
FAIRFAX MEDICAL FACILITIES, INC.

HIPAA PRIVACY AND SECURITY POLICIES

TABLE OF CONTENTS (Policy Number and Name)

1 Introduction
2 Definitions
3 Personal Representative – Oklahoma
03 Verification
4 Notice of Privacy Practices
5 Patient Access to Protected Health Information
06 Accounting of Disclosures
07 Communication by Alternative Means
08 Right to Amend Records
09 Right to Request Restriction on Disclosure
10 Privacy Official – Contact Information
11 Privacy Complaint Reporting and Tracking
12 Documentation
13 Non-Retaliation
14 Mitigation
15 Amendment of Privacy Practices and Policies
16 Waiver of Rights
17 Training
18 Sanctions
19 Uses and Disclosures-General
20 Minimum Necessary Rule
21 Treatment, Payment and Health Care Operations
22 Authorizations
23 Mental Health Records
24 Required by Law-Abuse and Neglect Report – Oklahoma Law
25 Required by Law-Court Orders and Subpoenas – Oklahoma
26 Required by Law-Law Enforcement Officials
27 Required by Law-Avert Serious Harm or Threat
28 Required by Law-Special Government Functions
29 Required by Law-Public Health Reporting and Oversight Activities – Oklahoma
30 Required by Law-Workers Compensation – Oklahoma
31 Disclosures to Family and Others Involved in Patient's Care
32 Business Associates
33 Marketing
34 Fundraising
35 Research
36 Limited Data Sets
37 De-Identified Information
38 Breach Notification
39 Security Rule Compliance
40 Administrative Safeguards
41 Physical Safeguards
42 Technical Safeguards
43 Oklahoma Standard Authorization Form-5A
44 Privacy Security Official Form-10
45 Business Associate Agreement Form-31

Fairfax Medical Facilities, Inc. HIPAA Privacy and Security Policies

Subject: Introduction
Page: 1 of 1
Policy #: Policy - 00
Approved: 2011
HIPAA Section:
Revised: 02/2012, 04/2013, 11/2016

I. POLICY

Fairfax Medical Facilities, Inc., a [federally qualified health center or community health center] ("FMFI"), located in Fairfax, Oklahoma, will protect and safeguard the protected health information ("PHI") created, acquired and maintained by FMFI in accordance with the Privacy Regulations and the Security Rule promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996, as amended, including without limitation amendments by the Health Information Technology for Economic and Clinical Health ("HITECH") Act (collectively referred to herein as “HIPAA”) and applicable state laws.

The Policies contained in this manual are intended to (a) establish rules related to the internal and external use and disclosure of PHI; (b) implement the individual rights and administrative requirements set forth in HIPAA; and (c) implement physical, administrative, and technical safeguards to minimize inappropriate access and disclosures of PHI.

These Policies will apply to all PHI collected and maintained by FMFI since April 14, 2003, the date that HIPAA went into effect. The Policies apply to all FMFI personnel.

These Policies apply to all PHI, regardless of the form in which it is created or maintained (i.e., whether oral, written or electronic).

These Policies apply to the PHI of both living and deceased patients.

Introduction 1

Fairfax Medical Facilities, Inc. HIPAA Privacy and Security Policies

Subject: Definitions
Page: 1 of 7
Policy #: Policy - 01
Approved: 2011
HIPAA Section: 164.510(a)
Revised: 02/2012, 04/2013, 11/2016

I. DEFINITIONS

Unless otherwise provided, the definitions set forth below apply to all of the Privacy and Security Policies. Certain terms will be capitalized when used in these Policies to indicate that they have been uniquely defined by FMFI.

1. Business Associate. A person or entity not employed by FMFI that provides certain functions, activities, or services for or on behalf of FMFI that involve the use and/or disclosure of PHI. A business associate may be a covered entity. The definition of a business associate excludes a person who is part of the covered entity’s workforce. 45 C.F.R. § 160.103.

2. FMFI. Fairfax Medical Facilities, Inc., a [federally qualified health center or community health center], located in Fairfax, Oklahoma.

3. FMFI Personnel. Any of the employees, contractors, students or volunteers retained by or providing services at or on behalf of FMFI to provide any administrative, operational or patient care services on its behalf.

4. Correctional Institution. Any penal or correctional facility, jail, reformatory, detention center, work farm, halfway house, or residential community program center operated by, or under contract to, the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, for the confinement or rehabilitation of persons charged with or convicted of a criminal offense or other persons held in lawful custody. 45 C.F.R. § 164.501.

5. Covered Entity. The entities to which the Privacy Regulations apply, which include:

(a) A health plan;

(b) A health care clearinghouse; and

(c) A health care provider who transmits any health information in electronic form in connection with one of the following eleven (11) transactions: (i) health care claims or equivalent encounter information; (ii) health care payment and remittance advice; (iii) coordination of benefits; (iv) health care claims status; (v) enrollment and disenrollment in a health plan; (vi) eligibility for a health plan; (vii) health plan premium payments; (viii) referral certification and authorization; (ix) first report of injury; (x) health claims attachments; and (xi) other transactions that the Secretary of DHHS may prescribe by regulation. 45 C.F.R. § 160.103.

6. Covered Functions. Those functions of a covered entity the performance of which makes the entity a health care provider. 45 C.F.R. § 160.103.

7. Designated Record Set. A group of records maintained by or for FMFI that includes the medical and billing records about individuals or that are used, in whole or in part, by FMFI personnel to make decisions about individuals, regardless of who originally created the information. A designated record set does not include: (a) duplicate information maintained in other systems; (b) data collected and maintained for research; (c) data collected and maintained for peer review purposes; (d) psychotherapy notes; (e) information compiled in reasonable anticipation of litigation or administrative action; (f) employment records; (g) student records; and (h) source data interpreted or summarized in the individual's medical record (example: pathology slide and diagnostic film).

8. Disclose or Disclosure. The release, transfer, provision of access to, or divulging in any other manner of information outside FMFI. 45 CFR § 164.501.

9. Direct Treatment Relationship. A treatment relationship between an individual and a health care provider that is not an indirect treatment relationship. 45 CFR § 164.501. An indirect treatment relationship means a relationship between an individual and a health care provider in which: (a) the health care provider delivers health care to the individual based on the orders of another health care provider; and (b) the health care provider typically provides services or products, or reports the diagnosis or results associated with the health care, directly to another health care provider, who provides the services or products or reports to the individual.

10. Electronic Health Record or EHR. An electronic record of health-related information pertaining to an individual that is created, gathered, managed, and consulted by authorized health care personnel.

11. Electronic Protected Health Information or ePHI. The subset of protected health information (or "PHI"), as defined below, that is transmitted by, or maintained in, electronic media or form (often referred to as "ePHI"). Both PHI and ePHI are collectively referred to herein as PHI.


12. Health Care. Care, services, or supplies related to the health of an individual. Health care includes, but is not limited to, the following:

(a) Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and

(b) Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription. 45 C.F.R. § 160.103.

13. Health Care Operations. Any of the following activities of FMFI to the extent that the activities are related to covered functions:

(a) Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of FMFI personnel and patients with information about treatment alternatives; and related functions that do not include treatment;

(b) Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as FMFI personnel, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;

(c) Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;

(d) Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating FMFI; and

(e) Business management and general administrative activities of FMFI, including, but not limited to: (i) management activities relating to implementation of and compliance with FMFI’s Privacy and Security Policies; (ii) resolution of internal grievances; (iii) due diligence related to the sale, transfer, merger or consolidation of all or part of FMFI with another covered entity; and (iv) creating de-identified health information or a limited data set, and fundraising for the benefit of FMFI. 45 C.F.R. § 164.501.


14. Health Information. Any information, whether oral or recorded in any form or medium, that: (a) is created or received by a health care provider, and (b) relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. 45 C.F.R. § 160.103.

15. Health Oversight Agency. An agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant. 45 C.F.R. § 164.501.

16. HIPAA. The Health Insurance Portability and Accountability Act of 1996.

17. HITECH Act. The Health Information Technology for Economic and Clinical Health Act which was included in the American Recovery and Reinvestment Act of 2009 ("ARRA") and signed into law on February 17, 2009.

18. Individually Identifiable Health Information. Information that is a subset of health information, including demographic information collected from an individual, and: (a) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (b) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) that identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual. 45 C.F.R. § 160.503.

19. Inmate. A person incarcerated in or otherwise confined to a correctional institution. 45 C.F.R. § 164.501.

20. Law Enforcement Official. An officer or employee of any agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, who is empowered by law to: (a) investigate or conduct an official inquiry into a potential violation of law; or (b) prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law. 45 C.F.R. § 164.501.


21. Marketing. To make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service unless the communication is made:

(a) To describe a health-related product or service (or payment for such product or service) that is provided by FMFI;

(b) For treatment of the individual; or

(c) For case management or care coordination, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual.

Marketing also would include an arrangement between FMFI and any other entity whereby FMFI discloses PHI to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service. For purposes of this definition, "financial remuneration" means direct or indirect payment from or on behalf of a third party whose product or service is being described.

22. Organized Health Care Arrangement. A clinically integrated care setting in which the individuals typically receive health care from more than one health care provider. 45 CFR § 164.501.

23. Particularly Sensitive Health Information. PHI that is generally considered highly confidential including, but not limited to, mental health, drug and alcohol abuse, and communicable disease information.

24. Payment. Any activities by FMFI to obtain payment for providing health care. Such activities relate to the individual to whom health care is provided and include, but are not limited to:

(a) Billing, claims management, collection activities, and related health care data processing; and

(b) Disclosure to consumer reporting agencies of any of the following PHI relating to collection of reimbursement: (i) name and address; (ii) date of birth; (iii) social security number; (iv) payment history; (v) account number; and (vi) name and address of the health care provider. 45 CFR §164.501.

25. Privacy Official. FMFI’s designated Privacy and Security Official and his/her designee. The same person fulfills both roles and is referred to as the "Privacy Official."


26. Privacy and Security Policies or Policies. This set of policies and procedures drafted and adopted by FMFI relating to the protection and confidentiality of PHI.

27. Privacy Regulations. The regulations issued by the Department of Health and Human Services implementing the privacy requirements of the Health Insurance Portability Act of 1996, 42 CFR Parts 160 and 164, which are aimed at protecting a patient’s right to privacy in matters involving his or her health care.

28. Protected Health Information or PHI. Individually identifiable health information that is transmitted by, or maintained in, electronic media or any other form or medium. PHI excludes health information in employment records held by FMFI in its role as employer.

29. Psychotherapy Notes. Notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record. Psychotherapy notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date. 45 C.F.R. § 164.501.

30. Public Health Authority. An agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate. 45 CFR § 164.501.

31. Required by Law. A mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law. Required by law includes, but is not limited to, court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits. 45 C.F.R. § 164.501.


32. Research. A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. 45 C.F.R. § 164.501.

33. Secretary. The Secretary of the Federal Department of Health and Human Services or his/her designee.

34. Security Rule. The final rule adopting standards for the security of electronic protected health information as required by the Health Insurance Portability Act of 1996, 42 CFR Parts 160, 162 and 164, as amended from time to time.

