necessary to carry out their duties.
Organ and Tissue Donation. In the event of your death or impending death, we may disclose your health information to organizations that procure or store organs, eyes or other tissues so that these organizations may investigate whether donation or transplantation is possible under applicable laws.
- Completely De-identified or Partially De-identified Information. We may use and disclose your health information if we have removed any information that has the potential to identify you so that the health information is “completely de-identified.” We may also use and disclose “partially de-identified” health information about you if the person who will receive the information signs an agreement to protect the privacy of the information as required by federal and state law. Partially de-identified health information will not contain any information that would directly identify you (such as your name, street address, social security number, phone number, fax number, electronic mail address, website address, or license number).
- Incidental Disclosures. While we will take reasonable steps to safeguard the privacy of your health information, certain disclosures of your health information may occur during or as an unavoidable result of our otherwise permissible uses or disclosures of your health information. For example, during the course of a treatment session, other patients in the treatment area may see, or overhear discussion of, your health information.
- Fundraising. We may use or disclose your demographic information, including name, address, other contact information, age, gender, and date of birth, dates of health service information, department of service information, treating physician, outcome information, and health insurance status for fundraising purposes. With each fundraising communication made to you, you will have the opportunity to opt out of receiving any further fundraising communications. We will also provide you with an opportunity to opt back in to receive such communications if you should choose to do so.
- Changes to This Notice. We reserve the right to change this notice at any time and to make the revised or changed notice effective in the
YOUR RIGHTS TO ACCESS AND CONTROL YOUR HEALTH INFORMATION
You have the following rights to access and control your health information:
- Right to Inspect and Copy Records. You have the right to inspect and obtain a copy of any of your health information that may be used to make decisions about you and your treatment for as long as we maintain this information in our records, including medical and billing records. To inspect or obtain a copy of your health information, please submit your request in writing to the Privacy Officer. If you request a copy of the information, we may charge a fee for the costs of copying, mailing or other supplies we use to fulfill your request. If you would like an electronic copy of your health information, we will provide you a copy in electronic form and format as requested as long as we can readily produce such information in the form requested. Otherwise, we will cooperate with you to provide a readable electronic form and format as agreed. In some limited circumstances, we may deny the request.
- Right to Amend Records. If you believe that the health information we have about you is incorrect or incomplete, you may ask us to amend the information for as long as the information is kept in our records by writing to the Privacy Officer. Your request should include the reasons why you think we should make the amendment. If we deny part or all of your request, we will provide a written notice that explains our reasons for doing so. You will have the right to have certain information related to your requested amendment included in your records.
- Right to an Accounting of Disclosures. You have a right to request an “accounting of disclosures,” which is a list with information about how we have shared your health information with others. To obtain a request form for an accounting of disclosures, please write to the Privacy Officer. You have a right to receive one list every 12-month period for free. However, we may charge you for the cost of providing any additional lists in that same 12-month period.
- Right to Receive Notification of a Breach. You have the right to be notified within sixty (60) days of the discovery of a breach of your unsecured protected health information if there is more than a low probability the information has been compromised. The notice will include a description of what happened, including the date, the type of information involved in the breach, steps you should take to protect yourself from potential harm, a brief description of the investigation into the breach, mitigation of harm to you and protection against further breaches, and contact procedures to answer your questions.
- Right to Request Restrictions. You have the right to request that we further restrict the way we use and disclose your health information to treat your condition, collect payment for that treatment, run our normal business operations or disclose information about you to family or friends involved in your care. You also have the right to request that your health information not be disclosed to a health plan if you have paid for the services out of pocket and in full, and the disclosure is not otherwise required by law. The request for restriction will only be applicable to that particular service. You will have to request a restriction for each service thereafter. To request restrictions, please write to the Privacy Officer. We are not required to agree to your request for a restriction, and in some cases the restriction you request may not be permitted under law. However, if we do agree, we will be bound by our agreement unless the information is needed to provide you with emergency treatment or comply with the law. Once we have agreed to a restriction, you have the right to revoke the restriction at any time. Under some circumstances, we will also have the right to revoke the restriction as long as we notify you before doing so.
- Right to Request Confidential Communications. You have the right to request that we contact you about your medical matters in a more confidential way, such as calling you at work instead of at home, by notifying the registration associate who is assisting you. We will not ask you the reason for your request, and we will try to accommodate all reasonable requests.
- Right to Have Someone Act on Your Behalf. You have the right to name a personal representative who may act on your behalf to control the privacy of your health information. Parents and guardians will generally have the right to control the privacy of health information about minors unless the minors are permitted by law to act on their own behalf.
- Right to Obtain a Copy of Notices. If you are receiving this Notice electronically, you have the right to a paper copy of this Notice. We may change our privacy practices from time to time. If we do, we will revise this Notice and post any revised Notice in our registration area and N/A.
- Right to File a Complaint. If you believe your privacy rights have been violated, you may file a complaint with us by calling the Privacy Officer at 203-790-0111, or with the Secretary of the Department of Health and Human Services. We will not withhold treatment or take action against you for filing a complaint.
- Use and Disclosures Where Special Protections May Apply. Some kinds of information, such as HIV-related information, alcohol and substance abuse treatment information, mental health information, psychotherapy information, and genetic information, are considered so sensitive that state or federal laws provide special protections for them. Therefore, some parts of this general Notice of Privacy Practices may not apply to these types of information. If you have questions or concerns about the ways these types of information may be used or disclosed, please speak with your health care provider.
SAW LLC
54 Main Street, Suite F Danbury, CT 06810
203-790-0111
203-797-0822
Please refer to the “Forms” section to find the “Notice of Privacy Practices Acknowledgement and Consent” form.
PRIVACY HIPAA AND HITECH DOCUMENTATION
Purpose:
This policy is designed to give guidance for compliance with provisions of the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) and implementing regulations requiring covered entities to maintain documentation of policies, procedures and other administrative documents.
Policy:
- SAW LLC will implement policies and procedures with respect to protected health information (“PHI”) designed to comply with the standards, implementation specifications, or other requirements of the HIPAA Privacy Rule.
- SAW LLC will maintain documentation, in written or electronic form, of policies, procedures, communications, and other administrative documents as required by 45 C.F.R. 164.530(i) and (j), for a period of at least six years from the date of creation or the date when last in effect, whichever is later.
- SAW LLC will incorporate any changes in law into its policies, procedures, and other administrative documents, as
Procedures:
- SAW LLC’s policies have been reasonably designed to take into account the size and type of activities undertaken by the facility with respect to
- The following documentation will be maintained in an organized manner:
Policies and procedures related to the use or disclosure of PHI;
Policies and procedures related to sanctions for a violation of policies and procedures;
Policies and procedures related to requests of individuals for an accounting of disclosures and Access Report;
Requests for the use or disclosure of PHI;
Policies and procedures related to minimum necessary disclosure;
Policies and procedures related to fundraising and marketing of PHI.
ENFORCEMENT
REFERENCES: 45 CFR PARTS 160 AND 164
HITECH SECTIONS 13409, 13410 AND 13411
DEFINITIONS:
According to the “HIPAA Omnibus Rule” of 2013, the following definitions apply:
Reasonable cause (amended) means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.
Reasonable diligence means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.
Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.
POLICY
SAW LLC is aware of, and complies with, the Enforcement provisions of the HIPAA Omnibus Rule of 2013. The purpose of the Rule is to amend HIPAA’s enforcement regulations relating to the imposition of civil monetary penalties, to incorporate the following items of the HITECH Act:
Categories of violations,
Tiered ranges of civil monetary penalty amounts, and
Revised limitations on the Secretary’s authority to impose civil monetary penalties for established violations of HIPAA’s Administrative Simplification Rules (HIPAA Rules).
SAW LLC will comply with all the HIPAA provisions, and will quickly and voluntarily correct any acts or omissions that may possibly be violations of the HIPAA rules. Any individual person associated with SAW LLC who wrongfully obtains, uses, or discloses individually identifiable health information may be subject to criminal penalties. These penalties can include fines, imprisonment, or both. It should be noted that both individuals and organizations who violate the Rule may be subject to both civil and criminal penalties.
The provisions of the Rule apply to covered entities and business associates, who are now considered covered entities under many sections of the HITECH Act.
Improved Enforcement
The following penalty amounts of the HIPAA Enforcement Rule explain HHS’ implementation of authority regarding violations that occur on or after February 18, 2009, when ARRA became law. Under the HITECH Act, the HHS Secretary’s civil monetary penalty authority was strengthened. The revisions significantly increase the penalty amounts the HHS Secretary can impose for violations of the HIPAA Rules, and encourage the establishment of compliance programs that effectively prevent, detect, and quickly correct violations of the HIPAA Rules.
Penalty tiers are different, depending on whether the violations occurred before or after the enactment date of HITECH—February 18, 2009. For violations prior to this date, HHS is allowed to issue civil penalties of not more than $100 for each violation, with a total maximum amount of $25,000 for identical violations per calendar year, and they are not allowed if:
- The covered entity could prove that they did not know of the violation (and by using reasonable diligence would not have known); or
- The violation was due to reasonable cause, and not to willful neglect—and was corrected within 30 days (or other period based on circumstances, determined by HHS) after the covered entity knew of the violation, (or with reasonable diligence should have known).
For violations that have occurred after February 18, 2009, the Omnibus Rule establishes the following civil penalties for covered entities:
- For violations where the entity did not have knowledge of the violation (and by using reasonable diligence would NOT have known), penalty amounts can range from $100 to $55,010 for each violation, or can be up to $1,650,300 for identical violations during a calendar year;
- For violations due to reasonable cause, and not to willful neglect, penalties can range from $1,000 to $55,010 for each violation;
- For violations due to willful neglect, and timely corrected within 30 days after the entity knew of the violation, penalties can range from $10,000 to $55,010 for each violation, or not more than $1,650,300 for identical violations during a calendar year;
- For violations due to willful neglect, and NOT timely corrected within 30 days after the entity knew of the violation, minimum penalties of $55,010 for each violation, or not more than $1,650,300 for identical violations during a calendar year.
When determining the amount of a penalty for a violation, HHS will base the decision on the nature and extent of the violation, the nature and extent of the harm resulting from the violation, and possibly other factors such as the entity’s prior compliance with the HIPAA Rules.
It may be possible to avoid penalties if the covered entity can establish with HHS that an “affirmative defense” exists. Further information may be obtained from counsel.
Civil Actions
The HITECH Act, Section 13410(e), Enforcement Through State Attorneys General, states that the State Attorney General must bring actions against a covered entity for a violation on behalf of the state’s residents. If the action is successful, reasonable attorney’s fees and the cost of the action may be imposed upon the covered entity. Civil penalties may be waived by the Secretary of the Department of Health and Human Services in whole or in part, under certain circumstances.
Business Associates
Under the federal common law of agency, covered entities may be held liable for the acts of their business associates. Practice counsel will be consulted about whether a particular business associate is considered an agent of the practice.
According to the preamble of the Omnibus Rule:
“An analysis of whether a business associate is an agent will be fact specific, taking into account the terms of a business associate agreement as well as the totality of the circumstances involved in the ongoing relationship between the parties. The essential factor in determining whether an agency relationship exists between a covered entity and its business associate (or business associate and its subcontractor) is the right or authority of a covered entity to control the business associate’s conduct in the course of performing a service on behalf of the covered entity.”
“The right or authority to control the business associate’s conduct also is the essential factor in determining whether an agency relationship exists between a business associate and its business associate subcontractor.”
Covered entities or business associates are not liable for the acts of third parties that are not under their control, because such third parties are not their agents.
PROCEDURE
- All employees are required to inform the Privacy Officer of any known or suspected violations of SAW LLC HIPAA policies and procedures.
- The Privacy Officer will evaluate the violation and whether there was more than a low probability that the PHI was compromised, and determine the appropriate course of action according to the HITECH Breach Notification Rule. All such violations and associated efforts to mitigate the harmful effects will be documented. Mitigation may include, but is not limited to:
Taking operational and procedural corrective measures to remedy violations;
Taking employment actions to re-train, reprimand, or discipline employees as necessary, up to and including termination;
Addressing problems with business associates once SAW LLC is aware of a breach of privacy;
Incorporating mitigation solutions into SAW LLC’s policies as necessary and appropriate.
- All violations of HIPAA policy and procedure that affect an individual will be documented in the accounting of disclosures. The patient may not necessarily be notified if the Privacy Officer determines, using a risk assessment according to the Breach Notification Rule, that there was a low probability that the PHI was compromised, given the nature of the violation. In cases where the probability of compromise is more than low, the patient will be notified of the violation and SAW LLC’s efforts to mitigate the resulting harm. In some cases, HHS and the media may also need to be notified, depending on the number of individuals affected by the breach.
ENFORCEMENT
The Privacy Officer is responsible for enforcing this Policy. Employees who violate this policy are subject to discipline, up to and including termination from employment, in accordance with SAW LLC’s Sanctions policy. Under HITECH Section 13409, any individual person associated with the practice who wrongfully obtains, uses, or discloses individually identifiable health information may be subject to criminal penalties. These penalties can include fines, imprisonment, or both.
RIGHT TO REQUEST RESTRICTIONS ON USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION
PATIENT’S RIGHTS: RESTRICTIONS ON USES AND DISCLOSURES / CONFIDENTIAL COMMUNICATIONS
REFERENCE: 45 C.F.R. 164.522
SCOPE OF POLICY
This policy applies to all SAW LLC staff members and health care professionals. SAW LLC staff members include all employees, volunteers, consultants, contractors, vendors, subcontractors and business associates of SAW LLC.
STATEMENT OF POLICY
SAW LLC complies with the Health Insurance Portability and Accountability Act of 1996 and Department of Health and Human Services rule that is designed to preserve the privacy of identifiable patient information. HITECH Section 13405, “Restrictions on Certain Disclosures and Sales of Health Information,” is followed regarding PHI in electronic form.
From time to time, patients may request certain additional privacy protections for their health information. For example, patients may request restrictions on the way SAW LLC uses and discloses their protected health information. They may also request that we communicate with them by an alternative means or methods that are more confidential for them. SAW LLC must permit an individual to request that SAW LLC restrict uses or disclosures of PHI about the individual to carry out treatment, payment, or health care operations, and disclosures to individuals involved in the patient’s care.
It is SAW LLC’s policy to respond to all patient requests in a respectful manner. Under the law, special procedures must be followed when handling such requests. Patients requesting additional privacy protections should therefore be directed to submit their requests to the Privacy Officer.
Under HITECH Section 13405(a), “Requested Restrictions on Certain Disclosures of Health Information,” this part of the HIPAA Privacy Rule is clarified: the covered entity must comply with a requested restriction if:
- Except as otherwise required by law, the disclosure is to a health plan for purposes of carrying out payment or health care operations (and is not for purposes of carrying out treatment); and
- The protected health information pertains solely to a health care item or service for which the health care provider involved has been paid out-of-pocket in full by the patient or by another person on behalf of the patient.
Stated another way, if a health plan, or a business associate of the health plan, requests disclosure of a patient’s PHI for purposes of carrying out payment or health care operations (not treatment), and the patient has paid for the health care item or service out-of-pocket in full, then the practice may not disclose the PHI if the individual has requested a restriction on that disclosure, unless the disclosure is otherwise required by law.
Refer the Patient to the Privacy Officer
If a patient requests additional privacy protections, SAW LLC staff should direct the patient to submit his or her request to the Privacy Officer, who is the only person authorized to grant or deny the requests. SAW LLC staff should never grant a patient’s request, nor provide any assurances that the request will be granted, unless the Privacy Officer has specifically approved the request. The patient’s request for additional privacy protections should never be denied outright by a staff member without requesting that the patient submit his or her request to the Privacy Officer.
On those occasions when SAW LLC agrees to a restriction, staff of SAW LLC may not use or disclose PHI in violation of the restriction, except that, if the individual who requested the restriction is in need of emergency treatment, and the restricted PHI is needed to provide the emergency treatment, practice clinicians may use the restricted PHI, or may disclose such information to a health care provider, to provide such treatment to the individual. If restricted PHI is disclosed to a health care provider for emergency treatment, SAW LLC must request that such health care provider not further use or disclose the information.
The practice is not required to notify downstream providers (such as physician specialists to whom referrals are made on behalf of the patient) of a restriction, but may do so if it wishes. If the patient desires to restrict uses and disclosures by other providers, it is his or her responsibility to request this from those providers.
A restriction agreed to by SAW LLC is not effective to prevent uses or disclosures permitted or required for the individual’s right to access to PHI or right to an accounting of uses and disclosures of PHI; uses and disclosures for facility directories; or uses and disclosures that do not require permission (e.g., as required by law).
Terminating a Restriction
SAW LLC may modify or terminate its agreement to a restriction if:
- The individual agrees to or requests the termination or modification in writing; or
- SAW LLC informs the individual that it is terminating its agreement to the restriction, except that such termination is only effective with respect to PHI created or received after it has so informed the individual.
PROCEDURE:
- All requests for a restriction on use and disclosure of PHI must be made in writing by the patient. A model patient request form is available on the following pages.
- The requirement for requests to be made in writing will be reflected in the Notice of Privacy Practices.
- The restriction also applies to the Business Associates of a health
- All requests for restriction must be reviewed and approved by Viorica Timosca, the practice’s Privacy Officer.
- One of three decisions may be reached:
The request is granted,
The request is granted only in part, or
The request is denied.
- Decisions on requests for restriction must be communicated to the patient. A model Decision Letter is available on the following pages. A copy of this document must be retained in the individual’s record in accordance with the retention requirement below.
- If SAW LLC agrees to a restriction, the agreement must be documented in a written or electronic record. SAW LLC will retain the documentation for six years from the date of its creation or the date when it last was in effect, whichever is later.
- All restrictions must be documented and filed in a conspicuous location within the individual’s record and communicated to appropriate staff to ensure that the agreed upon restrictions are followed.
- All agreed upon restrictions on use and disclosure will be documented in one of two manners:
- A note will be placed on the outside of the patient record — “Restrictions on Uses and Disclosures.” The Privacy Officer will document the actual restriction on the inside cover of the patient record.
- If the capability exists, a note will be placed in a general notes field, attached to the patient’s name in the practice’s information system.
- If SAW LLC denies the restriction, a timely written denial is provided to the patient (see Model Documents). The denial meets the following requirements:
- Written in plain language,
- Includes the reason or basis for the denial,
- Includes a statement of the individual’s right to have the decision reviewed and a description of how the individual can exercise that right,
- A description of how the individual may complain to the covered entity or to the Secretary of Health and Human Services. The description must include the name, or title, and telephone number of the contact person or office designated to receive the complaint.
- The restriction remains effective until:
- The patient agrees to remove the restriction, or requests the removal of the restriction in writing,
- The patient orally agrees to the termination and the oral agreement is documented,
- SAW LLC unilaterally terminates the restriction by informing the patient; the termination applies only to PHI collected or created after the termination.
Confidential Communications
SAW LLC must permit individuals to request and receive communications of PHI by alternative means or at alternative locations, and must accommodate reasonable requests by individuals.
- SAW LLC requires individuals to make requests for confidential communication in writing.
- If the patient’s confidential communication request involves withholding information from his/her insurer because the patient is paying for the service out-of-pocket, SAW LLC may condition the provision of a reasonable accommodation on full payment by the patient for the particular services. SAW LLC requires that the individual pay for any labor and expenses necessary to facilitate a requested confidential communication if such expenses are incurred.
- SAW LLC will not require an explanation from the individual as to the basis for the request as a condition of providing communications on a confidential basis.
- If a request for confidential communications is approved, that request must be documented and placed in a conspicuous location in the patient’s file and communicated to appropriate staff to ensure that the request is honored.
- All agreed upon confidential communications will be documented in one of two manners:
- A note will be placed on the outside of the patient record — “Confidential Communications.” The Privacy Officer will document the actual restriction on the inside cover of the patient’s record.
- If the capability exists, a note will be placed in a general notes field, attached to the patient’s name in the practice’s information system. This will ensure uniform communication of the restriction to staff that need to know of it.
- The restriction remains effective until:
- The patient agrees to remove the restriction, or requests the removal of the restriction in writing,
- The patient orally agrees to the termination and the oral agreement is documented,
- SAW LLC unilaterally terminates the restriction by informing the patient; the termination applies only to PHI collected or created after the termination.
VIOLATIONS
All SAW LLC staff are expected to review a patient’s medical record for possible restrictions on the use or disclosure of the patient’s information. Restrictions will be posted in the appropriate section of the patient’s medical record. All restrictions must be followed.
SAW LLC has general responsibility for implementation of this policy. Staff members who violate this policy will be subject to disciplinary action up to and including termination of employment or affiliation with SAW LLC.
INTERPRETATION(S):
The final rule retains an individual’s right to request restrictions on uses or disclosures of PHI for treatment, payment, or health care operations, and prohibits a practice from using or disclosing PHI in a way that is inconsistent with an agreed upon restriction between SAW LLC and the patient.
=
Please refer to the “Forms” section to find the “Patient Request to Restrict Disclosure of Protected Health Information to Health Plan” form.
=
Please refer to the “Forms” section to find the “Request for Confidential Communication” form.
ACCESS TO PROTECTED HEALTH INFORMATION
PATIENT ACCESS TO PROTECTED HEALTH INFORMATION POLICY
REFERENCE: 45 CFR § 164.524
SCOPE OF POLICY
This policy applies to all SAW LLC staff members in the Patient Records Department, Billing Department, other designated departments, and the Privacy Officer, who are authorized to respond to requests for access to patient health information.
STATEMENT OF POLICY
Patients generally have a right to access their own health information contained in records that may be used to make decisions about them (called “designated record sets”). It is SAW LLC’s policy to treat all patient requests in a respectful manner. Patients should be directed to submit any requests for access to medical records, billing records or any other records (whether or not they contain Patient health information) to the Privacy Officer.
IMPLEMENTATION OF POLICY
1. Right To Access Records
Who Can Access: A patient, a patient’s guardian or a patient’s personal representative may access a record after submitting a written request to physically inspect the medical record. A patient or patient’s personal representative is any patient, parent, guardian, or committee of an incompetent. (A model letter for this purpose is contained on the following pages.)
What Information: SAW LLC’s patients have the right to inspect and obtain a copy of the protected health information that SAW LLC, or one of its business associates, maintains in “designated record sets.” “Designated record sets” are sets of records that may be used to make decisions about the patients or their treatment.
The designated record set for each patient generally includes the patient’s medical record.
For How Long: Patients have the right to access their protected health information for as long as the information is maintained in their designated record set.
In Writing: All requests for access must be made in writing.
Proper Identification: In the interest of protecting the confidentiality of the record, the person requesting access must present government-issued photo identification, such as a driver’s license or ID card that carries a valid signature. Individuals requesting access in the capacity of guardian or conservator of the person should send a copy of their appointment papers when requesting copies or present such papers at the time of inspection. The signature will be compared with the signature on the consent for treatment and any discrepancy clarified.
2. Response Time
The Privacy Officer must respond to a patient’s requests for access to their protected health information (by either granting or denying the request) as soon as possible after the request is received. When possible, the request will be granted within 30 days of the day of request. If it cannot be granted within this time frame, a one-time 30-day extension may be used. The patient will be notified if this is necessary.
3. Granting Requests For Inspection Of Records
If SAW LLC is granting a patient’s request to inspect his or her protected health information, the Privacy Officer will arrange an appointment with the individual to review their records. Copies may be provided in lieu of inspection.
Proper Identification: The identification requirements in Section 1 above apply at the time of inspection; a guardian or conservator must also present appointment papers, and the signature will be compared with the signature on the consent for treatment and any discrepancy clarified.
Assisting Patient With Review: The Privacy Officer may ask the patient whether a staff member may assist the patient in reviewing the information requested. The patient is free to refuse any assistance, and cannot be penalized or denied access for doing so.
Supervising Patient’s Independent Review: If the patient is not reviewing his or her information jointly with a staff member, the Privacy Officer will be present in the room at all times to ensure that the integrity of the records is maintained. The Privacy Officer should remain in view of the patient to prevent inappropriate tampering, but far enough away so that the patient is afforded appropriate privacy when reviewing the content of his or her records. The Privacy Officer will not answer any questions regarding the content of the record. If the patient wishes to be completely alone, he or she must request copies of the records.
Miscellaneous: A patient’s review of his or her information should take place only where the patient will not be able to view information or records concerning other patients. A patient may be accompanied by a family member or other individual and may view their records with that companion.
4. Requests for Copies
The patient must submit a valid authorization form to obtain paper or electronic copies of medical records. (A model letter for this purpose is contained on the following pages.) If the patient requests an electronic copy of their medical records, SAW LLC must provide the patient a copy in the electronic form and format as requested, as long as SAW LLC can readily produce such information in the form requested. Otherwise, SAW LLC should cooperate with the patient to provide a readable electronic form and format of the records as agreed between SAW LLC and the patient.
Copies should be delivered to the patient in the method specified on the patient’s request form or letter. The patient may visit SAW LLC to pick up the copies or request that the copies be delivered by mail to the address provided on the authorization form. The patient may also request that the practice transmit electronic copies directly to the patient’s designee. The choice of designee must be clear, conspicuous and specific.
A nominal fee may be charged for supplies, postage, and labor for copying, whether in paper or electronic form, in accordance with state law.
5. Denying Access
Reasons for Denial: A request for access that is not made in writing should be denied. In addition, the right to access does not extend to the following:
Psychotherapy notes;
Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding;
PHI maintained by a covered entity that is subject to the Clinical Laboratory Improvements Amendments of 1988, 42 U.S.C. 263a, to the extent the provision of access to the individual would be prohibited by law, or exempt from the Clinical Laboratory Improvements Amendments of 1988, pursuant to 42 CFR 493.3(a)(2);
When SAW LLC is acting under the direction of a correctional institution it may deny, in whole or in part, an inmate’s request to obtain a copy of PHI, if obtaining such copy would jeopardize the health, safety, security, custody, or rehabilitation of the individual or of other inmates, or the safety of any officer, employee, or other person at the correctional institution who is responsible for the transporting of the inmate;
An individual’s access to PHI created or obtained by a covered health care provider in the course of research that includes treatment may be temporarily suspended for as long as the research is in progress, provided that the individual has agreed to the denial of access when consenting to participate in the research that includes treatment, and SAW LLC has informed the individual that the right of access will be reinstated upon completion of the research;
An individual’s access to PHI that is contained in records that are subject to the Privacy Act, 5 U.S.C. § 552a, may be denied, if the denial of access under the Privacy Act would meet the requirements of that law;
An individual’s access may be denied if the PHI was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information.
SAW LLC may deny an individual access, provided that the individual is given a right to have such denials reviewed, in the following circumstances:
A licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person;
The PHI makes reference to another person (unless such other person is a health care provider) and a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to such other person;
The request for access is made by the individual’s personal representative, and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the individual or another person.
If access is denied on one of the grounds listed immediately above, the individual has the right to have the denial reviewed by SAW LLC’s Privacy Officer, provided the Privacy Officer did not participate in the original decision to deny.
Notice of Denial: If the patient’s request is being denied, the patient must be notified. (A model letter for this purpose is contained on the following pages.)
The patient has the right to request a review of a denial by SAW LLC’s privacy officer, or to register a complaint. The review request must be in writing and submitted to the privacy officer: Viorica Timosca, SAW LLC, 54 Main Street, Suite F, Danbury, CT 06810. The Privacy Officer or his/her designee will review the request. Alternatively, the patient may register a complaint with the Secretary of the United States Department of Health and Human Services. The complaint can be filed in writing, either on paper or electronically. The complaint must be filed within 180 days of when the patient knew or should have known that the act or omission complained of occurred, unless the Secretary for good cause shown waives this time limit.
6. Requests For Access By A Patient’s Personal Representative
If a patient’s personal representative requests access to the patient’s records, the Privacy Officer generally should grant or deny access according to the procedures in this policy as though the patient’s personal representative were the patient, unless one of the following exceptions applies.
Patient Lacking Capacity: When a patient lacks capacity to make health care decisions and the patient’s personal representative must be given access to the patient’s information in order to make health care decisions on behalf of the patient, the Privacy Officer should grant such access to the patient’s personal representative.
Patients Who have Expired: The final OMNIBUS HIPAA rule adopts the proposal to amend § 164.510(b) to permit covered entities to disclose a decedent’s protected health information to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity. The right to inspect and obtain copies of patient information is extinguished with the death of the qualified person. A duly appointed or qualified estate representative of the individual has the right of access to the medical record.
For example, a covered health care provider could describe the circumstances that led to an individual’s passing with the decedent’s sister who is asking about her sibling’s death. A covered health care provider could also disclose billing information to a family member of a decedent who is assisting with wrapping up the decedent’s estate. However, in both of these cases, the provider generally should not share information about past, unrelated medical problems. These disclosures are permitted and not required: a covered entity that questions the relationship of the person to the decedent or otherwise believes, based on the circumstances, that disclosure of the decedent’s protected health information would not be appropriate, is not required to make the disclosure.
The amended HIPAA regulations changed the definition of PHI to exclude the health information of a person who has been deceased for more than 50 years.
Documentation: The Privacy Officer must keep the documentation in connection with any request by a patient or a patient’s personal representative to access protected health information. These documents must be maintained by SAW LLC for six (6) years from the date of their creation. When possible, these documents will be kept in the patient’s medical record.
VIOLATIONS
SAW LLC’s staff and medical professionals who violate this policy will be subject to disciplinary action up to and including termination of employment or staff privileges with SAW LLC. Anyone who knows or has reason to believe that another person has violated this policy should report the matter promptly to his or her supervisor or SAW LLC’s Privacy Officer. Any attempt to retaliate against a person for reporting a violation of this policy will itself be considered a violation of this policy that may result in disciplinary action up to and including termination of employment.
=
Please refer to the “Forms” section to find the “Patient Record Request” form.
=
Please refer to the “Forms” section to find the “Letter— Decision on Request for Access or Copy of Medical Records” form.
THE CURES ACT FINAL RULE
The Cures Act Final Rule (effective April 5, 2021) pertains exclusively to electronic health information (EHI) and the access and exchange of that electronic data. This sets it apart from HIPAA, which covers paper, electronic and verbal data as protected health information (PHI). “The Cures Act directed HHS to develop the Trusted Exchange Framework and Common Agreement (TEFCA) among health information networks nationally for EHI exchange through Health Information Networks (HINs) (Sec 4003), to require certified Health Information Technology (HIT) to publish application programming interfaces (Sec 4002), & to educate stakeholders about how EHI exchange can support individual access (Sec 4006).” Providers will more easily retrieve data from different sources across HINs to produce more complete health records for individuals.
Interconnected Networks
More interconnected networks can make it easier for individuals to:
- Access their protected and other electronic health information
- Direct their compiled EHI to any recipient they designate, including researchers or digital health apps
Framework
HIPAA and the Trusted Exchange Framework allow health records to be transmitted in many ways. Entities should work with their vendors and/or HIN to enable these functions and should find a method that satisfies the individual. Patients need to be supported so they can use a secure electronic method to access their information in the following ways:
- Through digital health apps that use open Application Programming Interfaces (APIs); patients can use the smartphone app of their choice
- Through other view/download/transmit options
- By secure email (or unencrypted email, if requested by the individual), direct messaging, HINs, etc.
- Through patient portals
- Through online appointment scheduling, secure messaging, and prescription refills that engage patients
Timeline and Types of Clinical Notes To Be Shared
As of April 5, 2021, clinical notes must be shared by health systems. By October 6, 2022, clinical notes must be shared with a patient’s 3rd party application (“app”) that may be downloaded to a smart phone or other device. There are eight (8) types of clinical notes that must be shared and are outlined in the United States Core Data for Interoperability (USCDI). These include:
- consultation notes
- discharge summary notes
- history & physical
- imaging narratives
- laboratory report narratives
- pathology report narratives
- procedure notes
- progress notes
Clinical Notes To Which The Rules Do NOT Apply
Clinical notes to which the rules do not apply include:
- Psychotherapy notes that are separated from the rest of the individual’s medical record and are recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session.
- Information compiled in reasonable anticipation of, or for use in, a civil, criminal or administrative action or proceeding.
Section 4004
Section 4004 of the Cures Act specifies certain practices that could constitute information blocking, which the Final Rule describes as restricting patients’ access to their health records. The Final Rule defines eight exceptions: practices that, provided certain conditions are met, do not constitute information blocking. These give clinicians some flexibility to protect patient privacy and security and to decline requests where data interoperability is not technically reasonable. The exceptions are divided into two classes:
Class #1
Exceptions that involve not fulfilling requests to access, exchange, or use EHI
Preventing Harm Exception: It will not be information blocking for an actor to engage in practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met.
Privacy Exception: It will not be information blocking if an actor does not fulfill a request to access, exchange, or use EHI in order to protect an individual’s privacy, provided certain conditions are met.
Security Exception: It will not be information blocking for an actor to interfere with the access, exchange, or use of EHI in order to protect the security of EHI, provided certain conditions are met.
Infeasibility Exception: It will not be information blocking if an actor does not fulfill a request to access, exchange, or use EHI due to the infeasibility of the request, provided certain conditions are met.
Health IT Performance Exception: It will not be information blocking for an actor to take reasonable and necessary measures to make health IT temporarily unavailable or to degrade the health IT’s performance for the benefit of the overall performance of the health IT, provided certain conditions are met.
Class #2
Exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI
Content and Manner Exception: It will not be information blocking for an actor to limit the content of its response to a request to access, exchange, or use EHI or the manner in which it fulfills a request to access, exchange, or use EHI, provided certain conditions are met.
Fees Exception: It will not be information blocking for an actor to charge fees, including fees that result in a reasonable profit margin, for accessing, exchanging, or using EHI, provided certain conditions are met.
Licensing Exception: It will not be information blocking for an actor to license interoperability elements for EHI to be accessed, exchanged, or used, provided certain conditions are met.
EMPLOYEE ACCESS TO PROTECTED HEALTH INFORMATION
REFERENCE: 45 CFR § 164.514(d)(2)(i)(A)-(B)
SAW LLC complies with the Health Insurance Portability and Accountability Act of 1996 and Department of Health and Human Services rules that are designed to preserve the privacy of identifiable patient information.
45 C.F.R. § 164.514(d)(2)(i)(A)-(B) requires that a covered entity identify those persons or classes of persons, as appropriate, in its workforce who need access to protected health information (PHI) to carry out their duties, and, for each such person or class of persons, the category or categories of protected health information to which access is needed and any conditions appropriate to such access.
SAW LLC must make reasonable efforts to limit the access of such persons or classes to protected health information (PHI).
The “Employee Access to Protected Health Information Grid” is used to identify employees of SAW LLC and the classes of PHI to which they are permitted access in order to carry out their duties. (A model form for this purpose is contained on the following pages.) All employees of SAW LLC must sign a confidentiality agreement that reminds all employees that they are obligated to access only PHI that is necessary for them to complete their job responsibilities. It is a violation of practice policy to knowingly access protected health information in circumstances where that information is not required for an individual to complete their job responsibilities. Violation of this policy will result in disciplinary action that may include termination.
In addition, under HITECH Section 13409, any individual person associated with the practice who wrongfully obtains, uses, or discloses individually identifiable health information may be subject to criminal penalties. These penalties can include fines, imprisonment, or both.
PROCEDURE:
- The practice defines, for each employee, the protected health information that an individual, or class of individuals, is authorized to use and disclose.
- Each individual or class of individuals is identified on the “Employee Access to Protected Health Information Grid” in the following manner:
- Employee Name — enter Last Name, First Name
- Job Title — enter job title, in general terms, e.g., Clinician (MD, DO, NP, PA, RT, RN, PT, etc.), Medical Assistant, Billing, and Administrative Support
- Job Responsibilities — in general terms, e.g., billing, clinical care, administrative support, clinical support
- Categories of PHI permitted: Enter one of the following:
- Entire record
- Demographics and encounter notes for billing
- Demographic information and forms/faxes with PHI for administrative support
- Restrictions: Identify any restrictions, e.g., no encounter information, etc.
All employees are required to review the HIPAA Policies and Procedures, and sign an acknowledgement form stating that they understand their duties regarding patient privacy. (A model form “Staff Member Confidentiality & Non-Disclosure Agreement” is available on the following pages.)
Please refer to the “Forms” section to find a printable version of the “Employee Access to Protected Health Information Grid” as well.
STAFF CONFIDENTIALITY AND NON-DISCLOSURE AGREEMENT POLICY
POLICY
The purpose of this policy is to maintain an adequate level of security to protect SAW LLC’s protected health information (“PHI”) and personal information from unauthorized access, use or disclosure. This policy applies to all SAW LLC staff members. Staff members include all employees, volunteers, and consultants at SAW LLC. Users who are granted access to PHI and personal information will be required to sign this Staff Confidentiality and Non-Disclosure Agreement. This policy is not intended, and should not be construed, to limit or prevent an employee from exercising rights under the National Labor Relations Act.
PROCEDURE
Only authorized users are granted access to PHI. Such access is limited to specific, defined, documented and approved applications and level of access rights.
As a condition to receiving passwords and user ID codes, or access rights to PHI (either by electronic or hard copy access), each employee, volunteer, consultant and user must agree, in writing, to comply with established terms and conditions included here, and within the Acceptable Use of Information Policy (contained within the HIPAA Policy Manual). Failure to comply with such terms and conditions may result in the denial and/or immediate suspension of access to PHI.
A violation of the terms of the confidentiality and non-disclosure agreement may be grounds for disciplinary action, including termination of employment or contract, loss of privileges, legal action for monetary damages or injunction, or both, or any other remedy available to SAW LLC.
=
Please refer to the “Forms” section to find the “Staff Member Confidentiality and Non-Disclosure Agreement” form.
=
Please refer to the “Forms” section to find the “Employee Exit Interview” form.
=
Please refer to the “Forms” section to find the “Employee Exit/Termination Checklist” form.
AMENDMENT TO PROTECTED HEALTH INFORMATION
PATIENT REQUESTS TO AMEND PROTECTED HEALTH INFORMATION
REFERENCE: 45 CFR § 164.526
SCOPE OF POLICY
This policy applies to all SAW LLC’s staff members and health care professionals. SAW LLC staff members include all employees, trainees, volunteers, consultants, and health care professionals at SAW LLC.
STATEMENT OF POLICY
Patients generally have a legal right to request that SAW LLC amend protected health information (“PHI”) contained in “designated record sets” maintained by SAW LLC or its business associates. (A model form is available for this purpose on the following pages.)
Designated record sets are defined by HIPAA as:
Medical records maintained by SAW LLC or a business associate of SAW LLC;
Billing records maintained by SAW LLC or a business associate of SAW LLC; and,
Any enrollment, payment, claims adjudication, and case or medical management records maintained for a health plan or insurer by SAW LLC or a business associate of SAW LLC.
It is SAW LLC’s policy to treat all patient requests in a respectful manner. If a patient asks questions about amending his or her record, the patient is to submit his or her request directly to the Privacy Officer. The Privacy Officer will enlist the assistance of the provider, who will determine whether to grant the request. The Privacy Officer will also be responsible for updating SAW LLC’s records if a requested amendment is granted.
PROCEDURE
SAW LLC will act on the individual’s request for an amendment no later than 60 days after receipt of such a request. If SAW LLC is unable to act on the amendment within the time required, SAW LLC may extend the time for such action by no more than 30 days, provided that:
SAW LLC, within the time limit described above, provides the individual with a written statement of the reasons for the delay and the date by which SAW LLC will complete its action on the request.
Under the HIPAA rule, SAW LLC may have only one such extension of time for action on a request for an amendment.
Denials of Requests
SAW LLC may deny an individual’s request for amendment, if a provider determines that:
The PHI, or record that is the subject of the request, was not created by the covered entity, unless the individual provides a reasonable basis to believe that the originator of PHI is no longer available to act on the requested amendment.
The PHI or record that is the subject of the request is not part of the designated record set.
The PHI, or record that is the subject of the request, would not be available because access has been denied (see policy on Patient Right to Access).
The PHI, or record that is the subject of the request, is accurate and complete.
- If SAW LLC accepts the requested amendment, in whole or in part, SAW LLC will comply with the following requirement:
SAW LLC will make the appropriate amendment to the PHI or record that the data is the subject of the request for amendment and at a minimum, identify the records in the designated record set that are affected by the amendment and append or otherwise provide a link to the location of the amendment.
- SAW LLC will inform the individual in a timely fashion that the amendment is accepted and obtain the individual’s identification of, and agreement to have the covered entity notify, the relevant persons with which the amendment needs to be shared.
- SAW LLC will make reasonable efforts to inform and provide the amendment within a reasonable time to:
Persons identified by the individual as having received PHI about the individual and needing the amendment; and
Persons, including business associates, that the covered entity knows have the PHI that is the subject of the amendment and that may have relied, or could foreseeably rely, on such information to the detriment of the individual.
- SAW LLC will document the amendment using the form found in the Model Documents section of this manual.
- If the individual’s primary care provider denies the requested amendment, in whole or in part, SAW LLC must comply with the following requirements:
The covered entity must provide the individual with a timely, written denial (see Model Documents). The denial must use plain language and contain:
- The basis for the denial,
- The individual’s right to submit a written statement disagreeing with the denial and how the individual may file such a statement,
- A statement that, if the individual does not submit a statement of disagreement, the individual may request that SAW LLC provide the individual’s request for amendment and the denial with any future disclosures of the PHI that is the subject of the amendment,
- A description of how the individual may complain to the covered entity or to the Secretary of Health and Human Services. The description will include the name, or title, and telephone number of SAW LLC’s Privacy Officer.
- SAW LLC will permit the individual to submit to SAW LLC a written statement disagreeing with the denial of all or part of a requested amendment and the basis of such disagreement. SAW LLC may reasonably limit the length of a statement of disagreement.
- SAW LLC may prepare a written rebuttal to the individual’s statement of disagreement. Whenever such a rebuttal is prepared, SAW LLC must provide a copy to the individual who submitted the statement of disagreement.
- SAW LLC will, as appropriate, identify the record or PHI in the designated record set that is the subject of the disputed amendment and append or otherwise link the individual’s request for an amendment, SAW LLC’s denial of the request, the individual’s statement of disagreement, if any, and SAW LLC’s rebuttal, if any, to the designated record set.
- For risk management purposes, it is SAW LLC’s policy never to delete medical records. Medical information should be amended, and the prior information should be noted as having been amended, but not deleted. Some state laws prohibit information in the medical records from being changed or deleted.
- If a statement of disagreement has been submitted by the individual, SAW LLC will include the material appended or, at the election of SAW LLC, an accurate summary of any such information, with any subsequent disclosure of the PHI to which the disagreement relates.
- If the individual has not submitted a written statement of disagreement, SAW LLC will include the individual’s request for amendment and its denial, or an accurate summary of such information, with any subsequent disclosure of the PHI only if the individual has requested such inclusion.
- When a subsequent disclosure of PHI is made using a standard transaction (e.g., a standard electronic transaction defined in 45 C.F.R. Part 162 of the HIPAA rule) that does not permit the additional material to be included with the disclosure, SAW LLC may separately transmit the material required, as applicable, to the recipient of the standard transaction.
- All documentation related to requests, approvals, denials, disagreements and rebuttals will be documented in a written or electronic form. SAW LLC will retain the documentation required for six years from the date of its creation or the date when it last was in effect, whichever is later.
Amendments to Information Agreed to by Other Covered Providers
If SAW LLC is informed by another covered entity of an amendment to an individual’s PHI, SAW LLC must amend the PHI in designated record sets as provided above.
VIOLATIONS
The Privacy Officer has general responsibility for implementation of this policy. Anyone who violates this policy will be subject to disciplinary action up to and including termination of employment. Anyone who knows or has reason to believe that another person has violated this policy should report the matter promptly to SAW LLC. Any attempt to retaliate against a person for reporting a violation of this policy will itself be considered a violation of this policy that may result in disciplinary action up to and including termination of employment with SAW LLC.
=
Please refer to the “Forms” section to find the “Patient Request for Amendment of Records” form.
=
Please refer to the “Forms” section to find the “Documentation of Request for Amendment of Protected Health Information” form.
=
Please refer to the “Forms” section to find the “Letter for Communicating Denial of Request for Amendment of PHI” form.
ACCOUNTING OF DISCLOSURES OF PROTECTED HEALTH INFORMATION
ACCOUNTING OF DISCLOSURES
REFERENCE: 45 CFR § 164.528
SCOPE OF POLICY
This policy applies to all SAW LLC’s employees, volunteers, vendors, subcontractors, and business associates of SAW LLC.
STATEMENT OF POLICY
All patients whose information has been received by SAW LLC, and whose information is maintained by SAW LLC, have a right to an “accounting of disclosures,” which includes information about many disclosures of the patient’s protected health information (“PHI”) that SAW LLC has made to third parties. It is SAW LLC’s policy to treat all patient requests in a respectful manner. If a patient asks questions about obtaining an accounting of disclosures, the patient should be directed to make his or her request to the Privacy Officer.
MAINTENANCE OF DISCLOSURE LOG
SAW LLC is responsible for maintaining a log of all disclosures of PHI made without a patient authorization. Under 45 CFR § 164.530(j), this log and the related documentation must be retained for six (6) years from the date of the disclosure or the date the documentation was last in effect, whichever is later. (The HITECH Act contemplates a shorter, three-year accounting period for disclosures made through an electronic health record, but that provision has not been implemented by final rule, so the six-year period applies to paper and electronic records alike.) At the time the patient or the patient’s personal representative requests an Accounting of Disclosures, the Privacy Officer is responsible for documenting whether any disclosures have been made that relate to the request.
IMPLEMENTATION OF THIS POLICY
Because a patient may request an accounting of disclosures at any time, SAW LLC staff must record, on an ongoing basis, all information that is needed to respond to a patient’s request regarding disclosures of information. Certain information must be recorded about each disclosure. The authorized personnel who disclose a patient’s PHI without the patient’s written authorization MUST maintain a retrievable accounting.
Each and every SAW LLC staff member will be expected to comply with this policy of recording disclosures. Violations may be subject to disciplinary action, up to and including termination.
SAW LLC is required to keep records of certain disclosures of a patient’s PHI and to provide an accounting of those disclosures to patients who request such an accounting. Disclosure means a release, transfer, provision of access to or divulging in any other way of information outside SAW LLC.
Types of Disclosures Which Must Be Recorded
All disclosures made:
In response to third-party requests allowable by law that do not require patient authorization;
In response to federal and/or state inquiries required by law (e.g., CMS or the Department of Health); and
Otherwise without the patient’s authorization.
Types of Disclosures Which Do Not Have To Be Recorded
- Sharing protected health information with SAW LLC staff and the treating health care providers is a use, not a disclosure, and therefore need not be recorded.
- Under 45 CFR § 164.528(a)(1), the following disclosures of a patient’s protected health information made by SAW LLC, or its business associate vendors or subcontractors, do not have to be recorded:
To carry out treatment, payment, and health care operations;
To the individual, of PHI about themselves;
Made pursuant to a valid patient authorization;
Incident to a use or disclosure otherwise permitted;
For the facility’s directory;
To persons involved in the individual’s care or for notification purposes;
For national security or intelligence purposes;
To correctional institutions or law enforcement officials having lawful custody of an inmate;
As part of a limited data set; and
That occurred prior to the compliance date for the covered entity.
IMPLEMENTATION OF THIS POLICY
The Privacy Officer will respond to patient requests for accounting of disclosures in accordance with the following procedures.
- Patient Requests
All patient requests for accounting of disclosures must be made in writing.
- Response Time
The Privacy Officer is expected to provide the patient with the requested accounting within a reasonable timeframe. At the very latest, the Privacy Officer must provide the accounting within 60 days from the date SAW LLC received the request.
In rare circumstances, the Privacy Officer may be unable to provide the accounting within 60 days. If so, the Privacy Officer may extend the time for responding by another 30 days. However, under no circumstances may SAW LLC provide the accounting later than 90 days from the date the patient’s request was received.
If the 30-day extension is needed, the Privacy Officer must notify the patient in writing within the first 60 days to explain the reason for the delay and the date when SAW LLC expects to provide the accounting.
- Content of the Accounting
The Privacy Officer must prepare the content of an accounting as follows:
The Privacy Officer will determine the period of accounting, which will be covered in the accounting. Patients may request an accounting of disclosures made during any period of time falling within six years before the date of the request.
When preparing an accounting, the following information must be included for each disclosure:
The date of the disclosure;
The name of the person or organization that received the information;
The address of the person or organization that received the information (if known);
A brief description of the protected health information disclosed (with dates of treatment when possible); and
At least one of the following items –
A brief statement explaining the purpose of the disclosure and why the disclosure is permitted under SAW LLC’s policies, or
A copy of a written request made by a person or organization to whom the disclosure was made where the information was disclosed for one of the public policy reasons.
- Collection of Fees
SAW LLC must provide a patient with one free accounting every twelve (12) months. If a patient requests an additional accounting within the same twelve (12) month period, the Privacy Officer may charge a reasonable, cost-based fee for producing the accounting, provided that the patient is informed of the fee in advance and given the opportunity to withdraw or modify the request in order to avoid or reduce the fee.
- Documentation
Documentation relating to a patient’s request for an accounting, and the accounting provided, must be maintained by SAW LLC for six years from the date of its creation.
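The recording rule, the six-year look-back, the 60-day response deadline with one 30-day extension, and the once-per-12-months fee rule described above can be enforced mechanically. The following Python is an added example written for this manual’s text; it is not SAW LLC’s own tooling. The purpose codes, the `Disclosure` record layout, and the sample entries (fictitious patients and recipients, including a misdirected fax, which this manual requires to be logged as a disclosure) are constructed for illustration. The same `response_deadlines` calculation applies to the amendment timeline in the preceding policy.

```python
"""Accounting-of-disclosures log (added example; all data below is constructed)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Disclosure types excluded from the accounting by 45 CFR 164.528(a)(1).
# The purpose codes themselves are this example's convention (assumption).
EXEMPT_PURPOSES = frozenset({
    "treatment", "payment", "health_care_operations",
    "to_individual", "authorization", "incidental", "facility_directory",
    "involved_in_care", "national_security",
    "correctional_or_law_enforcement", "limited_data_set",
})


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    disclosed_on: date
    recipient: str                    # person or organization that received the PHI
    recipient_address: Optional[str]  # if known
    description: str                  # brief description of the PHI disclosed
    purpose: str                      # purpose code, checked against EXEMPT_PURPOSES
    purpose_statement: str            # plain-language purpose, or reference to the written request on file


def years_before(d: date, years: int) -> date:
    """Same calendar date `years` earlier; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def response_deadlines(received_on: date) -> tuple:
    """(initial deadline, absolute deadline): 60 days to respond, plus one 30-day
    extension if the patient is told in writing within the first 60 days."""
    initial = received_on + timedelta(days=60)
    return initial, initial + timedelta(days=30)


class DisclosureLog:
    def __init__(self) -> None:
        self._entries = []   # accountable disclosures only
        self._provided = {}  # patient_id -> dates on which an accounting was furnished

    def record(self, d: Disclosure) -> bool:
        """Log the disclosure; returns True if it must appear in a later accounting."""
        if d.purpose in EXEMPT_PURPOSES:
            return False
        self._entries.append(d)
        return True

    def accounting(self, patient_id: str, requested_on: date,
                   period_start: Optional[date] = None,
                   period_end: Optional[date] = None):
        """Accountable disclosures for the patient in the requested period,
        clipped to the six years preceding the request, oldest first."""
        earliest = years_before(requested_on, 6)
        start = max(period_start or earliest, earliest)
        end = min(period_end or requested_on, requested_on)
        hits = [e for e in self._entries
                if e.patient_id == patient_id and start <= e.disclosed_on <= end]
        return sorted(hits, key=lambda e: e.disclosed_on)

    def fee_may_apply(self, patient_id: str, requested_on: date) -> bool:
        """True if an accounting was already furnished to this patient in the
        12 months before this request; the first in any 12-month period is free."""
        cutoff = years_before(requested_on, 1)
        return any(cutoff < d <= requested_on for d in self._provided.get(patient_id, []))

    def mark_provided(self, patient_id: str, provided_on: date) -> None:
        """Document that an accounting was furnished (this record is kept six years)."""
        self._provided.setdefault(patient_id, []).append(provided_on)


def sample_log() -> DisclosureLog:
    """Constructed sample entries; patients, recipients and dates are fictitious."""
    log = DisclosureLog()
    for d in (
        Disclosure("P-1001", date(2024, 3, 4), "State Department of Health", "1 Capitol Ave",
                   "Immunization record, visit of 2024-02-28", "public_health",
                   "Reportable immunization; disclosure required by state law"),
        Disclosure("P-1001", date(2024, 5, 9), "Example Cardiology", None,
                   "Encounter notes 2024-05-01", "treatment", "Referral"),  # exempt: TPO
        Disclosure("P-1001", date(2024, 7, 16), "Unknown fax recipient, 555-0100", None,
                   "Lab results 2024-07-15 (misdirected fax)", "misdirected_fax",
                   "Fax sent to wrong number; reported to the Privacy Officer"),
        Disclosure("P-1001", date(2017, 1, 10), "County Court", "2 Court St",
                   "Billing records 2016", "court_order",
                   "Response to court order; copy on file"),  # older than six years
        Disclosure("P-2002", date(2024, 4, 1), "State Department of Health", "1 Capitol Ave",
                   "Lab result 2024-03-30", "public_health", "Reportable disease"),
    ):
        log.record(d)
    return log


if __name__ == "__main__":
    log, received = sample_log(), date(2024, 9, 1)
    for e in log.accounting("P-1001", received):
        print(e.disclosed_on, e.recipient, e.description, "|", e.purpose_statement)
    print("deadlines:", *response_deadlines(received), "fee:", log.fee_may_apply("P-1001", received))
```

Exempt disclosures are not stored at all, so the log cannot accidentally be turned into a full audit trail of treatment traffic; if the practice also wants a complete access log for security purposes, that belongs in a separate system with its own retention rule.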
VIOLATIONS
Anyone who violates this policy will be subject to disciplinary action up to and including termination of employment. Anyone who knows or has reason to believe that another person has violated this policy should report the matter promptly to the Privacy Officer. Any attempt to retaliate against a person for reporting a violation of this policy will itself be considered a violation of this policy that may result in disciplinary action up to and including termination of employment or contract with SAW LLC.
=
Please refer to the “Forms” section to find the “Request for Accounting of Uses and Disclosures” form.
=
Please refer to the “Forms” section to find the “Account of Uses and Disclosures of PHI” form.
ADMINISTRATIVE SAFEGUARDS
PRIVACY ADMINISTRATIVE SAFEGUARDS
REFERENCE: 45 CFR § 164.530
POLICY:
SAW LLC must implement policies and procedures with respect to PHI that are designed to comply with the standards, implementation specifications, or other requirements of HIPAA rules. The policies and procedures must be reasonably designed, taking into account the size and type of activities that relate to PHI undertaken by SAW LLC, to ensure such compliance.
This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirement of this subpart.
If a practice has not reserved its right to change a privacy practice that is stated in the Notice, SAW LLC is bound by the privacy practices as stated in the Notice with respect to PHI created or received while such Notice is in effect. A practice may change a privacy practice that is stated in the Notice, and the related policies and procedures, without having reserved the right to do so, provided that such change is implemented in accordance with the requirements in this procedure; and such change is effective only with respect to PHI created or received after the effective date of the revised Notice.
PROCEDURES
- SAW LLC maintains written policies and procedures that outline SAW LLC’s privacy and confidentiality policies in accordance with legal requirements mandated by the HIPAA law of 1996.
- SAW LLC will change its policies and procedures as necessary and appropriate to comply with changes in the law, including the standards, requirements, and implementation specifications of the HIPAA rule.
- When SAW LLC changes a privacy practice that is stated in the Notice of Privacy Practices, and makes corresponding changes to its policies and procedures, it may make the changes effective for PHI that it created or received prior to the effective date of the Notice revision if the covered entity has included in the Notice a statement reserving its right to make such a change in its privacy practices.
- SAW LLC may make any other changes to policies and procedures at any time, provided that the changes are documented and implemented in accordance with this policy.
- Whenever there is a change in law that necessitates a change to SAW LLC’s policies or procedures, SAW LLC will promptly document and implement the revised policy or procedure. If the change in law materially affects the content of the Notice of Privacy Practices, SAW LLC will promptly make the appropriate revisions to the Notice. Nothing in this paragraph may be used by SAW LLC to excuse a failure to comply with the law.
- To implement a change as described above, SAW LLC will:
- Ensure that the policy or procedure, as revised to reflect a change in SAW LLC’s privacy practice as stated in its Notice of Privacy Practices, complies with the standards, requirements, and implementation specifications identified in this policy.
- Document the policy or procedure, as revised, in a written or electronic form. SAW LLC will retain the documentation required for six years from the date of its creation, or the date when it last was in effect, whichever is later.
- Revise the Notice to state the changed practice and make the revised Notice available as required. SAW LLC will not implement a change to a policy or procedure prior to the effective date of the revised Notice.
- A practice may change, at any time, a policy or procedure that does not materially affect the content of the Notice of Privacy Practices, provided that the policy or procedure, as revised, complies with the standards, requirements, and implementation specifications of this procedure; and prior to the effective date of the change, the policy or procedure, as revised, is documented in a written or electronic form.
- SAW LLC will retain the documentation required for six years from the date of its creation, or the date when it last was in effect, whichever is later.
INTERPRETATION:
The policies and procedures of small providers may be more limited under the Rule than those of a large hospital or health plan, based on the volume of health information maintained and the number of interactions with those within and outside of the health care system.
PERSONNEL DESIGNATIONS POLICY
REFERENCE: 45 CFR § 164.530
POLICY:
SAW LLC must designate a Privacy Officer who is responsible for the development and implementation of the policies and procedures of the entity.
The Privacy Officer will serve as the contact person who is responsible for receiving complaints, and who is able to provide further information about matters covered by the Notice of Privacy Practices.
SAW LLC must document the personnel designations in a written or electronic form. SAW LLC will retain the documentation required for six years from the date of its creation, or the date when it last was in effect, whichever is later.
The Privacy Officer will maintain all documentation relating to the Privacy and Security Rules for a period of six years from the date of creation, or the last effective date, whichever is later.
PROCEDURE:
- SAW LLC’s Privacy Officer is Viorica. This person is responsible for oversight of development and implementation of SAW LLC’s privacy standards, and will also review all complaints and requests for review of denials.
- SAW LLC’s privacy contact is Viorica. This person is responsible for inquiries and questions regarding SAW LLC’s Notice of Privacy Practices.
- This policy, SAW LLC’s Notice of Privacy Practices, and any other applicable policies and procedures will be updated whenever there is a change to the Privacy Officer or privacy contact.
INTERPRETATIONS:
The Privacy Officer at a small physician practice may be the office manager, who will have other non-privacy related duties; the Privacy Officer at a large health plan may be a full-time position, and may have the regular support and advice of a privacy staff or board.
PRIVACY OFFICER RESPONSIBILITIES
SAW LLC will identify the Privacy Officer who is responsible for the development and implementation of the policies and procedures required under the HIPAA Privacy Rule. The Privacy Officer will have the following responsibilities:
- Provides guidance and assists in the identification, implementation, and maintenance of organization privacy policies and procedures in coordination with practice management and legal counsel.
- Ensures the performance of initial and periodic information privacy risk assessments, and conducts related ongoing compliance monitoring activities in coordination with SAW LLC’s other compliance and operational assessment functions.
- Works with legal counsel and management to ensure SAW LLC has and maintains appropriate privacy authorization forms, and information notices and materials reflecting current organization and legal practices and requirements.
- Oversees, directs, delivers, or ensures delivery of initial and ongoing privacy training and orientation to all employees, volunteers, medical and professional staff, contractors, alliances, business associates, and other appropriate third parties.
- Participates in the development, implementation, and ongoing compliance monitoring of all trading partner and business associate agreements to ensure all privacy concerns, requirements, and responsibilities are addressed.
- Establishes with management a mechanism to track access to PHI, within the purview of SAW LLC and as required by law, and to allow qualified individuals to review or receive a report on such activity.
- Ensures SAW LLC honors patient rights to inspect, amend, and restrict access to PHI when appropriate.
- Establishes and administers a process for receiving, documenting, tracking, investigating, and taking action on all complaints concerning the organization’s privacy policies and procedures in coordination and collaboration with other similar functions and, when necessary, legal counsel.
- Ensures compliance with privacy practices and consistent application of sanctions for failure to comply with privacy policies for all individuals in SAW LLC’s workforce, extended workforce, and for all business associates in cooperation with legal counsel as necessary.
- Initiates, facilitates, and promotes activities to foster information privacy awareness within the organization and related entities.
- Serves as a member of, or liaison to, the organization’s Institutional Review Board or Privacy Committee, should one exist. Also serves as the information privacy liaison for users of clinical and administrative systems.
- Reviews all system-related information security plans to ensure alignment between security and privacy practices.
- Works with all practice personnel involved with any aspect of release of PHI, to ensure full coordination and cooperation under the organization’s policies and procedures and legal requirements.
- Maintains current knowledge of applicable federal and state privacy laws and accreditation standards as applicable, and monitors advancements in information privacy technologies to ensure organizational adaptation and compliance.
- Serves as information privacy consultant to SAW LLC and appropriate committees.
- Cooperates with the Office for Civil Rights, other legal entities, and organization officers in any compliance reviews or investigations.
QUALIFICATIONS:
Knowledge of state and federal privacy laws;
Experience with practice operations and privacy practices;
Ability to develop working relationships with practice staff and practice management.
This description is intended to serve as a scalable framework for organizations in development of a position description for the Privacy Officer. Under the HIPAA Security Rule, the Security Officer and the Privacy Officer may be the same individual, or different individuals.
FAX POLICY
REFERENCE: 45 CFR § 164.530
PURPOSE: While it is recognized that fax equipment, associated software, and the mechanism of faxing information can significantly enhance the operations of SAW LLC, the general operation of faxing can also introduce risk. These risks can be caused by a failure to follow precautions that cause information to be misdirected or received by individuals other than for whom it was intended. This policy is intended to ensure that the privacy of any information that is faxed is appropriately protected and maintained, including protected health information (“PHI”), financial information, and confidential and proprietary information (“Confidential Information”).
POLICY:
General
- Only authorized users are permitted to receive faxes containing Confidential Information. The sender of Confidential Information has the responsibility to verify that the intended recipient receives the fax.
- All faxes are to be sent only under those conditions that allow for reasonable safeguards to exist prior to the fax being sent, so that the protection of Confidential Information can be ensured.
- Safeguards include, but are not limited to, ensuring and verifying that the fax number being used is correct, ensuring that the fax machine being used by the sender is in a secure location not viewable by public traffic, ensuring that the fax will only be received by the intended recipient, and determining a mechanism to verify receipt of said fax.
- Fax machine numbers, including those used by AutoFax processes and pre-programmed numbers, should be verified on a scheduled basis not less than once every six months to ensure that numbers have not changed.
- SAW LLC’s fax machines that transmit or receive Confidential Information as outlined in this Policy should be placed in areas that are not accessible by the public, and whenever possible, they should be placed in areas that require some form of access mechanism such as keys, badges, or similar mechanisms to restrict access.
- The use of pre-programmed numbers should be employed whenever possible to minimize accidental keying of wrong numbers. The pre-programmed numbers must be independently verified prior to keying the numbers into the fax machine. The pre-programmed number must be verified in the fax machine memory prior to use to ensure it is correct.
- Audit controls, including but not limited to fax transmittal and confirmation sheets, should be used. Whenever possible, these documents should be safely stored and available for review to ensure that unauthorized use or access has not taken place.
- Faxes should be transmitted in a manner commensurate with the classification of the information.
- Under all circumstances and/or conditions, faxes should be transmitted so as to protect against any accidental or intentional disclosure, use, or manipulation of Confidential Information.
- All misdirected faxes containing Confidential Information must be brought to the attention of the Privacy Officer for review. “Misdirected faxes” include sending a fax to a wrong number or recipient, or receiving a fax that was intended for another recipient. The employee sending the fax must account for the disclosure, and it must be recorded in the “Accounting of Disclosures” log. The fax cover sheets or activity report should be kept on file within SAW LLC.
Fax Cover Sheets
- All faxes sent outside of SAW LLC containing any type of information that could be considered Confidential Information, including PHI, should be sent utilizing a fax cover sheet.
- The cover sheet should contain the following:
SAW LLC’s name
Sender’s name
Sender’s telephone number
Sender’s fax number
Intended recipient name
Intended recipient telephone number
Intended recipient fax number
Date
Number of pages sent
Special instructions, if necessary.
- The following statement, or a similar one covering the same points, must be attached to all outgoing faxes:
“The information contained in this transmittal may include privileged or confidential material intended solely for the individual to whom it is addressed. The material may also include information of a proprietary nature that is exempt from disclosure under applicable State and Federal laws. Such disclosure is expressly prohibited without the prior, written authorization of SAW LLC. If the recipient of this transmittal is not the intended person(s), you are notified that any unauthorized dissemination, distribution, or duplication of this material is strictly prohibited. If you have received this communication in error, please notify the sender immediately.”
“The recipient of patient information is prohibited from disclosing the information to any other party and is required to destroy the information after the need for the information has been fulfilled.”
Faxing of Confidential Information
Faxes, in general, should only be utilized by SAW LLC when standard, mail-delivered copies will not meet the needs of immediate patient care.
- Faxes may only be utilized to transmit Confidential Information when warranted by an urgent need or when required by a third party. Except as authorized for treatment, payment, practice operations, or federal or state law, a properly completed and signed authorization must be obtained before releasing PHI. The following types of medical information are protected by federal and/or State statute, and may NOT be faxed or photocopied without specific written patient authorization, unless required by law. Confidential details of:
Psychotherapy (records of treatment by a psychiatrist, licensed psychologist or psychiatric clinical nurse specialist);
Other professional services of a licensed psychologist;
Social work counseling/therapy;
Domestic violence victims’ counseling;
Sexual assault counseling;
HIV test results (patient authorization required for EACH release request);
Records pertaining to sexually-transmitted diseases;
Alcohol and drug abuse records protected by federal confidentiality rules (42 CFR Part 2).
- Faxes should be limited to transmitting the minimum necessary information to meet the requestor’s needs.
- Except as authorized by law, a properly completed and signed authorization must be obtained before releasing patient information.
- In the event of a medical emergency, an authorization is not required to transmit a fax to a physician or other health care provider.
Failure to Comply
Failure to comply with this policy shall result in disciplinary action up to and including termination of employment.
Please refer to the “Forms” section to find the “Fax Cover Sheet” form.
Please refer to the “Forms” section to find the “Misdirected Fax Cover Sheet” form.
E-MAIL POLICY
REFERENCE: 45 CFR § 164.530
PURPOSE:
As a productivity enhancement tool, SAW LLC encourages the business use of electronic communications, specifically e-mail. While recognizing the need for this type of access, SAW LLC must also set policies governing the use of the e-mail tool. All e-mail users of SAW LLC are expected to be familiar with, understand, and comply with this policy. This policy outlines acceptable e-mail usage.
POLICY:
General Rules
- E-mail containing PHI must be treated with the same degree of privacy and confidentiality as the patient’s medical record.
- SAW LLC will make all e-mail messages sent or received concerning the treatment of a patient part of the patient’s medical record.
- SAW LLC personnel may not send or forward any PHI outside the practice network via e-mail unless specifically authorized to do so.
- When using e-mail, SAW LLC employees must limit the information transmitted to the minimum necessary to meet the requester’s needs.
- In addition, all external disclosures of PHI through e-mail must comply with SAW LLC’s policies on uses and disclosures of PHI and on patient authorization.
- Before personnel use e-mail to correspond with a patient, the patient must consent to the use of e-mail for transmitting confidential PHI by signing a “Patient Consent for Use of Electronic Mail” form. It is the responsibility of each practice staff member to make sure the patient has provided this consent before corresponding through e-mail.
- E-mail should not be used to replace a clinical visit (e.g., an initial patient visit). The health care provider should use due care in corresponding with the patient through e-mail for treatment.
Authorized Usage
Business Activities only. SAW LLC’s electronic communications systems shall be used for proper business use only, or those activities which management has approved.
Personal Use. Incidental personal use is permissible as long as: (a) it does not consume more than a trivial amount of resources, (b) does not interfere with worker productivity, (c) does not preempt any business activity. Users are expressly prohibited from using SAW LLC’s electronic communication systems for charitable endeavors, private business activities, or amusement / entertainment purposes.
Use of Resources. The use of SAW LLC’s resources, including electronic communications, shall not create either the appearance or the reality of inappropriate use.
Subscription to Newsgroups. While SAW LLC recognizes that subscriptions to industry-related newsgroups are beneficial and even necessary, users are reminded to be cautious about providing e-mail addresses and subscribing. Many providers sell e-mail addresses, and the resulting flood of unsolicited messages (spam) can cause a great deal of damage. Users receiving excessive, frivolous messages from sources other than those they subscribed to are required to report this activity to the Helpdesk so that a resolution can be found. Subscriptions to newsgroups and mailing lists are permitted only for SAW LLC business-related purposes; all other subscriptions are expressly prohibited.
Use of Outside e-mail Accounts. SAW LLC’s users are prohibited from using non-SAW LLC’s e-mail accounts to conduct SAW LLC’s business activities. This includes the automatic forwarding of messages to outside e-mail from SAW LLC accounts, and the accessing of non-SAW LLC accounts via SAW LLC’s resources.
Content Filtering and Scanning of Attachments. All SAW LLC e-mail will be scanned with content filtering software approved by the Privacy Officer for the presence of viruses, worms, Trojans, and any other harmful attachment or condition. All e-mail and/or attachments found to contain harmful code are to be quarantined according to specified and approved procedures and policies, so as to prevent further infection of SAW LLC resources. Additionally, all e-mail shall be scanned to identify non-business-related attachments and attachments that could cause potential harm, such as GIFs, JPEGs, EXEs, and similar types. These attachments will be quarantined and/or deleted from SAW LLC e-mail as part of the scan unless specifically authorized by the Security Officer.
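The attachment rule above is the one part of this policy that is actually enforced by software, and the check is weaker than it looks if it only trusts the file name: an executable renamed to "invoice.txt" passes an extension filter untouched. The following is an added example, not SAW LLC's or any scanner vendor's code, of an attachment gate that applies the policy's extension list and also inspects the file's leading bytes, quarantining renamed executables and files whose declared type disagrees with their content. The blocked-extension list beyond the three types the policy names, the file-name-based Security Officer exception, and all sample attachments are assumptions constructed for illustration.

```python
"""Attachment gate for an e-mail scanner, modelled on the policy above.

Added example (not SAW LLC's or any vendor's code). It judges an attachment
by its declared extension AND by its leading bytes, so a renamed executable
("invoice.txt" that really starts with an MZ header) is still quarantined.
The blocked-extension list and the Security Officer exception mechanism are
assumptions for illustration; a real deployment would load both from the
approved configuration and hand quarantined items to the approved procedure.
"""
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import FrozenSet, List, Optional, Tuple

# Types the policy names (GIF, JPEG, EXE) plus assumed "similar type" executables.
BLOCKED_EXTENSIONS: FrozenSet[str] = frozenset({
    "exe", "gif", "jpg", "jpeg",
    "scr", "bat", "cmd", "com", "pif", "vbs", "js",
})

# Leading bytes of a few real file formats, mapped to the name used here.
MAGIC_SIGNATURES: Tuple[Tuple[bytes, str], ...] = (
    (b"MZ", "exe"),                 # DOS/Windows PE executable
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF-", "pdf"),
)

# Which sniffed type a given extension is expected to carry.
CANONICAL_EXT = {"jpg": "jpeg", "jpeg": "jpeg", "exe": "exe",
                 "gif": "gif", "png": "png", "pdf": "pdf"}


@dataclass(frozen=True)
class Verdict:
    action: str   # "allow" or "quarantine"
    reason: str


def sniff_type(data: bytes) -> Optional[str]:
    """Return the format implied by the first bytes, or None if unrecognised."""
    for magic, kind in MAGIC_SIGNATURES:
        if data.startswith(magic):
            return kind
    return None


def declared_extension(filename: str) -> str:
    return PurePosixPath(filename).suffix.lstrip(".").lower()


def check_attachment(filename: str, data: bytes,
                     approved: FrozenSet[str] = frozenset()) -> Verdict:
    """Apply the policy to one attachment.

    `approved` holds file names the Security Officer has explicitly authorised
    (assumed mechanism); everything else goes through the extension and
    content checks.
    """
    if filename in approved:
        return Verdict("allow", "exception authorised by the Security Officer")
    ext = declared_extension(filename)
    sniffed = sniff_type(data)
    if ext in BLOCKED_EXTENSIONS:
        return Verdict("quarantine", f"extension .{ext} is on the blocked list")
    if sniffed in BLOCKED_EXTENSIONS:
        # Extension looked harmless but the bytes say otherwise (renamed file).
        return Verdict("quarantine", f"content is {sniffed} despite .{ext or 'no'} extension")
    expected = CANONICAL_EXT.get(ext)
    if expected is not None and sniffed is not None and expected != sniffed:
        # Declared type and real type disagree: treat as suspicious, not just odd.
        return Verdict("quarantine", f"declared .{ext} but content looks like {sniffed}")
    return Verdict("allow", "no blocked type detected")


def scan_message(attachments: List[Tuple[str, bytes]],
                 approved: FrozenSet[str] = frozenset()) -> List[Tuple[str, Verdict]]:
    """Run check_attachment over every (filename, bytes) pair of one message."""
    return [(name, check_attachment(name, data, approved)) for name, data in attachments]


if __name__ == "__main__":
    # Constructed sample attachments; the byte strings are hand-made stubs.
    message = [
        ("invoice.txt", b"MZ\x90\x00\x03\x00\x00\x00"),       # EXE renamed to .txt
        ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),          # real JPEG
        ("scan.pdf", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),    # PNG labelled .pdf
        ("notes.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),         # real PDF
        ("data.csv", b"mrn,visit_date\n00123,2024-05-01\n"),     # plain text
        ("chart.gif", b"GIF89a\x01\x00\x01\x00"),                # GIF, but approved
    ]
    for name, verdict in scan_message(message, approved=frozenset({"chart.gif"})):
        print(f"{name:12} {verdict.action:10} {verdict.reason}")
```

Two design points carry over to any real gateway: the content sniff runs even when the extension is acceptable, because the attacker controls the file name and not the format; and a mismatch between declared and sniffed type is quarantined rather than silently corrected, so the Security Officer sees the anomaly instead of a "fixed" file.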
Default Privileges
Least Privilege. Employee privileges on electronic communication systems shall be assigned such that only those capabilities necessary to perform a job are granted.
Non-Administrators. Those users not classified as Administrators shall not have the capabilities and or permissions to reprogram or manage electronic mail system software.
Broadcast Facilities. Only with SAW LLC management approval can broadcast facilities be utilized.
Those groups that are created to send electronic messaging to all users shall be restricted to only authorized users, which have been approved by SAW LLC management.
User Accountability
Unique Login IDs. E-mail systems shall employ personal login IDs and passwords to control access so that the communications of different users can be isolated. All users shall log on with the login ID assigned to them; sharing login IDs or using another user’s login ID is expressly prohibited. All users are fully accountable for all actions performed with the login ID assigned to them. All e-mail accounts established on the practice’s systems will use the name recorded in the SAW LLC HR system. The use of nicknames is not permitted unless the nickname is the name entered in the HR system, i.e., the legal name.
Passwords. Passwords shall never be shared or revealed to anyone else other than the authorized user. The sharing of passwords and/or login IDs is strictly prohibited. To prevent unauthorized parties from obtaining access to electronic communications, users shall choose passwords that are difficult to guess.
User Identity. Misrepresenting, obscuring, suppressing, or replacing a user’s identity on an electronic communications system is expressly forbidden. The user name, electronic mail message, organizational affiliation, and related information included with electronic messages or postings shall reflect the actual originator of the messages or postings.
Generic Type Users. The use of generic login IDs not assigned to one specific user is expressly forbidden on any SAW LLC e-mail system. The only exception permitted is a generic mailbox set up for the specific use of a department or area of responsibility, which must be approved by the Security Officer (SO) and appropriate SAW LLC Management. Such a mailbox shall only receive e-mail; it shall not be permitted to send.
Privacy of Communications
No Default Protection. The external sending of proprietary data, passwords, trade secrets, medical and/or patient information, or any other data that could be considered confidential via e-mail is expressly prohibited unless prior written authorization is obtained from appropriate SAW LLC management. If approval is granted, encryption shall be used. Additionally, all users must recognize that since errors can occur, precautions should be taken even when sending information of this type over the internal SAW LLC network, so that only authorized parties receive information that is considered confidential.
Respecting Privacy Rights. Except for monitoring activities authorized by management, no user may intentionally intercept or disclose, or assist in intercepting or disclosing, electronic communications.
No Expectations of Privacy. The SAW LLC resources and user accounts are issued to users to assist them in the performance of their jobs, and as such, remain the property of SAW LLC. Users do not have an expectation of privacy in anything users create, store, send, or receive on SAW LLC resources. Resources belong to SAW LLC and are to be used solely for the purpose of SAW LLC business, the user’s usual duties, and or other purposes authorized by management.
Message Monitoring. The content of electronic communications may be monitored, and the usage of electronic communications systems will be monitored as required, to support operational maintenance, auditing, security, and investigative activities. Electronic communications should be composed in recognition of the fact that SAW LLC will from time to time examine the content of electronic communications without prior notice.
Incidental Disclosure. It may be necessary for authorized technical support personnel to review the content of an individual employee’s communications during the course of problem resolution.
Public Representations
SAW LLC Representations. No media advertisement, Internet home page, electronic bulletin board posting, electronic mail message, voice mail message, or any other public representation about SAW LLC may be issued unless it has been first approved by proper practice management.
SAW LLC Affiliations. When sending electronic mail, an employee’s affiliation with SAW LLC is often implied by the electronic mail address or explicitly indicated by adding certain words in messages. Personal opinions should be clearly identified as their own, and not necessarily those of SAW LLC. Before sending any material, SAW LLC users must consider whether the communication could put the practice at a disadvantage, or could cause public relations problems for SAW LLC.
Statistical Data
Collection of Data. Consistent with generally accepted business practice, SAW LLC collects statistical data about electronic communications. For example, call detail reporting information collected by telephone switching systems indicates the numbers dialed, the duration of calls, the time of day when calls are placed, etc. Using such information, technical support personnel monitor the use of electronic communications to ensure the ongoing availability and reliability of these systems.
Message Content
Common Sense Approach. Users shall not use profanity, obscenities, or derogatory remarks in electronic mail messages discussing employees, customers and / or patients, competitors, or others. Such remarks – even when made in jest – may create legal problems such as trade libel and defamation of character. Special caution is warranted because back-up and archival copies of electronic mail may actually be more permanent and more readily accessed than traditional paper communications (See also Section H).
Think Before Sending. Users must carefully choose words when creating e-mails. Responding to e-mails when upset could create e-mails that may have words not normally sent, and can’t be taken back. Users should be encouraged to think carefully before sending out e-mails.
Express Prohibitions
- User activity that violates the principles in this policy.
- The distribution of “junk mail” such as chain letters, marketing, fund-raising, advertisements, or any other frivolous messages.
- The transmission or solicited receipt of any type of communication that could be construed by any other user as harassment, or as vulgar, obscene, discriminatory, defamatory, or offensive based on race, national origin, sex, age, disability, religious affiliation, or any other characteristic protected by federal, state, or local law, or that is potentially damaging to SAW LLC.
- Excessive or abusive volumes of personal e-mail.
- Distribution, retrieval, or reproduction of intellectual property without documented permission from the copyright or patent holder.
- Any electronic communication that includes published material for which copyrights, trademarks, or contractual agreements prohibit duplication without permission.
- Communications which imply that any type of contractual agreement is being entered into, unless prior authorization is first obtained from appropriate SAW LLC management.
- Communications that promote or imply unlawful activity or activities contrary to SAW LLC’s policies.
- Any activity that attempts to bypass the security controls of the system.
- Any activity that puts the system at risk.
- Any activity that does not have prior SAW LLC management approval.
- Some information transmitted via electronic communications is intended for specific individuals and therefore should not be shared with others. Users should exercise caution when forwarding communications to other SAW LLC users. SAW LLC information that is sensitive in nature may not be forwarded to external parties without the express permission of senior management.
- The use of the system to create, harbor, or transport viruses or other malicious code. Additionally, users must not disable any anti-virus software.
- Subscriptions to newsgroups, mailing lists, etc., that are not SAW LLC business related.
- The external transmission of any Protected Health Information that is protected by any Federal or State statute, unless it is sent in encrypted form and the transmission method has been approved by the Privacy Officer.
- The use of any form of Instant Messaging, unless authorized by SAW LLC management and the Privacy Officer.
- The use of backgrounds, stationery, or other graphics in e-mail, due to the excessive amount of storage they consume.
- The downloading or copying of any software or applications without prior authorization or approval.
- Accessing or downloading pornography or other illegal materials, or engaging in any illegal activity.
- Storing personal files or personal electronic messages on SAW LLC systems.
- As a condition of receiving passwords and user ID codes, or access rights to information (whether by electronic or hard-copy access), each employee and user must agree in writing to comply with the established terms and conditions. Failure to comply with such terms and conditions may result in the denial and/or immediate suspension of access to employee or company information.
Message Retention
Purging Messages. Messages no longer needed for business purposes shall be periodically purged by users from their personal electronic storage areas. Most electronic mail should be purged after it is opened and read. Messages that are required for business decisions or reference shall be stored appropriately and/or backed up.
Space Limitations. All e-mail users will have a threshold set on the amount of space that may be utilized for their use as defined by SAW LLC Management. It is each user’s responsibility to monitor the amount of messages being retained so that the allocation is not exceeded. If the allocated space is exceeded, a user’s privileges to send and/or receive e-mail may be temporarily suspended until the user can delete a sufficient number of messages to lower the amount of space occupied.
Security Reporting
Incident Handling. Users shall promptly report all virus and security alerts, warnings, suspected vulnerabilities, and the like to the Privacy Officer. Users are prohibited from forwarding any security problems to any other users, whether those users are internal or external, unless specifically instructed to do so by the Privacy Officer.
Violation of Policy
Failure to comply with the SAW LLC E-Mail Policy may result in disciplinary action up to and including termination, as well as the possibility of appropriate legal action including, but not limited to, the right to seek compensation and / or prosecution.
The Privacy Officer will deny or revoke communication privileges if there is a reasonable belief that a violation has occurred.
Please refer to the “Forms” section to find the “Patient Consent for Use of Electronic Mail” form.
SOCIAL MEDIA POLICY
REFERENCE: 45 CFR § 164.530
Use of Social Media
“Social Media” means any Internet-based content created through public or social interaction, where users primarily produce and contribute to (rather than just read) the content. Social Media include, but are not limited to, social or professional networking websites, wikis, blogs, virtual worlds, personal websites, photo-sharing websites, and video-sharing websites (such as, for example, Facebook, Twitter, YouTube, etc.). The lack of reference to specific Social Media websites in this policy does not limit the extent or application of this policy.
SAW LLC acknowledges the growing popularity of Social Media as a means for sharing experiences, ideas, and opinions. However, SAW LLC also strives to protect itself, its employees, and third parties such as patients, subsidiaries, affiliates, vendors, and business partners from damages and potential criminal liability resulting from improper or unlawful use of Social Media. Indeed, because of the nature of SAW LLC’s practice, including the fact that SAW LLC is subject to the stringent regulations found in the Health Insurance Portability and Accountability Act (“HIPAA”) concerning nondisclosure of protected health information, SAW LLC employees may not contribute content about their work at SAW LLC, with certain narrow exceptions.
Employees must also keep in mind that SAW LLC’s other policies – including but not limited to its HIPAA policies, confidentiality policies, anti-harassment policies, E-mail and Acceptable Use of Information Policies – apply to its employees’ online conduct, including via Social Media.
This policy applies to all employees of SAW LLC during both working and non-working time, regardless of whether the employee is using the practice’s equipment or the employee’s personal equipment, on or off the practice’s property.
PROCEDURE
If an employee uses Social Media, the following rules must be followed:
Do not contribute content or images about or related to any patients or their family members. Even a comment which does not mention a patient’s name may violate HIPAA, if the information contributed could be used alone or in combination with other information to identify the individual who is the subject of the information.
Do not contribute any confidential, proprietary, libelous, or defamatory content or information about or related to SAW LLC, its employees, or third parties such as subsidiaries, vendors, affiliates, or business partners.
Do not engage in behavior that will reflect negatively on the reputation of SAW LLC, its employees, or third parties such as subsidiaries, vendors, affiliates, or business partners.
Do not post obscenities, slurs, or personal attacks that could damage the reputation of SAW LLC, its employees, or third parties such as subsidiaries, vendors, affiliates, or business partners.
Do not contribute commentary, content, or images that could be considered an act or threat of violence, harassment, or could create a hostile work environment.
Do not contribute content that could be considered an endorsement of SAW LLC’s services without authorization. Any such content must disclose your employment relationship with SAW LLC and carry the following disclaimer: “The content I have contributed to this site is my own and does not necessarily represent the views or opinions of SAW LLC. I am not a SAW LLC spokesperson.”
Comply with all applicable intellectual property, trademark, copyright, and fair use laws.
Do not post photographs or other images of SAW LLC’s employees, patients, affiliates, vendors, or business partners without their prior express written consent. Do not reference, mention, or cite to SAW LLC’s employees, patients, subsidiaries, or third parties such as vendors, affiliates, or business partners without their prior express written consent.
Do not use SAW LLC’s images, logos, trademarks, or service marks.
Do not post content related to SAW LLC’s legal matters, internal investigations, litigation (whether threatened, pending or concluded), or any parties with whom SAW LLC may be or have been in litigation.
Do not post content that is confidential or proprietary to the practice’s competitors or referral sources.
Consider whether connecting to other SAW LLC employees, business partners, vendors, or competitors via Social Media is appropriate for your level, position, and responsibilities. To the extent that you do connect to other SAW LLC employees, business partners, vendors, or competitors via Social Media, consider using available privacy filters or settings to block any inappropriate, unprofessional, or overly personal information about you from access by such people.
Do not use your SAW LLC email address to register for Social Media. You may reference your employment with SAW LLC and contact information on professional networking sites, such as LinkedIn.
Requests for employment references or recommendations through Social Media sites, such as LinkedIn, concerning present or former SAW LLC employees, should be referred to SAW LLC’s Human Resources Department.
Personal use of Social Media is not permitted during work hours or on SAW LLC’s equipment.
Nothing in this Social Media policy is intended to prohibit employees from communicating in good faith about wages, hours, or other terms and conditions of their or their co-workers’ employment at SAW LLC.
Violations
Failure to comply with these policies and guidelines may result in discipline, up to and including termination of employment. Further, an employee who contributes content to Social Media concerning patients or patient situations encountered at SAW LLC may also violate HIPAA and be personally subject to civil and criminal penalties. Employees must become familiar with SAW LLC’s HIPAA policies. Any employee with questions about this Social Media policy, SAW LLC’s HIPAA policies, or the application of HIPAA to the use of Social Media should contact the Privacy Officer.
EMPLOYEE TRAINING
REFERENCE: 45 CFR § 164.530(b)
POLICY:
SAW LLC must train all members of its workforce on SAW LLC’s HIPAA/HITECH policies and procedures with respect to PHI/ePHI, as necessary and appropriate for the members of the workforce to carry out their function within SAW LLC.
PROCEDURE:
SAW LLC will provide training that meets the following requirements:
To each new member of the workforce within a reasonable period of time after the person joins SAW LLC’s workforce.
To each member of SAW LLC’s workforce whose functions are affected by a material change in the policies or procedures, within a reasonable period of time after the material change becomes effective.
The practice’s workforce includes employees, students, trainees, and volunteers. It also includes all staff who work for the practice and are under the practice’s direct control, whether or not the practice pays them.
SAW LLC’s practice manager will be responsible for ensuring that training occurs.
SAW LLC’s training will include:
HIPAA/HITECH awareness training.
Periodic security reminders to staff and business associates on the need to ensure security and confidentiality of PHI/ePHI, and on any new changes to SAW LLC’s policies and procedures.
All staff will be required to review SAW LLC’s HIPAA/HITECH privacy/security policies and procedures. An employee who does not fulfill this obligation may be subject to disciplinary action.
All staff members are required to sign the Confidentiality and Non-Disclosure Form found in the Access to Patient Health Information chapter of this manual to attest that they understand their obligations regarding SAW LLC’s HIPAA/HITECH privacy and security practices and the penalties for violating these policies.
SAW LLC will document that the training has been provided. These training records, together with the confidentiality statement that each employee signs, are kept in the employee’s permanent employment record.
Please refer to the “Forms” section to find the “HIPAA and HITECH and Breach Notification Training Acknowledgement Form”.
HIPAA COMPLAINTS, VIOLATIONS AND SANCTIONS
REFERENCE: 45 CFR § 164.530(d), (e) AND (h)
SCOPE OF POLICY
This policy applies to all SAW LLC’s employees, volunteers, vendors, and subcontractors.
PURPOSE
SAW LLC must establish policies and procedures that all SAW LLC personnel are expected to follow when individuals make complaints regarding privacy issues. SAW LLC must also have a procedure to address violations of the privacy regulations promulgated by the Health Insurance Portability and Accountability Act (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and implementing regulations.
This policy addresses complaints and sanctions relating to HIPAA violations. It applies to every employee and user of SAW LLC’s computer system.
COMPLAINTS REGARDING PRIVACY
It is the responsibility of SAW LLC to receive all complaints (whether written or oral) regarding SAW LLC’s privacy policies and procedures, SAW LLC’s compliance with such policies and procedures, and, SAW LLC’s compliance with the requirements of HIPAA’s privacy regulations. The Privacy Officer shall investigate all complaints and document the results of such investigations.
SAW LLC’s Notice of Privacy Practices provides instructions on how to submit complaints both to SAW LLC and to the Secretary of the Department of Health and Human Services, the governmental agency that oversees practices’ compliance with HIPAA. By law, a complaint to the Secretary must be filed within 180 days of when the complainant knew or should have known that the act had occurred.
After receiving a HIPAA-related complaint, the Privacy Officer will promptly investigate the complaint and will determine who was involved in the possible HIPAA violation, including employees, volunteers, vendors, and sub-contractors of SAW LLC.
All complaints received, as well as their final disposition, are documented by the Privacy Officer. This documentation is kept in written or electronic form. SAW LLC will retain the documentation for six years from the date of its creation or the date when it was last in effect, whichever is later.
MITIGATION OF HIPAA VIOLATIONS
The Privacy Officer will take appropriate steps to mitigate, to the extent practicable, any known harmful effect resulting from any violation of the HIPAA privacy regulations or SAW LLC’s privacy policies and procedures.
SANCTIONS FOR HIPAA VIOLATIONS
If the Privacy Officer determines that a violation of SAW LLC’s privacy practices or HIPAA has occurred, the Privacy Officer shall make written findings concerning: (i) the nature of the violation(s); (ii) the identity of any SAW LLC personnel involved; and (iii) any further action that should be taken, including, but not limited to, sanctions to be applied against any SAW LLC personnel involved in such violation(s).
PROCESS FOR ISSUING SANCTIONS
Levels of Violation:
Level 1 Violation: A violation that is considered to be minor and usually accidental. This type of violation can result from the accidental use or misuse of information, carelessness, or a lack of privacy awareness education. These violations are not considered a direct threat to privacy, as they usually do not involve intent to further access, use, or disclose the information, or to use the information to harm the patient whose PHI has been compromised; nevertheless, each case must be examined. Sanctions might include a verbal warning and mandatory re-education for a first offense. A repeat incident by the same person requires more stringent disciplinary action, up to and including termination.
Examples of Level 1 Violations:
User fails to log off of a session, terminal or application when left unattended. This can allow another user to access records to which they are not entitled.
User fails to protect information in a reasonable manner that results in an inadvertent disclosure.
Level 2 Violation: This type of incident occurs when there is an intentional disregard of an established information security policy or procedure. The user is aware of the security policies and procedures, but is willing to circumvent them in order to achieve a personal goal.
Examples of Level 2 violations:
Accessing any information without following the proper documented procedure. This includes intentionally circumventing procedures, such as viewing patient information without authorization or knowingly using a workstation logged on with another user’s credentials to access patient information.
Accessing patient information that would not normally be accessed in the normal course of his or her job responsibilities. This would include, but not be limited to, a user accessing birth dates, addresses of friends or relatives, or accessing records out of curiosity.
Collecting information on any patient or sets of patients without permission outside of the scope of his or her job responsibilities.
Releasing records or information in an inappropriate manner.
User discusses patient information in public areas without discretion. SAW LLC visitors or workers that would not be authorized to access this information could overhear discussions.
User accesses patient information on behalf of another user that would not normally have access under normal circumstances.
Level 3 Violation: The intentional actions of any user who accesses, reviews, discloses, or discusses patient information for personal gain or with malicious intent. This type of incident is considered the most serious and must be dealt with accordingly. It could cause personal damage to some party, and fines and/or civil action against the organization as well as the violator.
Examples of Level 3 violations:
Intentionally releasing personal, corporate, or medical information for personal gain or profit.
Collecting information such as patient lists or mailing addresses for personal gain or profit.
Intentionally destroying or altering any information with intent to harm.
Releasing information of any individual with the intent to cause harm or adverse publicity, or for personal profit or gain.
Intentionally attempting to bypass security controls and attempting to gain unauthorized access to PHI.
RECORDS
The Privacy Officer will maintain a record for every privacy-related complaint received, the investigation undertaken, and the disposition, if any. The Privacy Officer will also maintain records of any sanctions imposed for a HIPAA violation, including the underlying HIPAA violation, any SAW LLC personnel involved, and any action taken, including sanctions. Records related to HIPAA complaints and sanctions for privacy violations shall be maintained in a secured location and for at least six years from the date of creation.
POLICY AGAINST RETALIATION
In accordance with SAW LLC’s policy, SAW LLC will not intimidate, threaten, coerce, discriminate against, or take any retaliatory action against any individual for exercising any right under, or participating in any process established by, this policy, including filing a HIPAA complaint, participating or assisting in an investigation related to a HIPAA complaint, filing a complaint with the Secretary of the Department of Health and Human Services concerning HIPAA compliance, or opposing any act or practice prohibited by the HIPAA privacy regulations or SAW LLC’s privacy-related policies or procedures. Further, SAW LLC will not, as a condition of the provision of treatment, require patients to waive their rights under the privacy regulations, including, without limitation, the right to complain to the Secretary of the Department of Health and Human Services or to the Privacy Officer concerning possible HIPAA violations.
DE-IDENTIFICATION OF INFORMATION POLICY
REFERENCE: 45 CFR § 164.502(d); 45 CFR § 164.514
DEFINITIONS
Disclosure means the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.
Protected health information means individually identifiable health information transmitted by electronic media; maintained or transmitted in any other form or medium including oral, written, and electronic communications.
Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual that identifies the individual; and is created or received by a health care provider, health plan, employer, or health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
POLICY:
SAW LLC complies with the Health Insurance Portability and Accountability Act of 1996 and the Department of Health and Human Services rules that are designed to preserve the privacy of identifiable patient information. SAW LLC may use PHI to create information that is not individually identifiable health information, or disclose PHI only to a business associate for such purpose, whether or not the de-identified information is to be used by SAW LLC. Health information that meets the requirements below is not considered to be individually identifiable health information, i.e., it is “de-identified.”
PROCEDURE:
- Health information that does not identify an individual, and for which there is no reasonable basis to believe that the information can be used to identify an individual, is not individually identifiable health information.
SAW LLC may determine that health information is not individually identifiable health information only if:
- A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable, applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information, and documents the methods and results of the analysis that justify such determination; or
- The following identifiers of the individual or of relatives, employers or household members of the individual are removed:
Names;
All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000;
All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
Telephone numbers;
Fax numbers;
Electronic mail addresses;
Social Security numbers;
Medical record numbers;
Health plan beneficiary numbers;
Account numbers;
Certificate/license numbers;
Vehicle identifiers and serial numbers, including license plate numbers;
Device identifiers and serial numbers;
Web Universal Resource Locators (URLs);
Internet Protocol (IP) address numbers;
Biometric identifiers, including finger and voice prints;
Full face photographic images and any comparable images; and
Any other unique identifying number, characteristic, or code; and
SAW LLC does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.
- Whenever possible, de-identified PHI should be used for quality assurance monitoring and utilization reporting.
Re-Identification
SAW LLC may assign a code or other means of record identification to allow de-identified information to be re-identified by SAW LLC, provided that:
The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual.
SAW LLC does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification.
Documentation
When creating de-identified health information, all steps taken to create this information and the intended uses and disclosures of such information should be documented in a written or electronic form. SAW LLC will retain the documentation required for six years from the date of its creation, or the date when it last was in effect, whichever is later.
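The Safe Harbor steps above (remove the listed identifiers, keep only the year of dates, aggregate ages over 89 into one category, truncate zip codes under the 20,000-person rule) together with the re-identification code requirement, as an added example that is not part of this manual and not SAW LLC's own software. The field names, the 3-digit zip population table and the sample record are constructed assumptions.

```python
"""Safe Harbor de-identification pass implementing the procedure above.

Added example, not SAW LLC's code. Field names, the zip population table and
the sample record are constructed for illustration.
"""
import re
import secrets
from datetime import date
from typing import Optional

# Constructed 3-digit zip area populations. A real deployment loads current
# Bureau of the Census data; these two entries are hypothetical.
ZIP3_POPULATION = {"068": 150_000, "036": 15_000}

# Constructed field names for the identifiers the procedure requires removed.
DIRECT_IDENTIFIERS = frozenset((
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "plan_id", "account", "license", "vehicle_id", "device_id", "url", "ip",
    "biometric", "photo",
))
# Fields transformed rather than dropped, and health data allowed through.
TRANSFORMED = frozenset(("zip", "dob", "admit_date"))
PASS_THROUGH = frozenset(("state", "diagnosis", "procedure"))


def safe_harbor_zip(zip_code: str) -> str:
    """Keep the initial three digits only when that 3-digit area holds more
    than 20,000 people; otherwise the prefix becomes '000'."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    if len(prefix) < 3 or ZIP3_POPULATION.get(prefix, 0) <= 20_000:
        return "000"
    return prefix


def age_on(birth: date, as_of: date) -> int:
    """Completed years of age on as_of."""
    had_birthday = (as_of.month, as_of.day) >= (birth.month, birth.day)
    return as_of.year - birth.year - (0 if had_birthday else 1)


def safe_harbor_age(birth: date, as_of: date) -> str:
    """Ages over 89 collapse into the single category '90 or older'."""
    age = age_on(birth, as_of)
    return "90 or older" if age > 89 else str(age)


def safe_harbor_date(d: Optional[date], suppress_year: bool = False) -> Optional[str]:
    """Dates keep only the year; even the year goes when it would indicate
    an age over 89 (suppress_year)."""
    if d is None or suppress_year:
        return None
    return str(d.year)


def new_reid_code(key_store: dict, mrn: str) -> str:
    """Re-identification code for SAW LLC's own later use. It comes from a
    CSPRNG, not from the MRN or any other fact about the person, so it cannot
    be translated back without key_store, which is kept separately and is
    never disclosed with the de-identified data."""
    code = secrets.token_hex(16)
    key_store[code] = mrn
    return code


def deidentify(record: dict, as_of: date, key_store: dict) -> dict:
    """Return a Safe Harbor record for one patient.

    Unclassified fields (free-text notes, say) are rejected rather than
    passed through, because they may carry an identifier the allow-lists
    above never saw."""
    unclassified = set(record) - DIRECT_IDENTIFIERS - TRANSFORMED - PASS_THROUGH
    if unclassified:
        raise ValueError(f"unclassified fields: {sorted(unclassified)}")
    age = safe_harbor_age(record["dob"], as_of)
    over_89 = age == "90 or older"
    out = {k: v for k, v in record.items() if k in PASS_THROUGH}
    out["zip3"] = safe_harbor_zip(record["zip"])
    out["age"] = age
    out["birth_year"] = safe_harbor_date(record["dob"], suppress_year=over_89)
    out["admit_year"] = safe_harbor_date(record.get("admit_date"))
    out["reid_code"] = new_reid_code(key_store, record["mrn"])
    return out


# Constructed sample record; not real patient data.
SAMPLE = {
    "name": "Jane Example", "mrn": "MRN-0001", "ssn": "000-00-0000",
    "email": "jane@example.com", "phone": "555-0100",
    "street": "123 Main St", "city": "Brookfield", "state": "CT",
    "zip": "06804", "dob": date(1921, 7, 4), "admit_date": date(2013, 2, 1),
    "diagnosis": "example diagnosis",
}

if __name__ == "__main__":
    store = {}  # the re-identification key, kept apart from the released data
    print(deidentify(SAMPLE, date(2013, 3, 1), store))
```

The allow-list approach is the point worth copying: a field the code has not classified is an error, not a pass-through, which is how free-text notes carrying a name are kept out of a "de-identified" extract.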
INTERPRETATION
The rule permits a practice to use PHI to create de-identified information, whether or not the de-identified information is to be used by SAW LLC. The rule specifies that de-identified information created in accordance with procedures (which are found in § 164.514(a)) is not subject to the requirements of these privacy rules unless it is re-identified. Disclosure of a key or mechanism that could be used to re-identify such information is also defined to be disclosure of PHI.
EDUCATION ON HEALTH INFORMATION PRIVACY
REFERENCE: HITECH SECTION 13403: EDUCATION ON HEALTH INFORMATION PRIVACY
REGIONAL OFFICE PRIVACY ADVISORS
POLICY:
Under HITECH Section 13403, “Education on Health Information Privacy,” the Department of Health and Human Services (HHS) was mandated to designate an individual in each regional office of HHS to offer guidance and education to covered entities, business associates and individuals, on their federal privacy and security protected health information (PHI) rights and responsibilities.
The HHS Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information, and the HIPAA Security Rule, which sets national standards for the security of electronic protected health information.
According to a press release by the Office for Civil Rights on August 14, 2009, the HHS Secretary authorized the Director of the Office for Civil Rights to carry out the designations required under the Act. Pursuant to that authorization, Robinsue Frohboese, the Acting Director and Principal Deputy Director for the Office for Civil Rights, designated the OCR Regional Managers in each of the HHS Regional Offices to serve as the Regional Office Privacy Advisors for their respective regions. The names, addresses, and contact information for each of the Regional Managers are listed at http://www.hhs.gov/ocr/office/about/rgn-hqaddresses.html, together with a list of the states for which each Regional Manager has responsibility.
This list can be found on the following pages. It was current as of March 2013.
EDUCATION INITIATIVE ON USES OF HEALTH INFORMATION
POLICY:
Not later than 12 months after the date of the enactment of HITECH (which was February 17, 2009), the HHS Office for Civil Rights was to develop and maintain a multi-faceted national education initiative to enhance public transparency regarding the uses of protected health information, including programs to educate individuals about the potential uses of their protected health information, the effects of such uses, and the rights of individuals with respect to such uses. Such programs shall be conducted in a variety of languages and present information in a clear and understandable manner.
OFFICE FOR CIVIL RIGHTS REGIONAL OFFICE PRIVACY ADVISORS
Current as of March 2013
HEADQUARTERS
Leon Rodriguez, Director
Office for Civil Rights
U.S. Department of Health and Human Services
200 Independence Avenue, S.W.
Room 509F HHH Bldg.
Washington, D.C. 20201
REGIONAL OFFICE ADDRESSES
Region I – Boston (Connecticut, Maine, Massachusetts, New Hampshire, Rhode Island, Vermont)
Peter Chan, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
Government Center
J.F.Kennedy Federal Building – Room 1875
Boston, MA 02203
Voice phone (800) 368-1019
FAX (617) 565-3809
TDD (800) 537-7697
Region II – New York (New Jersey, New York, Puerto Rico, Virgin Islands)
Linda Colon, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
Jacob Javits Federal Building
26 Federal Plaza – Suite 3312
New York, NY 10278
Voice Phone (800) 368-1019
FAX (212) 264-3039
TDD (800) 537-7697
Region III – Philadelphia (Delaware, District of Columbia, Maryland, Pennsylvania, Virginia, West Virginia)
Barbara Holland, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
150 S. Independence Mall West
Suite 372, Public Ledger Building
Philadelphia, PA 19106-9111
Main Line (800) 368-1019
FAX (215) 861-4431
TDD (800) 537-7697
Region IV – Atlanta (Alabama, Florida, Georgia, Kentucky, Mississippi, North Carolina, South Carolina, Tennessee)
Roosevelt Freeman, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
Sam Nunn Atlanta Federal Center, Suite 16T70
61 Forsyth Street, S.W.
Atlanta, GA 30303-8909
Voice Phone (800) 368-1019
FAX (404) 562-7881
TDD (800) 537-7697
Region V – Chicago (Illinois, Indiana, Michigan, Minnesota, Ohio, Wisconsin)
Celeste Davis, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
233 N. Michigan Ave., Suite 240
Chicago, IL 60601
Voice Phone (800) 368-1019
FAX (312) 886-1807
TDD (800) 537-7697
Region VI – Dallas (Arkansas, Louisiana, New Mexico, Oklahoma, Texas)
Jorge Lozano, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
1301 Young Street, Suite 1169
Dallas, TX 75202
Voice Phone (800) 368-1019
FAX (214) 767-0432
TDD (800) 537-7697
Region VII – Kansas City (Iowa, Kansas, Missouri, Nebraska)
Frank Campbell, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
601 East 12th Street – Room 353
Kansas City, MO 64106
Voice Phone (800) 368-1019
FAX (816) 426-3686
TDD (800) 537-7697
Region VIII – Denver (Colorado, Montana, North Dakota, South Dakota, Utah, Wyoming)
Velveta Howell, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
999 18th Street, Suite 417
Denver, CO 80202
Voice Phone (800) 368-1019
FAX (303) 844-2025
TDD (800) 537-7697
Region IX – San Francisco (American Samoa, Arizona, California, Guam, Hawaii, Nevada)
Michael Leoz, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
90 7th Street, Suite 4-100
San Francisco, CA 94103
Voice Phone (800) 368-1019
FAX (415) 437-8329
TDD (800) 537-7697
Region X – Seattle (Alaska, Idaho, Oregon, Washington)
Linda Yuu Connor, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
2201 Sixth Avenue – M/S: RX-11
Seattle, WA 98121-1831
Voice Phone (800) 368-1019
FAX (206) 615-2297
TDD (800) 537-7697
RESPONDING TO GOVERNMENT AUDIT/AGENTS
PURPOSE:
It is SAW LLC’s policy to cooperate fully with legitimate law enforcement investigations. It is also the policy of SAW LLC to protect the privacy of patients’ records.
POLICY:
Government law enforcement agents may, at any time and with no prior warning, demand to search SAW LLC’s property or request access to patients’ records. In these situations, you should be courteous and respectful, but explain that you are legally required to keep patient information confidential. Explain that it is SAW LLC’s policy not to allow anybody to view a patient’s records without the patient’s authorization or a valid court order, such as a search warrant.
- If a government law enforcement agent appears at SAW LLC requesting access to protected health information, immediately ask for identification. Check the agent’s authenticity by contacting the field office to which the agent is attached (e.g., OSHA, HHS, OIG, etc.). Find this information by calling directory assistance. Do not accept this information from the agent.
Write down each agent’s name, title, division, badge number, address and telephone number. Keep a record of this information. Under the HIPAA rules, it is SAW LLC’s responsibility to verify the identity of those persons authorized to access protected health information.
- Once you have verified the agent’s identity as valid, immediately contact SAW LLC. Do not let the agent enter SAW LLC or access records without approval.
- Do not answer questions until you have spoken with SAW LLC. You should always answer questions truthfully, to the best of your knowledge, but do not provide more information than is requested by the agent.
- If the agent appears with a court order, such as a search warrant, ask to see the document. If agents request information about, access to, or possession of patients’ records, or demand to search nonpublic areas, ask to see a search warrant or other court order. If they do not have one, politely refuse to give them any confidential information or to let them search SAW LLC.
NOTE: A subpoena is different from a search warrant. If law enforcement officers show you a subpoena, give it to the practice manager immediately. Agents should not be let into nonpublic areas of SAW LLC or given records or information if they have a subpoena rather than a search warrant.
- Examine the search warrant carefully, if one is presented. The search warrant should include the following information:
The names or types of law enforcement agents allowed to conduct the search;
SAW LLC’s name and address;
The date and time that the search is permitted;
What part of SAW LLC the agents are allowed to search; and
The records, property, or persons they may search for.
Make a copy of the search warrant for SAW LLC’s records.
- Ask agents to delay. Ask the agents if they would agree to delay the search until SAW LLC’s attorneys arrive, or to arrange for a more convenient time to conduct it. If the agent has a court order, they may not be required to wait.
- Always accompany the agent or surveyor during the search. If the agents won’t agree to a delay, at least one staff member should go with them while they search. Make sure they search only the areas and take only the items authorized by the warrant.
- Record and copy seized property. If the agents take property or records with them during a search:
Write down a detailed list of items they seize;
Request a copy of the inventory the agents make of seized property;
Ask to make copies of important documents; and
Ask to copy files contained on computers or hard drives onto a disk.
- You are not legally required to answer agents’ questions during a search. You may want to show the agents where documents described in a search warrant are located, if you think that will speed up the search. Keep careful notes. Write down all questions asked and the answers you provided. Keep this information as part of your permanent records of the visit.
- Don’t destroy records. Once agents arrive with a search warrant or other court order, do not throw away or destroy records or other documents.
TRANSCRIPTION OF HEALTH INFORMATION
POLICY:
SAW LLC complies with the Health Insurance Portability and Accountability Act of 1996 and the Department of Health and Human Services rules that are designed to preserve the privacy of identifiable patient information, and meets its duty to protect the confidentiality and integrity of protected health information (PHI), as required under state and federal law, the canons of professional ethics, and applicable accreditation requirements.
All staff and contractors who participate in the processes of dictation, transcription, maintenance, storage, and retrieval of SAW LLC’s transcribed data must be familiar with this Policy and their responsibilities for protecting PHI from unauthorized use and disclosure.
Under HITECH, business associates are required to comply with many aspects of the HIPAA Privacy and Security Rules, just as a covered entity must comply.
Transcribed information contains confidential PHI the use and disclosure of which, outside SAW LLC’s treatment, payment, and operations requires an individual’s authorization. Transcriptions must be accurate to provide the highest quality of patient care. Inaccurate transcriptions may put patients at risk of harm.
- No Right to Privacy: SAW LLC encourages transcription of medical records to enhance productivity and improve the quality of care through legible and comprehensive medical records. The transcription system and all transcribed data are part of the business equipment owned by SAW LLC, and are not the Users’ property. As a result, Users have no right to privacy in their use of the transcription system or its data.
- Right to Monitor, Audit, Read: SAW LLC reserves the right to monitor, audit, and read transcribed data. SAW LLC’s manager may override user passwords. SAW LLC may monitor the content and usage of the transcription system to support operational, maintenance, auditing, security, and investigative activities.
- Training and Authorization Required: Users are permitted to use the transcription system only after having completed appropriate training, and after having received proper authorization in accordance with SAW LLC’s Security Policy. The Privacy Officer is responsible for such training and authorization.
- User’s Acknowledgment Required: A User is authorized to use the transcription system only after signing an acknowledgment stating that the User acknowledges and understands the User’s obligation to protect security and maintain confidentiality when using the transcription system, that the User will fulfill his or her obligations, and that the User will face disciplinary action if he or she does not, in accordance with SAW LLC’s Sanctions policy. The Privacy Officer is responsible for obtaining and keeping such written acknowledgment from each User.
- Access: Access to health information, records, tapes, dictation, or a combination thereof is limited to authorized users on a need-to-know basis in accordance with the HIPAA rules.
- Dictation and Dictation Playback: Dictation and dictation playback must be done in a secure environment that protects the information from being overheard by unauthorized persons. Health information may not be dictated into cellular phones or into public telephones where others can overhear the dictation, or into equipment with an activated auto answer, such as an answering machine.
- Shipping of Dictation: Dictation on audiocassette tapes, CDs, or other voice files may be shipped only in accordance with carriers authorized by the Privacy Officer.
- Log-off Required: Users must log off computers and dictation equipment when not transcribing, unless using a pause feature that removes the document from screen view and access until the transcriptionist reactivates it.
- Electronic Transmission of Transcribed Data: No User may electronically transmit transcribed data except as authorized by the Privacy Officer, consistent with relevant system security policies and chain of trust partner agreements.
- Storage and Deletion of Dictation on Voice File: Users may store dictation on an audio cassette tape, CD, or any other voice file only for the length of time necessary to transcribe and review documentation, and in a manner that protects against unauthorized access. Once the dictation has been transcribed, and that transcribed data received by SAW LLC, the dictation on the voice file must be deleted from a digital system, or erased from an analog system, in a manner approved by the Privacy Officer to protect the confidentiality of the data. Transcribed tapes may not be reused until they are first erased.
- Authentication of Report: After a User completes transcription of a report, he or she must authenticate it by an identifier assigned by the Privacy Officer. This authentication does not, however, constitute the formal authentication of the report required by law and professional standards.
- Release of Patient Data: No User may release any patient data, except to the individual who dictated the data, SAW LLC, or persons authorized in writing by the Privacy Officer.
ENFORCEMENT:
The Privacy Officer is responsible for enforcing this Policy. Employees who violate this policy are subject to discipline, up to and including termination from employment, in accordance with SAW LLC’s Sanctions policy. Under HITECH Section 13409, any individual person associated with the practice who wrongfully obtains, uses, or discloses individually identifiable health information may be subject to criminal penalties. These penalties can include fines, imprisonment, or both.
HIPAA/HITECH BREACH NOTIFICATION POLICY AND PROCEDURE
BREACH NOTIFICATION OF UNSECURED PROTECTED HEALTH INFORMATION
REFERENCE: HITECH Section 13402 and Omnibus Breach Notification Modification Rule
POLICY
SAW LLC and its contractors and vendors will strive to prevent breaches of Unsecured Protected Health Information (“PHI”) and personal information (“PI”), electronically or otherwise, and will maintain privacy and security measures to protect the confidentiality of PHI and PI. This policy describes the process by which SAW LLC will notify individuals regarding a confirmed breach of security when Unsecured PHI has been acquired, accessed, used or disclosed by an unauthorized person.
Background and Purpose:
The purpose of the Rule is to provide notification in the case of breaches of unsecured protected health information. The Rule applies to covered entities and business associates that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured protected health information.
Pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”) and the Regulations promulgated thereunder, SAW LLC will notify individuals when Unsecured PHI has been acquired, accessed, used or disclosed by an unauthorized person, unless the confirmed breach of the security of the system falls within a statutory exception or there is a low probability that the PHI has been compromised.
Definitions
Breach: the acquisition, access, use or disclosure of PHI in a manner not permitted by HIPAA which compromises the security or privacy of the protected health information.
Unsecured PHI: PHI that is not secured through the use of a technology or methodology specified by the Secretary in guidance. The technology or methodology must render PHI unusable, unreadable or indecipherable. In the guidance, these methods are:
- Encryption (by an encryption algorithm)
- Destruction
Access controls, fire walls and redaction are insufficient.
Encryption: “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key and such confidential process or key that might enable decryption has not been breached.” Decryption tools should be stored in a separate location from data.
Valid encryption processes for data in motion are those that comply with NIST Special Publications 800-52, 800-77 or 800-113, or others that are Federal Information Processing Standards (FIPS) 140-2 validated.
Destruction: Paper, film or other hard copy media has been shredded or destroyed so it cannot be read or reconstructed.
Electronic media has been cleared, purged, or destroyed consistent with NIST Special Publication 800-88 so that PHI cannot be retrieved.
RESPONSIBILITY
SAW LLC is responsible for the breach response process, although responsibility is shared with the Security Officer and other members of a Breach Response Team, as necessary.
Requirements
The Act requires the following:
Covered entities (CEs) and business associates (BAs) must determine if a breach is notifiable by performing a risk assessment and determining if exceptions to the Rule apply. (Model Documents titled “Breach Determination Worksheet” and “Breach Risk Assessment Worksheet” are available for this purpose on the following pages.)
Notification must be provided to affected individuals and to the Secretary of Health and Human Services, either immediately or by annual summary reports, following the discovery of a notifiable breach of unsecured protected health information. In some cases, the Act requires covered entities to provide notification of these breaches to the media.
Specific methods may be used by CEs and BAs to encrypt and destroy patient records to prevent breaches.
Notifications must be made using specific methods.
The contents of the notifications must contain certain information.
The Department of Health and Human Services (HHS) Secretary must post on an HHS website a list of covered entities that experience breaches of unsecured protected health information involving more than 500 individuals.
Covered entities and business associates are required to create and maintain specific documentation.
Covered entities and business associates must comply with certain administrative requirements.
PROCEDURE:
General Procedures
Once SAW LLC has discovered a breach of unsecured PHI, it will perform a risk assessment to determine whether the affected individuals must be notified. If so, it will (or its Business Associate will, depending on contract provisions) notify each individual whose unsecured PHI has been, or is reasonably believed by the practice or its BA to have been, accessed, acquired, used or disclosed as a result of the breach. Notifications are made as soon as possible and without unreasonable delay, but no later than 60 days from the time a breach is found or becomes known (or the date the practice’s workforce member or agent, such as a BA, SHOULD have known about the breach using reasonable diligence, business care and prudence). The 60-day period runs from discovery; it does not start only once the risk assessment has been completed. Notifications must be sent even if all the information is not yet known or collected. For example, it is not acceptable to wait 60 days hoping a stolen laptop will be recovered.
Waiting longer than 60 days to notify individuals of breaches of their unsecured protected health information could substantially increase the risk of harm to individuals as a result of the breach, and decrease the ability of the individuals to effectively protect themselves from this harm. Therefore, the Breach Rule specifically states that notification must occur within 60 days.
The practice and BAs must have systems in place for breach discovery. Both the practice and the BA can be held liable if breaches occur and either party is unaware of them because reasonable diligence has not been used. HHS stresses the need for training workforce members of both entities, especially regarding the 60-day notification part of the Rule and timely reporting.
Law Enforcement Requests for Delays
If a law enforcement official states that a breach notification would impede a criminal investigation, or cause damage to national security, the practice or its BA must:
- Delay notification (by mail, posting or notice) for the time period requested in writing by law enforcement.
- If the statement is oral, document the statement, including the identity of the law enforcement official, and delay the notification, notice or posting temporarily, for no longer than 30 days from the date of the oral statement, unless a written statement is submitted during those 30 days.
BREACH NOTIFICATION CRITERIA
Generally, if a possible breach occurs, the practice will determine whether the following breach notification criteria have been met before notifications are performed. This process will be done as soon as reasonably possible, so that any required notifications are made in a timely fashion. The Breach Rule specifically states that notifications must be made within 60 days.
Unsecured PHI
In order for notifications to be required, a breach must be of unsecured PHI. This is PHI in any form or medium (electronic, paper or oral) that is not secured through the use of a technology or methodology specified by the HHS Secretary in the guidance issued under Section 13402(h)(2) of Public Law 111-5 (the HITECH Act), which makes PHI unusable, unreadable, or indecipherable to unauthorized individuals. These methods are published on the HHS website: www.hhs.gov/ocr/privacy, as will future updates to this guidance.
The technologies or methodologies specified in HHS guidance within the Breach Notification Interim Final Rule are encryption and destruction. HHS guidance gives specific information on encryption processes that have been tested and meet HHS approval. The guidance states:
Protected Health Information is rendered unusable, unreadable, or indecipherable to unauthorized individuals if one or more of the following applies:
- Electronic PHI has been encrypted as specified in the HIPAA Security Rule by the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key, and such confidential process or key that might enable decryption has not been To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt.
The encryption processes must be approved by HHS.
- The media on which the PHI is stored or recorded have been destroyed in one of the following ways:
Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. Redaction (edit, modify, or revise by removing confidential or personal information) is specifically excluded as a means of data destruction.
Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800–88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.
Breach Notifications Security Methods vs. the Security Rule
The Security Rule states that encryption and destruction are “addressable” security methods, which the practice may use to safeguard electronic PHI. The Breach Rule is not contrary to this. The Breach Rule simply states that if encryption processes and destruction security methods are not executed according to the HHS guidance, and the breach does not fall under one of the exceptions, then notification must be performed. Stated another way, notification is only required in breaches of “unsecured PHI,” (NOT for secure PHI where breaches are made unusable, unreadable, or indecipherable by using the HHS guidance recommendations of encryption and destruction.)
Access Controls and Firewalls
Guidance within the Breach Rule discusses the use of access controls. Although these controls may render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, they do not meet the statutory standard of the Breach Rule because if the controls are compromised, the underlying information could still be usable, readable, or decipherable.
Identifiers
A use or disclosure of PHI that includes none of the identifiers listed below (taken from HIPAA Privacy Rule Section 164.514(e)(2) under “Limited Data Sets”), and neither a date of birth nor a zip code, does not compromise the security or privacy of the PHI and so is not a breach. If an impermissible use or disclosure does not include any of these identifiers together with PHI, then no breach has occurred.
PHI Identifiers
Names;
Postal address information, other than town or city, state, and zip code;
Telephone numbers;
Fax numbers;
Electronic mail addresses;
Social Security numbers;
Medical record numbers;
Health plan beneficiary numbers;
Account numbers;
Certificate/license numbers;
Vehicle identifiers and serial numbers, including license plate numbers;
Device identifiers and serial numbers;
Web Universal Resource Locators (URLs);
Internet Protocol (IP) address numbers;
Biometric identifiers, including finger and voice prints;
Full face photographic images and any comparable images.
Limited Data Sets, Dates of Birth, and Zip Codes
A limited data set, often used in research or public health, is protected health information that does not have the 16 direct identifiers listed above of the individual, or of relatives, employers, or household members of the individual. Limited data sets often contain dates of birth and/or zip codes.
Limited data sets are considered PHI, and are covered by the Privacy Rule. For purposes of the Breach Notification Rule, if date elements such as DOB and zip codes are allowed to remain, the data could be re-identified. If an impermissible use or disclosure occurs with a limited data set that includes DOB or zip code, the practice or BA needs to do a “risk assessment” and consider the probability of harm if the data is re-identified. If the probability is low, there is no significant risk, and the breach does not require notification. Uses and disclosures of limited data sets are permissible under the Privacy Rule if the other requirements are met (i.e., data use agreements). A covered entity may use or disclose a limited data set only for the purposes of research, public health, or health care operations.
Exceptions
The Breach Rule specifies certain exceptions to breach notification. For the practice and its BAs, a breach is not notifiable if one of the following applies:
- Un-retainable: Unauthorized disclosures where the practice or its BA has a good faith belief that the recipient of the information would not be able to retain the information, and it doesn’t result in further use or disclosures. For example:
A covered entity with insufficient safeguards sends several EOBs by mail to the wrong individuals, and some are returned by the post office unopened. Notifications do not need to be made for the unopened ones, but there could be a potentially notifiable breach for those opened or not returned; and
A nurse hands a patient a medical report, but quickly realizes that it was someone else’s report and requests the return of the incorrect report. In this case, if the nurse can reasonably conclude that the patient could not have read or otherwise retained the information, then providing the report to the wrong patient does not constitute a breach.
- Unintentional: A good faith acquisition, access, or use of information by a workforce member (employee, volunteer, trainee: those under the direct control of the CE), or by persons acting under the authority of a CE or BA, which doesn’t result in further use or disclosures EXCEPT in a manner allowed under the Privacy Rule, e.g., an e-mail is sent to the wrong party at a covered entity, is re-directed, and then deleted.
- Inadvertent: Disclosures among persons similarly authorized to access PHI at the same facility (same CE or BA, which can include different locations of the same CE or BA), where the original disclosure doesn’t result in further use or disclosures without authorization. For example, disclosures between a physician at a hospital and another hospital employee, who may both access PHI under the Privacy Rule, such as when a nurse calls a doctor who provides medical information on a patient in response to the inquiry, and it turns out the information was for the wrong patient.
Risk Assessment
Before deciding if a breach is notifiable, the practice or its BA must perform a risk assessment to determine whether there was a low probability that the PHI was compromised. Determine the probability that the PHI has been compromised based on a risk assessment of at least the following factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.
SAW LLC and its BAs must document their risk assessments, showing that there is a low probability of harm to the individual. When a covered entity or business associate knows of an impermissible use or disclosure of protected health information, it should maintain documentation that all required notifications were made, or, alternatively, of its risk assessment or the application of any exceptions to the definition of “breach” to demonstrate that notification was not required.
BREACH NOTIFICATIONS:
Once SAW LLC has discovered a notifiable breach of unsecured PHI, it will notify each individual whose unsecured PHI has been, or is believed to have been, accessed, acquired, used or disclosed as a result of the breach. This notification will be done as soon as reasonably possible, and no later than 60 days from the time the breach was discovered. The practice must provide notification of the breach to affected individuals and the Secretary of HHS, and possibly to the media under some circumstances. All notices are sent in a manner that is reasonably calculated to reach the individual. Business associates must notify the practice that a breach has occurred as soon as possible after they have become aware of it. The practice will attempt to document a reporting timeframe for BAs within the business associate agreements.
Content Requirements of Breach Notifications
The notice must include the following information:
- A brief description of what happened, including the date of the breach and the date of discovery, if known;
- A description of the types of unsecured PHI involved in the breach (e.g., Social Security number, full name, DOB, home address, diagnosis, disability code, etc.). The actual information breached should not be used, only a description. Do not include sensitive information in the notification.
- The steps affected individuals should take to protect themselves from harm from the breach (contact credit card companies, credit monitoring services, file a police report, );
- A brief description of what the practice is doing to investigate the breach (filing a police report, if needed), mitigate harm (of all types, not just financial), and protect against further breaches (improve security, employee sanctions, );
- How to contact the practice for questions or information—the notice must include the practice’s toll-free number, e-mail address, website or postal
The written notice must be written in plain language, and may need to be translated into frequently encountered languages. Also, the Breach Rule states:
“Similarly, to the extent that a covered entity is obligated to comply with Section 504 of the Rehabilitation Act of 1973 or the Americans with Disabilities Act of 1990, the covered entity has an obligation to take steps that may be necessary to ensure effective communication with individuals with disabilities, which could include making the notice available in alternate formats, such as Braille, large print, or audio.”
Notice to Individuals
Written Notice
A written notice is sent to the affected individual by first-class mail, at their last known address, or to the next of kin if necessary. An e-mail notice may be sent if the individual has authorized the use of e-mail. If e-mail is used, the practice will monitor undeliverable e-mail, and if the e-mail is returned to the practice as undeliverable, the practice will then issue a written notice. If the individual is a minor or lacks legal capacity, the written notice will be sent to the parent or personal representative.
If the affected individual is deceased (if known), then a written notice is sent by first-class mail to the last known address of the next-of-kin or personal representative (if known), with authority to act. It is not necessary to try to obtain contact information for the next-of-kin or personal representative, only to send a written notice if the practice already has the contact information.
It may be necessary to send more than one mailing as information becomes available.
Urgent Information: If the practice determines that the information contained in the written notice is of an urgent nature because of possible imminent misuse of unsecured PHI, a phone call or other means of immediate notification will be used. The phone call or other method is not a substitution for the written notice, which must still be sent. Care must be taken when leaving information on an answering machine.
Substitute Notice: The substitute notice is an alternative form of written notice, allowed by the Rule when there is insufficient or out-of-date contact information for the affected person, or mail is returned. The substitute notice must contain all the same elements as the written notice to the individual. If the individual is deceased, the practice is not required to send a substitute notice to the next of kin or personal representative if the practice doesn’t have the contact information, or has out-of-date information.
The methods used for the substitute notice will vary, depending on the number of affected individuals.
For fewer than 10 people:
An alternate form of written notice can be used, such as a phone call or e-mail (even if there is no authorization for e-mail). If the practice does not have contact information available, a notice may be placed on the company website. Sensitive information must not be included.
For more than 10 people:
- A website posting on the practice’s homepage (or a prominent hyperlink) for 90 days, if a practice website is available, or
- A conspicuous notice in major print or broadcast media in the geographic areas where the affected individuals likely
Both methods must include a toll-free number, active for at least 90 days, where the individual can receive information on whether their unsecured PHI was part of the breach. The practice may also attempt to update the contact information.
Annual Summary Reports
For fewer than 500 individuals (in any geographic area), immediate HHS notification is not necessary, but SAW LLC must keep a log or other documentation of all notifiable breaches, and send an annual summary report to HHS not later than 60 days after the end of the calendar year. A separate form is required for every breach that has occurred during a calendar year. (A Model Document titled “Breach of Unsecured Protected Health Information” is available for this purpose on the following pages.) This report must be submitted electronically to the Secretary. The annual report form and instructions are available on the HHS website at:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html
The practice log must be retained for six years.
Breaches Involving More Than 500 Individuals
In addition to the above, for notifiable breaches involving more than 500 individuals the practice must do the following:
Media notification: For more than 500 residents of a state or jurisdiction (defined as a geographic area smaller than a state, such as a county, city or town), whose unsecured PHI has been, or is believed by the practice to have been, accessed, acquired, or disclosed as a result of the breach, a media notification is required. Individuals must be notified by written notice AND also by a notice (possibly a press release) to prominent media outlets serving the state or jurisdiction. The notifications will be made without unreasonable delay, and no later than 60 days after discovery (unless the law enforcement exception applies). The media notification must include the same information as the written notice.
HHS Notification: For more than 500 individuals (in any geographic area), the practice must notify the Secretary of HHS at the same time as the individuals, and no later than 60 days after the notifiable breach is found (unless the law enforcement exception applies). As the Rule specifies, notice must be submitted electronically by following the link below and completing all information required on the breach notification form:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html
Section 13402(e)(4) of the HITECH Act requires HHS to post a list of covered entities that submit reports of notifiable breaches of more than 500 individuals on their website.
In cases where a BA has had a breach of more than 500 people, but the practice did not have more than 500 affected persons, the above media notification does not apply. Also, the practice does not need to notify HHS, but must log the breach and include the information in the annual notice to HHS.
NOTIFICATION TO THE PRACTICE BY A BUSINESS ASSOCIATE
According to Sect. 13402(b) of the HITECH Act, a business associate of SAW LLC that accesses, maintains, retains, modifies, records, destroys, or otherwise holds, uses, or discloses unsecured PHI is required to notify the practice when it discovers a breach of such information.
The breach is treated as discovered by the BA as of the first day a breach is known to the BA, or should have been known by exercising reasonable diligence, by any person (other than the one committing the breach) who is an employee, officer, or other agent of the BA.
Occasionally, a breach originating from a BA concerns affected individuals from different covered entities. The BA is only required to notify SAW LLC regarding the practice’s affected individuals, as long as the BA is certain which individuals are associated with SAW LLC; if the BA is uncertain, it may be necessary for the BA to notify all potentially affected covered entities.
BA AGREEMENTS REGARDING BREACHES
Agreements between BAs and SAW LLC may address which party will provide notice to affected individuals, and the timeframe in which the BA should notify the practice following a breach, as long as all required notifications are provided and the other requirements of the Rule are met. The Breach Rule specifies that the business associate contract can be used to determine the method a BA will use when notifying the CE (such as whom to notify within the practice). According to the Rule, the parties should consider “which entity is in the best position to provide notice to the individual, which may depend on circumstances, such as the functions the BA performs for the CE.” The practice and BA should also make sure that both parties don’t notify individuals about the same breach.
Documentation
SAW LLC must make all documentation available to HHS upon request. All documentation requirements that apply to the practice under the HIPAA Privacy Rule Section 164.530, Administrative Requirements also apply to the Breach Rule. This includes:
Personnel designations;
Training for each member of the practice’s current workforce, and for new members of the workforce within a reasonable period of time;
Complaints: the practice must document all complaints received, and their disposition;
Sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the practice;
Changes to the Privacy Notice;
Changes to policies and procedures;
Documentation sufficient to meet its burden of proof under 164.414(b) Breach Notifications. All information gathered for the risk assessment during the investigative process must be documented. SAW LLC and its BAs have the “burden of proof,” and must demonstrate and document that breach notification(s) were not required following an impermissible use or disclosure of PHI, or that notification(s) were necessary, including why they were necessary. The practice must also document that notifications were made as required by the Rule.
Administrative Requirements
The practice complies with the administrative requirements of the following parts of Section 164.530 of the Privacy Rule, with respect to breach notification:
- Training: SAW LLC trains all members of its workforce on policies and procedures with respect to PHI, including complaints to the practice, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity. Each new member of the workforce receives training within a reasonable period of time after the person joins the workforce. Each member of the practice’s workforce whose functions are affected by a material change in the policies or procedures is trained within a reasonable period of time after the material change becomes effective. Training is documented.
- Complaints to the Covered Entity: SAW LLC provides a process for individuals to make complaints concerning the HIPAA/HITECH policies and procedures, or compliance with such policies and
- Sanctions: The practice has, and applies, appropriate sanctions against members of its workforce who fail to comply with our HIPAA/HITECH policies and
- Refraining From Intimidating or Retaliatory Acts: The practice does not intimidate, threaten, coerce, harass, discriminate against, or take other retaliatory action against any individual for:
Filing a complaint under Sect 160.306;
Testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing under Sect 160.316; or
Opposing any act or practice made unlawful by the subchapter of Section 160.316, provided the individual or person has a good faith belief that the practice opposed is unlawful, and the manner of opposition is reasonable and does not involve a disclosure of protected health information in violation of subpart E of part 164.
- Waiver of Rights: SAW LLC may not require individuals to waive their rights regarding filing complaints (contained in Sect. 160.306) as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for
- Policies and Procedures: SAW LLC implements policies and procedures with respect to PHI that are designed to comply with the standards, implementation specifications, or other requirements of the Administrative
- Documentation: According to the Rule, the practice does the following:
Maintains the policies and procedures of the Administrative Requirements in written or electronic form;
If a communication is required by the Administrative Requirements to be in writing, maintains such writing, or an electronic copy, as documentation;
If an action, activity, or designation is required by the Administrative Requirements to be documented, maintains a written or electronic record of such action, activity, or designation;
Maintains documentation sufficient to meet its burden of proof by demonstrating that all notifications were made as required by the Breach Rule, or that the use or disclosure did not constitute a breach.
STATE LAWS/PREEMPTION:
In cases where state law regarding breaches is “contrary” to HIPAA, the federal law preempts state law, and the practice follows the federal HIPAA Rules. “Contrary” is defined as circumstances where “a CE could find it impossible to comply with both the state and federal requirements” or if the state law “stands as an obstacle to the accomplishment and execution of the full purposes and objectives” of the breach notification provisions.
If state law is not contrary in a particular area, but is just more stringent, state law must be followed. The practice will comply with both at the same time. For example, if the state Written Notice requires more information than the federal Rules, the state law is followed. (Since it is possible to comply with both at the same time, there is no conflict.)
PROCEDURE:
- If it is confirmed that a breach of security or confidentiality has occurred and has resulted in the unauthorized disclosure of PHI, the following risk assessment steps will be taken:
- Determine whether or not the information breached was Unsecured PHI. Unsecured PHI includes information not secured through encryption or destruction, and not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary of HHS in guidance issued under Section 13402(h)(c) of Public Law 111-5.
- Determine the reasonable likelihood that such information was accessed by an unauthorized person.
- Determine the probability that the PHI has been compromised based on a risk assessment of at least the following factors: (i) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (ii) the unauthorized person who used the PHI or to whom the disclosure was made; (iii) whether the PHI was actually acquired or viewed; and (iv) the extent to which the risk to the PHI has been mitigated.
- The risk assessment will be documented thoroughly, including the actions taken, the conclusions of the assessment and the basis for the determination that there was or was not a low probability that the PHI was compromised. (This is a change in the rule: the prior rule only required notification in cases where there was a “significant risk of harm”; the harm threshold has been removed and many more breaches will be notifiable.)
- If it is determined that the information breached was secured and there is no reasonable likelihood that the secured information was rendered usable, readable or viewable by an unauthorized person, no further action is necessary, but the determination and conclusion will be documented.
- If it is determined that the information breached was Unsecured, but the circumstance of the breach falls within one of the exceptions to HIPAA (45 C.F.R. § 164.42), so that notification is not required, such determination will be documented.
- If it is determined that the breach of the security of the system demonstrates that there is more than a low probability that the PHI was compromised, SAW LLC will, as soon as possible but no later than 60 days after the discovery of the breach, notify the individual(s) whose information was disclosed as a result of the breach, and the determination and conclusion will be documented.
- If it is determined that the information breached was Unsecured and notification is required, an analysis of the requirements for notification of the State in which the individuals reside will be conducted and
- If notification to law enforcement or another regulatory body or agency is required under State law, such notification will be made to the regulatory body or agency in accordance with State law.
- If State law requires notification to the individual, notification will be made in accordance with State law.
- Notification to the individual may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation and the notification will be made after law enforcement determines it will not compromise its
- Notification of a breach to affected individuals will be in plain language and include the information given
- The notification must include any additional information required by applicable State law.
- If the breach involves more than 500 residents of a state or jurisdiction, notice will be provided to the media and to the Secretary of the Department of Health and Human Services (“HHS”)
- A log of any and all breaches of Unsecured PHI of less than 500 individuals will be maintained and reported to the Secretary of HHS on an annual
- Business Associates and vendors, through their contracts and/or Business Associates Agreements with SAW LLC will be required to provide notification of a breach to SAW LLC so affected individuals can be notified, as necessary. Business Associates must provide all available information without
- Documentation will be maintained of each individual notified, each notification provided to HHS and any other notification to the Secretary of HHS as required by
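The triage steps above, as an added worked example that is not part of the SAW LLC manual: a small Python decision routine that walks the secured/exception/risk-assessment gates, computes the 60-day individual-notice deadline and the annual-report due date, splits immediate HHS reporting from the annual log at 500 individuals, adds the media notice for more than 500 residents of one state or jurisdiction, and picks the substitute-notice method by head count. The record fields, the sample records and the handling of exactly 10 unreachable individuals are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# The four factors the Rule requires the risk assessment to cover (see Risk Assessment above).
FACTORS = ("nature_and_extent", "unauthorized_recipient", "acquired_or_viewed", "mitigation")
EXCEPTIONS = ("unretainable", "unintentional", "inadvertent")


@dataclass
class BreachRecord:
    """One impermissible use or disclosure, as it might be recorded on a worksheet (assumed fields)."""
    discovered: date
    secured: bool                      # encrypted or destroyed per HHS guidance
    exception: Optional[str]           # one of EXCEPTIONS, or None
    risk_findings: Dict[str, str]      # factor -> assessor's written finding
    low_probability: bool              # assessor's overall conclusion from the four factors
    affected: int                      # individuals whose unsecured PHI was involved
    max_in_one_jurisdiction: int = 0   # largest count of residents of a single state/jurisdiction
    unreachable: int = 0               # individuals with missing or out-of-date contact info


def annual_report_due(discovered: date) -> date:
    """Annual summary report: no later than 60 days after the end of the calendar year."""
    return date(discovered.year, 12, 31) + timedelta(days=60)


def triage(b: BreachRecord) -> dict:
    """Walk the procedure's decision steps and return what must be done and by when."""
    result = {"notifiable": False, "basis": "", "deadline": None, "actions": []}
    if b.secured:
        result["basis"] = "PHI was secured; document the determination and conclusion"
        return result
    if b.exception is not None:
        if b.exception not in EXCEPTIONS:
            raise ValueError(f"unknown exception {b.exception!r}")
        result["basis"] = f"exception applies ({b.exception}); document the determination"
        return result
    # Burden of proof: every factor must be documented before any conclusion is accepted.
    missing = [f for f in FACTORS if not b.risk_findings.get(f)]
    if missing:
        raise ValueError("risk assessment incomplete; undocumented factors: " + ", ".join(missing))
    if b.low_probability:
        result["basis"] = "documented risk assessment found a low probability of compromise"
        return result

    result["notifiable"] = True
    result["basis"] = "unsecured PHI, no exception, more than a low probability of compromise"
    result["deadline"] = b.discovered + timedelta(days=60)   # no later than 60 days after discovery
    acts: List[str] = result["actions"]
    acts.append("written notice to each affected individual by first-class mail")
    if 0 < b.unreachable < 10:
        acts.append("substitute notice: phone call, e-mail or website posting")
    elif b.unreachable >= 10:   # manual says 'greater than 10'; exactly 10 treated as the larger case (assumption)
        acts.append("substitute notice: homepage posting or major print/broadcast for 90 days, plus toll-free number")
    if b.max_in_one_jurisdiction > 500:
        acts.append("notice to prominent media outlets serving the state/jurisdiction")
    if b.affected > 500:
        acts.append("notify the Secretary of HHS at the same time as the individuals")
    else:
        acts.append(f"log the breach; include it in the annual report to HHS due {annual_report_due(b.discovered)}")
    acts.append("check State breach law for additional or stricter notice requirements")
    acts.append("document each notification made")
    return result


# Constructed sample records (not real incidents) exercising each branch of the procedure.
_FULL = {f: "documented" for f in FACTORS}
SAMPLE_BREACHES = {
    "encrypted_laptop": BreachRecord(date(2024, 3, 5), True, None, {}, False, 50),
    "unopened_eobs": BreachRecord(date(2024, 3, 5), False, "unretainable", {}, False, 4),
    "low_probability": BreachRecord(date(2024, 3, 5), False, None, _FULL, True, 12),
    "incomplete_assessment": BreachRecord(date(2024, 3, 5), False, None, {"mitigation": "x"}, True, 12),
    "mailing_error_120": BreachRecord(date(2024, 3, 5), False, None, _FULL, False, 120, 120, 3),
    "vendor_breach_1200": BreachRecord(date(2024, 3, 5), False, None, _FULL, False, 1200, 800, 40),
}

if __name__ == "__main__":
    for name, rec in SAMPLE_BREACHES.items():
        try:
            print(name, triage(rec))
        except ValueError as err:
            print(name, "ERROR:", err)
```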
Please refer to the “Forms” section to find the “Breach Determination Worksheet” form.
Please refer to the “Forms” section to find the “Breach Risk Assessment Worksheet” form.
Please refer to the “Forms” section to find the “Security Incident Report” form.
Please refer to the “Forms” section to find the “Breach Response Sample Letter”.
Please refer to the “Forms” section to find the “Breach of Unsecured PHI Report to the Department of Health and Human Services” form.
MITIGATION OF BREACHES POLICY
REFERENCE: 45 CFR § 164.530(f)
POLICY
SAW LLC complies with the Health Insurance Portability and Accountability Act of 1996 and Department of Health and Human Services rules that are designed to preserve the privacy of identifiable patient information.
SAW LLC must mitigate, to the extent practicable, any harmful effect that is known to SAW LLC of a use or disclosure of PHI in violation of its policies and procedures by SAW LLC or its business associate.
This practice complies with the HIPAA Omnibus Rule of January, 2013 “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules.”
The purpose of the Rule is to provide notification in the case of breaches of unsecured protected health information. The Rule applies to covered entities and business associates that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured protected health information.
The Act requires the following:
Covered entities (CEs) and business associates (BAs) must determine if a breach is notifiable by performing a risk assessment and determining if exceptions to the Rule apply.
Notification must be provided to affected individuals and to the Secretary of Health and Human Services, either immediately or by annual summary reports, following the discovery of a notifiable breach of unsecured protected health information (breaches with a more than low probability that the PHI was compromised). In some cases, the Act requires covered entities to provide notification of these breaches to the media.
Specific methods may be used by CEs and BAs to encrypt and destroy patient records to prevent breaches.
Notifications must be made using specific methods.
The contents of the notifications must contain certain information.
In the case of a breach of unsecured protected health information at or by a business associate of a covered entity, the Act requires the business associate to notify the covered entity of the breach. The Department of Health and Human Services (HHS) Secretary must post on an HHS website a list of covered entities that experience breaches of unsecured protected health information involving more than 500 individuals.
Covered entities and business associates are required to create and maintain specific documentation.
Covered entities and business associates must comply with certain administrative requirements. Additional information on Breach Notification can be found in the “Breach Notification of Unsecured PHI Policy” chapter of this manual.
PROCEDURE:
- All employees are required to inform the Privacy Officer of any known or suspected violations of SAW LLC’s HIPAA policies and procedures.
- The Privacy Officer will evaluate the violation and whether there was more than a low probability that the PHI was compromised, and determine the appropriate course of action according to the HITECH Breach Notification Rule. All such violations and the associated efforts to mitigate the harmful effects will be documented. Mitigation may include, but is not limited to:
Taking operational and procedural corrective measures to remedy violations;
Taking employment actions to re-train, reprimand, or discipline employees as necessary, up to and including termination;
Addressing problems with business associates once SAW LLC is aware of a breach of privacy;
Incorporating mitigation solutions into SAW LLC’s policies as necessary and appropriate.
- All violations of HIPAA policy and procedure that affect an individual will be documented in the accounting of disclosures form. The patient may not necessarily be notified if the Privacy Officer determines, using a risk assessment according to the Breach Notification Rule, that there was a low probability that the PHI was compromised, given the nature of the violation. In cases where the probability of compromise is more than low, the patient will be notified of the violation and SAW LLC’s efforts to mitigate the resulting harm. In some cases, HHS and the media may also need to be notified, depending on the number of individuals affected by the breach.
When a breach is discovered or suspected:
SAW LLC’s procedure for handling requests received from patients on the use and disclosures of PHI is as follows: N/A
N/A handles requests received from patients on the use and disclosures of PHI.
SAW LLC’s procedure for responding to known or suspected breaches is as follows: N/A
BUSINESS ASSOCIATES
BUSINESS ASSOCIATES AND VENDOR AGREEMENTS POLICY
REFERENCE: 45 CFR Parts 160 and 164, and the HIPAA Omnibus Rule of 2013
Definition
Business Associate:
- Except as provided in paragraph (4) of this definition, business associate means, with respect to a covered entity, a person who:
- On behalf of such covered entity or of an organized health care arrangement (as defined in this section) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing; or
- Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in §164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.
- A covered entity may be a business associate of another covered
- Business associate includes:
- A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health (Courier services such as the U.S. Postal Service or United Parcel Service and their electronic equivalents, such as internet service providers (ISPs) providing data transmission services are excluded. A conduit transports information in digital or hard copy form, but does not access it other than on a random or infrequent basis, as necessary to perform the transportation service or as required by other law. Example: a telecommunications company having random, occasional access to PHI when reviewing whether data transmitted over its network is arriving at its destination.)
- A person that offers a personal health record to one or more individuals on behalf of a covered (Personal health record vendors are only considered business associates of the covered entity if they are providing the records on behalf of the covered entity. If an individual has authorized that a personal health record vendor receive their records, the vendor does not automatically become a business associate.)
- A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business
- Business associate does not include:
- A health care provider, with respect to disclosures by a covered entity to the health care provider concerning the treatment of the
- A plan sponsor, with respect to disclosures by a group health plan (or by a health insurance issuer or HMO with respect to a group health plan) to the plan sponsor, to the extent that the requirements of 164.504(f) of this subchapter apply and are met.
- A government agency, with respect to determining eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency, or collecting protected health information for such purposes, to the extent such activities are authorized by law.
- A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement by virtue of such activities or services.
POLICY
Business Associates and the HIPAA Privacy and Security Rules
The HITECH Act has provisions regarding business associates and the Privacy Rule. Prior to HITECH, BAs were required to follow the HIPAA Privacy Rules because of their contracts with CEs. Under HITECH, this has changed.
BAs are now considered the same as CEs, and are bound by the same requirements of the HIPAA Privacy and Security Rules as covered entities. Business associates must implement, and comply with, many parts of the Privacy and Security Rules, and must have their own contracts with covered entities. Civil and criminal penalties that apply to covered entities that violate the Privacy and Security Rules now also apply to business associates.
Under “Uses and disclosures: Organizational requirements, Business associate contracts,” if a CE/BA knows of a pattern of activity or practice of the CE/BA that constitutes a material breach or violation of the CE/BA’s obligation under the contract or other arrangement, the CE/BA must take reasonable steps to cure the breach or end the violation, as applicable. If these steps are unsuccessful, the CE/BA must terminate the contract or arrangement, if feasible.
HIPAA Requirements for Business Associate Contracts
There are several HIPAA and HITECH requirements concerning business associate contracts. Attention should be paid to the use of contracts for business associates on the subject of internet-hosted or non-hosted practice management/EHR applications. When establishing a business associate agreement, there are several aspects that should be considered.
HIPAA 164.504(2) “Uses and disclosures of protected health information: general rules,” states that a contract between the covered entity and a business associate must:
Establish the permitted and required uses and disclosures of such information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that:
- The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4), “Other requirements for contracts and other arrangements,” of this section; and
- The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity.
Breaches
The purpose of HITECH Section 13402, “Notification in the case of breach,” is to provide individuals a notification in the case of breaches of unsecured protected health information. The Rule applies to covered entities and business associates that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured protected health information. The Rule requires CEs and BAs to take steps to cure any breaches or end violations of unauthorized use, access, or disclosure of PHI in any form (oral, written or electronic).
The agreement should state that the business associate will comply with the Breach Notification Rule. It may include:
- The methods the BA will use to notify the CE of a breach;
- Which specific individuals or departments will be notified;
- Who will perform the risk assessment;
- Who will provide the notification to the individual and the information that will be included;
- How the BA will encrypt and destroy PHI to avoid notifiable breaches;
- Whether there are available systems in place for breach discovery;
- Training and sanctions for workforce members;
- Maintaining documentation in compliance with the Breach Rule, which includes demonstrating that all notifications were made as required, or that the use or disclosure did not constitute a breach.
The BA will provide notification to the Covered Entity without unreasonable delay and in no event later than calendar days after discovery of the breach (possibly five days after the breach becomes known to the BA).
It may also be decided whether encryption and destruction will be performed by the BA, using the suggestions contained in the NIST guidance documents (as HHS has stated in guidance). These methods are not required under HITECH, but if they are not used, a breach could be notifiable. The contracts may include other items depending on the needs of both parties. They should be reviewed by legal counsel.
VENDORS
In order to protect the privacy of health information and to protect the interests of the practice, vendors who are not business associates (and would not be entering into a business associate contract with the practice) will be asked to sign a “HIPAA Vendor Confidentiality Agreement.” (A model document can be found on the following pages.)
Vendors, unlike business associates, are individuals who do not need access to or use of PHI in order to perform their duties. Examples of vendors include contracted cleaning agencies and tradespeople such as plumbers, electricians, etc. The Vendor Confidentiality Agreement makes clear that should these individuals come in contact with or have access to confidential employee, patient, and business information (in any form: oral, written, electronic, images, etc.), they are required to abide by privacy regulations. The access, possession, use, copying, printing, transmission or reading of practice records, or disclosure of any information of a confidential or personal nature about a patient or employee to unauthorized persons, is strictly forbidden.
The Agreement contains a clause that requires the vendor to have insurance against any losses the practice may incur through the acts of the vendor. This clause may be removed if the practice wishes to do so.
PROCEDURE:
These procedures relate to the relationships between Business Associates, the Privacy and Security Rules, and Business Associate contracts.
- SAW LLC develops and maintains a list of business associates. It determines whether contracts are in place and when they were instituted.
(A Model Document titled “Business Associate List” is available for this purpose in this manual. It can also be used as a checklist for Business Associate contracts.)
- The practice performs a gap analysis of existing contracts, determines where there are gaps, and re-negotiates contracts as needed to include the HIPAA and HITECH Act contract
- SAW LLC is obligated under the HITECH Act to monitor its business associates and be assured that they have their own HIPAA Privacy and Security Policies and Procedures. Assurances are sought by asking each of the practice’s BAs specific questions relating to the above HIPAA and HITECH business associate contract policies. This procedure alerts the practice to the areas in which its BAs are not in compliance.
- The Breach Notification Rule is reviewed with each BA to make certain that the BA has a thorough understanding of its responsibilities under the Rule, since both covered entities and BAs are responsible for breaches of unsecured protected health information.
- In the case of breaches, SAW LLC will consider whether the business associate or the practice is in the best position to provide notice to the individual, which may depend on circumstances such as the functions the BA performs for the CE. The practice and BA will also make sure both parties don’t notify individuals about the same breach.
- The BA must notify the CE of a breach as soon as it becomes known. SAW LLC must perform notifications within 60 days of the discovery of the breach.
- SAW LLC may require business associates to notify them whenever the BA hires subcontractors who will have access to PHI.
- If the practice establishes a working relationship with organizations that provide data transmission of PHI to the practice (or its business associates) and that require routine access to the PHI, a business associate agreement will be used to govern the responsibilities of each party. Under HITECH Section 13408, a written contract or other arrangement is required, and these organizations must be considered business associates of the practice. Examples of these
organizations include:
- Health Information Exchange Organizations, Regional Health Information Organizations, E-prescribing Gateways;
- Each vendor that contracts with the practice to allow the practice to offer a personal health record to patients as part of its electronic health record.
On the following pages is an explanation of how to determine whether an entity is a business associate in need of a business associate agreement, Business Associate and Vendor Tracking Forms to assist with documentation, and a model Business Associate Agreement (BAA).
The BAA and Vendor Confidentiality Agreement forms contain an “Indemnification Clause” (section 7 m) which requires the Business Associate to compensate the practice for loss or damage in cases of breaches caused by the BA. The Indemnification Clause is not a HIPAA requirement, but is provided as an extra assurance which the practice may wish to incorporate in their BA Agreements.
DETERMINING BUSINESS ASSOCIATES AND NEED FOR CONTRACTS
Instructions:
HIPAA / HITECH requires that covered entities and business associates have business associate contracts in place, which describe the written safeguards the business associate will use to protect the PHI, among other items. HIPAA does not require that covered entities have BAAs in place with each other; they are allowed to share PHI for treatment, payment and health care operations (see definitions) without a written agreement, and without patient authorization (with a few exceptions, such as psychotherapy notes). In order to determine which entities or individuals are considered business associates and must have a contract, it is important to know the differences between a covered entity and a business associate.
This document will examine these differences, ask some important questions you will find helpful when trying to decide if you must have business associate agreements (BAAs) in place with various entities, and provide a “BAA / CE Decision Grid” you may use to document your findings. Several definitions and explanations are also provided. When in doubt, you may always err on the side of caution and establish a BAA.
If your organization has multiple facilities in different locations, a separate worksheet can be used for each location. The worksheet is designed to ask three basic questions (listed below).
- Does the entity need access to PHI to perform their functions (ex. lawyers, accountants, transcription, data destruction, answering services)? If not, they are not a BA.
- Is the entity a “covered entity” (CE)? CEs may share PHI for treatment, payment and health care operations without using a BAA. However, there are some instances where a CE may perform functions of a BA for another CE under contract, and a BAA would be required.
- Can an individual be considered a member of the “workforce”? (see definitions) If so, generally a BAA is not needed for that individual.
Business Associate Defined
The Department of Health and Human Services defines a “business associate” as a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity (or an “organized health care arrangement”). A member of the covered entity’s workforce (see definitions) is not a business associate.
A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity. The Privacy Rule lists some of the functions or activities, as well as the particular services, which make a person or entity a business associate, if the activity or service involves the use or disclosure of protected health information. The types of functions or activities that may make a person or entity a business associate include payment or health care operations activities, as well as other functions or activities regulated by the Administrative Simplification Rules. The HIPAA Omnibus Rule states:
“Except as provided in paragraph (4) of this definition, business associate means, with respect to a covered entity, a person who:
- On behalf of such covered entity or of an organized health care arrangement (as defined in this section) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing; or
- Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.
- A covered entity may be a business associate of another covered entity.
- Business associate includes:
- A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information. (Courier services such as the U.S. Postal Service or United Parcel Service and their electronic equivalents, such as internet service providers (ISPs) providing data transmission services, are excluded. A conduit transports information in digital or hard copy form, but does not access it other than on a random or infrequent basis, as necessary to perform the transportation service or as required by other law. Example: a telecommunications company having random, occasional access to PHI when reviewing whether data transmitted over its network is arriving at its destination.)
- A person that offers a personal health record to one or more individuals on behalf of a covered entity. (Personal health record vendors are only considered business associates of the covered entity if they are providing the records on behalf of the covered entity. If an individual has authorized that a personal health record vendor receive their records, the vendor does not automatically become a business associate.)”
A business associate agreement is required only where a person or entity is conducting a function or activity regulated by the Administrative Simplification Rules on behalf of a covered entity, such as payment or health care operations, or providing one of the services listed in the definition of “business associate.”
Exceptions to the Business Associate Standard
The Department of Health and Human Services states the following:
The Privacy Rule includes the following exceptions to the business associate standard. See 45 CFR 164.502(e). In these situations, a covered entity is not required to have a business associate contract or other written agreement in place before protected health information may be disclosed to the person or entity.
Disclosures by a covered entity to a health care provider for treatment of the individual. For example:
A hospital is not required to have a business associate contract with the specialist to whom it refers a patient and transmits the patient’s medical chart for treatment purposes.
A physician is not required to have a business associate contract with a laboratory as a condition of disclosing protected health information for the treatment of an individual.
A hospital laboratory is not required to have a business associate contract to disclose protected health information to a reference laboratory for treatment of the individual.
Disclosures to a health plan sponsor, such as an employer, by a group health plan, or by the health insurance issuer or HMO that provides the health insurance benefits or coverage for the group health plan, provided that the group health plan’s documents have been amended to limit the disclosures or one of the exceptions at 45 CFR 164.504(f) has been met.
The collection and sharing of protected health information by a health plan that is a public benefits program, such as Medicare, and an agency other than the agency administering the health plan, such as the Social Security Administration, that collects protected health information to determine eligibility or enrollment, or determines eligibility or enrollment, for the government program, where the joint activities are authorized by law.
Decision-Making
Below are some points to examine when making decisions on whether a particular entity is actually a business associate, and a BAA is needed, vs. a vendor where a confidentiality agreement is sufficient:
- Does equipment from the vendor have PHI stored on it? (copy machines, diagnostic equipment units, etc.)
- Is it necessary to give a vendor PHI in order for them to deliver goods to the patient? (such as oxygen equipment)
- Accreditation organizations are business associates of the covered entities they accredit.
- Are appointment confirmations performed live, and are the employees given access to PHI?
- Do you contract with an answering service?
- Building remodeling / construction: will they be given access to and need to physically move patient files (where they are actually handling files)? If so, they need a BAA. If they would only see something inadvertently, a vendor confidentiality agreement can be used.
- Is billing performed in-house by employees or through a private agency?
Examples
An attorney whose legal services to a health plan involve access to protected health information is a BA.
Certified Telecommunications Relay Services: TRS providers must comply with FCC regulations, and TRS is considered a public service, available without cost. TRS companies do not contract their services; thus, there is no business relationship with a CE. Also, the patient has the opportunity to agree or object to using the service. They are not a BA.
A consultant that performs utilization reviews for a hospital is a BA.
A CPA firm whose accounting services to a health care provider involve access to protected health information is a BA.
Data destruction or disposal: most organizations will be BAs and need BAAs, but if the work is performed under the direct control of the CE, on its premises, the service personnel can be treated as members of the CE’s “workforce” and a BAA is not required.
Collection agencies: If the agency is contracted directly with the covered entity as a business associate, then a BAA is needed. If the collection agency is a third party to the covered entity (for example, has been hired by another of the CE’s business associates such as a billing agency, as a contractor), then the BA is responsible for having an agreement in place with the collection agency. Location information agencies hired directly by a CE would also need a BAA.
Cleaning services: do they need to work with PHI in order to do their jobs? (If they do not need access to patient files, but may see something inadvertently, they are not a BA; use only a vendor confidentiality agreement.)
Consultants: Will they perform consultation services for billing/coding, or any other duty where PHI will be needed (practice management etc.)? If so, they are a BA.
Couriers: The US Postal Service, United Parcel Service, delivery truck line employees and/or management, or certain private couriers, and their electronic counterparts, are not business associates, as long as PHI is transported but not accessed except on a very infrequent basis for performance of the service or as required by law.
A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer is a BA.
Health information organizations (HIO): These entities can manage the exchange of PHI through networks, on behalf of one or more covered entities. The HIO needs a BAA with CEs.
Examples of the duties an HIO might perform for covered entities:
- Manage authorized requests for, and disclosures of, PHI among participants in the network;
- Create and maintain a master patient index;
- Provide a record locator or patient matching service;
- Standardize data formats;
- Implement business rules to assist in the automation of data exchange;
- Facilitate the identification and correction of errors in health information records; and
- Aggregate data on behalf of multiple covered entities.
A covered entity may give protected health information to another CE for treatment purposes, through the HIO. An HIO may be a business associate of an Organized Health Care Arrangement (OHCA) (see definitions), if the HIO performs functions or activities on behalf of the OHCA.
Interpreters: A covered health care provider might use interpreter services to communicate with patients who speak a language other than English or who are deaf or hard of hearing, and provision of interpreter services usually will be a health care operations function of the covered entity. A BA would be needed. However, if a contracted service, family members or friends are not available to interpret, and the provider locates a service to assist, the patient has the opportunity to approve or reject the service and a BA would not be needed. A patient’s family members or friends who assist as interpreters would not be business associates.
IT functions: Are they handled in-house by employees, or are vendors used? Do IT personnel have access to PHI (through patient website portals, billing systems, EMRs, etc.)? Will internet service providers who perform troubleshooting have access to PHI-containing systems?
(The mere selling or providing of software to a covered entity does not give rise to a business associate relationship if the vendor does not have access to the protected health information of the covered entity. For example, a software company that hosts the software containing patient information on its own server, or accesses patient information when troubleshooting the software function, is a business associate of a covered entity. In these examples, a covered entity would be required to enter into a business associate agreement before allowing the software company access to protected health information. However, when an employee of a contractor, like a software or information technology vendor, has his or her primary duty station on-site at a covered entity, the covered entity may choose to treat the employee of the vendor as a member of the covered entity’s workforce, rather than as a business associate. See the definition of “workforce.”)
Employee benefits contractors (401K, etc.): do they have access to employee PHI?
Medical device company representatives: HIPAA allows a CE to disclose PHI to a medical device company for the covered provider’s own treatment, payment or health operations purposes, or for the treatment or payment purposes of a medical device company that is also a health care provider. A medical device company meets the Privacy Rule’s definition of “health care provider” if it furnishes, bills, or is paid for “health care” in the normal course of business. “Health care” under the Rule means care, services or supplies related to the health of an individual. Thus, a device manufacturer is a health care provider under the Privacy Rule if it needs protected health information to counsel a surgeon on or determine the appropriate size or type of prosthesis for the surgeon to use during a patient’s surgery, or otherwise assists the doctor in adjusting a device for a particular patient. Similarly, when a device company needs protected health information to provide support and guidance to a patient, or to a doctor with respect to a particular patient, regarding the proper use or insertion of the device, it is providing “health care” and, therefore, is a health care provider when engaged in these services.
Additionally, the public health provisions of the Privacy Rule permit a covered provider to make disclosures, without an authorization, to a medical device company or other person that is subject to the jurisdiction of the Food and Drug Administration (FDA) for activities related to the quality, safety, or effectiveness of an FDA-regulated product or activity for which the person has responsibility.
The following are some examples of circumstances in which a covered provider may share protected health information with a medical device company, without the individual’s authorization:
A covered provider may disclose protected health information needed for an orthopedic device manufacturer or its representative to determine and deliver the appropriate range of sizes of a prosthesis for the surgeon to use during a particular patient’s surgery. (This would be a treatment disclosure to the device company as a health care provider. Exchanges of protected health information between health care providers for treatment of the individual are not subject to the minimum necessary standards. 45 CFR 164.502(b).)
The device manufacturer or its representative may be present in the operating room, as requested by the surgeon, to provide support and guidance regarding the appropriate use, implantation, calibration or adjustment of a medical device for that particular patient. (This would be treatment by the device company as a health care provider. As noted in the prior example, treatment disclosures between health care providers are not subject to the minimum necessary standards.)
A covered provider may allow a representative of a medical device manufacturer to view protected health information, such as films or patient records, to provide consultation, advice or assistance where the provider, in her professional judgment, believes that this will assist with a particular patient’s treatment. (This would also be a treatment disclosure and minimum necessary would not apply.)
A covered provider may share protected health information with a medical device company as necessary for the device company to receive payment for the health care it provides. (This would be a disclosure for payment of a health care provider and subject to minimum necessary standards.)
A covered provider may disclose protected health information to a medical device manufacturer that is subject to FDA jurisdiction to report an adverse event, to track an FDA-regulated product, or other purposes related to the quality, safety, or effectiveness of the FDA-regulated product. (This would be a public health disclosure and subject to minimum necessary standards.)
A business associate agreement would not usually be required for the disclosures noted above. For example, a business associate agreement would not be needed for disclosures between health care providers for the treatment of the individual (45 CFR 164.502(e)(1)(ii)(A)). Likewise, a medical device company would not be a business associate of a covered provider with respect to public health disclosures to a device company that is subject to FDA jurisdiction or disclosures to a device company as a health care provider for that company’s payment purposes, as in neither case is the device company performing a function or activity on behalf of, nor providing a specified service to, the covered provider.
In other circumstances, however, a business associate agreement may be required even if the disclosure were permitted without an authorization. For example, a business associate agreement would be required if a covered entity asked the medical device company to provide an estimate of the cost savings it might expect from the use of a particular medical device; and to do so, the device company needed access to the covered entity’s protected health information. In this case, the medical device company is performing a health care operations function (business planning and development) on behalf of the covered provider, which requires a business associate agreement even though the disclosure is permitted without an authorization.
A pharmacy benefits manager that manages a health plan’s pharmacist network is a BA.
Plumbers/electricians, etc. are not BAs.
Photocopy repair persons are not BAs if they do not assist the provider with erasing PHI from the copier hard drive.
Physicians: A health care provider can be a business associate of another healthcare provider, if the provider has been hired to perform another activity unrelated to patient treatment, such as a hospital hiring a provider to assist with training students. A BAA would be required. Physicians may be business associates of health plans, if the health plan contracts the physician to perform services such as case management.
Researchers would not need a BAA, since they are not performing functions regulated under the Administrative Simplification Rules, even if the CE has hired the researcher to perform research on the CE’s behalf.
A third-party administrator (TPA) to a group health plan is a business associate of the health plan, unless the TPA can meet the definition of a covered entity based on its other activities.
Transcription services: if contracted (not employees), they are BAs.
(HHS does not have the authority to regulate employers, life insurance companies or state agencies.)
Limited data sets:
If the only PHI a BA receives is a limited data set (see definitions), the HIPAA rule does not require a BAA. A CE may hire a BA to create a limited data set, in which case a BAA is needed. The CE may hire a public health authority as a business associate to create the limited data set, even if the public health authority will be the entity using the data set. (Ex: the public health authority is hired to review medical charts and extract unidentifiable information needed for a particular public health surveillance activity.)
Situations in Which a Business Associate Contract Is NOT Required
When a health care provider discloses protected health information to a health plan for payment purposes, or when the health care provider simply accepts a discounted rate to participate in the health plan’s network. A provider that submits a claim to a health plan and a health plan that assesses and pays the claim are each acting on its own behalf as a covered entity, and not as the “business associate” of the other.
With persons or organizations (e.g., janitorial service or electrician) whose functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all.
With a person or organization that acts merely as a conduit for protected health information, for example, the US Postal Service, certain private couriers, and their electronic equivalents.
Among covered entities who participate in an organized health care arrangement (OHCA) to make disclosures that relate to the joint health care activities of the OHCA.
Where a group health plan purchases insurance from a health insurance issuer or HMO. The relationship between the group health plan and the health insurance issuer or HMO is defined by the Privacy Rule as an OHCA, with respect to the individuals they jointly serve or have served.
Thus, these covered entities are permitted to share protected health information that relates to the joint health care activities of the OHCA.
Where one covered entity purchases a health plan product or other insurance, for example, reinsurance, from an insurer. Each entity is acting on its own behalf when the covered entity purchases the insurance benefits, and when the covered entity submits a claim to the insurer and the insurer pays the claim.
To disclose protected health information to a researcher for research purposes, either with patient authorization, pursuant to a waiver under 45 CFR 164.512(i), or as a limited data set pursuant to 45 CFR 164.514(e). Because the researcher is not conducting a function or activity regulated by the Administrative Simplification Rules, such as payment or health care operations, or providing one of the services listed in the definition of “business associate” at 45 CFR 160.103, the researcher is not a business associate of the covered entity, and no business associate agreement is required.
When a financial institution processes consumer-conducted financial transactions by debit, credit, or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for payment for health care or health plan premiums. When it conducts these activities, the financial institution is providing its normal banking or other financial transaction services to its customers; it is not performing a function or activity for, or on behalf of, the covered entity.
Definitions
Data aggregation means, with respect to protected health information created or received by a business associate in its capacity as the BA of a covered entity, the combining of such protected health information by the business associate with the protected health information received by the business associate as a BA of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities.
Disclosure means the release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information.
Health care means care, services or supplies related to the health of an individual, including diagnostic services.
Health care operations means any of the following activities of the covered entity to the extent that the activities are related to covered functions, and any of the following activities of an organized health care arrangement in which the covered entity participates:
- Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;
- Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;
- Underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance), provided that the requirements of Sec. 164.514(g) are met, if applicable;
- Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;
- Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and
- Business management and general administrative activities of the entity, including, but not limited to:
  - Management activities relating to implementation of and compliance with the requirements of this subchapter;
  - Customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that protected health information is not disclosed to such policy holder, plan sponsor, or customer;
  - Resolution of internal grievances;
  - Due diligence in connection with the sale or transfer of assets to a potential successor in interest, if the potential successor in interest is a covered entity or, following completion of the sale or transfer, will become a covered entity; and
  - Consistent with the applicable requirements of Sec. 164.514, creating de-identified health information, fundraising for the benefit of the covered entity, and marketing for which an individual authorization is not required as described in Sec. 164.514(e)(2).
Health plans are health insurance companies, HMOs, company health plans, and government programs like Medicare.
In electronic form means: using electronic media, electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the internet (wide-open), extranet (using internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission.
Limited Data Set is protected health information from which certain specified direct identifiers of individuals and their relatives, household members, and employers have been removed. A limited data set may be used and disclosed for research, health care operations, and public health purposes, provided the recipient enters into a data use agreement.
Organized health care arrangement means:
- A clinically integrated care setting in which individuals typically receive health care from more than one health care provider;
- An organized system of health care in which more than one covered entity participates and in which the participating covered entities:
  - Hold themselves out to the public as participating in a joint arrangement; and
  - Participate in joint activities that include at least one of the following:
    - Utilization review, in which health care decisions by participating covered entities are reviewed by other participating covered entities or by a third party on their behalf;
    - Quality assessment and improvement activities, in which treatment provided by participating covered entities is assessed by other participating covered entities or by a third party on their behalf; or
    - Payment activities, if the financial risk for delivering health care is shared, in part or in whole, by participating covered entities through the joint arrangement and if protected health information created or received by a covered entity is reviewed by other participating covered entities or by a third party on their behalf for the purpose of administering the sharing of financial
- A group health plan and a health insurance issuer or HMO with respect to such group health plan, but only with respect to protected health information created or received by such health insurance issuer or HMO that relates to individuals who are or who have been participants or beneficiaries in such group health plan;
- A group health plan and one or more other group health plans each of which are maintained by the same plan sponsor; or
- The group health plans described in paragraph (4) of this definition and health insurance issuers or HMOs with respect to such group health plans, but only with respect to protected health information created or received by such health insurance issuers or HMOs that relates to individuals who are or have been participants or beneficiaries in any of such group health
Payment means:
- The activities undertaken by:
  - A health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or
  - A health care provider or health plan to obtain or provide reimbursement for the provision of health care; and
- The activities in paragraph (1) of this definition relate to the individual to whom health care is provided and include, but are not limited to:
  - Determinations of eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims;
  - Risk adjusting amounts due based on enrollee health status and demographic characteristics;
  - Billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess of loss insurance), and related health care data processing;
  - Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;
  - Utilization review activities, including precertification and preauthorization of services, concurrent and retrospective review of services; and
  - Disclosure to consumer reporting agencies of any of the following protected health information relating to collection of premiums or reimbursement:
    - Name and address;
    - Date of birth;
    - Social security number;
    - Payment history;
    - Account number; and
    - Name and address of the health care provider and/or health
Plan sponsor is the employer, union, or other employee organization that sponsors and maintains the group health plan.
Treatment refers to the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.
Use means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.
Workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity. If a BA has an employee whose main workstation is physically on the CE’s premises, it can be inferred that the employee is under the control of the CE, and can be considered a member of their “workforce.”
Please refer to the “Forms” section to find the “BAA/CE Decision Grid” form.
Please refer to the “Forms” section to find the “Business Associate Contract Tracking Form”.
Please refer to the “Forms” section to find the “Vendor Confidentiality Agreement Tracking Form”.
Please refer to the “Forms” section to find the “HIPAA Business Associate Agreement” form.
Please refer to the “Forms” section to find the “HIPAA Vendor Confidentiality Agreement” form.
HIPAA SECURITY POLICIES AND PROCEDURES INTRODUCTION
INTRODUCTION TO THE HIPAA SECURITY STANDARDS
The purpose of the HIPAA Security Rule is to adopt standards for the security of all electronic protected health information (ePHI) created or maintained by health plans, health care clearinghouses, certain health care providers, and business associates of covered entities. As with the HIPAA Privacy Rule, it applies to health plans, health care clearinghouses, health care providers, and business associates of covered entities who transmit any health information in electronic form in connection with a covered transaction.
Under the HIPAA law, the Department of Health and Human Services (HHS) was responsible for issuing the final HIPAA Security Rule. The Final Rule was released on January 17, 2013, became effective on March 26, 2013, and set September 23, 2013 as the compliance deadline. The Office for Civil Rights (OCR) is the federal entity responsible for implementing and enforcing the HIPAA Rules.
In implementing the Rule, HHS wanted to improve the effectiveness and efficiency of the health care industry in general, by establishing a level of protection for certain electronic health information. The HHS Medicare Program, other federal agencies operating health plans or providing health care, state Medicaid agencies, private health plans, health care providers, and health care clearinghouses must assure their customers (for example, patients, insured individuals, providers, and health plans) that the integrity, confidentiality, and availability of ePHI they collect, maintain, use, or transmit is protected. The confidentiality of health information is threatened not only by the risk of improper access to stored information, but also by the risk of interception during electronic transmission of the information. The purpose of the Final Rule is to adopt national standards for safeguards to protect the confidentiality, integrity, and availability of ePHI.
The Security Rule requires implementation of three types of security safeguards that covered entities and business associates can use to assure the confidentiality of electronic protected health information: administrative, physical, and technical. Each is divided into “Required” or “Addressable” implementation specifications. These terms are explained in the “Definitions” section of this manual on the following pages.
Security Risk Analysis
Each security safeguard will be addressed separately within the following Policies and Procedures. Corresponding Model Documents can be found within the appropriate sections. The Security Risk Analysis Tool is an important component and should be completed first, since many of the following Policies and Procedures are determined by the results of this assessment.
SECURITY DEFINITIONS
The HIPAA Security Rule includes several definitions that are important to understand in order to interpret the rule and its application to the practice. Under § 164.304, the definitions are as follows:
Access means the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource. (This definition applies to “access” as used in this subpart, not as used in subparts D or E of this part.)
Administrative safeguards are administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s or business associate’s workforce in relation to the protection of that information.
Authentication means the corroboration that a person is the one claimed.
Availability means the property that data or information is accessible and useable upon demand by an authorized person.
Confidentiality means the property that data or information is not made available or disclosed to unauthorized persons or processes.
Encryption means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.
Facility means the physical premises and the interior and exterior of a building(s).
Information system means an interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.
Integrity means the property that data or information have not been altered or destroyed in an unauthorized manner.
Malicious software means software, for example, a virus, designed to damage or disrupt a system.
Password means confidential authentication information composed of a string of characters.
Physical safeguards are physical measures, policies, and procedures to protect a covered entity’s or a business associate’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.
Security or Security measures encompass all of the administrative, physical, and technical safeguards in an information system.
Security incident means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
Technical safeguards means the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.
User means a person or entity with authorized access.
Workstation means an electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment.
SECURITY STANDARDS, GENERAL RULES POLICY
REFERENCE: HIPAA SECURITY §164.306
PURPOSE
It is the policy of SAW LLC to comply with the HIPAA Security Rule, and the practice has established appropriate administrative, technical, and physical safeguards to ensure the confidentiality, integrity and availability of all electronic protected health information (ePHI) the practice creates, receives, maintains or transmits.
SAW LLC will attempt to protect ePHI against any reasonably anticipated threats or hazards to the security or integrity of the information, and to provide reasonable safeguards of ePHI from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of the HIPAA rules. SAW LLC will attempt to ensure that the workforce complies with the HIPAA Security Rule.
In complying with the HIPAA Security Rule, a flexible approach is used, as allowed by the Rule, in which the practice may take into account the following factors:
- The size, complexity and capabilities of the practice;
- The technical infrastructure, hardware, and software security capabilities;
- The costs of the security measures;
- The probability and criticality of potential risks to electronic health
The Security Rule allows the practice to balance the risks of inappropriate use or disclosure of ePHI against the impact of various protective measures.
Important Note: The Security Rule does not apply to PHI in paper form. The preamble of the Rule discusses the types of electronic PHI to which the Rule applies, including telephone voice response and “faxback” (that is, a request for information from a computer made via voice or telephone keypad input, with the requested information returned as a fax). These systems fall under the Rule because they are used as input and output devices for computers.
When the final Security Rule was published, the security standards were designed to be “technology neutral” to accommodate changes. The rule does not prescribe the use of specific technologies, so that the health care community will not be bound by specific systems and/or software that may become obsolete. HHS also recognizes that the security needs of covered entities can vary significantly. This flexibility within the rule enables each entity to choose technologies that best meet its specific needs and comply with the standards.
The term “computer” includes only software programmable computers, for example, personal computers, minicomputers, and mainframes. Copy machines, fax machines, and telephones, even those that contain memory and can produce multiple copies for multiple people, are not intended to be included in the term “computer” under the Security Rule. Because “paper-to-paper” faxes, person-to-person telephone calls, video teleconferencing, or messages left on voice-mail were not in electronic form before the transmission, those activities are not covered by the Security Rule, although they are covered by the Privacy Rule.
Information being transmitted via a telephone (either by voice or a DTMF tone pad) is not in electronic form (as defined in the first paragraph of the definition of “electronic media”) before transmission, and therefore is not subject to the Security Rule. Information being returned via a telephone voice response system in response to a telephone request is data that is already in electronic form and stored in a computer. This latter transmission does require protection under the Security Rule.
PROCEDURE:
The practice reviews and modifies the security measures used to protect ePHI on an ongoing basis as needed, in response to environmental and operational changes. Policies and procedures may be changed at any time, provided that the changes are documented and are implemented in accordance with the Security Rule.
An “implementation specification” is an additional detailed instruction for implementing a particular standard. Each set of safeguards comprises a number of standards, which in turn generally comprise a number of implementation specifications that are either “Required” or “Addressable.”
The following terms appear after each standard to indicate whether the standard must be implemented, or whether the practice is allowed to assess if the standard will protect ePHI in its particular situation. The practice institutes, at a minimum, the Required elements of the HIPAA Security Rule, and reviews Addressable specifications using a security analysis, risk analysis, and financial analysis to determine the appropriateness of the specification, instituting or changing these as necessary.
Required Implementation Specifications: the word “Required” appears after Administrative, Physical, Technical, Organizational, and Policy and Procedure/Documentation implementation specifications that must be performed by a covered entity in order to be in compliance with the Security Rule.
Addressable Implementation Specifications: the word “Addressable” appears after Administrative, Physical, Technical, Organizational, and Policy and Procedure/Documentation implementation specifications that must be employed only if “reasonable and appropriate” according to the Security Rule. Before implementing these standards, the practice must evaluate whether the specification is a reasonable and appropriate safeguard for its environment, taking into consideration how the safeguard will protect ePHI. If the practice determines that the specification is NOT a reasonable and appropriate approach, then the practice must document the reasons it cannot be done. The practice must also attempt to implement an alternate method that may be more feasible.
SECURITY ORGANIZATION REQUIREMENTS POLICY
REFERENCE: HIPAA SECURITY §164.314
POLICY
SAW LLC has implemented policies and procedures for electronic information systems that maintain ePHI to comply with, at a minimum, the “Required” standards of the HIPAA Security Rule, Organizational Requirements.
“Addressable” implementation specifications are reviewed to determine whether the specification is appropriate for the practice. If the specification is reasonable and appropriate, the practice must implement it. If not reasonable and appropriate, the reasons are documented, and alternate methods are considered and implemented.
When a standard does not have implementation specifications associated with it, then the standard itself is “Required.” This standard contains the following implementation specifications.
PROCEDURE:
Standard: Business Associate Contracts or Other Arrangements
The contract or other arrangement between the practice and its business associate must meet the requirements of this section.
Implementation specifications (Required)
Business associate contracts: The contract between a covered entity and a business associate will comply with the requirements of this section, and must provide that the business associate will:
- Comply with the applicable requirements of this section;
- Ensure that any subcontractor that creates, receives, transmits or maintains ePHI on behalf of the business associate, agrees to implement reasonable and appropriate safeguards to protect it in compliance with this section by entering into a contract or business associate agreement;
- Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured PHI as required by 164.410.
Other Arrangements
If a business associate is required by law to perform a function or activity on behalf of the practice, or to provide a service described in the definition of business associate (see the Definitions portion of the HIPAA Rule), the practice may permit the business associate to create, receive, maintain, or transmit electronic protected health information on its behalf.
Standard: Requirements for Group Health Plans
Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuant to §164.504(f)(1)(ii) or (iii), or as authorized under §164.508, a group health plan must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected health information created, received, maintained, or transmitted to or by the plan sponsor on behalf of the group health plan.
Implementation specifications (Required)
The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to:
- Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan;
- Ensure that the adequate separation required by 164.504(f)(2)(iii) is supported by reasonable and appropriate security measures;
- Ensure that any agent to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information; and
- Report to the group health plan any security incident of which it becomes
SECURITY POLICIES AND PROCEDURES AND DOCUMENTATION REQUIREMENTS POLICY
REFERENCE: HIPAA SECURITY §164.316
POLICY
As required under standard (a) of §164.316, “Policies and Procedures and Documentation Requirements,” SAW LLC has implemented reasonable and appropriate policies and procedures to comply with the HIPAA Security standards, implementation specifications, or other requirements of the Security Rule, taking into account the following factors:
- The size, complexity, and capabilities of the covered entity;
- The covered entity’s technical infrastructure, hardware, and software security capabilities;
- The costs of security measures;
- The probability and criticality of potential risks to electronic protected health
The practice may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.
“Addressable” implementation specifications are reviewed to determine whether the specification is appropriate for the practice. If the specification is reasonable and appropriate, the practice must implement it. If not reasonable and appropriate, the reasons are documented and alternate methods are considered and implemented.
When a standard does not have implementation specifications associated with it, then the standard itself is “Required.” This standard contains the following implementation specifications.
PROCEDURES:
Standard: Documentation (Required)
The practice maintains the policies and procedures implemented to comply with the Security Rule in written (which may be electronic) form.
If an action, activity or assessment is required to be documented by the Security Rule, the practice maintains a written (which may be electronic) record of the action, activity, or assessment.
Implementation Specifications
Time limit (Required): The Policy and Procedure documentation required by the above is retained for a minimum of six years from the date of its creation, or the date when it last was in effect, whichever is later.
The covered entity’s Security Policies and Procedures and Documentation Policy date of implementation or last date it was in effect is: N/A
Availability (Required): Documentation is available to those persons responsible for implementing the procedures to which the documentation pertains.
The person(s) is/are responsible for implementing the procedures to which documentation pertains is/are: N/A
Updates (Required): Documentation must be reviewed periodically, and updated as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.
The most current date the documentation was reviewed and/or updated is: N/A
SECURITY ADMINISTRATIVE SAFEGUARDS
SECURITY ADMINISTRATIVE SAFEGUARDS POLICY
REFERENCE: HIPAA SECURITY §164.308
POLICY
SAW LLC has implemented policies and procedures to prevent, detect, contain, and correct security violations of ePHI. Several implementation specifications are contained in the Administrative Safeguards section of the Security Rule.
The Security Rule defines administrative safeguards as, “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
In general, Administrative Safeguards are the administrative functions that should be implemented to meet the security standards. These include assignment or delegation of security responsibility to an individual and security training requirements.
All “Required” implementation specifications are adopted, and “Addressable” implementation specifications are reviewed to determine whether the specification is appropriate for the practice. If the specification is reasonable and appropriate, the practice must implement it. If not reasonable and appropriate, the reasons are documented and alternate methods are considered and implemented.
When a standard does not have implementation specifications associated with it, then the standard itself is “Required.”
PROCEDURES:
Standard: Security Management Process
This standard contains the following implementation specifications; they are all “Required” under the Security Rule.
Implementation Specifications
Risk analysis (Required): An accurate and thorough assessment is conducted of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the practice. The practice evaluates the security controls already in place, and performs an accurate and thorough risk analysis to arrive at solutions to potential security issues. A helpful guide to risk analysis is “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule,” NIST Special Publication 800-66 Revision 1, October 2008.
Risk management (Required): Security measures are implemented in order to reduce risks and vulnerabilities, found during the risk analysis, to a reasonable and appropriate level, to comply with §164.306(a), “Security Standards: General Rules.”
Regarding both risk analysis and risk management, the Security Rule does not prescribe a specific methodology. The practice is expected to formulate its own approach to these items, depending on the special circumstances of the practice. There are several types of threats that may occur within an information system or operating environment:
- Natural threats: floods, earthquakes, tornadoes and landslides;
- Human threats: intentional, such as network and computer based attacks, and unintentional, such as errors in data entry or deletion of files;
- Environmental threats: power failures, chemicals, liquid leakage.
Sanction policy (Required): Appropriate sanctions are applied against workforce members who fail to comply with the security policies and procedures of the practice. An Employee Confidentiality Agreement must be signed by each member of the workforce.
Information system activity review (Required): Procedures are implemented to regularly review records of information system activity. These may include audit logs, access reports, and security incident tracking reports. Information system activity review procedures enable covered entities to determine if any ePHI is used or disclosed in an inappropriate manner. The practice Security Officer, together with the practice’s hardware and software vendors, will implement the information system functionality that generates audit logs and access reports on all practice information systems that contain electronic protected health information. These reports will be documented and retained for six years from the date of creation, or from the date when the document was last in effect, whichever is later.
Standard: Assigned Security Responsibility (Required)
The practice has identified Viorica Timosca as the security official who is responsible for the development and implementation of the policies and procedures required by the HIPAA Security Rule. The Security Rule allows the practice to appoint either the same person or a different person as the Security Official and Privacy Official. Other individuals may be assigned specific security responsibilities.
Standard: Workforce Security
The practice has implemented policies and procedures to ensure that all members of the workforce have appropriate access to electronic protected health information if needed to perform their job functions, and to prevent workforce members who do not need to have access from obtaining access to ePHI. This standard contains the following implementation specifications. They are all “Addressable” under the Security Rule.
Implementation Specifications
Authorization and/or supervision (Addressable): Procedures for the authorization and/or supervision of workforce members who work with electronic protected health information, or in locations where it might be accessed, are reviewed and implemented as needed. Authorization is the process of determining whether a particular user (or a computer system) has the right to carry out a certain activity, such as reading a file or running a program. For example, operations or maintenance personnel who either work with ePHI, or work in locations where ePHI resides, must be supervised or have authorization to work with ePHI.
Workforce clearance procedure (Addressable): Procedures to determine whether a workforce member’s access to electronic protected health information is appropriate are reviewed and implemented as needed. The intent of the law was not to expect background checks on each individual, but rather use a screening process, determined by the practice, and based on risk, cost, benefit, and feasibility, etc. A record of access authorizations is kept to ensure that operating and maintenance personnel have proper access authorization.
Termination procedures (Addressable): Procedures for terminating access to electronic protected health information when the employment of a workforce member ends, or is deemed not appropriate to the tasks required, are reviewed and implemented as needed. Termination procedures cover contractors, employees or other individuals previously allowed access to ePHI. Procedures such as changing combination locks, removal from access lists, removal of user account(s), and turning in keys, tokens, or access cards are implemented as needed.
Standard: Information Access Management
The practice has implemented policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of the HIPAA Privacy Rule, including minimum necessary requirements. This standard contains the following implementation specifications.
Implementation Specifications
Isolating health care clearinghouse functions (Required): If the organization is a health care clearinghouse and part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization. If the practice has established a business associate relationship with a health care clearinghouse, then business associate agreements must be in place as required by the HITECH Act. An important point to consider is whether the practice shares a separate network or subsystem with a health care clearinghouse, and if the clearinghouse is part of a larger organization, whether PHI is protected within that system.
Access authorization (Addressable): Policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism, are reviewed and implemented as needed. The practice may identify who has authority to grant access privileges, and the process used for granting access. These items should be documented.
Access establishment and modification (Addressable): Policies and procedures that are based upon the practice’s access authorization policies to establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process are reviewed and implemented as needed.
Standard: Security Awareness and Training
The practice has implemented a security awareness and training program for all members of its workforce (including management). Periodic retraining should be given whenever environmental or operational changes affect the security of ePHI. Changes may include new or updated policies and procedures; new or upgraded software or hardware; new security technology; or changes in the Security Rule.
Implementation Specification
Security reminders (Addressable): Periodic security updates are implemented as needed. There are many types of security reminders that the practice may choose to implement. Examples might include notices in printed or electronic form, agenda items and specific discussion topics at monthly meetings, focused reminders posted in affected areas, as well as formal retraining on security policies and procedures.
Protection from malicious software (Addressable): Procedures for guarding against, detecting, and reporting malicious software are implemented as needed. Malicious software can be thought of as any program that harms information systems, such as viruses, Trojan horses, or worms. As a result of an unauthorized infiltration, ePHI and other data can be damaged or destroyed, or at a minimum, require expensive and time-consuming repairs. Malicious software is frequently brought into an organization through e-mail attachments and programs that are downloaded from the internet. Under the Security Awareness and Training standard, the workforce must also be trained regarding its role in protecting against malicious software and system protection capabilities. It is important to note that training must be an ongoing process.
Log-in monitoring (Addressable): Procedures for monitoring log-in attempts and reporting discrepancies are implemented as needed. Typically, an inappropriate or attempted log-in is when someone enters multiple combinations of usernames and/or passwords to attempt to access a system. Fortunately, many information systems can be set to identify multiple unsuccessful attempts to log in. Other systems might record the attempts in a log or audit trail. Still others might require resetting of a password after a specified number of unsuccessful log-in attempts.
Password management (Addressable): Procedures for creating, changing, and safeguarding passwords are implemented as needed. Users should be trained on how to safeguard the information. Users should not be allowed to share passwords, and they should not be written down in areas where others can view them.
SAW LLC’s password management policies are as follows:
- The manager changes passwords every 2 months.
- Unsuccessful log-in attempts are limited to 3.
Standard: Security Incident Procedures
Implement policies and procedures to address security incidents. All incidents will be documented.
Implementation Specification
Response and Reporting (Required): The practice identifies and responds to suspected or known security incidents; mitigates, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and documents security incidents and their outcomes. Procedures address how to identify security incidents and provide that the incident be reported to the appropriate person.
Standard: Contingency Plan
Policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information are established (and implemented as needed).
Implementation Specification
Data backup plan (Required): Procedures are established and implemented to create and maintain retrievable exact copies of electronic protected health information. The practice must consider all important sources of data such as patient accounting systems, electronic medical records, health maintenance and case management information, digital recordings of diagnostic images, electronic test results, or any other electronic documents created or used. Storage of backups must be in a safe, secure location. The practice also determines the frequency of backups.
Disaster recovery plan (Required): Procedures are established (and implemented as needed) to restore any loss of ePHI.
Emergency mode operation plan (Required): Procedures are established (and implemented as needed) to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode. The practice determines if any alternative security measures are needed to protect ePHI.
Testing and revision procedures (Addressable): Implement procedures for periodic testing and revision of contingency plans — this includes the Data Backup Plan, Disaster Recovery Plan, and Emergency Mode Operations Plan. Disaster recovery and emergency mode operations plans might be tested by using a scenario-based walk-through, or by performing complete live tests.
Applications and data criticality analysis (Addressable): Assess the relative criticality of specific applications and data in support of other contingency plan components. The practice may identify software applications (data applications that store, maintain or transmit ePHI) and determine how important each is to patient care and business needs in order to prioritize for data backup, disaster recovery and/or emergency operations plans.
Standard: Evaluation (Required)
Periodic technical and non-technical evaluations are performed, based initially upon the standards implemented under this rule and subsequently in response to environmental or operational changes affecting the security of electronic protected health information, that establish the extent to which an entity’s security policies and procedures meet the requirements of the Security Rule. According to guidance issued by the Centers for Medicare and Medicaid Services, the evaluation should be performed on a scheduled basis, such as annually or every two years.
Standard: Business Associate Contracts and Other Arrangements
The practice, in accordance with the Security Rule, may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor. A business associate may permit a business associate that is a subcontractor to create, receive, maintain or transmit ePHI on its behalf only if the business associate obtains satisfactory assurances, in accordance with §164.314(a), that the subcontractor will appropriately safeguard the information.
Implementation specifications
Written contract or other arrangement (Required): Satisfactory assurances required by this standard are documented through a written contract or other arrangement with the business associate that meets the applicable requirements of §164.314(a).
INFORMATION SECURITY RISK ANALYSIS POLICY
REFERENCE: HIPAA SECURITY §164.308
PURPOSE
The Risk Analysis Policy documents the commitment of SAW LLC to conduct regular assessments of the risks to the confidentiality, integrity and availability of its Confidential Information, in accordance with SAW LLC’s Information Security Risk Management Policy. “Confidential Information” means protected health information, financial information, confidential and proprietary information of SAW LLC.
In addition to regular risk assessments, a risk analysis may be performed whenever environmental or operational changes have occurred that might impact the system security. SAW LLC will take reasonable steps to ensure the risk analysis is completed, documented, and remediated in accordance with the SAW LLC Information Security Risk Management Policy. This policy complies with the HIPAA Security Regulation, Section 45 CFR 164.308(a)(1)(ii)(A), Implementation Specification for Security Management Standard.
POLICY:
Risk Analysis Requirements and Responsibilities
- SAW LLC identifies and prioritizes the risks to the confidentiality, integrity and availability of the Confidential Information on an ongoing basis.
- A documented risk analysis process is used as the basis for the identification, definition and prioritization of risks to the Confidential Information. The risk analysis process should include the following:
  - Identification and prioritization of the threats to the Confidential Information.
  - Identification and prioritization of the vulnerabilities of the Confidential Information.
  - Identification of the probability that a threat will exploit a vulnerability of the Confidential Information.
  - Identification of the impact to the confidentiality, integrity and availability of the Confidential Information, if a threat exploits a specific vulnerability.
  - Identification and definition of measures used to protect the confidentiality, integrity and availability of the Confidential Information.
- SAW LLC conducts risk assessments on an ongoing basis. The risk assessment is used with the SAW LLC Information Security Risk Management Policy to identify, select and implement appropriate security measures to protect the confidentiality, integrity and availability of the Confidential Information.
- SAW LLC may require an updated risk analysis when environmental or operational changes arise that may impact the confidentiality, integrity or availability of the Confidential Information. Such changes include:
  - New threats or risks that impact the Confidential Information.
  - A security incident that impacts the Confidential Information.
  - A breach of unsecured protected health information as defined in the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH).
  - Changes to SAW LLC information security requirements or responsibilities that impact the Confidential Information.
  - Changes to SAW LLC’s organizational or technical infrastructure that impact the Confidential Information.
- The risk analysis completed by SAW LLC is based on the following steps:
  - Inventory – An ongoing inventory of SAW LLC systems that process Confidential Information, and of the security measures implemented to protect those systems, will be maintained.
  - Security measures analysis – The security measures already implemented are to be analyzed for adequacy. Such measures include both preventative and forensic controls.
  - Risk likelihood determination – The identified risks are rated by assigning a ratio or percentage that indicates the probability that a vulnerability is exploited by an actual threat. Three factors are considered when assigning the rating: 1) type of vulnerability, 2) existence and effectiveness of current security controls, and 3) threat motivation and capability.
  - Vulnerability identification – Vulnerabilities of SAW LLC’s systems are to be identified.
  - Threat identification – Potential threats to the confidentiality, integrity and availability of SAW LLC’s data (whether natural, human, or environmental) are to be identified.
  - Impact analysis – The impact analysis determines the effect on the confidentiality, integrity or availability of the Confidential Information that results from a successfully exploited vulnerability.
  - Risk determination – The information obtained in the six steps above will be used by SAW LLC to identify the level of risk to the Confidential Information. SAW LLC makes a risk determination based on:
    - The likelihood that a certain threat will attempt to exploit a vulnerability.
    - The likely level of impact should the threat successfully exploit the vulnerability.
    - The adequacy of protective security measures.
- The results of the risk analysis conducted by SAW LLC are to be documented in writing, and maintained in a secure location.
- Following the risk analysis, a Plan will be developed and implemented.
Please refer to the “Forms” section to find the “HIPAA Security Risk Analysis Tool” form.
Please refer to the “Forms” section to find the “Security Standards Matrix” form.
INFORMATION SECURITY RISK MANAGEMENT POLICY
REFERENCE: HIPAA SECURITY §164.308
PURPOSE
The Information Security Risk Management Policy defines the process by which SAW LLC selects and implements security measures sufficient to reduce the risks to SAW LLC’s electronic Confidential Information. Confidential Information means protected health information, financial information, confidential and proprietary information (“Confidential Information”).
The Risk Management process implemented by SAW LLC will be based on SAW LLC’s risk analysis, as defined in the SAW LLC Information Security Risk Analysis Policy, and will involve a documented process that is used as a basis for selection and implementation of security measures.
This policy complies with Administrative Safeguard Section 45 CFR 164.308(a)(1)(ii)(B) of the HIPAA Security Regulation, Implementation Specification for Security Management Standard.
POLICY:
Information Security Risk Management Roles and Responsibilities
- SAW LLC will implement logical processes and technical controls to reduce the risks to the Confidential Information to a reasonable and appropriate level.
- The Risk Management process implemented by SAW LLC is based on a documented process that is used as a basis for selection and implementation of the security measures. SAW LLC’s Risk Management process includes the following:
- Assessment and prioritization of the risks to SAW LLC’s systems storing, processing or transmitting Confidential Information
- Selection and implementation of reasonable, appropriate and cost-effective security measures to manage, mitigate or accept identified risks
- Security training and awareness on implemented security measures to SAW LLC’s workforce members
- Documentation of the process and its results
- Ongoing evaluation and revision of SAW LLC’s security measures, as necessary
- The results of the Risk Management process are documented in writing, and reviewed and maintained by the Privacy Officer or Security Officer.
INFORMATION SECURITY DISCIPLINARY ACTION POLICY
REFERENCE: HIPAA SECURITY §164.308
PURPOSE
The information and information systems that SAW LLC relies on contain sensitive data that must be protected. Pursuant to the Health Insurance Portability and Accountability Act (HIPAA), specific disciplinary action must be administered to users that violate policies concerning security in a degree commensurate with the seriousness of the violation. These disciplinary actions are key in ensuring that specific violations are not repeated.
This policy addresses all violations pertaining to Confidential Information in any form, and is not limited to only electronic information. “Confidential Information” means protected health information, financial information, confidential and proprietary information. This policy addresses every user including, but not limited to, employees, volunteers, consultants, or temporary workers.
POLICY:
Roles and Responsibilities
- The Disciplinary Officer will oversee and administer all disciplinary action taken as a result of any violation of a security policy, to ensure that actions are taken in accordance with applicable law and that consistent, fair and just action is taken at all levels. Viorica Timosca has been named as the Disciplinary Officer, and is responsible for establishing the disciplinary action to be carried out.
- For those actions that involve violations or suspected violations of a privacy policy, Viorica Timosca will consult with, and involve if necessary, other members of management.
- In any circumstance where Federal, State or local law has been broken, a discussion between the Privacy Officer, Security Officer, and appropriate management shall take place before any outside authorities are notified.
- The Privacy Officer (if not the same person) has the responsibility to communicate the level of seriousness of the violation to Viorica Timosca. Any communication to any user regarding a breach or violation of policy will be administered through the Disciplinary Officer.
- It is the responsibility of the Disciplinary Officer to ensure that all users are acquainted with all Information Security Policies and Procedures.
- If this policy is violated by a third party, which would include but not be limited to volunteers, temporary workers, consultants, or other third party contractors, the management that oversees those workers will be responsible for disciplinary action.
- The Privacy Officer will be consulted in all security incidents or incidents of unauthorized access, use or disclosure, and will be responsible for documenting all incidents.
Levels of Violation
Level 1 – A violation that is considered to be minor and usually accidental. This type of incident can result from accidental misuse of information, carelessness, or a lack of security awareness education. These types of violations are not considered a direct threat to security or privacy, although each case must be examined. Repeat incidents from these types of violations from the same user or area may indicate a more serious problem that may need to be addressed differently. Additionally, a user that repeats the same violation requires a more stringent disciplinary action.
Some examples of Level 1 violations are as follows:
- User fails to log off of a session, terminal or application when left unattended. This can allow another user to access Confidential Information to which they are not entitled, or to enter orders without authorization.
- User fails to protect Confidential Information in a reasonable manner, resulting in an inadvertent “leak” or disclosure.
- The use of organizational resources to send non-business related e-mail such as newsletters, chain letters, personal announcements, or attachments of a non-business related nature.
Level 2 – This type of incident usually occurs from intentional disregard of established Information Security policy or procedure. The user is aware of the security policies and procedures, but is willing to circumvent them in order to achieve a personal goal.
Some examples of a Level 2 violation are as follows:
- Accessing any Confidential Information without utilizing the proper documented procedure. This can be done by intentionally attempting to circumvent procedures, such as viewing Confidential Information without authorization or knowingly using a workstation logged on with another user’s credentials to access Confidential Information.
- Accessing Confidential Information that is not under the direct care and/or supervision of the user, or accessing the record of any patient that would not normally be accessed in the normal course of his or her job. This would include, but not be limited to, a user accessing birth dates or addresses of friends or relatives, or accessing records out of curiosity.
- Collecting Confidential Information on any patient or sets of patients without permission, outside of the scope of job responsibilities.
- Releasing records or other Confidential Information in an inappropriate manner.
- Circumventing established policies by using access for other than what it was intended for. For example, a user gains access to a restricted device such as a CD-ROM to read updates to manuals, and then utilizes it to load software or other copyrighted material without authorization.
- Loading or utilizing any software or copyrighted material without proper authorization and licensing agreements by any user.
- Storing or retaining any sexually explicit or pornographic material from any other user or source.
- Discouraging, willfully prohibiting or preventing a user from reporting a security incident.
- User accesses a record or other Confidential Information on behalf of another user who would not normally have access under normal circumstances.
- User allows another user to use his or her login ID and/or password to gain access to a system.
- Visiting inappropriate sites on the internet or attempting to bypass internet filters.
- Modifying system logs to mask inappropriate behavior by themselves or another user.
Level 3 – The intentional actions of any user who accesses, reviews, discloses, or discusses patient information for personal gain, or with malicious intent. This type of incident is considered to be the most serious and must be dealt with accordingly. It could cause personal damage to some party, and fines and/or civil action against the organization as well as the violator.
Some examples of Level 3 violations are as follows:
- Intentionally releasing personal, corporate, or medical information for personal gain or with malicious intent.
- Collecting information such as lists of patients or mailing addresses for personal gain or with malicious intent.
- Intentionally destroying or altering any Confidential Information or information system with intent to cause harm.
- Releasing Confidential Information of any individual with the intent to cause harm or adverse publicity, or for personal profit or gain.
- Intentionally attempting to bypass security controls and gain unauthorized entry into a system by utilizing methodologies such as password guessing, or attempting to cause a system slowdown by tying up system resources.
- Releasing any other information or intellectual property in an unauthorized manner, including but not limited to software design, system design, security advantages or disadvantages of the network, application or system, financial information, or corporate plans.
- Sending or displaying any sexually explicit or pornographic material to any other person, whether internal or external, while utilizing organization resources.
INFORMATION SECURITY AUDIT CONTROLS & SYSTEMS ACTIVITY REVIEW POLICY
REFERENCE: HIPAA SECURITY §164.308
PURPOSE
This policy details the requirements of SAW LLC for IT audit controls, and monitoring and review of system activity to safeguard systems that contain Confidential Information, such as electronic protected health information (“ePHI”) and personally identifiable information (“PII”).
The policy complies with HIPAA Security Regulations, Technical Safeguards, 45 C.F.R. 164.312(b). In addition, this policy supports the Information Security Breach Notification requirements, the Health Information Technology for Economic and Clinical Health Act (HITECH), and state laws that require safeguards in systems that contain Confidential Information.
POLICY:
SAW LLC will implement, where technically feasible, appropriate hardware, software or procedural mechanisms on all systems containing Confidential Information, and will review the logs created by these audit mechanisms on an ongoing basis.
The term “ePHI” refers to electronic protected health information that SAW LLC receives, maintains or transmits. “PII” refers to personal information that can identify an individual, combined with one or more data elements such as a Social Security number, driver’s license ID (or non-driver id card), or financial information such as bank account numbers, and credit/debit card information.
Requirements and Responsibilities
- SAW LLC records and reviews significant activity on all of its systems that contain Confidential Information.
- SAW LLC will conduct a risk analysis to identify and define what constitutes “significant or unusual activity” on any information system, repository or conduit that contains Confidential Information.
- SAW LLC must implement appropriate hardware, software and procedural mechanisms on any information system, repository or conduit that contains Confidential Information to log all significant activity. At a minimum, such logs should contain the following information:
  - Date and time of activity;
  - Origin of activity (e.g., IP address, workstation ID);
  - Identification of the individual performing the activity;
  - Description of the activity (view, modification of data, etc.);
  - Identity of the individual whose private information was accessed.
- In addition to logging authorized access of Confidential Information, SAW LLC will also monitor and log its systems to provide additional information for detecting and analyzing suspicious activity by logging, where possible, information such as:
  - Access of data (e.g., sensitive ePHI or Confidential Information);
  - Use of software programs or utilities (e.g., system logs);
  - Use of privileged accounts;
  - Identification of administrator activity (e.g., account or access creation, modification, or deletion);
  - System start up or shutdown;
  - Failed authentication attempts;
  - Deletion of Confidential Information.
- The appropriate level and type of auditing that is required is determined by a risk analysis which takes into consideration the following factors:
  - The merit or sensitivity of the information on the systems.
  - The importance of the applications operating on the information systems.
  - The degree to which the information systems are connected to other systems, and the degree to which that connection poses a risk to the system.
- SAW LLC implements and documents a process for regular review of all audit logs. This process may be performed in-house, or an outside party may be engaged to perform log analysis and correlation. The documented procedure must identify:
  - Workforce members, or the third party, responsible for reviewing logs;
  - Specific logs which are included in the review;
  - Frequency of the review (weekly, daily, real-time 24x7, etc.);
  - Response to incidents detected by log review;
  - Audit record retention period.
- SAW LLC’s workforce members cannot be responsible for reviewing audit logs that pertain to their own system activities, and the administrator of a particular system may not be responsible for auditing the logs for that same system.
- Audit logs must be stored in such a way that they cannot be deleted or modified in any way. The following procedures are in place to regularly review records of information system activity: N/A
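The review helpers below are an added example, not SAW LLC's code or any vendor's product; they show the audit requirements above (minimum log fields, flagging of privileged and deletion activity, reviewer segregation of duties, tamper-evident storage) together with the Log-in monitoring specification's limit of 3 unsuccessful attempts, run over a constructed audit trail. The JSON-lines format, field names, the `sysadmin` account naming and the sample records are assumptions made for illustration.

```python
"""Audit-log review helpers (added example; constructed data, assumed format)."""
import hashlib
import json
from collections import Counter

# Constructed sample audit trail in JSON-lines form; not real data.
SAMPLE_LOG = """\
{"ts": "2024-03-01T08:02:11", "origin": "10.0.0.12", "actor": "jdoe", "action": "login_failed", "subject": null}
{"ts": "2024-03-01T08:02:19", "origin": "10.0.0.12", "actor": "jdoe", "action": "login_failed", "subject": null}
{"ts": "2024-03-01T08:02:27", "origin": "10.0.0.12", "actor": "jdoe", "action": "login_failed", "subject": null}
{"ts": "2024-03-01T08:05:40", "origin": "WS-07", "actor": "asmith", "action": "view", "subject": "MRN-4471"}
{"ts": "2024-03-01T08:06:02", "origin": "WS-07", "actor": "asmith", "action": "modify", "subject": "MRN-4471"}
{"ts": "2024-03-01T09:15:00", "origin": "10.0.0.5", "actor": "sysadmin", "action": "account_create", "subject": null}
{"ts": "2024-03-01T17:30:00", "origin": "10.0.0.5", "actor": "sysadmin", "action": "delete", "subject": "MRN-9902"}
"""

# Minimum fields the policy requires in every record (names are assumptions).
REQUIRED_FIELDS = ("ts", "origin", "actor", "action", "subject")
# Administrator activity the policy singles out for logging and review.
PRIVILEGED_ACTIONS = {"account_create", "account_modify", "account_delete"}


def parse_log(text):
    """Parse JSON-lines records, rejecting any that lack a required field."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            raise ValueError(f"record missing required fields {missing}: {line}")
        records.append(rec)
    return records


def failed_login_offenders(records, threshold=3):
    """Actors whose failed-login count reaches the policy's 3-attempt limit."""
    failures = Counter(r["actor"] for r in records if r["action"] == "login_failed")
    return sorted(actor for actor, n in failures.items() if n >= threshold)


def flag_significant(records):
    """Events the policy lists as significant: privileged account use,
    administrator actions, and deletion of Confidential Information."""
    return [r for r in records
            if r["action"] in PRIVILEGED_ACTIONS
            or r["action"] == "delete"
            or r["actor"].startswith("sysadmin")]   # assumed naming convention


def reviewable_by(records, reviewer):
    """Segregation of duties: a reviewer may not review entries produced by
    their own activity.  Returns (reviewable, excluded)."""
    own = [r for r in records if r["actor"] == reviewer]
    others = [r for r in records if r["actor"] != reviewer]
    return others, own


def chain_digests(records):
    """SHA-256 hash chain over the records: each digest covers the previous
    digest plus the canonical record, so any later edit or deletion of a
    record invalidates every digest from that point on."""
    digests, prev = [], "0" * 64
    for rec in records:
        canonical = json.dumps(rec, sort_keys=True, separators=(",", ":"))
        prev = hashlib.sha256((prev + canonical).encode()).hexdigest()
        digests.append(prev)
    return digests


def verify_chain(records, digests):
    """Recompute the chain; return the index of the first bad record, or -1."""
    recomputed = chain_digests(records)
    for i, (got, want) in enumerate(zip(recomputed, digests)):
        if got != want:
            return i
    if len(recomputed) != len(digests):          # trailing records removed/added
        return min(len(recomputed), len(digests))
    return -1


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("lockout candidates:", failed_login_offenders(recs))
    print("significant events:", len(flag_significant(recs)))
    digests = chain_digests(recs)
    tampered = [dict(r) for r in recs]
    tampered[6]["action"] = "view"               # simulate masking a deletion
    print("tamper detected at index:", verify_chain(tampered, digests))
```

In production the digests would be written to storage the log producer cannot alter (a separate host or WORM media); the chain only proves tampering, it does not prevent it.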
POLICY ENFORCEMENT
Anyone who violates this policy will be subject to disciplinary action, up to and including termination of employment.
Anyone who knows or has reason to believe that another person has violated this policy should report the matter promptly to the Privacy Officer. Any attempt to retaliate against a person for reporting a violation of this policy will itself be considered a violation of this policy that may result in disciplinary action up to and including termination of employment.
ASSIGNED SECURITY RESPONSIBILITY POLICY
REFERENCE: HIPAA SECURITY §164.308
PURPOSE
The Assigned Security Responsibility Policy is a reflection of SAW LLC’s commitment to selecting and assigning a single official with the responsibility of developing and implementing SAW LLC’s Information Security policies and procedures to protect the confidentiality, integrity, and availability of the data and Confidential Information of SAW LLC. “Confidential Information” includes information such as protected health information and financial information.
SAW LLC has named Viorica Timosca as the Security Officer.
The HIPAA Security Regulations, Administrative Safeguards, Section 45 C.F.R. 164.308(a)(2), require SAW LLC to “Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity.”
POLICY:
The SAW LLC Security Officer is responsible for developing and implementing the necessary policies and procedures to protect the confidentiality, integrity and availability of all the data, including all electronic protected health information (“ePHI”) that SAW LLC creates, receives, maintains or transmits, personally identifiable information (“PII”) related to patients and staff, financial data, confidential business information and plans, and any and all other Confidential Information.
POLICY ENFORCEMENT:
SAW LLC employees who violate this policy will be subject to disciplinary action, up to and including termination of employment, or revocation of medical staff privileges with SAW LLC.
SECURITY OFFICER RESPONSIBILITIES
The responsibilities of the Security Officer include, but are not limited to:
- Confirming that SAW LLC information systems do not compromise the confidentiality, integrity or availability of any Confidential Information. This includes all SAW LLC information systems, repositories and conduits that contain Confidential Information;
- Developing, documenting, and maintaining information security controls and system reviews that provide cost-effective protection of information and information assets owned by, or in the custody of, SAW LLC without an adverse impact on patient care, and that support compliance with the HIPAA Privacy and Security Rules and other applicable regulations;
- Confirming that SAW LLC is compliant with the Health Insurance Portability and Accountability Act (“HIPAA”) and Health Information Technology for Economic and Clinical Health (“HITECH”) regulations and standards (specifically the Security Rule);
- Confirming that SAW LLC’s information systems support required and/or addressable implementation specifications of the HIPAA Security Rule and SAW LLC’s internal security requirements;
- Developing, documenting and disseminating appropriate security policies, procedures and standards for users and administrators of SAW LLC’s information systems;
- Confirming that an inventory of SAW LLC’s ePHI Systems is maintained and updated on an ongoing basis;
- Overseeing the implementation of an effective risk management program;
- Confirming that threats and risks to the confidentiality, integrity and availability of the information received from covered entities and information assets are monitored and evaluated;
- Confirming that access to Confidential Information is recorded, monitored and audited to identify security incidents and malicious activity and that, in the case of ePHI, processes are in place to provide patients with an audit report and an accounting of disclosures;
- Overseeing that the process of granting levels of appropriate access to information, including access authorization, access establishment, access modification and management of passwords are in place and developing and implementing policies and procedures to support them;
- Overseeing the development and implementation of an effective security incident response policy and related procedures;
- Confirming that adequate physical security controls exist to protect the Confidential Information received from covered entities;
- Developing, implementing and maintaining security procedures that address contingency plans for emergencies and disaster recovery, security incident response processes, and security incident reporting mechanisms;
- Conducting and/or overseeing functionality and gap analyses to determine compliance with statutory and regulatory requirements;
- Overseeing the development and implementation of a breach notification compliance program and related procedures and serving on the Breach Response Team;
- Confirming effective processes are in place to sanction employees, vendors, contractors, and volunteers;
- In conjunction with the Privacy Officer, to report any violations of HIPAA or HITECH to the Department of Health and Human Services;
- To oversee that document and record keeping procedures are conducted in accordance with HIPAA and HITECH, which includes working closely with computer technicians and the information technology personnel;
- To collaborate with legal counsel regarding compliance with HIPAA and HITECH standards;
- To maintain a mobile device tracking log;
- To be the primary authority and primary contact for managing the addition, termination, or suspension of authorized users within the electronic system;
- To serve as the primary contact during audits;
- To oversee compliance with the minimum necessary rule for the access, use and disclosure of data;
- To develop, implement and perform ongoing monitoring of security risk analysis / risk management processes;
- To oversee data backup and storage;
- In conjunction with the Privacy Officer, to oversee that all HIPAA and HITECH regulations and procedures are followed by business associates and/or covered entities;
- In conjunction with the Privacy Officer, to develop and implement employee HIPAA and breach notification compliance.
SECURITY AWARENESS & TRAINING POLICY
REFERENCE: HIPAA SECURITY §164.308
PURPOSE
The Security Awareness and Training policy is a reflection of SAW LLC’s commitment to provide security awareness and training to SAW LLC workforce members who have access to protected health information (PHI). “PHI” means protected health information that SAW LLC creates, receives, maintains or transmits.
SAW LLC will develop, implement and provide security training and awareness to SAW LLC workforce members who have access to PHI. SAW LLC workforce members will be provided with training to enable them to appropriately protect SAW LLC’s PHI. New SAW LLC workforce members will receive the appropriate security training prior to being provided access to SAW LLC’s PHI. New England Dental, LLC will make business associates aware of SAW LLC’s security policies and procedures when and if appropriate. Additionally, third parties who have access to SAW LLC’s PHI will also be informed of SAW LLC’s security policies and procedures when and if appropriate and will be required to execute an Acknowledgment form indicating that they have received certain policies and will abide by them. Documentation will be maintained regarding the individuals who have undergone training.
Under the HIPAA Security Regulations, Administrative Safeguards, Section 45 C.F.R. 164.308(a)(5)(i), the standard requires that SAW LLC “Implement a security awareness and training program for all members of a covered entity’s workforce (including management).”
POLICY:
- SAW LLC has developed, implemented and reviews on an ongoing basis a documented program for providing security training and awareness to SAW LLC workforce members who have access to PHI, including management.
- SAW LLC provides workforce members who have access to PHI Systems, including management, with training to enable them to appropriately protect the confidentiality, integrity and availability of SAW LLC’s PHI. Training is provided onsite at SAW LLC, through approved training. Training includes:
- SAW LLC’s security policies, procedures and standards;
- The secure usage of SAW LLC’s PHI Systems;
- Risks to the confidentiality, integrity and availability of SAW LLC’s PHI;
- Legal and business responsibilities of SAW LLC for protecting its PHI;
- Approved security practices of SAW LLC including procedures for guarding against, detecting, and reporting malicious software are implemented as
- SAW LLC workforce members who have access to PHI receive training on SAW LLC’s security measures adopted to protect the confidentiality, integrity and availability of its PHI.
- After the training has been conducted, SAW LLC workforce members confirm in writing, by signing the HIPAA and HITECH and Breach Notification Training Acknowledgement form, that they have received the training, understand the materials presented and agree to comply with SAW LLC’s security policies and procedures.
- New SAW LLC workforce members receive the appropriate security training prior to being provided access to SAW LLC’s PHI. After the training has been conducted, SAW LLC’s new workforce members confirm, in writing, that they have received the training, understand the materials presented, and agree to comply.
- SAW LLC is responsible for maintaining the Acknowledgment forms.
- SAW LLC makes business associates aware of SAW LLC’s security policies and procedures when and if appropriate. This awareness is performed through contractual language or other means.
- SAW LLC makes third parties who have access to SAW LLC’s PHI aware of its security policies and procedures when and if appropriate. SAW LLC workforce members who retain the services of a third party are responsible for taking reasonable steps to ensure the third party adheres to SAW LLC’s security policies and procedures.
- SAW LLC makes its written security policies and procedures available for reference and review by its workforce members, business associates, and third parties.
- In accordance with its Breach Notification and Security Incident Response Policies, SAW LLC trains and reminds SAW LLC workforce members of the proper procedures for reporting a security incident or a breach.
- As SAW LLC performs system updates, employees are re-trained as needed.
- Procedures for monitoring log-in attempts and reporting discrepancies are implemented as
POLICY AUTHORITY/ENFORCEMENT:
Anyone who violates this policy will be subject to disciplinary action, up to and including termination of employment.
Anyone who knows or has reason to believe that another person has violated this policy should report the matter promptly to the Privacy Officer. Any attempt to retaliate against a person for reporting a violation of this policy will itself be considered a violation of this policy that may result in disciplinary action up to and including termination of employment with SAW LLC.
SECURITY INCIDENT RESPONSE & REPORTING POLICY
REFERENCE: HIPAA SECURITY §164.308
PURPOSE
The Security Incident Response & Reporting Policy is a reflection of SAW LLC’s commitment to promptly identify and respond to security incidents in order to protect the confidentiality, integrity and availability of electronic protected health information (ePHI). “ePHI” means electronic protected health information that SAW LLC receives, maintains or transmits.
SAW LLC will promptly identify, report, and respond to security incidents in order to protect the confidentiality, integrity and availability of SAW LLC’s ePHI Systems and Confidential Information. “ePHI Systems” means SAW LLC’s information systems, repositories and conduits that contain ePHI. SAW LLC will perform an investigation when evidence shows that a security incident has occurred and will respond to the security incident. “Confidential Information” means protected health information and financial information.
This policy complies with HIPAA Security Regulations, Administrative Safeguards, Implementation Specification for Security Incident Procedures Standard 45 C.F.R 164.308(a)(6)(i) and 45 C.F.R 164.308(a)(6)(ii).
POLICY:
- SAW LLC promptly identifies and responds to security incidents in order to protect the confidentiality, integrity and availability of its ePHI.
- SAW LLC has implemented a documented process for promptly identifying security incidents. The process includes:
Risk analysis of SAW LLC’s electronic protected health information (ePHI) Systems. “ePHI” means electronic protected health information that SAW LLC receives, maintains or transmits. “ePHI Systems” means SAW LLC’s information systems, repositories and conduits that contain ePHI.
On the basis of the risk analysis, identify what events constitute a security incident in the context of SAW LLC’s operations.
Analyze, identify and report a security incident.
Train workforce members on reporting security incidents.
Implement a process to allow access by an appropriately authorized and trained workforce member or vendor to affected ePHI Systems to respond to and recover from a security incident.
Mitigate the harmful effects of a security incident, including minimizing its impact and preventing additional damage.
Collect and preserve evidence of a security incident.
Assess a security incident and implement security controls to prevent a recurrence.
- SAW LLC conducts an investigation when a security incident has occurred. The investigation seeks appropriate information on the basis of which the investigator may identify the vulnerability which led to the incident and take reasonable steps to ensure that the harmful effects of the security incident are mitigated and that security controls are implemented to mitigate the vulnerability and prevent recurrence. No workforce member will prohibit or otherwise attempt to hinder or prevent another SAW LLC workforce member from reporting a security incident.
A possible security incident is reported to N/A
The following procedures are in place to report a possible security incident: N/A
DATA BACKUP & STORAGE POLICY
REFERENCE: HIPAA SECURITY §164.308
PURPOSE
The Data Backup and Storage Policy defines the procedures that SAW LLC requires for protecting the availability of SAW LLC’s electronic data when planned activities may impact it, or in response to a disaster. Electronic data means the critical and Confidential Information maintained or stored electronically. “Confidential Information” means electronic protected health information, financial information, confidential and proprietary information.
This policy complies with the HIPAA Security Regulation, under the Physical Safeguards requirements, Section 45 CFR 164.310(d)(2)(iv), Implementation Specification for Device and Media Controls Standard, which requires SAW LLC to, “Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment” and the Administrative Safeguards requirements, Section 45 CFR 106.308(a)(7), Data Backup Plan, which requires the establishment and implementation of “procedures to create and maintain exact retrievable copies of electronic protected health information.”
POLICY:
Data Backup & Storage Responsibilities
- SAW LLC makes exact, retrievable backup copies of all electronic data.
- The backup process includes electronic data stored on hardware or electronic media, such as:
Computers
Floppy disks
Backup tapes
DVDs and CDs
Zip drives
Portable hard drives (such as USB drives)
PDAs and smart phones
- SAW LLC takes reasonable steps to ensure that all electronic data that is backed up in connection with movement of equipment into, out of, or within its facilities can be recovered following a disaster or other emergency, or a failure of the equipment during movement.
- If applicable, SAW LLC has contracted with a secure offsite storage facility and transportation company to securely transport and store backup copies of its electronic data. SAW LLC ensures that all storage facility and transportation companies enter into Business Associate Agreements with SAW LLC, and requires that each storage facility or transportation company implement appropriate administrative, technical and physical safeguards to ensure the confidentiality of the data.
- SAW LLC will store its backup copies of data and its records of the backup copies and restoration procedures in a secure remote location, within sufficient distance from SAW LLC’s facilities to allow for prompt retrieval in the event of a disaster or other emergency, or a failure of the equipment during movement.
- SAW LLC will make the backup copies of data stored at the remote location accessible only to authorized workforce members for retrieval when needed in the event of a disaster or other emergency, or a failure of the equipment during movement.
- SAW LLC will test the backup and restoration procedures on a regular basis. SAW LLC will take reasonable steps to ensure that the procedures are effective and can be completed within a reasonable amount of time.
SAW LLC’s data back-ups are conducted in the following manner: N/A
SAW LLC’s data back-ups are tested and documented N/A
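The policy requires backups to be exact and retrievable, and the restoration procedure to be tested regularly. One concrete way to make that test objective is to record a digest of every file at backup time and compare the restored tree against it, so that a restore that silently lost or corrupted a file is caught before anyone relies on it. The block below is an added illustration, not SAW LLC's procedure or code; the directory layout, file names and file contents are constructed for the example, and local directory copies stand in for whatever backup medium is actually used.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB pieces so large backups are not loaded whole


def hash_file(path):
    """SHA-256 digest of a file, streamed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def make_backup(src, dst):
    """Copy the live tree to the backup location and return the manifest taken at backup time."""
    shutil.copytree(src, dst)
    return build_manifest(src)


def verify_restore(manifest, restored_root):
    """Compare a restored tree to the manifest; an empty list means an exact restore."""
    actual = build_manifest(restored_root)
    problems = []
    for rel, digest in manifest.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"corrupted: {rel}")
    problems += [f"unexpected: {rel}" for rel in actual if rel not in manifest]
    return problems


def restore_test(corrupt=False):
    """One backup/restore drill on constructed data; returns the list of problems found.

    corrupt=True simulates a restore that brought back a truncated file, which is the
    kind of failure a test of the restoration procedure exists to catch.
    """
    work = Path(tempfile.mkdtemp())
    try:
        live = work / "live"
        (live / "records").mkdir(parents=True)
        # Constructed sample content; no real patient or financial data.
        (live / "records" / "patient_0001.txt").write_text("constructed sample record\n")
        (live / "ledger.csv").write_text("date,amount\n2024-01-15,120.00\n")

        manifest = make_backup(live, work / "backup")
        shutil.rmtree(live)  # simulate loss of the live data
        shutil.copytree(work / "backup", work / "restored")
        if corrupt:
            (work / "restored" / "ledger.csv").write_text("date,amount\n")
        return verify_restore(manifest, work / "restored")
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print("clean restore:", restore_test())
    print("corrupted restore:", restore_test(corrupt=True))
```

The manifest is what should be kept with the backup records the policy refers to, since a digest list stored only on the system being backed up is lost together with it. The drill result (an empty problem list, the date, and who ran it) is the evidence that the documented test was carried out.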
DISASTER RECOVERY PLAN POLICY
REFERENCE: HIPAA SECURITY §164.308
PURPOSE
The Disaster Recovery Plan Policy documents SAW LLC’s detailed and documented disaster recovery plans to facilitate the recovery of any lost, damaged or corrupted data, and business critical systems (“systems”), in a disaster or other emergency.
This policy complies with Administrative Safeguard Section 45 C.F.R 164.308(a)(7)(ii)(B), Implementation Specification for Contingency Plan Standard of the HIPAA Security Regulation.
POLICY:
Disaster Recovery Plan Requirements and Responsibilities
- SAW LLC will maintain a documented disaster recovery plan to recover systems that are lost, damaged or corrupted in the event of a disaster or other emergency.
- The disaster recovery plan should include:
The conditions under which the disaster recovery plan may be activated;
SAW LLC’s staff members’ roles and responsibilities in executing the disaster recovery plan;
Recommended procedures outlining the actions to be taken to restore systems, and to return those systems to normal operations, within acceptable and defined timeframes;
The sequence in which systems must be restored;
Acceptable methods for reporting and notification;
- In the event of a disaster or other emergency, procedures for granting appropriate specified staff members physical access to the SAW LLC’s facilities and to any backup media on which systems are stored (whether onsite or offsite), in order to carry out the recovery plan;
- Testing procedures that specify how and when disaster recovery drills and tests of the plan will be conducted.
- SAW LLC will provide regular training and awareness on the disaster recovery plan to appropriate staff.
- SAW LLC provides current copies of the Disaster Recovery Plan to appropriate staff. Copies of the Disaster Recovery Plan are also kept off-site.
SAW LLC’s documented Disaster Recovery Plan that focuses on restoring the organization’s PHI, and the date it was last reviewed and tested, is:
N/A
EMERGENCY MODE OPERATIONS POLICY
REFERENCE: HIPAA SECURITY §164.308
PURPOSE
The Emergency Mode Operations Policy is a reflection of SAW LLC’s commitment to take reasonable steps to ensure that in the event of a disaster or other emergency, appropriate SAW LLC workforce members can enter its facilities to take the necessary actions documented in its Disaster Recovery Plan.
SAW LLC will implement a documented procedure for allowing designated workforce members to enter SAW LLC facilities to take necessary actions as documented in its Disaster Recovery Plan in order to protect the confidentiality, availability and integrity of electronic protected health information (ePHI) while operating in emergency mode. “ePHI” means electronic protected health information that SAW LLC creates, receives, maintains or transmits.
The HIPAA Security Regulations, Physical Safeguards, Implementation Specification for Facility Access Controls Standard, Section 45 C.F.R. 164.310(a)(2)(i), requires that SAW LLC “Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.”
POLICY:
- SAW LLC takes reasonable steps to ensure that in the event of a disaster or emergency, appropriate workforce members can enter its facilities to take the necessary actions as documented in its Disaster Recovery Plan.
- Based on its Disaster Recovery Plan, SAW LLC develops, implements and periodically reviews a documented procedure to allow authorized workforce members access to SAW LLC’s facilities to support restoration of lost data. SAW LLC defines workforce members’ roles in its Disaster Recovery Plan, and addresses all facilities, ePHI Systems and electronic media involved. SAW LLC’s Disaster Recovery Plan defines how the actions taken by such workforce members are tracked and logged, and how unauthorized accesses can be detected and prevented.
- In the event of a disaster or other emergency, only authorized SAW LLC workforce members are permitted to administer or modify processes and controls that protect the security of ePHI.
- SAW LLC tests the Emergency Mode Operation Plan.
POLICY ENFORCEMENT:
The SAW LLC Privacy Officer has general responsibility for implementation of this policy. Members of the SAW LLC staff who violate this policy will be subject to disciplinary action in accordance with the Information Security Disciplinary Action Policy, up to and including termination of employment, contract or medical staff privileges with SAW LLC.
Anyone who knows or has reason to believe that another person has violated this policy should report the matter promptly to his or her supervisor or the SAW LLC Privacy Officer. Any attempt to retaliate against a person for reporting a violation of this policy will itself be considered a violation of this policy that may result in disciplinary action up to and including termination of employment or contract with SAW LLC.
SAW LLC’s documented Emergency Mode Operating Procedures that focus on maintaining and protecting critical functions that protect the security of protected health data are: N/A
The staff member(s) responsible for implementing these procedures and their role assignments are: N/A
SAW LLC’s Emergency Mode Operation Plan last reviewed and tested on N/A
INFORMATION SECURITY EVALUATION POLICY
REFERENCE: HIPAA SECURITY §164.308
PURPOSE
The Information Security Evaluation Policy details the periodic technical and non-technical evaluations of security safeguards that SAW LLC performs in order to demonstrate and document the extent of its compliance with security policies, the HIPAA Security Regulations, and all other applicable and appropriate local, state, and federal Regulations that pertain to Information Security Controls.
POLICY:
SAW LLC will conduct periodic technical and non-technical evaluations of security safeguards in order to demonstrate and document the extent of its compliance with HIPAA Security Regulations, and all other applicable regulations that pertain to information security controls.
This policy supports HIPAA Security Regulations, Administrative Safeguards Standard, 45 CFR 164.308(a)(8)(i), which requires that SAW LLC: “Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.”
General
- SAW LLC will conduct periodic technical and non-technical evaluations of security safeguards, including policies, controls and processes, in order to demonstrate and document the extent of its compliance with its security policies and the HIPAA Security Regulations.
- The technical and non-technical assessments may be conducted more frequently as a result of environmental or operational changes in the SAW LLC environment. Changes that might trigger a re-evaluation include:
- An identified security incident or breach of confidential information;
- Evolving threats and risks to data security;
- Changes to SAW LLC’s organizational or technical infrastructure;
- Changes to information security roles or responsibilities;
- Newly emerging security technologies and industry recommendations;
- New laws or regulatory requirements.
- Evaluations will be conducted internally or by a third party.
- Evaluations will include:
- A review of SAW LLC’s security policies and procedures to evaluate their appropriateness and effectiveness at protecting against any reasonably anticipated threats or hazards to the confidentiality, integrity and availability of ePHI, and a gap analysis to compare the policies and procedures against actual practice.
- An identification of threats and risks to SAW LLC’s systems and data.
- An assessment of SAW LLC’s security controls and processes as reasonable and appropriate protections against the risks identified for the systems and confidential information.
- Testing and verification of SAW LLC’s security controls and processes to determine whether they have been implemented properly and whether those controls and processes appropriately protect SAW LLC’s systems and data. This testing may be conducted by an authorized workforce member or a third party acting on SAW LLC’s behalf.
- The evaluation process and results are documented in a report that is provided to the Security Officer.
- Following each evaluation, SAW LLC will update its security policies, procedures, controls and processes as needed to protect against any reasonably anticipated threats or hazards to the confidentiality, integrity and availability of SAW LLC’s systems and data and to align with local, state, and federal regulations pertaining to security.
- Documentation of the evaluation process and the report shall be completed and maintained by the Security Officer.
SECURITY PHYSICAL SAFEGUARDS
SECURITY PHYSICAL SAFEGUARDS POLICY
REFERENCE: HIPAA SECURITY §164.310
POLICY
SAW LLC has implemented policies and procedures that comply with, at a minimum, the “Required” standards of the HIPAA Security Rule, Physical Safeguards. The practice complies with the requirement to implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. In the Rule, a “facility” is defined as “the physical premises and the interior and exterior of a building(s).”
In general, Physical Safeguards are the mechanisms required to protect electronic systems, equipment, and the data they hold, from threats, environmental hazards and unauthorized intrusion. It includes restricting access to EPHI and retaining off-site computer backups.
“Addressable” implementation specifications are reviewed to determine whether the specification is appropriate for the practice. If the specification is reasonable and appropriate, the practice must implement it. If not reasonable and appropriate, the reasons are documented, and alternate methods are considered and implemented.
When a standard does not have implementation specifications associated with it, then the standard itself is “Required.” This standard contains the following implementation specifications.
PROCEDURES:
Standard: Facility Access Controls
The practice has instituted policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
Implementation Specifications
Contingency Operations (Addressable): Establish (and implement as needed) procedures that allow facility access while lost data is restored under the disaster recovery plan and emergency mode operations plan, in the event of an emergency.
Facility Security Plan (Addressable): Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. Facility security plans must document the use of physical access controls. The controls must ensure that only authorized individuals have access to facilities and equipment that contain EPHI. Some examples of methods that can be used to accomplish this include locked doors, “restricted area” warning signs, surveillance cameras, alarms, identification badges, escorts for large facilities, or private security services. The plan should be reviewed annually.
Access Control and Validation Procedures (Addressable): Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
Maintenance Records (Addressable): Implement policies and procedures to document repairs and modifications to the physical components of a facility that are related to security (for example, hardware, walls, doors, and locks). Documentation can be done by either using a logbook noting the date, reason for repair/modification and who authorized it, or by using a database for more extensive repairs.
Standard: Workstation Use and Security (Required)
Policies and procedures are implemented that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information. A workstation is defined in the Rule as an “electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment.” This standard also applies to workforce members that work off-site using workstations that can access EPHI. It includes employees who work from home, in satellite offices, or in another facility. Some examples of practices that may be used include logging off before leaving a workstation for an extended period, and using and continually updating antivirus software. Portable wireless devices should be secured/encrypted in order to avoid breach notifications, as required under the HITECH Act Breach Notification Rule.
Physical safeguards are implemented for all workstations that access electronic protected health information, to restrict access to authorized users. This addresses how workstations are physically protected from other users, including the relocation of workstations, the prevention of unprotected access by unauthorized users, and policies on the removal of mobile devices from controlled areas.
Standard: Device and Media Controls (Required)
Policies and procedures are implemented that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility such as “electronic storage media,” including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card. This standard covers the proper handling of electronic media including receipt, removal, backup, storage, reuse, disposal and accountability.
Implementation Specifications
Disposal (Required): Policies and procedures are implemented to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored. The practice must ensure that any discarded electronic media is unusable and/or inaccessible. One of the methods that can be used is degaussing—using a magnetic field to erase the data. Another is to physically damage it beyond repair. It should be noted that simple “file delete” commands do not permanently erase data from a computer hard drive.
Media re-use (Required): Procedures are implemented for removal of electronic protected health information from electronic media before the media are made available for re-use.
Accountability (Addressable): Maintain a record of the movements of hardware and electronic media from one location to another, and any person responsible for the movements. Since portable workstations and media are becoming smaller, there may be special challenges in meeting this addressable specification.
Data backup and storage (Addressable): Create a retrievable, exact copy of electronic protected health information, when needed, before moving equipment. Data backups must be done very frequently and on a routine basis.
WORKSTATION USE POLICY
REFERENCE: HIPAA SECURITY §164.310
PURPOSE:
The Workstation Use Policy is intended to provide security for any workstation used in SAW LLC’s offices. This policy applies to all users of SAW LLC’s information systems and information, and all users must be familiar and comply with this policy.
POLICY:
General
- All workstations used in SAW LLC’s offices shall be placed in such a way that they can be secured from public access and public view using reasonable means. Workstations that access protected health information shall be placed so that the general public cannot view information on the monitor. This may also be accomplished through the use of software and/or hardware.
- Active workstations shall not be left logged on to systems and/or applications while unattended for extended periods of time. Workstations that are inactive for more than five (5) minutes shall employ a screen saver, and workstations that are inactive for more than fifteen (15) minutes shall be logged off unless a specific exemption has been granted by SAW LLC. All users are expected to properly log out of all applications and networks when leaving a workstation so that unauthorized access to information can be prevented.
- All workstations used for SAW LLC business activity, no matter where located, must use an access
- All access is to be granted to workstations, folders, applications, or any information through the use of unique, controlled login IDs assigned to specific users. All users must be authenticated to the network, system, or application through the use of an approved authentication method.
- All physical devices should employ some mechanism for preventing theft. Locking mechanisms are mandatory for devices that are located in obscure locations.
- Laptops must be secured or in the possession of the workforce member to whom they are assigned at all times. Laptops should not be left in hotel rooms, automobiles or public locations.
SAW LLC ensures that any discarded electronic media is unusable and/or inaccessible.
Failure To Comply
Failure to comply with this policy shall result in disciplinary action up to and including termination, as well as the possibility of appropriate legal action including, but not limited to, the right to seek compensation and or prosecution.
Users are prohibited from gaining unauthorized access to any information or information system in any way that damages, alters, or otherwise disrupts the operations of these systems.
DISPOSAL POLICY
REFERENCE: HIPAA SECURITY §164.310
PURPOSE:
The Disposal Policy specifies the requirements set forth by SAW LLC for the proper disposal of electronic protected health information (ePHI), financial information, confidential and proprietary information (“Confidential Information”), and the hardware and electronic media on which such information has been stored. “ePHI” means electronic protected health information that SAW LLC receives, maintains or transmits.
This policy complies with the HIPAA Security Regulation, under the Physical Safeguards, Section 45 C.F.R. 164.310(d)(2)(i), Implementation Specification for Device and Media Controls Standard.
POLICY:
When Confidential Information or the hardware or electronic media on which it has been stored is no longer needed, it must be erased in such a manner as to permanently and completely delete all data to prevent future access by unauthorized individuals. SAW LLC will log and track the disposal of the hardware and electronic media on which Confidential Information is stored.
Disposal Requirements and Responsibilities
According to the Breach Notification Rule, notifications are NOT required for breaches originating from PHI that is secure. To be considered secure, PHI must be destroyed through the use of a technology or methodology specified by the Secretary of the Department of Health and Human Services in guidance that renders PHI unusable, unreadable or indecipherable. In guidance, these methods are:
- Paper, film or other hard copy media must be shredded or destroyed so it cannot be read or reconstructed.
- Electronic media must be cleared, purged, or destroyed consistent with NIST Special Publication 800-88 so PHI cannot be retrieved.
Hardware and electronic media on which Confidential Information may be stored, and to which this policy applies, includes but is not limited to:
- Computers (desktops, laptops, tablet devices)
- Smartphones, PDAs
- Floppy disks, hard disks
- CDs, DVDs
- Magnetic tape, videotape, audiotape
- Zip drives, portable hard drives
- USB storage devices
- Flash memory
SAW LLC must log and track the final disposal of all hardware and electronic media on which Confidential Information or ePHI has been stored. This logging and tracking provides the following information:
- Date and time of disposal
- Who administered the disposal
- Description of the hardware and electronic media being disposed
- Disposal method
- Source and description of the ePHI being disposed
PHI must not be discarded in trash bins, unsecured recycle bags, or other publicly accessible locations. Instead, this information must be personally shredded, or placed in a secured recycling bag.
If hardware or electronic media on which Confidential Information has been stored is to be reused within SAW LLC, reasonable and appropriate steps must be taken to completely and permanently remove all traces of the data utilizing approved erasure tools. SAW LLC is responsible for approval of the erasure tool and method to be used and to take reasonable steps to ensure that it is used properly.
Hardware or electronic media that has been determined to have reached end-of-life is to be physically destroyed utilizing an approved destruction method in accordance with HHS Guidelines. Proof of destruction must be maintained. Original documents shall be destroyed in accordance with SAW LLC’s Record Retention Policy.
Documentation of Destruction
To ensure that destruction is in fact performed, SAW LLC personnel or a bonded destruction service must carry out the destruction of PHI. If SAW LLC personnel undertake the destruction of the records, they must use the practice’s records destruction form. (A sample form is available on the following pages.)
If a bonded shredding company undertakes the destruction, the bonded shredding company must provide SAW LLC with the document of destruction that contains the following information:
- Date of destruction;
- Method of destruction;
- Description of the disposed records;
- Inclusive dates covered;
- A statement that the records have been destroyed in the normal course of business;
- The signatures of the individuals supervising and witnessing the destruction.
SAW LLC will maintain certificates of destruction.
POLICY ENFORCEMENT
Anyone who violates this policy will be subject to disciplinary action, up to and including termination of employment or contract with SAW LLC.
Anyone who knows or has reason to believe that another person has violated this policy should report the matter promptly in accordance with applicable policy and procedure. Any attempt to retaliate against a person for reporting a violation of this policy will itself be considered a violation of this policy that may result in disciplinary action up to and including termination of employment or contract with SAW LLC.
MEDIA RE-USE POLICY
REFERENCE: HIPAA SECURITY §164.310
PURPOSE:
The Media Re-Use Policy specifies the requirements to be followed when erasing Confidential Information from all electronic media before the media may be re-used. “Confidential Information” means protected health information, financial information, confidential and proprietary information.
SAW LLC must remove all Confidential Information from any electronic media before the media may be re-used for any purpose.
This Policy complies with the required Implementation Specification for Device and Media Controls Standard under section 45 C.F.R 164.310(d)(2)(ii), of the HIPAA Security Regulations, Physical Safeguards, which states, “Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.”
POLICY:
- SAW LLC must remove all Confidential Information, including ePHI, on any electronic media before the media may be re-used.
- SAW LLC follows a documented process, taking reasonable and appropriate steps to completely and permanently remove all traces of the information, utilizing approved erasure tools.
- The process applies to hardware and electronic media on which Confidential Information is stored, including but not limited to:
- Copiers with data storage capability
- Computer Hard drives (desktops, laptops)
- Floppy disks, hard disks
- Magnetic tape, videotape, audiotape
- Zip drives, portable hard drives
- USB storage devices
- SAW LLC is responsible for approval of the erasure tools and methods to be used and will take reasonable steps to ensure that they are used properly.
POLICY ENFORCEMENT:
Anyone who violates this policy will be subject to disciplinary action, up to and including termination of employment.
Anyone who knows or has reason to believe that another person has violated this policy should report the matter promptly to the Privacy Officer. Any attempt to retaliate against a person for reporting a violation of this policy will itself be considered a violation of this policy that may result in disciplinary action up to and including termination of employment.
FACILITY SECURITY PLAN POLICY
REFERENCE: HIPAA SECURITY §164.310
PURPOSE:
This policy outlines the requirement for SAW LLC to develop and implement Facility Security plans that detail how it protects its facilities and confidential data from unauthorized access, tampering and theft.
This policy supports HIPAA Security Regulation, under the Physical Safeguards, Section 45 C.F.R. 164.310(a)(2)(ii), Implementation Specification for Facility Access Controls Standard, requires that SAW LLC “Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.”
POLICY:
- SAW LLC must develop, implement and document a Facility Security Plan that details how it protects its facilities and systems from unauthorized access, tampering or theft. The Facility Security Plan includes evaluations of the implemented physical safeguards for confidential information. The basis of the Facility Security Plan will come from SAW LLC’s annual risk analysis.
- The Facility Security Plan must be reviewed, and revised if necessary, on an annual basis.
- The Facility Security Plan must address the following:
- Identification of all systems which access or contain SAW LLC’s confidential data;
- Identification of security processes and controls used to protect SAW LLC’s confidential data from unauthorized access, tampering or theft;
- Actions to be taken if unauthorized access, tampering or theft attempts have been made against SAW LLC’s systems;
- Identification of SAW LLC’s workforce members’ roles and responsibilities in the Facility Security Plan;
- Notification and reporting procedures;
- Maintenance schedule that specifies how and when the plan will be tested and a process for maintaining the Facility Security Plan;
- The Privacy Officer is responsible for taking whatever steps are necessary to ensure the plan is tested and maintained appropriately;
- SAW LLC will distribute the Facility Security Plan to the appropriate workforce members. In addition, copies of the Facility Security Plan will be maintained off-site.
- N/A
N/A is responsible for creating, maintaining and updating SAW LLC’s security plan.
POLICY AUTHORITY/ENFORCEMENT
The Privacy Officer has general responsibility for implementation of this policy, as well as the standards defined or implied by this policy. Members of the SAW LLC staff and health care professionals who violate this policy will be subject to disciplinary action in accordance with the Information Security Disciplinary Policy, up to and including termination of employment, contract or medical staff privileges with SAW LLC.
Anyone who knows or has reason to believe that another person has violated this policy should report the matter promptly in accordance with applicable policy and procedure. All reported matters will be investigated, and, where appropriate, steps will be taken to remedy the situation. Where possible, SAW LLC will make every effort to handle the reported matter confidentially. Any attempt to retaliate against a person for reporting a violation of this policy will itself be considered a violation of this policy that may result in disciplinary action up to and including termination of employment, contract or medical staff privileges with SAW LLC.
EXCEPTIONS:
Exceptions to this policy can be made with written approval of the Privacy Officer.
REVIEW OF POLICY
In the event that a significant regulatory change occurs, the policy will be reviewed and updated as needed. The policy will be reviewed annually to determine its effectiveness in complying with the HIPAA Security Regulations, as well as meeting business needs.
Please refer to the “Forms” section to find the “Information Systems and Telecommunications Hardware Inventory Worksheet”.
Please refer to the “Forms” section to find the “Certificate of Destruction” form.
SECURITY TECHNICAL SAFEGUARDS
SECURITY TECHNICAL SAFEGUARDS POLICY
REFERENCE: HIPAA SECURITY §164.310
POLICY
SAW LLC has implemented policies and procedures for electronic information systems that maintain EPHI to comply with, at a minimum, the “Required” standards of the HIPAA Security Rule, Technical Safeguards. Technical Safeguards are defined as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”
In general, these are primarily the automated processes used to protect data and control access to data. They include using authentication controls to verify that the person signing onto a computer is authorized to access that EPHI, or encrypting and decrypting data as it is being stored and/or transmitted.
The results of the required risk analysis and risk management processes are used to determine the security measures needed.
The Security Rule itself does not require specific technology solutions; however, the HITECH Breach Notification Rule does suggest some technology solutions. Although these solutions are not required under the Breach Notification Rule, breach notifications may be avoided if they are used.
“Addressable” implementation specifications are reviewed to determine whether the specification is appropriate for the practice. If the specification is reasonable and appropriate, the practice must implement it. If not reasonable and appropriate, the reasons are documented and alternate methods are considered and implemented.
When a standard does not have implementation specifications associated with it, then the standard itself is “Required.” This standard contains the following implementation specifications.
PROCEDURES:
Standard: Access Control
Technical policies and procedures are implemented for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in the Administrative Safeguards Information Access Management section of the Security Rule. Access controls provide users with rights and/or privileges to access and perform functions using information systems, applications, programs or files. Specific methods are not identified in the Security Rule.
Implementation Specifications
Unique user identification (Required): A unique name and/or number for identifying and tracking user identity is assigned. The Rule does not describe or provide a specific format for user identification.
Possible best practice methods for user identification management are to require users to change initial passwords to user-selected passwords, and to change passwords occasionally, depending on the results of the risk assessment. The Security Officer may be given the passwords for emergency access.
Emergency access procedure (Required): Procedures are established (and implemented as needed) for obtaining necessary electronic protected health information during an emergency. Procedures must be established to instruct workforce members on possible ways to gain access to needed EPHI in situations where normal environmental systems, such as electrical power, have been damaged or are inoperative. The practice IT staff or vendor should be asked to provide a unique password for emergency access.
Automatic logoff (Addressable): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. This can protect EPHI in situations when the user did not have time, or had forgotten, to log off.
Encryption and decryption (Addressable): Implement a mechanism to encrypt and decrypt electronic protected health information. Encryption is a method of converting an original message of regular text into encoded text. There is a low probability that anyone other than the receiving party, or one with a key to the code, would be able to decrypt the information.
Standard: Audit Controls (Required)
Hardware, software, and/or procedural mechanisms are implemented that record and examine activity in information systems that contain or use electronic protected health information. These mechanisms are helpful when determining if a security violation occurred. The risk analysis and organizational factors must be considered when determining reasonable and appropriate audit controls for information systems that contain or use EPHI. Audit controls should be performed often, on a routine basis, as this may be the only way to know that a breach has occurred. If the practice was not aware of a breach of security, but should have been aware, then enforcement sanctions by HHS increase. Audit logs must remain accessible to authorized users, and retained for six years after the last dated entry.
Standard: Integrity
Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
Implementation Specification
Mechanism to authenticate electronic protected health information (Addressable): Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner. In order to determine which electronic mechanisms to implement to ensure that EPHI is not altered or destroyed in an unauthorized manner, a covered entity must consider the various risks to the integrity of EPHI identified during the risk analysis.
Standard: Person or Entity Authentication (Required)
Procedures are implemented to verify that a person or entity seeking access to electronic protected health information is the one claimed. Proof of identity is accomplished in several ways, including requiring something such as a password or PIN, a smart card, a token, a key, or a biometric such as fingerprints, voice patterns, facial patterns or iris patterns.
Standard: Transmission Security
Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. The practice reviews the current methods used to transmit EPHI, such as e-mail, over the internet, or some other means. Then the practice identifies the available and appropriate means to protect EPHI as it is transmitted, selects appropriate solutions, and documents its decisions. In particular, wireless devices can pose a significant threat and should either be banned or secured.
Implementation Specifications
Integrity controls (Addressable): Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of. Integrity in this context is focused on making sure the EPHI is not improperly modified during transmission. A primary way to accomplish this is by using network communication protocols. This ensures that the data sent is the same as the data received. Data or message authentication codes may also be considered.
Encryption (Addressable): Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate. There may be situations where EPHI being transmitted from the practice would be at significant risk of being accessed by unauthorized entities. Where risk analysis shows such risk to be significant, a covered entity must encrypt those transmissions under the addressable implementation specification for encryption.
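The Integrity standard above calls for a mechanism that corroborates that ePHI has not been altered, and the Integrity controls specification mentions message authentication codes for data in transit. The following is an added example, not part of this manual or of SAW LLC’s systems, showing how a keyed message authentication code (HMAC-SHA256 from the Python standard library) serves both purposes: the sender or storing system attaches a tag, and any later modification of the record, or an attempt to verify with a different key, is detected. The record fields and the demo key are constructed for illustration. It also shows why an unkeyed hash stored alongside the data is not sufficient on its own: whoever can change the record can also recompute that hash.

```python
import hashlib
import hmac
import json

# Constructed demo key. In a real deployment the key is held in a key store
# or HSM and never appears in source code.
DEMO_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def canonical(record: dict) -> bytes:
    """Deterministic serialization so equal records always yield equal tags."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record: dict, key: bytes) -> dict:
    """Attach an HMAC-SHA256 tag computed over the canonical record."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "mac": tag}


def check(envelope: dict, key: bytes) -> bool:
    """Recompute the tag with the verifier's key and compare in constant time."""
    expected = hmac.new(key, canonical(envelope["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["mac"])


def plain_hash(record: dict) -> str:
    """Unkeyed SHA-256: detects accidental corruption, not deliberate change."""
    return hashlib.sha256(canonical(record)).hexdigest()


def demo() -> dict:
    # Constructed sample ePHI record (not real patient data).
    record = {"patient_id": "P-0001", "diagnosis_code": "J45.20", "visit": "2024-01-15"}
    envelope = seal(record, DEMO_KEY)
    results = {"valid": check(envelope, DEMO_KEY)}

    # Record modified after sealing (in storage or in transit); tag no longer matches.
    altered = {"record": {**record, "diagnosis_code": "Z00.00"}, "mac": envelope["mac"]}
    results["altered_detected"] = not check(altered, DEMO_KEY)

    # A verifier holding a different key must reject the tag.
    results["wrong_key_rejected"] = not check(envelope, b"\x01" * 32)

    # With an unkeyed hash, the modified record can simply be re-hashed, so the
    # "integrity check" passes even though the content changed.
    rehashed = {"record": altered["record"], "hash": plain_hash(altered["record"])}
    results["plain_hash_recomputable"] = plain_hash(rehashed["record"]) == rehashed["hash"]
    return results


if __name__ == "__main__":
    print(demo())
```

The key must be shared only with the parties entitled to verify; for transmission that is the sender and receiver, for storage it is the system that later reads the record back. Encryption (the next specification) is a separate control: an HMAC proves the record is unchanged but does not hide its contents.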
INFORMATION SYSTEMS ACCESS POLICY
REFERENCE: HIPAA SECURITY §164.312
PURPOSE:
This policy defines the requirements that SAW LLC must take to protect SAW LLC information and information systems from unauthorized use and/or disclosure. This policy applies to all users of SAW LLC information systems and information, and all users must be familiar with and comply with this policy as well as with the Confidentiality and Non-Disclosure Agreement and sign an Acknowledgment Form that they will do so.
POLICY:
General
- Only authorized users are granted access to SAW LLC’s information systems and related information. Access levels are defined based on job responsibilities, and as such, specific roles and access levels have been established. This role-based access is granted following the principle of “least privilege.”
- All users must access information and information systems with an assigned, unique login ID established by SAW LLC. Users are not permitted to use another user’s credentials, or allow another user to use theirs.
- This policy applies to all computer and/or information systems owned or operated by SAW LLC. Additionally, this policy applies to all platforms, operating systems, and/or applications owned or leased by SAW LLC.
- In addition to using their unique login ID, the identity of any user that accesses SAW LLC’s information systems must be authenticated by utilizing at least one of the following: biometric identification, password, personal identification number, telephone callback procedure, or one-time password
- Access to systems and/or applications shall not be granted without appropriate authorization. User access is to be immediately revoked if the individual has been terminated. If the user’s job responsibilities have changed as a result of a transfer or new role within SAW LLC, the user’s access rights will be changed appropriately.
- All users shall be required to sign the “Staff Member Confidentiality and Non-Disclosure Agreement” prior to receiving any access
- In accordance with the nature of the data stored or processed, access to confidential systems will, where feasible, be logged and audited in a manner that allows the following information to be tracked: access date and time, login ID, method of access, and any sensitive or privileged commands that were executed.
- Audit trails shall be backed up and stored, and must not be accessible, modifiable, or readable by unauthorized users.
- All passwords are to be stored and strictly controlled using either physical security or information security controls.
- All programs, networks, and applications, whether developed internally or purchased from a third party, must be password protected.
- All systems require a valid, unique, and assigned login ID and password.
- All system access levels and login IDs shall be reviewed periodically. All obsolete access shall be removed.
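The Audit Controls standard requires mechanisms that record and examine activity, and the bullets above require access logs carrying the date and time, login ID, access method and privileged commands, stored so they cannot be modified by unauthorized parties. The following is an added example, not part of this manual or of SAW LLC’s systems, of one way to make such a log tamper-evident: each entry’s SHA-256 hash covers its own fields and the previous entry’s hash, so altering or deleting any earlier record breaks the chain and a routine audit can locate the first bad entry. The field names, the `GENESIS` constant and the sample events are constructed for illustration.

```python
import hashlib
import json
from typing import List, Optional, Tuple

# Previous-hash value used for the first entry (constructed convention).
GENESIS = "0" * 64


def _digest(payload: dict, prev_hash: str) -> str:
    """Hash the entry's fields together with the previous entry's hash."""
    material = json.dumps(payload, sort_keys=True, separators=(",", ":")) + prev_hash
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


class AccessAuditLog:
    """Append-only access log whose entries are chained by SHA-256."""

    # The fields the policy above requires for each access record.
    REQUIRED = ("timestamp", "login_id", "method", "command")

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, timestamp: str, login_id: str, method: str, command: str = "") -> str:
        payload = {"timestamp": timestamp, "login_id": login_id, "method": method, "command": command}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {**payload, "prev_hash": prev, "hash": _digest(payload, prev)}
        self.entries.append(entry)
        return entry["hash"]  # the head hash, to be anchored in a separate store

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Return (True, None) if the chain is intact, else (False, index of first bad entry)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            payload = {k: entry[k] for k in self.REQUIRED}
            if entry["prev_hash"] != prev or entry["hash"] != _digest(payload, prev):
                return False, i
            prev = entry["hash"]
        return True, None


def demo() -> dict:
    log = AccessAuditLog()
    # Constructed sample events (not real users or records).
    log.append("2024-01-15T08:02:11Z", "jdoe", "password", "OPEN patient/10442")
    log.append("2024-01-15T08:05:40Z", "jdoe", "password", "EXPORT patient/10442")
    log.append("2024-01-15T08:07:02Z", "admin", "smartcard", "GRANT role=billing user=jdoe")
    intact = log.verify()

    # An after-the-fact edit that rewrites the export as a plain read is detected
    # at entry 1, because its stored hash no longer matches its content.
    log.entries[1]["command"] = "OPEN patient/10442"
    tampered = log.verify()

    # Removing the entry instead is detected at the same position, because the
    # following entry still points at the hash of the record that was removed.
    del log.entries[1]
    deleted = log.verify()
    return {"intact": intact, "tampered": tampered, "deleted": deleted}


if __name__ == "__main__":
    print(demo())
```

The chain only proves something if the most recent head hash is anchored somewhere the log writer cannot alter, for example a write-once backup or a separate system, which is what the backup and access-restriction requirement in the bullets above provides; the periodic review of access levels is a natural point at which to run the verification.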
Failure To Comply
Failure to comply with this policy shall result in disciplinary action up to and including termination.
Users are prohibited from gaining unauthorized access to any information or information system in any way that damages, alters, or otherwise disrupts the operations of these systems.
EPHI MOVEMENT POLICY
REFERENCE: HIPAA SECURITY §164.312
PURPOSE:
SAW LLC will log and track the movement of SAW LLC’s hardware and electronic media on which ePHI is stored into, out of, and within its facilities. SAW LLC will hold its workforce members accountable for such movement.
This accountability policy is a reflection of SAW LLC’s commitment to establishing and maintaining a complete, accurate and up-to-date inventory of hardware and electronic media on which electronic protected health information (ePHI) is stored; logging and tracking the movement of SAW LLC’s hardware and electronic media; and holding SAW LLC workforce members accountable for such movement. “ePHI” means electronic protected health information that SAW LLC receives, maintains or transmits.
This policy complies with the HIPAA Security Regulation, under the Physical Safeguards, Implementation Specification for Device and Media Controls Standard, section 45 C.F.R. 164.310(d)(2)(iii), which states that SAW LLC must, “Maintain a record of the movements of hardware and electronic media and any person responsible therefore.”
POLICY:
- SAW LLC has established and maintains a complete, accurate and up-to-date inventory of hardware and electronic media on which ePHI is stored and uses that inventory to log and track the movement of SAW LLC’s hardware and electronic media on which ePHI is stored. SAW LLC’s Privacy Officer takes reasonable steps to ensure that all such movement is promptly and accurately logged and tracked in accordance with SAW LLC’s documented procedure.
- Hardware and electronic media on which ePHI is stored that is logged and tracked pursuant to this Policy includes:
- Computers (desktops, laptops)
- Floppy disks
- Backup tapes
- CD-ROMs
- Zip drives, USB drives
- Portable hard drives
- PDAs
- The Privacy Officer and/or designee must maintain a record of the inventory of hardware and electronic media, and document the movement of such hardware and electronic media.
- SAW LLC workforce members who move hardware or electronic media on which ePHI is stored into, out of, and within SAW LLC’s facilities must follow SAW LLC’s ePHI Movement Procedures and Guidelines, are responsible for the use of the ePHI, and are required to take reasonable steps to ensure that the ePHI is protected against damage, theft and unauthorized access.
POLICY AUTHORITY/ENFORCEMENT
The SAW LLC Privacy Officer has general responsibility for implementation of this policy, as well as the standards defined or implied by this policy. Members of our SAW LLC staff who violate this policy will be subject to disciplinary action in accordance with the Information Security Disciplinary Policy, up to and including termination of employment or contract with SAW LLC.
Anyone who knows or has reason to believe that another person has violated this policy should report the matter promptly in accordance with applicable policy and procedure. All reported matters will be investigated, and, where appropriate, steps will be taken to remedy the situation. Where possible, SAW LLC will make every effort to handle the reported matter confidentially. Any attempt to retaliate against a person for reporting a violation of this policy will itself be considered a violation of this policy that may result in disciplinary action up to and including termination of employment, contract or medical staff privileges with SAW LLC.
EXCEPTIONS:
Exceptions to this policy can be made with written approval of the Privacy Officer.
REVIEW OF POLICY
In the event that a significant regulatory change occurs, the policy will be reviewed and updated as needed. The policy will be reviewed periodically to determine its effectiveness in complying with the HIPAA Security Regulations, as well as meeting business needs.
Please refer to the “Forms” section to find the “Sources of EPHI” form.
MOBILE DEVICE REQUIREMENTS POLICY
REFERENCE: HIPAA SECURITY §164.312
PURPOSE
The following requirements concerning SAW LLC laptops, tablets, notebooks, or any other device that falls within the category of portable computing or data storage device, are designed to allow appropriate usage of this technology while minimizing the security exposures that these devices can bring. Without the implementation of the requirements, damages could include the loss of confidential data, intellectual property, or damage to SAW LLC systems. All users who use this type of device must agree to these requirements.
POLICY
General Requirements
- Devices that are allowed to access SAW LLC information on or connect to SAW LLC network(s) or system(s) containing confidential data are N/A
- Devices may not be shared or used by other individuals, including household members.
- Protection of User ID and Password: At no time may any SAW LLC user provide their SAW LLC login credentials to anyone, including family members or other office staff. Users must not post or display their login credentials in any way on the device with sticky notes, taped notes, or any other affixed message, or keep login credentials stored in the same location as the device.
- Storage of Device: Devices must be kept secured, never unattended, and must remain with the assigned user at all times as is reasonably possible. Devices may not be left in vehicles, or in other places where the risk of theft is increased.
- Loss or Theft of Device: If a device is lost, stolen, or otherwise missing, the New England Dental, LLC Privacy Officer must be notified immediately as defined in the Security Incident Response and Reporting Policy and Procedure.
- Connecting to networks with portable devices: Only approved connections and methodologies may be used to connect to the SAW LLC network, and authorization must be obtained through the
- Connecting to SAW LLC Remotely: It is the responsibility of any user who connects to the SAW LLC network remotely to ensure that all of the same security requirements are applied in accordance with SAW LLC’s Remote Access Requirements and Acceptance. The same security measures must be applied at the remote location that would be applied while at a SAW LLC location.
The policy for connecting to SAW LLC system remotely is as follows:
N/A
- Use with Wireless networks: If the device will be connected to any type of wireless network or connection, prior approval must be obtained through SAW LLC Information Security so that appropriate wireless protocols can be implemented. Connecting to wireless networks without prior permission is expressly prohibited.
- Connection to other networks: The user may connect to their internet provider with the device only for the purpose of connecting with a SAW LLC network. The device cannot be used to connect to non-SAW LLC networks, or used to connect to external email providers.
- Idle Sessions: Users must ensure that active remote sessions are not left unattended, thereby preventing non-SAW LLC users from accessing them.
- Software Installation: All SAW LLC devices must have only SAW LLC approved software installed. Users may not remove or install any software. Users are not permitted to disable the Anti-Virus software that has been installed.
- All SAW LLC devices must connect locally to the SAW LLC network on a regular basis to ensure that any software or program updates are applied.
- Transferring data to personal computing devices: SAW LLC sensitive data and ePHI may not be stored on personal or “non-SAW LLC” devices without written approval of SAW LLC Information Security.
- Device Inspections: All SAW LLC devices must be subject to examination by authorized SAW LLC staff on a periodic basis, but not less than once. The inspections can be done at a SAW LLC location, or can be performed remotely by a SAW LLC authorized third party. The user’s department must coordinate the inspection with Information Technology and pay any fees associated with third party vendors.
- Storage of Information on hard drive: Users may not save, store, or copy any sensitive data including ePHI to the hard drive of the laptop unless it has been specifically authorized by SAW LLC Information Security. Where approval has been granted for ePHI or sensitive data storage on the device, SAW LLC approved encryption is required.
- Device Tracking Log: The Security Officer must maintain a tracking log of all devices that store ePHI. This log must include the device serial number, the assigned user, and the location of the device. These logs must be made available to IT upon request and are subject to periodic audit.
- User responsibility for device: If the device is missing, stolen or misused because the user has not complied with these guidelines, the SAW LLC user who was issued the device bears responsibility for the consequences; disciplinary actions and fines could result.
REMOTE ACCESS REQUIREMENTS POLICY
REFERENCE: HIPAA SECURITY §164.312
PURPOSE
The purpose of this document is to define standards for connecting to SAW LLC networks remotely from any location. These standards are designed to minimize potential security exposures while connecting to SAW LLC networks remotely. Damages could include the loss of confidential data or intellectual property, or damage to SAW LLC systems. These guidelines apply to any user that possesses a SAW LLC device or a personally owned device used to connect to the SAW LLC network from an external location.
POLICY
General Requirements
- Before any user connects remotely, authorization must be granted through the
- Only approved connections and methodologies may be used to connect to the SAW LLC network.
- It is the responsibility of any user who connects remotely to ensure that all of the same security requirements in accordance with SAW LLC Security Policy are applied at the remote location that would be applied while at a SAW LLC location.
- All SAW LLC-related data received, transmitted, or displayed must be kept confidential and only used for approved business purposes.
- SAW LLC users with remote privileges to the SAW LLC network must not use non-SAW LLC email accounts or other external resources to conduct SAW LLC business, thereby ensuring that official business is never confused with personal business.
- The SAW LLC user bears responsibility for the consequences should access be misused.
- SAW LLC applications that run on the SAW LLC network, other than “Web-Based” applications, generally require a SAW LLC device to remotely connect to and access those applications.
SAW LLC Owned Device Requirements – Required for SAW LLC applications which are not “web based”
- All SAW LLC-owned devices are to be used for SAW LLC business use only, in accordance with the SAW LLC Acceptable Use of Information Policy (found within this manual) and any applicable Information Security policies.
- SAW LLC devices may not be shared with or used by other individuals, including household members.
- At no time should any SAW LLC user provide their practice login credentials to anyone, including family members or other office staff.
- SAW LLC devices may only connect to a SAW LLC network through the user’s Internet provider, and may not be used to connect to non-SAW LLC networks or to external email providers.
- All SAW LLC devices must have only SAW LLC-approved software installed. Users may not remove or install any software.
- Users are not permitted to disable the anti-virus software that has been installed.
- Users must ensure that active remote sessions are not left unattended, thereby preventing non-SAW LLC users from accessing SAW LLC systems.
- All SAW LLC devices are subject to audit at any time, so no right of privacy is implied.
- All SAW LLC devices must be subject to examination by authorized SAW LLC staff on a periodic basis, but not less than once every quarter. The inspections can be done at a SAW LLC location or can be performed remotely by a SAW LLC-authorized third party. The user’s supervisor must coordinate the inspection with Information Technology. There may be fees associated with third-party vendors.
Personally Owned Device Requirements – Can be used for applications which are “web based”:
- All personal devices connected to any SAW LLC network are to be used for SAW LLC business use only while connected to a SAW LLC network, in accordance with the SAW LLC Acceptable Use of Information Policy and any other applicable SAW LLC Security Policies.
- Personal devices used to connect to SAW LLC resources may not connect to other services while connected to any SAW LLC network; this includes external email services.
- Personal devices will only have the ability to connect to SAW LLC applications that have been web-enabled unless specifically authorized.
- SAW LLC Users are not permitted to save or copy any SAW LLC data to a personal device. This includes email messages.
- Wireless networks may not be used while connecting to the SAW LLC network unless prior approval has been granted, and wireless encryption must be enabled before conducting SAW LLC business, since wireless networking carries a number of inherent security risks.
- Personal devices must not be left unattended while connected to SAW LLC networks.
- SAW LLC bears no responsibility for device malfunctions or failures on personal devices.
- SAW LLC Users are not permitted to share SAW LLC login credentials with anyone, including household members.
- All SAW LLC users are required to follow the terms of this Policy as well as all other SAW LLC security policies while working remotely, even if connected with a personal device.
ACCEPTABLE USE OF INFORMATION POLICY
REFERENCE: HIPAA SECURITY §164.312
PURPOSE:
SAW LLC relies on its information and Information Technology Resources (Resources) to support its business processes. To ensure that its Resources are used properly by its employees, independent contractors, agents, and other Users, SAW LLC has implemented this Acceptable Use of Information Policy (AUIP).
POLICY:
Compliance
- This Policy applies to all Users of SAW LLC’s Resources, wherever they may be located. It is each User’s duty to use SAW LLC’s Resources responsibly, professionally, ethically, and lawfully. Each User who is not specifically covered in this AUIP (e.g., affiliates, vendors, contractors, etc.) will also be required to sign, in order to obtain access to the Environment, the Acceptable Use of Information Policy Acknowledgment form verifying that he or she has read, understands, and agrees to follow this Acceptable Use of Information Policy.
- Each User is responsible for the security of the Information Technology Environment. A User should notify the SAW LLC IT Security Office if he or she feels that security may have been compromised in any way. Users responsible for implementing new applications, services, or hardware should coordinate activities with SAW LLC IT Security personnel to determine whether the new application, service, or hardware complies with the previously defined SAW LLC security architecture.
- Any violation of this Policy may lead to disciplinary action, which will be based on the severity and context of the violation and shall be in accordance with existing SAW LLC policies and/or appropriate legal requirements. Disciplinary action may include, without limitation, verbal or written reprimand, suspension or termination of employment, and/or appropriate legal action. The SAW LLC Security Officer or any designee may deny or revoke access privileges if there is a reasonable belief that a violation has occurred. Access privileges may be restored only after consultation between the Security Officer and SAW LLC Management and/or SAW LLC Senior Management personnel.
- The policies stated in this AUIP are intended as guidelines only for SAW LLC Resource use. The language should not be construed as creating a contract of employment, express or implied, between SAW LLC and any SAW LLC employee. Unless SAW LLC employees have a written employment contract, either the employee or SAW LLC may terminate the employment relationship at any time, for any reason, with or without cause. In addition, no provision of this AUIP shall create an employer-employee relationship between SAW LLC and any User who is not a SAW LLC employee, such as an affiliate contractor, third-party vendor, or other User of SAW LLC Resources who is not a SAW LLC employee.
- SAW LLC reserves the right to add, delete, or revise any provision of the AUIP or any Information Security Policy at any time, without prior notice to Users.
- Users shall adhere to SAW LLC retention and destruction schedules for all electronic files, including e-mails, electronic documents and records, and other electronic information.
Acceptable Use of Information Procedures
- No Expectation of Privacy. SAW LLC Resources and User accounts are issued to Users to assist them in the performance of their jobs and, as such, remain the property of SAW LLC. Users do not have an expectation of privacy in anything they create, store, send, or receive on SAW LLC Resources. Resources belong to SAW LLC and are to be used solely for the purpose of SAW LLC business, the User’s usual duties, and/or other purposes authorized by management.
- Waiver of Privacy Rights. Users expressly waive any right of privacy in anything they create, store, send, or receive on SAW LLC Resources, through the Internet or any other SAW LLC Resource. Users consent to allowing authorized SAW LLC IT Services personnel to access and review all materials Users create, store, send, or receive on SAW LLC Resources. SAW LLC may, but is not obligated to, use human or automated means to monitor use of its Resources.
- No Privacy in Electronic Communications. Users must never consider electronic communications to be either private or secure. E-mail could potentially be stored indefinitely on any number of SAW LLC Resources as well as non-SAW LLC resources. Copies of your message may be forwarded to others electronically or on paper. In addition, e-mail sent to nonexistent or incorrect usernames may be delivered to the wrong person(s).
Prohibited Activities
- Inappropriate or Unlawful Material. Material that is fraudulent, harassing, embarrassing, sexually explicit, profane, obscene, intimidating, defamatory, or otherwise unlawful or inappropriate may not be sent by e-mail, electronic text message, or any other form of electronic communication (such as bulletin board systems, newsgroups, or chat groups), or displayed on or stored in any SAW LLC Resource. Users encountering or receiving this kind of material should immediately report the incident to the Security Officer.
- Disclaimer of Liability for Internet Use. The Internet is a worldwide network of computers that contains millions of pages of information, some of which may contain offensive or inappropriate material. SAW LLC has implemented Internet blocking software to restrict access to inappropriate Internet sites. In the event Users nonetheless encounter inappropriate material on the Internet, Users should immediately disconnect from the site and report the site to the practice. SAW LLC is not responsible for material viewed by Users on the Internet. In addition, posting your e-mail address on the Internet may lead to receipt of unsolicited e-mail containing offensive content. Users accessing the Internet do so at their own risk.
- Prohibited Uses. SAW LLC Resources may not be used for dissemination or storage of commercial or personal advertisements, solicitations, promotions, destructive programs (viruses), political material, or any other use prohibited by this Policy.
- Waste of IT Resources. Users may not perform acts that waste SAW LLC Resources or unfairly monopolize SAW LLC Resources to the exclusion of other Users. These acts include, but are not limited to: sending non-business-related mass distribution e-mails or chain letters; subscribing to non-business-related mailing lists; spending excessive amounts of time on the Internet; social networking; playing non-business-related computer games, music, or video; or otherwise creating unnecessary network traffic.
- Communication of Confidential Information. Unless expressly authorized by SAW LLC Senior Management, sending, transmitting, or otherwise disseminating proprietary data, trade secrets, or other confidential information, including medical records and/or patient data, is strictly prohibited. Always keep in mind that e-mail and the Internet are public methods of communication. When you send information via e-mail or make it available on the Internet, there is always a possibility that the information will be viewed by unauthorized individuals. This type of information is a valuable asset of the company, and each of us must make sure that it is protected from unauthorized disclosure.
- Altering Identity (Spoofing). Users may not alter the “From:” line or other attribution-of-origin information in e-mail, messages, or postings. Anonymous or pseudonymous electronic communication is forbidden. Users must identify themselves honestly and accurately when sending e-mail.
- Personal Use. Any use of SAW LLC Resources not approved by SAW LLC IT Management is prohibited. SAW LLC management is aware that personal communications between SAW LLC coworkers and external contacts do occur, as well as some limited personal use. Management expects Users to keep such communications and personal use to a minimum. Excessive or abusive volumes of personal communications, activities of a personal nature that tie up resources or employees, or activities that violate any other provision of this agreement are expressly prohibited. Users are reminded that there is no expectation of privacy when using SAW LLC Systems.
- Software and Copyright Violations. The distribution, retrieval, or reproduction of any material without the permission of the copyright holder is expressly prohibited. The import or installation of any software which has not been properly authorized and purchased by SAW LLC IT management is expressly prohibited. No User may modify, revise, transform, adapt, disassemble, decompile, or otherwise alter any software licensed to SAW LLC without prior written authorization from SAW LLC.
- No Forwarding. Some information that is transmitted via electronic communications is intended for specific individuals and therefore should not be shared with others. Users should exercise caution when forwarding communications to other SAW LLC users. SAW LLC information that is sensitive in nature may not be forwarded to external parties without the express permission of senior management. SAW LLC e-mail users are prohibited from modifying the settings of their e-mail account or otherwise causing e-mail received by them to be automatically forwarded to a non-SAW LLC e-mail address.
Logins and Passwords
- Login Account. A unique login account consisting of a User ID and password (see D-2, D-3, D-4) is required for each User of the IT Environment. Users are responsible for all transactions made using their User ID. No User may access SAW LLC Resources using another User’s account. All Users are expected to log off the workstation when they are away from their work area for extended periods of time. All Users are required to log off at the end of each day before they leave. Users may not disguise their identity while using any SAW LLC Resource.
- Responsibility for Passwords. Users are responsible for safeguarding their passwords for access to SAW LLC Resources. Individual passwords should not be printed, stored online, shared, or given to others. Users are prohibited from using or disclosing another User’s password.
- Password Requirements. Passwords should be obscure and a minimum of six characters in length. Passwords must include uppercase, lowercase, and numerical characters. The use of special characters (e.g. “@”, “!”, “&”, “%”), if supported, is strongly suggested.
- Passwords do not Imply Privacy. Use of passwords to gain access to SAW LLC Resources does not imply that Users have an expectation of privacy in the material they create or receive on SAW LLC Resources. SAW LLC has the right to inspect, read, and/or print, without prior notice, all material stored on SAW LLC Resources.
- Disclosure of Information. All information accessed by Users of SAW LLC systems is to be kept confidential, and only discussed or shared with another User who has been properly authorized to view the information as part of his or her job responsibilities. Information is stored with the expectation that it will only be used or accessed by authorized persons.
Security
- Physical Security. Users shall take all reasonable and prudent measures to physically secure all SAW LLC Resources. Users shall not attempt to circumvent any system that secures SAW LLC Resources or its components.
- Accessing Other Computers and Networks. A User’s ability to connect to other computers or networks does not imply a right to connect to those systems or to make use of those systems unless specifically authorized by the operators of those systems. Users should not view any information without proper authorization.
- Computer Security. Each User is responsible for ensuring that the use of external computers and networks, such as the Internet, does not compromise the security of the SAW LLC Environment. This duty includes preventing intruders from accessing the SAW LLC Network without authorization and taking reasonable precautions to avoid the introduction and spread of viruses, malware, and other harmful software.
- Information Technology Network. Users shall not connect to the SAW LLC Network by any means other than those specifically defined by SAW LLC IT personnel. Personally owned computers should not be connected to the SAW LLC network without prior approval of SAW LLC IT personnel. Users shall not disable SAW LLC Resource functions (passwords, virus scan, distribution software, audit trails) implemented by SAW LLC IT Services.
- Monitoring. Monitoring includes, without limitation, reviewing Internet sites visited, reviewing material downloaded/uploaded by Users to/from the Internet, and reviewing e-mail sent and received by Users. This may be done at any time and without prior notice to Users. Reasons for review include, but are not limited to, preventing or investigating allegations of abuse, assuring compliance with copyright laws, or complying with legal or regulatory requests for information.
- Circumventing Established Security. Users may not attempt to circumvent SAW LLC’s data protection measures or attempt to uncover security loopholes. Users may not gain or attempt to gain unauthorized access to restricted areas or files on SAW LLC Resources. Users should not tamper with any software protections or restrictions placed on computer applications, files, or directories.
- Users sending e-mail containing Protected Health Information (PHI), as defined by HIPAA and HITECH, or other confidential or sensitive information such as business plans or budgets to non-SAW LLC e-mail addresses must encrypt the e-mail message. Encryption instructions may be found on the SAW LLC Intranet under the ‘Links’ – ‘Job Aids’ section.
- Sending E-mail to Verified Addresses. You must verify that the e-mail address to which you are sending SAW LLC information is correct. Patient information should be sent only to verified business addresses and not to personal addresses (e.g. @Hotmail.com, @gmail.com, @AOL.com) unless otherwise authorized by SAW LLC Management. It is generally safer to ‘reply to’ an address rather than typing the address yourself.
Malware
Malware Detection. Malware can cause substantial damage to computer systems. Each User is responsible for taking reasonable precautions to ensure he or she does not introduce malware into the SAW LLC Environment. To that end, Users should not disable malware protection software installed on SAW LLC Resources. Users should comply with malware software update announcements as required, and report suspected malware activity to SAW LLC IT personnel as soon as possible.
When Malware is detected: N/A
Voicemail
- Voicemail Setup. Once training is attended, each User should record an internal and external greeting in accordance with the guidelines presented in training. Users should also change the voicemail password from the system default.
- Voicemail Confidentiality. Users should be cautious when including confidential information in voicemail messages. Users should take care not to play voicemail over speakerphones where other employees might overhear inappropriate information.
Intellectual Property Rights
Any information developed or compiled by the User, including documents such as writings, diagrams, spreadsheets, and databases, regardless of form, and any invention, discovery, development, modification, system, program, or design that results from the User’s use of the SAW LLC Environment shall be the exclusive property of SAW LLC.
Malicious Destruction of SAW LLC Software/Hardware
SAW LLC has considerable investments in software and hardware to provide the environment needed by its employees. Users shall not maliciously destroy or otherwise damage or delete any software licensed to or owned by SAW LLC, or any hardware owned, leased, or otherwise in the possession of SAW LLC. Any such damage or destruction shall subject the User to disciplinary action under this Policy. In addition, SAW LLC reserves the right to seek compensation through legal action for any damages maliciously caused by the User.
Attorney-client Communications
E-mail sent to or from in-house counsel or an attorney representing SAW LLC should include this warning: “ATTORNEY-CLIENT PRIVILEGED. DO NOT FORWARD WITHOUT PERMISSION.” Users who receive communication from counsel should not forward such communication without the permission of counsel. Users are reminded that e-mail should not be considered a secure means of communication.
Incident Response
Users must immediately report to the Security Officer or his or her designee any suspected or confirmed security incident. This includes, but is not limited to, a computer virus, breach of security, security weakness, loss or disclosure of data, or any unauthorized access to or use of data. Users should not discuss the specifics of a security problem with anyone else except the Security Officer or other designee, unless specifically authorized to do so. Additionally, Users must take no independent action unless expressly authorized to do so and should not attempt to remedy the situation themselves.
Exceptions
Exceptions to this Policy can be made with written approval of both the Security Officer and SAW LLC Management.
Termination
Upon termination of employment, or any other termination of access rights, all programs, files, hardware or any other data defined as intellectual property, must be returned to SAW LLC, and any further access to SAW LLC systems is strictly prohibited.
Acceptable Use of Information Policy Acknowledgement
By my signature below, I attest that I have read and understand the above policies regarding acceptable use of information.
User’s Signature: Witness Signature:
Appendix: State Laws and Preemption
STATE LAWS AND PREEMPTION TO FEDERAL HIPAA
Most states have their own laws regarding the confidentiality of individual health care information. The HIPAA Privacy Rule and Section 13421 of the HITECH Act (Subtitle D, Privacy; Part 2, Relationship to Other Laws; Regulatory References; Effective Date; Reports) address state preemption.
The following Questions and Answers were obtained directly from the U.S. Department of Health & Human Services, current as of April, 2013.
QUESTION:
How does the HIPAA Privacy Rule reduce the potential for conflict with State laws?
(http://www.hhs.gov/ocr/privacy/hipaa/faq/preemption_of_state_law/401.html)
ANSWER:
The Privacy Rule is designed to minimize conflicts between Federal requirements and those of State law in the following ways:
The Privacy Rule establishes a floor of Federal privacy protections and individual rights with respect to individually identifiable health information held by covered entities and their business associates. Covered entities may provide greater privacy rights to individuals and greater protections on such information. In addition, covered entities may comply with State laws that provide greater protections for individually identifiable health information and greater privacy rights for individuals.
The Privacy Rule permits a covered entity to use or disclose protected health information if a State law requires the use or disclosure. See 45 C.F.R. 164.512(a).
The Privacy Rule permits a covered entity to disclose protected health information to a public health authority who is authorized by law to collect such information for the purposes of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions. (See 45 C.F.R. 164.512(b) for all of the public health disclosures permitted by the Privacy Rule.) Thus, State laws that provide for the reporting of disease or injury, child abuse, birth or death, or for the conduct of public health surveillance, investigation, or intervention, likely will not conflict with the Privacy Rule. In the unusual case where there is a conflict, the State law would stand. See 45 C.F.R. 160.203(c).
Because the Administrative Simplification Rules themselves exempt such State laws from preemption, a request for the Department of Health and Human Services (HHS) to issue a preemption exception determination is unnecessary and inappropriate.
The Privacy Rule permits a covered entity to disclose protected health information to a health oversight agency for oversight activities authorized by law, such as audits and licensure activities. See 45 C.F.R. 164.512(d). Thus, State laws that provide for certain health plan reporting for the purpose of management or financial audits, program monitoring and evaluation, or the licensure or certification of facilities or individuals, likely will not conflict with the Privacy Rule. In the unusual case where there is a conflict, the State law would stand. See 45 C.F.R. 160.203(d). Because the Administrative Simplification Rules themselves exempt such State laws from preemption, a request for the Department of Health and Human Services (HHS) to issue a preemption exception determination is unnecessary and inappropriate.
QUESTION:
How do I know if a State law is “contrary” to the HIPAA Privacy Rule?
(http://www.hhs.gov/ocr/privacy/hipaa/faq/preemption_of_state_law/402.html)
ANSWER:
A State law is “contrary” to the HIPAA Privacy Rule if it would be impossible for a covered entity to comply with both the State law and the Federal Privacy Rule requirements, or if the State law is an obstacle to accomplishing the full purposes and objectives of the Administrative Simplification provisions of HIPAA. See the definition of “contrary” at 45 C.F.R. 160.202.
For example, a State law that prohibits the disclosure of protected health information to an individual who is the subject of the information may be contrary to the Privacy Rule, which requires the disclosure of protected health information to an individual in certain circumstances. With certain exceptions, the Privacy Rule preempts “contrary” State laws. See 45 C.F.R. Part 160, Subpart B.
QUESTION:
Does the HIPAA Privacy Rule preempt state laws?
(http://www.hhs.gov/ocr/privacy/hipaa/faq/preemption_of_state_law/399.html)
ANSWER:
The HIPAA Privacy Rule provides a federal floor of privacy protections for individuals’ individually identifiable health information where that information is held by a covered entity or by a business associate of the covered entity. State laws that are contrary to the Privacy Rule are preempted by the federal requirements, unless a specific exception applies. These exceptions include if the state law:
- Relates to the privacy of individually identifiable health information and provides greater privacy protections or privacy rights with respect to such information,
- Provides for the reporting of disease or injury, child abuse, birth, or death, or for public health surveillance, investigation, or intervention, or
- Requires certain health plan reporting, such as for management or financial audits. In these circumstances, a covered entity is not required to comply with a contrary provision of the Privacy Rule.
In addition, the Department of Health and Human Services (HHS) may, upon specific request from a state or other entity or person, determine that a provision of state law which is “contrary” to the federal requirements – as defined by the HIPAA Administrative Simplification Rules (see below for definition) – and which meets certain additional criteria, will not be preempted by the federal requirements. Thus, preemption of a contrary state law will not occur if the Secretary or designated HHS official determines, in response to a request, that one of the following criteria applies. The state law:
- Is necessary to prevent fraud and abuse related to the provision of or payment for health care,
- Is necessary to ensure appropriate state regulation of insurance and health plans to the extent expressly authorized by statute or regulation,
- Is necessary for state reporting on health care delivery or costs,
- Is necessary for purposes of serving a compelling public health, safety, or welfare need, and, if a Privacy Rule provision is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or
- Has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances (as defined in 21 U.S.C. 802), or that is deemed a controlled substance by state law.
It is important to recognize that only state laws that are “contrary” to the federal requirements are eligible for an exemption determination.
As defined by the Administrative Simplification Rules, contrary means that it would be impossible for a covered entity to comply with both the state and federal requirements, or that the provision of state law is an obstacle to accomplishing the full purposes and objectives of the Administrative Simplification provisions of HIPAA.
See 45 C.F.R. Part 160, Subpart B, for specific requirements related to preemption of State law.