35. Treatment. The provision, coordination, or management of health care and related services by FMFI personnel. 45 C.F.R. § 164.501. Treatment includes: (a) the coordination or management of health care by a health care provider with a third party; (b) consultation between health care providers relating to a patient; or (c) the referral of a patient for health care from one care provider to another. 45 C.F.R. § 164.501.

36. Unsecured Protected Health Information or Unsecured PHI. PHI that is not secured through the use of one of the following technologies or methods that renders PHI unusable, unreadable, or indecipherable to unauthorized individuals, or as otherwise further defined or clarified by the Secretary:

(a) Encryption: Electronic PHI has been encrypted as specified by the HIPAA Security Rule. See, 45 C.F.R. § 164.304 and the regulations related thereto.

(b) Destruction: The media on which PHI is stored or recorded has been destroyed in one of the following ways:

(i) Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed.

(ii) Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that PHI cannot be retrieved.

37. Use. With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within FMFI. 45 C.F.R. § 164.501.

Fairfax Medical Facilities, Inc. HIPAA Privacy and Security Policies

Subject: Personal Representative – Oklahoma
Page: 1 of 7
Policy #: Policy - 02
Approved: 2011
HIPAA Section: 164.510(a)
Revised: 02/2012, 04/2013, 11/2016

I. PURPOSE

To establish who can act on behalf of the patient for purposes of authorizing uses and disclosures and effectuating the patient rights afforded by these Policies.

II. POLICY

FMFI personnel must, except in the limited circumstances set forth in this Policy, treat a personal representative as the patient for purposes of authorizing uses and disclosures and effectuating the patient rights afforded by these Policies.

The personal representative must only be treated as the individual patient to the extent that the PHI is relevant to matters on which the personal representative is authorized to represent the patient.

If FMFI personnel have a reasonable belief that the personal representative has abused or neglected the individual patient, or that treating the personal representative as the patient could endanger the patient, and believe it is not in the patient’s best interest to treat the person as the personal representative, FMFI personnel are not required to do so. See, Policy-05, Patient Access to Protected Health Information.

Adults

The following is a guide as to who may act as an authorized personal representative under Oklahoma law and the documentation needed to verify such authority.

1. Durable Power of Attorney for Health Care. The person named as a patient's durable power of attorney for health care generally qualifies as a personal representative of a patient. A durable power of attorney is a document by which the patient may designate another as his/her agent to perform certain acts on behalf of the patient. Pursuant to a valid durable power of attorney, and depending on the scope of the power of attorney, the agent may make health and medical care decisions on the patient’s behalf. This does not give the agent the power to execute on behalf of the patient an advance directive for health care, living will, or other document purporting to authorize life-sustaining treatment decisions, or make life-sustaining treatment decisions unless the power of attorney complies with the requirements for a health care proxy set forth below.

A valid durable power of attorney must:

(a) be in writing;

(b) contain the words “This power of attorney shall not be affected by subsequent disability or incapacity of the principal, or lapse of time,” or “This power of attorney shall become effective upon disability or incapacity of the principal,” or similar words showing the intent of the principal that the authority conferred will be exercisable notwithstanding the principal’s subsequent disability or incapacity;

(c) state whether FMFI personnel may rely on the power of attorney while the patient is still competent or whether it is only effective once the patient becomes incompetent;

(d) be witnessed by two witnesses who are at least 18 years old;

(e) be signed by the patient and witnesses; and

(f) be notarized.

The patient may revoke the power of attorney at any time if competent. Death of the patient also will revoke and terminate the power of attorney.

2. Health Care Proxy. A health care proxy is an adult appointed by a patient to make health care decisions, including but not limited to withholding or withdrawal of life-sustaining treatment, in certain circumstances pursuant to an advance directive for health care decisions. In particular, a health care proxy’s authority only becomes effective (a) when the patient is incompetent and (b) when the patient has been diagnosed with a terminal condition or as persistently unconscious.

A valid health care proxy must:

(a) be in writing;

(b) be witnessed by two disinterested witnesses who are at least 18 years old; and

(c) be signed by the patient and witnesses.

The appointment of the health care proxy may be completely or partially revoked at any time and in any manner by the patient. A revocation is effective upon communication of the desire to revoke to the attending physician or other FMFI personnel. If the patient revokes the advance directive, a health care proxy may no longer qualify as a personal representative. A health care proxy only has the right to access a patient's PHI over which the proxy has authority.

3. Court Appointed Guardian. This is a person appointed by the court in a court order who legally has authority over the care and management of the person, estate, or both, of a patient who cannot act for him/herself. This order may place certain limitations on the legal activities of the guardian.

Minors

Generally, patients must be of the age of majority, 18 years of age or older, to sign a binding authorization for the use and disclosure of PHI. However, there are several exceptions to this requirement as outlined below.

For minor patients who are under the age 18 and who do not fall within one of the exceptions listed below, either parent (including the non-custodial parent unless a court order specifically limits this right), the legal guardian or the legal custodian appointed by a court may sign an authorization form on the minor's behalf as the minor's personal representative and also may have access to the minor's PHI.

Exceptions: FMFI shall treat the minor, rather than the personal representative, as the person authorized to sign an authorization for the disclosure of the minor's PHI, in the following instances:

(a) Any minor who is married, has a dependent child or is emancipated,

(b) Any minor who is separated from his/her parents or legal guardian and is not supported by them,

(c) Any minor who is or has been pregnant, afflicted with any reportable communicable disease, drug and substance abuse or abusive use of alcohol, but only if the minor is seeking treatment, diagnosis or prevention services related to such conditions. If the minor is found not to be pregnant, suffering from a communicable disease, drug or substance abuse, or abusive use of alcohol, FMFI personnel shall not reveal any information to the spouse, parent or personal representative of the minor without the minor’s consent,

(d) Any minor as to his/her minor child,

(e) The spouse of a minor if the minor is incapable of consenting because of physical or mental incapacity.

(f) Any minor who by reason of physical or mental capacity cannot give consent and has no known relatives or legal guardian, if two physicians agree on the health service to be given.

(g) Any minor in need of emergency services for conditions which will endanger his/her life if delay would result by obtaining consent from his/her spouse, parent or legal guardian. The prescribing of medicine or any device for the prevention of pregnancy shall not be considered such an emergency service.

Deceased Individuals

A deceased individual's PHI shall be protected in the same manner as that of a living person for fifty (50) years following the date of death of the individual. FMFI personnel may use and disclose such information for payment and health care operations. FMFI may disclose such information to a family member, or other person who was involved in the individual’s health care or payment for care prior to the individual’s death, unless doing so is inconsistent with any prior expressed preference of the deceased individual that is known to FMFI. In situations where an authorization is required, the authorization must be signed by a court-appointed personal representative (including an executor or administrator of the deceased patient's estate). This document is known as the Letters Testamentary or Letters of Administration and should be signed by a judge.

In addition, FMFI personnel may disclose PHI of a deceased individual for the following reasons:

1. To alert law enforcement of the death of the individual, when there is a suspicion that the death may have resulted from criminal conduct,

2. To coroners or medical examiners and funeral directors,

3. To organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye, or tissue donation and transplantation,

4. For research that is solely on the PHI of decedents.

III. PROCEDURES

1. FMFI personnel will obtain verification of the identity of a legal representative prior to the disclosure if there is doubt about the person's identity.

2. In situations in which a court document is involved, FMFI personnel must review the court document appointing the individual to verify the individual's authority to act on behalf of the patient and to verify that the document meets the state law requirements described above. A personal representative's authority may be limited in scope to give the representative authority only in specific situations. Any questions regarding the validity of a document purporting to confer personal representative status must be directed to FMFI’s Privacy Official who should consult with legal counsel if necessary.

3. A copy of any court documents, with the appropriate stamp or certification if applicable, must be placed in the patient’s medical record.

Fairfax Medical Facilities, Inc. HIPAA Privacy and Security Policies

Subject: Verification
Page: 1 of 1
Policy #: Policy - 03
Approved: 2011
HIPAA Section: 164.514(h)
Revised: 02/2012, 04/2013, 11/2016

I. PURPOSE

To establish an identity verification process.

II. POLICY

Prior to making a disclosure or processing a patient right request permitted by these Policies, FMFI personnel must:

1. Verify the identity of a person requesting PHI and the authority of any such person to have access to PHI, if the identity or any such authority of such person is not known to FMFI personnel; and

2. Obtain any documentation, statements, or representations, whether oral or written, from the person requesting the PHI when such documentation, statement, or representation is a condition of the disclosure or processing.

III. PROCEDURES

Any questions regarding verification or reliance on identity or authority should be directed to the Privacy Official, who should contact legal counsel if necessary. The Privacy Official should be contacted prior to responding to any request by law enforcement officials, if possible.

Verification of identity can be accomplished by: (1) presentation of picture I.D.; (2) signature comparison; or (3) some other appropriate method. In the case of a public official, verification of identity can be accomplished by presentation of his/her badge or other official credentials if in person or the appropriate letterhead if the request is made in writing.


Fairfax Medical Facilities, Inc. HIPAA Privacy and Security Policies

Subject: Notice of Privacy Practices
Page: 1 of 3
Policy #: Policy - 04
Approved: 2011
HIPAA Section: 164.520
Revised: 02/2012, 04/2013, 11/2016

I. PURPOSE

To require the development of a Notice of Privacy Practices, independently or as part of an organized health care arrangement, and to provide or arrange for general distribution procedures.

II. POLICY

FMFI will (i) develop and distribute a Notice of Privacy Practices and/or (ii) ensure that a joint Notice of Privacy Practices is developed with other members of an organized health care arrangement that includes the information required by § 164.520 of the Privacy Regulations. A copy of the Notice of Privacy Practices is attached hereto as Form-04. A patient’s receipt of the Notice of Privacy Practices must be acknowledged as required by the Privacy Regulations.

The Notice of Privacy Practices must be translated into other languages as required by regulations issued by the Federal Office of Civil Rights regarding accommodations for people with Limited English Proficiency.

FMFI personnel may not use or disclose PHI in a manner inconsistent with the applicable Notice of Privacy Practices.

III. PROCEDURE

Acknowledgement

In situations in which FMFI utilizes its own Notice of Privacy Practices, FMFI personnel must make a good faith effort to obtain a written acknowledgement from the patient of his/her receipt of the Notice of Privacy Practices. Patients will be asked to initial or sign the following statement (or the equivalent thereof): “I acknowledge that I have received a copy of FMFI’s Notice of Privacy Practices and I consent to the use of my PHI for treatment, payment and the healthcare operations of FMFI as summarized in the Notice of Privacy Practices.”

If the patient does not acknowledge receipt of the Notice of Privacy Practices, a note should be made on the registration form or in the patient’s medical record indicating why the acknowledgement was not obtained. FMFI cannot condition treatment on the patient’s acknowledgement of the receipt of the Notice of Privacy Practices.


In situations in which a joint notice is utilized and provided to the patient by a direct treatment provider participating in the organized health care arrangement, the provider must make a good faith effort to obtain the individual's written acknowledgement of receipt of the joint notice. Where the joint notice is provided to the individual by a participating covered entity other than a direct treatment provider, no acknowledgement need be obtained. During emergency treatment situations, the Notice of Privacy Practices may be provided and the acknowledgement obtained at a time reasonably practicable after the emergency treatment situation is resolved.

Distribution

1. FMFI will make its Notice of Privacy Practices available to any person who requests it. The individual making the request does not have to be a current patient of FMFI.

2. As a direct treatment provider, FMFI will:

(a) Provide the Notice of Privacy Practices to each patient.

(b) Make the Notice of Privacy Practices available at the service delivery site upon request.

(c) Post the Notice of Privacy Practices in a clear and prominent location where it is reasonable to expect individuals seeking service from the health care provider to be able to read the notice.

3. The Notice may be distributed by e-mail, if the patient agrees to the electronic notice and the agreement has not been withdrawn. All timing requirements still apply to electronic notices. If FMFI personnel know that the electronic transmission has failed, a hard copy must be provided. When electronic notice is provided, an acknowledgement of receipt must be obtained.

4. If FMFI provides services as an indirect treatment provider or only as a business associate, it must provide the Notice of Privacy Practices to individuals upon request.

5. If FMFI is participating in an organized health care arrangement, it may permit another provider participating in the arrangement to provide the Notice of Privacy Practice and obtain the appropriate acknowledgement.

6. FMFI’s Notice of Privacy Practices must be posted and made available electronically on its web site.

Amendment


If FMFI's Notice of Privacy Practices is amended, it must be made available upon request on or after the effective date.

Retention

The Notice of Privacy Practices must be retained by the Privacy Official for six years.

Fairfax Medical Facilities, Inc. HIPAA Privacy and Security Policies

Subject: Patient Access to Protected Health Information Page: 1 of 5 Policy #: Policy - 05 Approved: 2011 HIPAA Section: 164.524(a) Revised: 02/2012 04/2013 11/2016

I. PURPOSE

To permit patients access to their PHI.

II. POLICY

Rights to Access

FMFI will permit patients to inspect and obtain a copy of PHI about the patient included in a designated record set, for as long as the PHI is maintained in the designated record set. If the same information is kept in more than one designated record set or in more than one location, FMFI is required to produce the information only once per request for access.

Unless an exception applies, a patient should be granted access to the entire medical record, including records received from other providers that were used to make treatment decisions.

FMFI may charge a fee for access to PHI. The fee for paper copies may only include the costs of copying and postage and must be consistent with any limit set by State law. Oklahoma law permits a charge of $.50 for each page for paper records and $5.00 per film for radiology films.

The fee for providing an electronic copy may not be greater than FMFI's labor costs in responding to the request for such copy.

FMFI must provide the patient with access to PHI in the form or format requested by the patient, if it is readily producible in such form or format; or, if not, in a readable hard copy form or such other form or format as agreed to by FMFI and the patient.

FMFI must arrange with the patient for a convenient time and place to inspect or obtain a copy of the PHI, or mail a copy of the information at the patient’s request. FMFI personnel may discuss the scope, format, and other aspects of the request for access with the patient as necessary to facilitate the timely provision of access.

If FMFI uses or maintains an electronic health record, or EHR, FMFI will provide a copy of such information in an electronic format if the patient requests an electronic copy.


In addition, if the patient directs, FMFI will transmit the copy, whether in electronic or paper form, directly to an entity or person designated by the patient, provided that the patient's directions are clear, conspicuous and specific.

If FMFI does not maintain the PHI that is the subject of the patient’s request for access, and FMFI personnel know where the requested information is maintained, FMFI must inform the patient where to direct the request for access.

Psychotherapy Notes

A patient does not have the right to access psychotherapy notes relating to him/herself except (i) to the extent the patient’s treating professional approves such access in writing; or (ii) the patient obtains a court order authorizing such access. See the definition of psychotherapy notes in Policy-01, Definitions, and Policy-23, Mental Health.

Denial of Right to Access

A patient may be denied access under the limited circumstances listed below.

The following exceptions should be narrowly construed and rarely used:

1. Legal Information. FMFI may deny a patient access to information compiled in reasonable anticipation of, or for use in, a civil, criminal or administrative action or proceeding. The advice of legal counsel should be obtained prior to denying a patient access on this basis.

2. Inmate Information. FMFI, acting under the direction of a correctional institution, may deny, in whole or in part, an inmate’s request to obtain a copy of PHI, if obtaining such copy would jeopardize the health, safety, security, custody, or rehabilitation of the patient or of other inmates, or the safety of any officer, employee, or other person at the correctional institution or responsible for the transporting of the inmate.

3. Research. FMFI may temporarily suspend a patient’s access to PHI created or obtained in the course of research that includes treatment. The suspension may last for as long as the research is in progress, provided that the patient has agreed to the denial of access when consenting to participate in the research, and the patient has been informed that the right of access will be reinstated upon completion of the research.

4. Information from Other Source. FMFI may deny a patient’s access to PHI if the information was obtained from someone other than a Health Care Provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information.

5. Endangerment. FMFI may deny a patient access in the event a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the patient or another person. Access may not be denied on the basis of the sensitivity of the health information or the potential for causing emotional or psychological harm.

6. Reference to Other People. FMFI may deny a patient access if the PHI makes reference to another person and a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to such other person.

7. Personal Representative. FMFI may deny access if the request is made by a patient’s personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the patient or another person.

FMFI must, to the extent possible, give the patient access to any other PHI requested, after excluding the PHI as to which access is being denied.

8. Psychotherapy Notes. See the preceding section of this policy.

Review of Denied Access

If access is denied for the reasons set forth in Numbers 5, 6 and 7 above, the patient must be given the opportunity to have the denial reviewed by FMFI's HIPAA Privacy Official or some other appropriate person designated by FMFI ("Reviewer"). The Reviewer cannot have participated in the original denial.

III. PROCEDURES

Rights to Access

1. Patients must make their requests for access in writing using the form attached hereto as Form-05.A. Patients making their request for access by telephone or e-mail should be forwarded a copy of the form. Verification of the requester’s identity must be obtained prior to granting access. The request form must be maintained in the patient’s medical record for a minimum of six (6) years.

2. A patient’s request for access to PHI must be acted upon as soon as reasonably possible, but in no event more than thirty (30) days after receiving the request.

3. FMFI’s medical records department [or other designated person or department] will be responsible for receiving and processing requests for access by patients.

4. Any questions regarding a patient’s right of access should be forwarded to the Privacy Official.


Denial of Right to Access

If a patient’s request for access is denied, the individual must be provided with a written denial using the form attached hereto as Form-05.B within no more than thirty (30) calendar days of the request. The denial form must be maintained in the patient’s medical record for a minimum of six (6) years.

Review of Denied Access

FMFI will promptly forward requests for review to the Reviewer and the Reviewer is required to review the denial within a reasonable period of time, but no later than thirty (30) days after receiving the request for review. Access must be provided to the patient in accordance with the determination of the Reviewer who reviewed the request. The patient making the request should be notified promptly, in writing, of the Reviewer’s decision.

Fairfax Medical Facilities, Inc. HIPAA Privacy and Security Policies

Subject: Accounting of Disclosures Page: 1 of 3 Policy #: Policy - 06 Approved: 2011 HIPAA Section: 164.528(a) Revised: 02/2012 04/2013 11/2016

I. PURPOSE

To permit patients to request an accounting of the disclosures of their PHI.

II. POLICY

FMFI will permit patients to request an accounting of disclosures of PHI made by FMFI. The accounting must include disclosures made by FMFI in the six (6) years prior to the date of the request (unless limited at the request of the patient), except that disclosures to carry out treatment, payment and health care operations documented in an EHR must be made for only the three (3) years prior to the date of the request.

Accounting Requirements - General

The accounting must include all disclosures, except for disclosures:

1. to carry out treatment, payment and health care operations (unless the PHI is maintained in an EHR as set forth in the subsequent paragraph);

2. to patients of PHI about them;

3. incident to a use or disclosure otherwise permitted or required by the Privacy Regulations;

4. pursuant to the patient’s authorization;

5. for a facility directory or to persons involved in the patient’s care;

6. for national security or intelligence purposes;

7. to correctional institutions or law enforcement officials to provide them with information about a person in their custody;

8. as part of a limited data set; or

9. that occurred prior to April 14, 2003, the effective date of HIPAA.

The exception set forth in Number 1 above will not apply to disclosures through an EHR. Accountings of disclosures through an EHR must include disclosures for purposes of treatment, payment and health care operations. Note that this requirement applies to disclosures and not to uses of the PHI. See the definitions of "use" and "disclosure" in Policy-01, Definitions.

Examples of disclosures subject to the accounting requirement include disclosures for, or pursuant to: (1) research, unless authorized by patient; (2) subpoenas, court orders or discovery requests; (3) abuse and/or neglect reporting; (4) communicable disease reporting; (5) other reports to the Department of Health such as tumor registry, etc.; or (6) disclosures for treatment, payment and health care operations for PHI maintained in an electronic health record.

Suspension of Accounting

A patient’s right to receive an accounting of disclosures may be suspended at the request of a health oversight agency or law enforcement official if certain conditions are satisfied. If FMFI receives a request to suspend a patient’s right to receive an accounting from a health oversight agency or law enforcement official, the Privacy Official should be contacted to determine if the appropriate conditions have been satisfied.

III. PROCEDURES

1. A patient must request an accounting for disclosure in writing using the form attached hereto as Form-06.A. Verification of the requester’s identity must be obtained prior to granting the request for an accounting. Patients making their request for an accounting by telephone or e-mail should be forwarded a copy of the form. The request form must be maintained in the patient’s medical record for a minimum of six (6) years.

2. FMFI’s medical record department will be responsible for processing requests for accountings of disclosures.

3. In response to a request for an accounting, FMFI will elect to provide either an:

(a) accounting for disclosures of PHI that are made by FMFI and by a business associate acting on behalf of FMFI; or

(b) accounting for disclosures that are made by FMFI and provide a list of all business associates acting on behalf of FMFI (including contact information such as mailing address, phone number, or e-mail address).

4. For each disclosure of PHI maintained in paper/hard-copy format that must be recorded, the accounting must include the following information:

(a) the date of the disclosure;


(b) the name of the entity or person who received the PHI and, if known, the address of such entity or person;

(c) a brief description of the PHI disclosed; and

(d) a brief statement of the purpose of the disclosure that reasonably informs the patient of the basis for the disclosure.

5. The form attached hereto as Form-06.B must be used to record disclosures of PHI maintained in paper/hard-copy format and must be maintained in a patient’s medical record for a period of at least six (6) years from the date of the last accounting. The format for accountings of PHI maintained in an EHR will be consistent with regulations and guidance issued by the Secretary.

6. If, during the period covered by the accounting, FMFI has made multiple disclosures of PHI to the same person or entity for a single purpose, or pursuant to a single authorization, the accounting may, with respect to such multiple disclosures, provide:

(a) the information set forth in section 2 above for the first disclosure during the accounting period;

(b) the frequency or number of the disclosures made during the accounting period; and

(c) the date of the last such disclosure during the accounting period.

7. FMFI will act on the patient’s request for an accounting no later than sixty (60) days after receipt of such a request.

8. The first accounting to a patient in any twelve (12) month period must be provided at no charge. FMFI may impose a reasonable, cost-based fee for each subsequent request for an accounting by the same patient within the twelve (12) month period, provided that FMFI informs the patient in advance of the fee and provides the patient with an opportunity to withdraw or modify the request for a subsequent accounting in order to avoid or reduce the fee.

Fairfax Medical Facilities, Inc. HIPAA Privacy and Security Policies

Subject: Communication by Alternative Means Page: 1 of 2 Policy #: Policy - 07 Approved: 2011 HIPAA Section: 164.522(b)(1) Revised: 02/2012 04/2013 11/2016

I. PURPOSE

To permit patients to request communication of PHI by alternative means or at alternative locations.

II. POLICY

FMFI will permit patients to request, and will accommodate reasonable requests by patients, to receive communications of PHI by alternative means or at alternative locations. If a request for communication by alternative means is granted, FMFI must communicate with the patient in accordance with the patient’s request.

FMFI cannot require an explanation from the patient as to the basis for the request as a condition of considering or granting the request.

FMFI can condition the provision of an alternative means of communication on: (a) information as to how payment will be handled, if applicable and (b) the specification of an alternative address or other method of contact.

III. PROCEDURE

1. A patient must request communication by alternative means or at alternative locations in writing by using the sample form attached hereto as Form-07.

2. The FMFI Privacy Official will be responsible for determining if a particular request for alternative means of communication is reasonable in light of the expense and administrative burden involved with complying with the request.

3. FMFI should, if possible, notify the patient making the request in writing at the time of his/her visit if the request is denied by providing the patient with a copy of the form attached hereto as Form-07 with the reason for the denial noted. If the patient cannot be notified of the denial at the time of his/her visit, the form for requesting an alternative means of communication, with the denial noted, should be sent to the patient. In order to protect the patient, the denial should be sent to the alternative address, if specified.


4. Requests for alternative means of communication, and documentation of any denials of such requests, should be maintained in a patient’s medical record for a minimum of six (6) years.

5. FMFI must ensure that agreed upon alternative means of communication are communicated to the billing department and other departments and providers and business associates who may be sending the patient communications on behalf of FMFI.

6. If a request for communication by alternative means is granted, FMFI must place or affix a clear indication of the communication by alternative means on the patient’s medical record, whether it be paper or electronic.

Fairfax Medical Facilities, Inc. HIPAA Privacy and Security Policies

Subject: Right to Amend Records Page: 1 of 3 Policy #: Policy - 08 Approved: 2011 HIPAA Section: 164.526(a) Revised: 02/2012 04/2013 11/2016

I. PURPOSE

To permit patients to request amendments to their PHI.

II. POLICY

FMFI will permit patients to request amendments to their PHI, or a particular record, contained in a designated record set.

FMFI may deny a patient’s request for amendment, if it determines that the PHI or record that is the subject of the request:

1. Was not created by FMFI personnel, unless the patient provides a reasonable basis to believe that the originator of PHI is no longer available to act on the requested amendment;

2. Is not part of the designated record set;

3. Is not available for inspection by the individual pursuant to Policy-05, Individual Access Policy; or

4. Is accurate and complete.

Patients requesting an amendment to their PHI must provide a reason to support a requested amendment.

III. PROCEDURE

1. Patients must request amendments to their PHI in writing by using the form attached hereto as Form-08.A. Patients making their request for an amendment by telephone or e-mail should be forwarded a copy of the form. Verification of the requester’s identity must be obtained prior to considering the amendment request. The request form must be maintained in the patient’s medical record for a minimum of six (6) years.

2. FMFI’s medical record department will be responsible for processing amendment requests. The specific provider responsible for recording the PHI or originating the record must be consulted, if possible, prior to making an amendment decision and should sign the amendment form.


3. FMFI must act on the patient’s request, no later than sixty (60) days after receipt of a request, as set forth below:

(a) Accepting the Amendment. If FMFI accepts the requested amendment, in whole or in part, FMFI must: (i) Make the appropriate amendment by identifying the records in the designated record set that are affected by the amendment and appending the amendment to such record; (ii) Inform the patient, in writing, that the amendment is accepted by sending the patient a copy of the form attached hereto as Form-08.A with the acceptance noted; (iii) Obtain the patient’s identification of and agreement to have FMFI notify the relevant persons with whom the amendment needs to be shared by using the form attached hereto as Form-08.B; and (iv) Make reasonable efforts to inform and provide the amendment within a reasonable time to persons identified by the patient as having received PHI about the patient and needing the amendment, and persons, including business associates, that FMFI knows have the PHI that is the subject of the amendment and that may have relied, or could foreseeably rely, on such information to the detriment of the patient.

(b) Denying the Amendment. If FMFI denies the requested amendment, in whole or in part, FMFI must: (i) Inform the patient, in writing, that the amendment is denied by sending the patient a copy of the form attached hereto as Form-08.A; (ii) Permit the patient to submit to the covered entity a written statement disagreeing with the denial of all or part of a requested amendment and the basis of such disagreement; (iii) Identify, as appropriate, the record or PHI in the designated record set that is the subject of the disputed amendment and append or otherwise link the patient’s request for an amendment, FMFI’s denial of the request, the patient’s statement of disagreement, if any, and FMFI’s rebuttal, if any, to the designated record set. FMFI may, but is not required to, prepare a written rebuttal to the patient’s statement of disagreement. If a rebuttal statement is prepared, a copy of it must be provided to the patient who submitted the statement of disagreement.

4. If a statement of disagreement has been submitted by the patient, FMFI must include the material set forth in subsection (iii) of the preceding paragraph, or, at the election of FMFI, an accurate summary of any such information, with any subsequent disclosure of the PHI to which the disagreement related.

5. If the patient has not submitted a written statement of disagreement, FMFI must include the patient’s request for amendment and its denial, or an accurate summary of such information, with any subsequent disclosure of the PHI only if the patient has requested such action.


6. If FMFI is informed by another covered entity of an amendment to a patient’s PHI, FMFI must amend the PHI in its designated record sets.

7. Requests for amendments, and documentation of the response to such requests, must be maintained in a patient’s medical record for a minimum of six (6) years.

Fairfax Medical Facilities, Inc. HIPAA Privacy and Security Policies

Subject: Right to Request Restriction on Disclosure Page: 1 of 3 Policy #: Policy - 09 Approved: 2011 HIPAA Section: 164.522(a)(1) Revised: 02/2012 04/2013 11/2016

I. PURPOSE

To permit patients to request certain restrictions on the use and disclosure of their PHI.

II. POLICY

FMFI will permit patients to request restrictions on the use and disclosure of their PHI: (a) to carry out treatment, payment or health care operations and/or (b) to people involved in their care or for notification purposes as described in § 164.510(b) of the Privacy Regulations. Generally, FMFI is not required to agree to any request to restrict the use and disclosure of PHI, with one exception. FMFI must comply with the requested restriction if:

(a) the patient requests restriction on disclosure of PHI to a health plan for purposes of carrying out payment or health care operations (and not for purpose of carrying out treatment), except as otherwise required by law; and

(b) the PHI pertains solely to a health care item or service for which FMFI or other health care provider involved has been paid out of pocket in full.

If FMFI agrees to a restriction, it may not use or disclose PHI in violation of the restriction, except in emergency situations when the PHI is needed to treat the patient. If restricted PHI is disclosed to a health care provider for emergency treatment, FMFI must request that the health care provider that received the information not further use or disclose the information.

Any agreed to restriction will not be effective to prevent uses and disclosures to the patient or required by law.

FMFI must adhere to any agreed to restriction until the restriction is terminated according to the procedures set forth below. FMFI personnel may not use or disclose PHI subject to a restriction, except to provide emergency treatment or unless required by law.


III. PROCEDURE

1. Patients must request restrictions on the use and disclosure of their PHI in writing by using the sample form attached hereto as Form-09. Patients making their restriction requests by telephone or e-mail should be forwarded a copy of the form. Verification of the requester’s identity must be obtained prior to considering the request. The request form must be maintained in the patient’s medical record for a minimum of six (6) years.

2. FMFI’s medical records department will be responsible for determining if a particular restriction will be permitted. The Privacy Official will review all requests.

3. FMFI must notify the patient making the request in writing at the time of his/her visit if the request is denied by providing the patient with a copy of the form attached hereto as Form-09 with the reason for the denial noted. If the patient cannot be notified of the denial at the time of his/her visit, the form for requesting a restriction, with the denial noted, should be sent to the patient.

4. Requests for restrictions, and documentation of any denials of such requests, should be maintained in a patient’s medical record for a minimum of six (6) years.

5. FMFI must ensure that agreed upon restrictions on the use and disclosure of PHI are communicated to the billing department and other departments, providers and business associates who may be sending the patient communications on behalf of FMFI.

6. A restriction on the use and disclosure of PHI can be terminated if: (a) the patient requests the termination in writing; (b) the patient orally agrees to or requests the termination and the oral request or agreement is documented in the patient’s medical record and communicated to the Privacy Official; or (c) FMFI informs the patient that it is terminating its agreement to a restriction, in which case the termination will only apply to PHI created or received after the patient has been notified of the termination.

7. If a restriction request is granted, FMFI must place or affix a clear indication of the restriction on the patient’s medical record, whether it be paper or electronic.

Fairfax Medical Facilities, Inc. HIPAA Privacy and Security Policies

Subject: Privacy Official – Contact Information Page: 1 of 1 Policy #: Policy - 10 Approved: 2011 HIPAA Section: 164.530(a)(1) Revised: 02/2012 04/2013 11/2016

I. PURPOSE

To provide for the designation of a Privacy Official and to set forth contact information as required by the Privacy Regulations. FMFI's Privacy Official will also serve as the Security Officer.

II. POLICY

FMFI will designate a Privacy Official who is responsible for the development and implementation of FMFI’s Privacy and Security Policies and who will be responsible for answering questions regarding FMFI’s Privacy and Security Policies and Notice of Privacy Practices. The Privacy Official also will be responsible for receiving complaints regarding compliance with the Policies and the Notice.

The Privacy Official will monitor FMFI's operations to ensure that all FMFI personnel are accessing PHI appropriately. Ongoing training and education about the need to access only PHI required for each specific job task is a key part of the supervision.

III. PROCEDURE

1. Documentation regarding the designation of the Privacy Official and his/her contact information must be retained, in written or electronic format, for at least six (6) years by the Privacy Official.

2. The contact information for the Privacy Official is set forth on Form-10 and will be revised in the event a new Privacy Official is designated or the contact information changes.


Fairfax Medical Facilities, Inc. HIPAA Privacy and Security Policies

Subject: Privacy Complaint Reporting and Tracking Page: 1 of 1 Policy #: Policy - 11 Approved: 2011 HIPAA Section: 164.530(d)(1) Revised: 02/2012 04/2013 11/2016

I. PURPOSE

To establish the procedures for individuals to submit complaints regarding FMFI’s Privacy and Security Policies and the failure of FMFI personnel to comply with such Policies.

II. POLICY

All complaints regarding FMFI’s Privacy and Security Policies and compliance with such Policies, regardless of the form in which they were received, will be documented, reviewed, and acted upon, if necessary, by FMFI’s Privacy Official.

Documentation regarding complaints received and the resolution of such complaints will be retained, in written or electronic format, for at least six (6) years.

III. PROCEDURE

1. Persons with privacy related complaints will be instructed to contact FMFI’s Privacy Official, either by mail, telephone, or in writing using the complaint form available on our website. The contact information for FMFI’s Privacy Official is located on Form-10.

2. The Privacy Official will document each complaint received and maintain such documentation for the minimum retention period stated above.

3. The Privacy Official will investigate each complaint, in conjunction with relevant FMFI employees and will document the resolution of the investigation and any corrective actions required.


Subject: Documentation Page: 1 of 2 Policy #: Policy - 12 Approved: 2011 HIPAA Section: 164.530(d)(1) Revised: 02/2012 04/2013 11/2016

I. PURPOSE

To establish documentation requirements as required by the Privacy Regulations.

II. POLICY

FMFI will maintain, for at least six (6) years, the following:

(a) Written or electronic copies of its Privacy and Security Policies;

(b) Written or electronic copies of any communication that is required by the Privacy Regulations to be in writing; and

(c) Written or electronic records of any action, activity or designation that is required by the Privacy Regulations to be documented.

III. PROCEDURE

1. Documentation of Privacy and Security Policies. Written or electronic copies of FMFI’s Privacy and Security Policies will be maintained by the Privacy Official for at least six (6) years from the date any such Policy or Policies were created or were last in effect, whichever is later.

2. Documentation of communications required by the Privacy Regulations. Such documentation will be retained for a period of at least six (6) years from the date of creation and will be maintained in the location specified in the particular Privacy Policy in which such communication is specifically addressed. For example: The policy addressing the right of patients to have access to their PHI (Policy-05) states that the Access Request Form must be maintained in a patient’s medical record for a minimum of six (6) years.

3. Documentation of any action, activity or designation required by Privacy Regulations. Such documentation will be retained for a period of at least six (6) years from the date of creation and will be maintained in the location specified in the particular privacy Policy in which such action, activity or designation is specifically addressed. For example: The policy addressing the appointment of a Privacy Official (Policy-10) specifies that the designation of the Privacy Official will be maintained by the Privacy Official, in written or electronic format, for at least six (6) years.


Subject: Non-Retaliation Page: 1 of 2 Policy #: Policy - 13 Approved: 2011 HIPAA Section: 164.530(g) Revised: 02/2012 04/2013 11/2016

I. PURPOSE

To prohibit retaliation against individuals and others who exercise their rights under the Privacy Regulations.

II. POLICY

Neither FMFI, nor FMFI personnel, will intimidate, threaten, coerce, discriminate against, or take other retaliatory action against:

1. Individuals. Any individual for the exercise by the individual of any right under, or for participation by the individual in any process established by the Privacy Regulations.

2. Individuals and Others. Any individual or other person for:

(a) Filing a complaint with the Secretary of the Department of Health and Human Services as permitted by the Privacy Regulations;

(b) Testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing conducted by a government enforcement agency; or

(c) Opposing any act or practice made unlawful by the Privacy Regulations, provided the individual or person has a good faith belief that the practice opposed is unlawful, and the manner of the opposition is reasonable and does not involve a disclosure of PHI in violation of the Privacy Regulations or FMFI’s Privacy and Security Policies.

For purposes of this policy, the term “person” is not limited to natural persons, but includes any type of organization, association or group such as other covered entities, health oversight agencies, and advocacy groups.

III. PROCEDURE

1. Any person who believes that some form of retaliation is occurring, or has occurred, should report the incident to the Privacy Official.

2. If the Privacy Official receives a report of retaliation or intimidation, the Privacy Official will conduct an investigation to determine if retaliation has occurred. If the report is substantiated, sanctions will be imposed.


Subject: Mitigation Page: 1 of 1 Policy #: Policy - 14 Approved: 2011 HIPAA Section: 164.530(f) Revised: 02/2012 04/2013 11/2016

I. PURPOSE

To establish procedures regarding the mitigation of harmful effects of inappropriate disclosures of PHI.

II. POLICY

FMFI will mitigate, to the extent practicable, any harmful effect that is known to FMFI of a use or disclosure of PHI in violation of FMFI’s Privacy and Security Policies or the Privacy Regulations by FMFI, FMFI personnel, or a business associate of FMFI.

III. PROCEDURE

1. FMFI must take all practicable steps to mitigate the harmful effects of a confirmed inappropriate use or disclosure. The type of mitigation that occurs will be based on the facts and circumstances of each case based on the following factors:

(a) knowledge of where the information has been disclosed;

(b) how the information might be used to cause harm to the patient or another individual; and

(c) what steps can actually have a mitigating effect under the facts and circumstances of any specific situation.

2. FMFI personnel must notify the Privacy Official of inappropriate uses and disclosures. The Privacy Official must investigate the cause of the inappropriate use and/or disclosure and take corrective actions to prevent such uses and/or disclosures from recurring.

3. If legal action is threatened, or is a distinct possibility, legal counsel must be notified.


Subject: Amendment of Privacy Practices and Policies Page: 1 of 2 Policy #: Policy - 15 Approved: 2011 HIPAA Section: 164.530(i)(2) Revised: 02/2012 04/2013 11/2016

I. PURPOSE

To outline the requirements for changes to FMFI’s Notice of Privacy Practices and amendment of its Privacy and Security Policies.

II. POLICY

FMFI will promptly change its privacy practices and amend its Privacy and Security Policies as necessary and appropriate to comply with changes in the law, including the Privacy Regulations, or to accommodate changes in the structure or operations of FMFI.

FMFI has reserved, in its Notice of Privacy Practices, the right to change its privacy practices and amend its Privacy and Security Policies. Therefore, any such changes or amendments will be effective for PHI created or received by FMFI prior to the effective date of the amendment.

III. PROCEDURE

1. Changes to Privacy Practices and Policies Addressed in the Notice of Privacy Practices. In order to effectuate changes to privacy practices and policies addressed in the Notice of Privacy Practices, FMFI will:

(a) Ensure that the Privacy and Security Policies, if revised to reflect a change in FMFI’s privacy practices, comply with the Privacy Regulations and applicable state laws that are not preempted.

(b) Document the revised Privacy Policy, in written or electronic format, and retain such documentation for at least six (6) years.

(c) Revise FMFI’s Notice of Privacy Practices as required by § 164.520(b)(3) of the Privacy Regulations to state the changed practice and make the revised Notice available as required by § 164.520(c) and Policy-04. FMFI may not implement an amendment to a Privacy Policy addressed in the Notice of Privacy Practices prior to the effective date of the revised Notice.


2. Amendments to Privacy and Security Policies Not Addressed in the Notice of Privacy Practices. FMFI may amend, at any time, a Privacy Policy that does not materially affect the content of its Notice of Privacy Practices. In order to effectuate such an amendment, FMFI will:

(a) Ensure that the Privacy Policy, as amended, complies with the Privacy Regulations; and

(b) Document the revised Privacy Policy, in written or electronic format, and retain such documentation for at least six (6) years.


Subject: Waiver of Rights Page: 1 of 1 Policy #: Policy - 16 Approved: 2011 HIPAA Section: 164.530(h) Revised: 02/2012 04/2013 11/2016

I. PURPOSE

To prohibit requiring patients to waive their rights under the Privacy Regulations.

II. POLICY

FMFI will not require patients to waive: (a) their right to file a complaint with the Secretary of the Department of Health and Human Services or any other enforcement agency regarding FMFI’s compliance with the Privacy Regulations or (b) any other rights under the Privacy Regulations as a condition of treatment or payment.

III. PROCEDURE

1. Any person with knowledge of a violation of this policy should report the incident to the Privacy Official.

2. If the Privacy Official receives a report of a violation of this policy, the Privacy Official will conduct an investigation to determine if a violation has occurred. If the report is substantiated, sanctions will be imposed pursuant to Policy-18, Sanctions.


Subject: Training Page: 1 of 2 Policy #: Policy - 17 Approved: 2011 HIPAA Section: 164.530(b)(1) Revised: 02/2012 04/2013 11/2016

I. PURPOSE

To establish a method for providing training regarding FMFI’s Privacy and Security Policies.

II. POLICY

FMFI will train FMFI personnel regarding the Privacy and Security Policies and the manner in which such Policies relate to their function within FMFI.

III. PROCEDURE

1. FMFI, through the Privacy Official, will designate the methods and manner in which training will be accomplished and will develop a Training Plan.

2. It will be the responsibility of the Privacy Official, in coordination with Human Resource personnel, to ensure that all FMFI personnel receive training.

3. Training will be tracked by utilizing the sign-in sheet on Form-17.


4. FMFI personnel must receive some type of refresher training, as specified in the Training Plan.

5. Each new employee, volunteer and student must receive training within a reasonable period of time after the person becomes an employee, volunteer or student. The failure of an employee, volunteer or student to complete the required training within 30 days of becoming an employee, volunteer or student is grounds for sanctions, up to and including termination or dismissal.

6. Each employee, volunteer or student whose job or academic functions are affected by a material change in FMFI’s Privacy and Security Policies should receive training regarding the material change within a reasonable period of time after the change becomes effective.

7. FMFI personnel who fail to complete the training will be subject to sanctions pursuant to Policy-18, Sanctions. Students and volunteers who fail to complete training, or provide evidence of training, whichever is applicable, will not be permitted to provide services at FMFI facilities.

8. Documentation regarding training must be maintained by the Privacy Official, in written or electronic format, for at least six (6) years.


Subject: Sanctions Page: 1 of 2 Policy #: Policy - 18 Approved: 2011 HIPAA Section: 164.530(e) Revised: 02/2012 04/2013 11/2016

I. PURPOSE

To establish a process for imposing sanctions in the event FMFI’s Privacy and Security Policies are violated.

II. POLICY

FMFI will apply appropriate sanctions against FMFI personnel, members of its medical staff, and its business associates, who fail to comply with FMFI’s Privacy and Security Policies and/or the Privacy Regulations and/or Security Rule.

FMFI will not impose sanctions against FMFI personnel or business associates for: (a) engaging in whistleblower activities; (b) submitting a complaint to the Secretary of the Department of Health and Human Services; (c) participating in an investigation; or (d) registering opposition to a violation of the Privacy Regulations.

III. PROCEDURE

1. Employees. A violation of FMFI’s Privacy and Security Policies by an employee also will be considered a violation of FMFI’s Employment Manual. Therefore, the sanctions set forth in the Employment Manual will apply equally to violations of FMFI’s Privacy and Security Policies. The sanction imposed for a violation of the Privacy and Security Policies will depend on the severity of the violation.

2. Students. Students who materially violate FMFI’s Privacy and Security Policies will not be permitted to further their education by providing services at FMFI.

3. Volunteers. Volunteers who materially violate FMFI’s Privacy and Security Policies will not be permitted to provide further assistance to FMFI as a volunteer.

4. Business Associates. If FMFI knows of a pattern of activity or practice of a business associate that constitutes a material breach or violation of the business associate’s obligations under his/her/its contract with FMFI, FMFI will take reasonable steps to cure the breach or end the violation, as applicable, and, if such steps are unsuccessful: (a) terminate the contract, if feasible as required by HIPAA; or (b) report the problem to the Secretary of the Department of Health and Human Services or other applicable government agency.

5. Documentation regarding any sanction imposed for a violation of the Privacy and Security Policies should be retained in the sanctioned person’s personnel or student file, whichever is applicable, in written or electronic format, for at least six (6) years. Copies of such documentation should be forwarded to the Privacy Official who also should maintain such documentation for the minimum retention period. Documentation of any sanction imposed against a business associate should be retained by the Privacy Official for the minimum retention period.

6. When imposing sanctions for the inappropriate use and disclosure of PHI, consideration should be given to whether the use or disclosure was made as a result of (a) carelessness or negligence, (b) curiosity or concern, or (c) the desire for personal gain or malice.


Subject: Uses and Disclosures-General Page: 1 of 2 Policy #: Policy - 19 Approved: 2011 HIPAA Section: 164.502 Revised: 02/2012 04/2013 11/2016

I. PURPOSE

To outline required and permitted uses and disclosures.

II. POLICY

FMFI cannot use or disclose PHI, except as permitted by the Privacy Regulations and these Policies.

Required Disclosures

FMFI will use or disclose PHI: (a) to a patient, when requested under, and as required by Policy-05, Patient Access to Protected Health Information, and Policy-06, Accounting of Disclosures; and (b) when required by the Secretary of the Department of Health and Human Services to investigate FMFI’s compliance with the Privacy Regulations.

Permitted Uses and Disclosures

FMFI and FMFI personnel are permitted to use or disclose PHI as follows:

(a) For treatment, payment or health care operations, as permitted by and in compliance with Policy-21, Treatment, Payment and Health Care Operations;

(b) Incident to a use or disclosure otherwise permitted or required by the Privacy Regulations as long as the minimum necessary policy (Policy-20) and the Administrative, Physical and Technical Safeguards policies (Policy-40 through 42) have been followed;

(c) Pursuant to an authorization as permitted by Policy-22, Authorization and Policy-33, Marketing;

(d) Pursuant to an agreement under, or as otherwise permitted by Policy-32, Disclosures to Family and Others Involved in Patient’s Care; and

(e) As permitted by and in compliance with Policy-23, Mental Health Records; Policy-24 through 30, Required or Permitted by Law (Abuse and Neglect; Court Orders and Subpoenas; Law Enforcement Officials; Avert Serious Threat; Special Government Functions; Public Health and Workers Compensation); Policy-32, Business Associate; Policy-34, Fundraising; and Policy-36, Limited Data Set.

Prohibited Uses and Disclosures

FMFI will not directly or indirectly receive remuneration or payment in exchange for any PHI unless FMFI obtains a valid authorization that includes a specification of whether the PHI can be further exchanged for remuneration by the entity receiving PHI of the individual. The prohibition against selling PHI will not apply if the purpose of the exchange is for:

(a) public health activities. (The Secretary may issue regulations limiting the price charged for PHI under this exception for public health activities.)

(b) research, but only if the price charged reflects the costs of preparation and transmittal of the data for such purpose.

(c) treatment of the individual, subject to any regulation that the Secretary may promulgate to prevent PHI from inappropriate access, use, or disclosure.

(d) health care operations associated with the sale, transfer, merger or consolidation of all or part of FMFI.

(e) remuneration provided by FMFI to a Business Associate pursuant to a legitimate Business Associate services contract or arrangement.

(f) providing an individual with a copy of his/her medical record; and

(g) any other purpose approved by the Secretary.


Subject: Minimum Necessary Rule Page: 1 of 3 Policy #: Policy - 20 Approved: 2011 HIPAA Section: 164.502(b) and 164.514(d) Revised: 02/2012 04/2013 11/2016

I. PURPOSE

To describe the application of the minimum necessary rule to uses, disclosure and requests for PHI.

II. POLICY

FMFI personnel will be granted the minimum access to PHI necessary to enable them to perform their job functions. To the extent FMFI personnel are granted access, personnel must make reasonable efforts to limit the Use, Disclosure of, and requests for PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. Disclosures, uses, and requests must be limited to a "limited data set" to the extent practicable and comply with any other regulations or guidance defining the "minimum necessary" issued by the Secretary. The term "limited data set" is defined in Privacy Policy-37.

The minimum necessary rule does not apply to:

(a) Disclosures to or requests by a Health Care Provider for treatment;

(b) Uses or Disclosures made to the patient or his/her legal representative (See, Policy-02, Personal Representatives, or Policy-05, Patient Access to Protected Health Information.);

(c) Uses or disclosures made pursuant to an authorization (See, Policy-22, Authorization);

(d) Disclosures made to the Secretary of the Department of Health and Human Services for compliance and enforcement of the Privacy Regulations;

(e) Uses and Disclosures required by law (See, Policy-24 through 30, Required by Law (Abuse and Neglect; Court Orders and Subpoenas; Law Enforcement Officials; Avert Serious Threat; Special Government Functions; Public Health and Workers Compensation);

(f) Uses and Disclosures required by compliance with HIPAA standardized transactions.

FMFI personnel may not use, disclose or request an entire medical record, except when the entire medical record is specifically justified as the amount that is reasonably necessary to accomplish the purpose for the use, disclosure, or request.

FMFI must designate: (1) FMFI personnel who need access to PHI to carry out their duties and (2) the level of access needed and the conditions appropriate to such access.

III. PROCEDURE

The Personnel Action Request form must be completed by a member of management for each employee and volunteer. A copy of the form must be included in the employee's file. The IT Department will assign individuals the appropriate level of access based on the information provided in the Personnel Action Request form. FMFI will periodically review the level of access assigned to each employee to ensure that only minimum access necessary has been granted. If there is a position status change within FMFI, the form must be updated and the IT Department notified and instructed to make the requested changes.

FMFI personnel who are directly involved in a patient’s treatment and care (e.g., physicians and nurses) may have access to all of the patient’s PHI. FMFI personnel who are not directly involved in a patient’s treatment may not have unlimited access to a patient’s PHI. It is a violation of the minimum necessary rule for a health care provider to access the PHI of patients with whom the provider has no treatment relationship, unless for research purposes as permitted by the Privacy Regulations and these Policies.

Disclosures

1. Routine Disclosures: FMFI will implement standard protocols, when appropriate, to limit the PHI disclosed on a routine or recurring basis.

2. Non-Routine Disclosures: All non-routine disclosures (those that do not occur on a day-to-day basis as part of treatment, payment or health care operation activities or which are required by law on a regular basis) must be reviewed by the Privacy Official. When considering non-routine disclosures, the Privacy Official should consider the following criteria: (a) the purpose of the request; (b) any potential harm that would result to the patient, FMFI, or any other third party as a result of the disclosure; (c) the relevancy of the information requested; (d) specificity of request; (e) likelihood of re-disclosure; (f) ability to achieve the same purpose with de-identified information; (g) technology available to limit disclosures of PHI; (h) cost of limiting disclosure of PHI; and (i) other applicable state and federal laws and regulations. FMFI personnel may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when: (a) making disclosures to public officials as required by law, if the public official represents that the information requested is minimum necessary for the stated purpose; (b) the information is requested by another covered entity; or (c) the information is requested by a professional who is an employee of FMFI or is a business associate of FMFI providing professional services, if the professional or business associate represents the information is the minimum necessary for the stated purpose(s).

Requests

3. Routine Requests: FMFI will implement standard protocols, when appropriate, to limit the PHI requested on a routine or recurring basis.

4. Non-Routine Requests: All non-routine requests for disclosures (those that do not occur on a day-to-day basis as part of treatment, payment or health care operation activities or which are required by law on a regular basis) must be reviewed by the Privacy Official who will consult with legal counsel as needed. Any questions regarding the propriety of a particular request must be submitted to the Privacy Official. When considering non-routine disclosures, the following criteria must be considered: (a) the reason for the request; (b) any potential harm that would result to the patient, FMFI, or any other third party as a result of the request; (c) the relevancy of the information requested; and (d) other applicable state and federal laws and regulations.


Subject: Treatment, Payment and Health Care Operations Page: 1 of 2 Policy #: Policy - 21 Approved: 2011 HIPAA Section: 164.506 Revised: 02/2012 04/2013 11/2016

I. PURPOSE

To establish consent requirements and permitted uses and disclosures for treatment, payment and health care operations.

II. POLICY

FMFI can use or disclose PHI for its own treatment, payment or health care operations.

FMFI can disclose PHI:

(a) for treatment activities of another health care provider;

(b) to another covered entity or a health care provider for the payment activities of the entity that receives the information; and

(c) to another covered entity for certain enumerated health care operations activities of the entity that receives the information, if each entity either has or had a relationship with the patient who is the subject of the PHI being requested, and the health information pertains to such relationship.

PHI can be exchanged between two covered entities for the following health care operations: (1) conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; (2) population-based activities relating to improving health or reducing health care costs; (3) protocol development; (4) case management and care coordination; (5) contacting of health care providers and patients with information about treatment alternatives; (6) reviewing the competence or qualifications of health care professionals; (7) evaluating practitioner and provider performance; (8) conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers; (9) training of non-health care professionals; and (10) accreditation, certification, licensing or credentialing activities.

FMFI can disclose PHI about an individual to another covered entity that participates in an organized health care arrangement with FMFI for any health care operation activities of the organized health care arrangement.

For uses and disclosures of a patient’s PHI other than for treatment, payment activities and health care operations of FMFI or another covered entity, an authorization of the patient pursuant to Policy-22 must be obtained unless disclosure pursuant to another Policy is permitted and/or required.


Subject: Authorizations Page: 1 of 3 Policy #: Policy - 22 Approved: 2011 HIPAA Section: 164.508 Revised: 02/2012 04/2013 11/2016

I. PURPOSE

To establish authorization requirements for uses and disclosures other than for treatment, payment and health care operations.

II. POLICY

FMFI cannot use or disclose PHI, for purposes other than treatment, payment and health care operations, without a valid written authorization from the patient, except as otherwise permitted by these Policies. When FMFI obtains or receives a valid authorization for its use or disclosure of PHI, such use or disclosure must be consistent with the authorization.

Information released pursuant to this authorization may include alcohol and/or drug abuse records protected under federal and/or state law. Re-disclosure of such alcohol and/or drug abuse records by the recipient is prohibited without specific authorization. An authorization is required to disclose information to third parties for purposes other than treatment, payment or health care operations.

Psychotherapy Notes

FMFI personnel must obtain an authorization for any use or disclosure of psychotherapy notes, except in certain circumstances. See, Policy-23, Mental Health Records.

Marketing

FMFI must obtain an authorization for any use or disclosure of PHI for marketing, except in certain circumstances. See, Policy-33, Marketing.

Fundraising

FMFI must obtain an authorization for any use or disclosure of PHI for fundraising for breast cancer awareness, research or other charitable activities of a third party entity. See, Policy-34, Fundraising.


Sale of Protected Health Information

The Notice of Proposed Rule-Making released in July 2010, if adopted, would prohibit FMFI from receiving, directly or indirectly, remuneration in exchange for PHI without an authorization from the individual specifically addressing exchanges for remuneration. There are limited exceptions that include treatment, limited healthcare operations, public health activities, research where the payment reflects the cost of preparation and transmission of data, and other disclosures either required by law or otherwise permitted by HIPAA.

Research

FMFI must obtain an authorization for any use or disclosure of PHI for research pursuant to the requirements more specifically set forth in Privacy – 35, Research.

Conditioning of Authorizations

Generally, FMFI may not condition the provision of treatment to a patient on the provision of an authorization. One exception to the prohibition on conditioning authorization relates to health care services provided at the request of a third party. For example, FMFI can require an authorization as a condition to providing a drug screening test or physical requested by an employer.

Revocation of Authorizations

FMFI must permit patients to revoke their authorizations, except to the extent FMFI has taken action in reliance on the authorization.

III. PROCEDURES

1. A valid authorization must contain all of the elements required by the Privacy Regulations. See, Form-05.A.

The Oklahoma State Department of Health ("OSDH") has drafted and approved a standard authorization form which is available on the OSDH website and is attached as Form-05.A.

2. Prior to using or disclosing PHI pursuant to an authorization, FMFI personnel must review the authorization to determine if it is valid. An authorization is not valid, if it contains any of the following defects:

(a) the expiration date has passed or the expiration event is known to have occurred;

(b) the authorization has not been filled out completely;

(c) FMFI personnel have knowledge that the authorization has been revoked;


(d) FMFI personnel have knowledge that some material information in the authorization is false;

(e) the authorization was obtained by improperly conditioning treatment upon its receipt; or

(f) if the authorization is for psychotherapy notes, it is improperly combined with another type of authorization or document.

3. If FMFI seeks an authorization from a patient for a use or disclosure of PHI, FMFI must provide the patient with a copy of the signed authorization.

4. FMFI must keep copies of authorizations for at least six (6) years.

See also, (a) 42 C.F.R. 2.31 (authorization that relates to alcohol and drug abuse); and (b) 63 Okla. Stat. § 1-502.2 (authorization that relates to communicable diseases).


Subject: Mental Health Records Page: 1 of 2 Policy #: Policy - 23 Approved: 2011 HIPAA Section: 164.508 Revised: 02/2012 04/2013 11/2016

I. PURPOSE

To establish permitted uses and disclosures of mental health records, including psychotherapy notes.

II. POLICY

Mental Health Records - General

A patient generally has the right to access his/her mental health records other than psychotherapy notes. The definition of psychotherapy notes is set forth in Policy-01. A patient can be denied access to his/her mental health records for one of the reasons set forth in Policy-05, Patient Access to Protected Health Information.

Mental health records, other than psychotherapy notes may be used and disclosed by FMFI personnel for treatment, payment and health care operations to the same extent, and subject to the same limitations, applicable to other types of PHI as set forth in these Policies.

Persons or entities not covered by the Privacy Regulations who desire access to a patient’s mental health records for purposes other than treatment, payment or health care operations must obtain an authorization as required by Policy-22, Authorization, unless otherwise permitted by these Policies. An authorization for the use or disclosure of psychotherapy notes cannot be combined with another authorization.

Psychotherapy Notes

A patient does not have a right to access psychotherapy notes relating to him/herself except (i) to the extent the patient’s treatment professional approves such access in writing; or (ii) the patient obtains a court order authorizing such access.

Remember: Psychotherapy notes have a very limited definition. They are notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record.

A patient authorization must be obtained for any use or disclosure of psychotherapy notes, except for the following purposes:

1. Use by the originator (the creator) of the psychotherapy notes for treatment purposes;

2. Use or disclosure of psychotherapy notes by FMFI personnel for conducting FMFI-related training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills in group, joint, family, or individual counseling;

3. Use or disclosure to legal counsel to defend FMFI in a legal action or other proceeding brought by the patient;

4. Use or disclosure of psychotherapy notes to the Secretary of Health and Human Services, or any other officer or employee of the Department of Health and Human Services to whom the authority has been delegated, to conduct enforcement activities;

5. Use or disclosure needed for oversight of FMFI personnel who created the psychotherapy notes;

6. Use or disclosure needed by a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law; or

7. When FMFI personnel, in good faith, believe the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.

Fairfax Medical Facilities, Inc. HIPAA Privacy and Security Policies

Subject: Required by Law-Abuse and Neglect Report – Oklahoma Law
Page: 1 of 4
Policy #: Policy - 24
Approved: 2011
HIPAA Section: 164.510
Revised: 02/2012, 04/2013, 11/2016

I. PURPOSE

To set forth requirements for abuse and neglect reporting.

II. POLICY

FMFI personnel may disclose PHI (without the patient’s consent, authorization or the opportunity to agree or object) as required by state laws regarding abuse and neglect reporting. Questions regarding whether a particular use or disclosure is required by law must be submitted to the Privacy Official, who will consult legal counsel if necessary.

III. PROCEDURE

1. Child Abuse or Neglect.

All FMFI personnel who have reason to believe that a child under the age of 18 is a victim of abuse or neglect must promptly notify the State Department of Human Services. 10A O.S. § 1-2-101 et seq. Reports of abuse or neglect may be made by telephone, in writing, or in person. Verbal reports must be reduced to writing as soon as practicable.

2. Adult Victims of Abuse and Neglect.

FMFI personnel who have reasonable cause to believe that a Vulnerable Adult is suffering from abuse, neglect, or financial exploitation shall promptly report the matter to the State Department of Human Services, to the office of the district attorney in the county in which the suspected abuse, neglect, or exploitation occurred, or to the appropriate city police department or sheriff’s department. 43A O.S. § 10-101 et seq.

The report must contain the name and address of the Vulnerable Adult, the name and address of the caretaker, if any, and a description of the current location and current condition of the Vulnerable Adult and of the situation which may constitute abuse, neglect or exploitation of the Vulnerable Adult.

3. Domestic Abuse.


FMFI personnel are not required to report what appears to be domestic abuse unless requested to do so by the victim. 22 O.S. § 58.

Fairfax Medical Facilities, Inc. HIPAA Privacy and Security Policies

Subject: Required by Law-Court Orders and Subpoenas – Oklahoma
Page: 1 of 2
Policy #: Policy - 25
Approved: 2011
HIPAA Section: 164.510(a)
Revised: 02/2012, 04/2013, 11/2016

I. PURPOSE

To set forth requirements for disclosing PHI pursuant to court orders and subpoenas.

II. POLICY

FMFI personnel may disclose PHI pursuant to a court order or subpoena as set forth below. Questions regarding whether a particular use or disclosure is required by law must be submitted to the Privacy Official, who will consult legal counsel if necessary. All legal documents, such as subpoenas and court orders, must be submitted to the Privacy Official to determine if they are legally valid.

III. PROCEDURE

1. Court Orders. A court order is a direction of the court which directs a party to produce certain specified documents. FMFI personnel must immediately forward each court order to FMFI’s Privacy Official. Upon determining that the court order is valid and meets all legal requirements, FMFI should release the information requested. The patient whose records are being requested is not required to provide an authorization to disclose the records pursuant to a court order.

(a) Special Requirements for Court Orders Relating to Substance Abuse Records. Records of the identity, diagnosis, prognosis, or treatment of FMFI patients maintained in connection with substance abuse education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or assisted by any United States department or agency, shall be confidential.

The content of these records may be disclosed to third parties as follows: (i) in accordance with the patient’s prior written consent; (ii) to medical personnel to the extent necessary to meet a bona fide medical emergency; (iii) to qualified personnel for the purpose of conducting scientific research, management audits, financial audits, or program evaluation only if the patient is not identified directly or indirectly; (iv) upon receipt of a valid court order that meets all of the requirements of 42 C.F.R. Part 2.


2. Subpoenas. A subpoena is a unilateral request of a party for the production of documents. A subpoena is not generally approved by a judge. Therefore, it is important for FMFI to determine whether the patient’s authorization or a court order is required for the release.

If a subpoena is served on FMFI requesting a patient's PHI, the safest course of action is to obtain a patient authorization for the disclosure. Such authorization must comply with the HIPAA Privacy Regulations. Under Oklahoma law, in a negligence action, upon written request by the defendant, the plaintiff is required to furnish the defendant with an authorization for the release of any and all relevant medical records related to the plaintiff for the five (5) years preceding the incident giving rise to the lawsuit. 12 Okla. Stat. § 19.1. If it is not clear that the physician-patient privilege has been waived and the circumstances for the exception have been met, then the safest course of action is to obtain patient authorization for the release. FMFI's Privacy Official should consult with legal counsel to determine whether FMFI should file an appropriate motion or written objection.

Fairfax Medical Facilities, Inc. HIPAA Privacy and Security Policies

Subject: Required by Law-Law Enforcement Officials
Page: 1 of 3
Policy #: Policy - 26
Approved: 2011
HIPAA Section: 164.510(a)
Revised: 02/2012, 04/2013, 11/2016

I. PURPOSE

To set forth requirements for disclosing PHI to law enforcement officials.

II. POLICY

FMFI personnel may disclose PHI (without the patient’s consent, authorization or the opportunity to agree or object) to law enforcement officials as set forth below. Questions regarding whether PHI should be disclosed to a law enforcement officer should be submitted to the Privacy Official, who will consult legal counsel if necessary.

III. PROCEDURE

1. Certain limited PHI may be disclosed regarding a patient to a law enforcement official who requests such information to identify or locate a suspect, fugitive, material witness, or missing person. Absent a request, such information may not be disclosed. A request may be made orally or in writing and may include a general request seeking the public’s assistance in identifying a suspect, fugitive, material witness, or missing person. A “law enforcement official” means an officer or employee of any agency or authority of the United States, State, Indian tribe, county, city, town or municipality, who is empowered by law to (i) investigate or conduct an official inquiry into a potential violation of law; or (ii) prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.

If a request is made by a law enforcement official for a patient’s PHI, the Privacy Official should be immediately contacted to authenticate the request for disclosure and to determine whether the official is authorized to make such a request. Before releasing any information to the law enforcement official, a signed and dated agreement must be obtained from the official stating that the official will take reasonable steps to safeguard the information and will either return the disclosed PHI or notify FMFI that the PHI has been destroyed. A record of the disclosure and a copy of the agreement shall be placed in the patient’s file.

The disclosure of PHI pursuant to this section is limited only to the following:

(a) Name and address

(b) Date and place of birth

(c) Social security number

(d) ABO blood type and Rh factor

(e) Type of injury, if applicable

(f) Date and time of treatment

(g) Date and time of death, if applicable

(h) A description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair, scars and tattoos.

2. FMFI may disclose PHI to law enforcement officials pursuant to an administrative request (including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized by Federal or State law), so long as (i) the information sought is relevant and material to a legitimate law enforcement inquiry; (ii) the request is specific and limited in scope to the extent reasonably possible; and (iii) de-identified information cannot reasonably be used.

3. In addition to other disclosures regarding potential victims of a crime discussed in this policy, FMFI may disclose to law enforcement officials information about a patient who is suspected to be a victim of a crime, if (i) the patient consents to the disclosure; or (ii) if the patient is unable to provide consent, all of the following requirements are met: (a) the law enforcement official represents that such information is needed to determine whether a violation of law by a person other than the patient has occurred, and such information is not intended to be used against the patient and that immediate law enforcement activity that depends on the disclosure would be materially and adversely affected by waiting until the patient is able to consent; and (b) the disclosure is in the best interest of the patient as determined by FMFI personnel, in the exercise of professional judgment.

4. FMFI may disclose to a law enforcement official PHI that FMFI personnel believe in good faith constitutes evidence of criminal conduct that occurred on FMFI property.

5. FMFI personnel providing emergency health care in response to a medical emergency, other than an emergency on FMFI property, may disclose PHI to a law enforcement official if the disclosure appears necessary to alert law enforcement to: (i) the commission and nature of a crime; (ii) the location of such crime or that of the victim(s) of such crime; and (iii) the identity, description, and location of the perpetrator of such crime.

Do not disclose any of the following information for the purpose of identifying or locating a person under paragraph 1 above: DNA data and analyses, dental records, or typing, samples or analyses of tissue or bodily fluids, other than the ABO blood type and Rh factor permitted under paragraph 1(d).

Fairfax Medical Facilities, Inc. HIPAA Privacy and Security Policies

Subject: Required by Law-Avert Serious Harm or Threat
Page: 1 of 1
Policy #: Policy - 27 (Uses & Disclosures)
Approved: 2011
HIPAA Section: 164.510(a)
Revised: 02/2012, 04/2013, 11/2016

I. PURPOSE

To set forth requirements for disclosing PHI to avert serious harm or threats.

II. POLICY

FMFI personnel may disclose PHI (without the patient’s consent, authorization or the opportunity to agree or object) to avert serious threats to health and safety.

III. PROCEDURE

FMFI personnel may, consistent with applicable law and ethical standards, use or disclose PHI if FMFI personnel, in good faith, believe such use and disclosure:

(a) is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public and the disclosure is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat; or

(b) is necessary for law enforcement authorities to identify or apprehend an individual who (i) has made a statement admitting participation in a violent crime that FMFI personnel reasonably believe may have caused serious physical harm to the victim (provided that no disclosure may be made under this circumstance if the statement is made during the course of treatment to affect the propensity to commit the criminal conduct that is the basis for the disclosure, or during actual counseling or therapy, or during a request to initiate such treatment); or (ii) escaped from a correctional institution or from lawful custody.


Fairfax Medical Facilities, Inc. HIPAA Privacy and Security Policies

Subject: Required by Law-Special Government Functions
Page: 1 of 2
Policy #: Policy - 28 (Uses & Disclosures)
Approved: 2011
HIPAA Section: 164.510(a)
Revised: 02/2012, 04/2013, 11/2016

I. PURPOSE

To set forth requirements for disclosing PHI for special government functions.

II. POLICY

FMFI personnel may disclose PHI (without the patient’s consent, authorization or the opportunity to agree or object) for special government functions as set forth below.

III. PROCEDURE

1. FMFI may use and disclose PHI of patients who are members of the United States or foreign armed forces for activities deemed necessary by appropriate military command authorities to assure the proper execution of the military mission.

2. FMFI may disclose PHI to authorized federal officials for the conduct of lawful intelligence, counter-intelligence and other national security activities authorized by the National Security Act, and to protect the President of the United States and certain other public officials as authorized by law.

3. FMFI may disclose to a correctional institution or law enforcement official having lawful custody of an inmate or other individual, and the correctional institution or law enforcement official may use PHI about such individual, if the correctional institution or such law enforcement official represents that such PHI is necessary for: (i) the provision of health care to such individuals; (ii) the health and safety of such individual or other inmates; (iii) the health and safety of the officers or employees of or others at the correctional institution or other persons responsible for the transporting of inmates; (iv) law enforcement on the premises of the correctional institution; and/or (v) the administration and maintenance of the safety, security, and good order of the correctional institution.


Fairfax Medical Facilities, Inc. HIPAA Privacy and Security Policies

Subject: Required by Law-Public Health Reporting and Oversight Activities – Oklahoma
Page: 1 of 5
Policy #: Policy - 29 (Uses & Disclosures)
Approved: 2011
HIPAA Section: 164.510(a)
Revised: 02/2012, 04/2013, 11/2016

I. PURPOSE

To set forth requirements for disclosing PHI pursuant to state laws related to public health reporting.

II. POLICY

FMFI personnel may disclose PHI (without the patient’s consent, authorization or the opportunity to agree or object) as required by state laws related to public health reporting. Questions regarding whether a particular use or disclosure is required by law must be submitted to the Privacy Official, who will consult legal counsel if necessary.

III. PROCEDURE

FMFI personnel may disclose PHI without the written authorization of the patient to the appropriate state or federal health authority conducting public health surveillance, public health investigations or public health interventions, and to the Food and Drug Administration for regulatory oversight, in accordance with the requirements and conditions specified in the statutes governing such disclosures. Examples of such permitted disclosures include, but are not limited to, the following:

Subject | OK Statute/OK Regulation
Reports of Disease – Public Hazard | 63 O.S. § 1-503 / OAC 310:515-1-1 et seq.
Reports of Communicable Diseases | 63 O.S. § 1-502 / OAC 310:515-1-1 et seq.
Tumor/Cancer Registry | 63 O.S. § 1-551.1 / OAC 310:567-3-1 et seq.
Organ/Tissue Donation | 63 O.S. § 2200.1A et seq.

Federal Law | OK Statute
42 U.S.C. § 1320a-7(b): DHHS authority to verify compliance with Conditions of Participation and payment fraud and abuse laws | 56 Okla. Stat. §§ 1003 and 1004: Creation of Medicaid Fraud Control Unit
45 C.F.R. § 80.6: Office for Civil Rights authority for compliance reviews of discrimination laws | 56 Okla. Stat. § 63: Responsibilities of Department of Human Services (rules and regulations)
50 U.S.C. § 403q(e)(5), 42 U.S.C. § 1320a-7(b)(12)(c) and 42 U.S.C. § 1320a-7b(12)(D): DHHS OIG authority to issue subpoenas and conduct investigations |
31 U.S.C. §§ 3729-3733; 18 U.S.C. § 3486 | State Attorney General Authority and Administrative Subpoenas
31 U.S.C. § 3733: Civil Investigative Demands |

Fairfax Medical Facilities, Inc. HIPAA Privacy and Security Policies

Subject: Required by Law-Workers Compensation – Oklahoma
Page: 1 of 2
Policy #: Policy - 30 (Uses & Disclosures)
Approved: 2011
HIPAA Section:
Revised: 02/2012, 04/2013, 11/2016

I. PURPOSE

To set forth requirements for disclosing PHI related to Workers’ Compensation cases.

II. POLICY

FMFI personnel may disclose PHI (without the patient’s consent, authorization or the opportunity to agree or object) as required by state workers’ compensation laws.

III. PROCEDURE

Under the Oklahoma Workers’ Compensation Code, an employer is required to provide to an injured employee certain medical services as may be necessary after an injury which occurred during the course of his/her employment.

The attending or treating physician is required and authorized to supply the injured employee or employee’s dependents, the employer, the employer's insurer, the Workers’ Compensation Commission, and the Workers’ Compensation Fraud Investigation Unit with certain medical information. Patient authorization is not needed to supply the information required by the Workers' Compensation Code.

Under the Oklahoma Workers’ Compensation Act, an employee who participates in the benefits of the Act is deemed to consent to the treating physician making these reports. Thus, patient authorization is not required. However, uses and disclosures made under this section must be limited only to that PHI which is relevant to the injury for which benefits are sought.

See, 85A O.S. §§ 50 and 58, et seq.


Fairfax Medical Facilities, Inc. HIPAA Privacy and Security Policies

Subject: Disclosures to Family and Others Involved in Patient's Care
Page: 1 of 2
Policy #: Policy - 31 (Uses & Disclosures)
Approved: 2011
HIPAA Section: 164.510(b)
Revised: 02/2012, 04/2013, 11/2016

I. PURPOSE

To articulate conditions under which family and friends can be notified of a patient’s condition.

II. POLICY

FMFI personnel may disclose PHI to a patient’s family member, other relative, or a close personal friend of the individual, or any other person identified by the individual, as long as the PHI disclosed is relevant to the person’s involvement with the patient’s care or payment related to the patient’s health care.

FMFI personnel may use or disclose PHI to notify, or assist in the notification of (including identifying or locating), a family member, a personal representative of the patient, or another person responsible for the care of the patient of the individual’s location, general condition, or death.

FMFI personnel may use or disclose PHI to a public or private entity authorized by law or by its charter to assist in disaster relief efforts. The PHI that may be released is limited to the individual’s location, general condition, or death.

III. PROCEDURES

1. Patient is Present - If the patient is present for, or otherwise available prior to, a use or disclosure to a family member or friend as described above and has the capacity to make health care decisions, FMFI personnel may use or disclose the PHI if he/she:

(a) Obtains the patient’s agreement and documents the agreement in the patient’s medical record;

(b) Provides the patient with the opportunity to object to the disclosure, the patient does not express an objection, and FMFI personnel document the lack of objection in the patient’s medical record; or

(c) Reasonably infers from the circumstances, based on the exercise of professional judgment, that the patient does not object to the disclosure.

2. Patient is not Present - If the patient is not present, or the opportunity to agree or object to the use or disclosure cannot practicably be provided because of the patient’s incapacity or an emergency circumstance, FMFI personnel may, in the exercise of professional judgment, determine whether the disclosure is in the best interests of the patient and, if so, disclose only the PHI that is directly relevant to the person’s involvement with the patient’s health care. FMFI personnel may use professional judgment and his/her experience with common practice to make reasonable inferences of the patient’s best interest in allowing a person to act on behalf of the patient to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of PHI.

3. The following criteria should be considered when determining whether it is in the patient’s best interest to disclose the PHI to a family member or friend:

(a) Whether the potential disclosure is common practice;

(b) The nature of the relationship between the parties;

(c) The sensitive nature of the information being disclosed;

(d) The ability of the patient to manage necessary tasks (e.g., pick up prescriptions, medical supplies, X-rays, or other forms of PHI); and

(e) Whether the incapacitated patient is a suspected victim of domestic violence and whether the person seeking information about the patient may have abused the patient. In these instances FMFI personnel should not disclose information to the suspected abuser if there is reason to believe that such a disclosure could cause the patient harm.

4. FMFI personnel are not required to verify the relationship of relatives or other individuals involved in the patient’s care. FMFI personnel may simply inquire into the individual’s relationship with the patient. The patient’s act of involving the other person in his/her care also may suffice as verification of their identity.

Fairfax Medical Facilities, Inc. HIPAA Privacy and Security Policies

Subject: Business Associates
Page: 1 of 1
Policy #: Policy - 32 (Uses & Disclosures)
Approved: 2011
HIPAA Section: 164.502(e), 164.504(e) and 164.532
Revised: 02/2012, 04/2013, 11/2016

I. PURPOSE

To establish requirements regarding uses and disclosures of PHI to business associates.

II. POLICY

FMFI may disclose PHI to a business associate, and may allow a business associate to create or receive PHI on its behalf, if FMFI has executed an agreement with the business associate which contains language requiring the business associate to appropriately safeguard the PHI.

If FMFI knows of a pattern of activity or practice of a business associate that constitutes a material breach or violation of the business associate’s obligation under the business associate agreement, FMFI must take reasonable steps to cure the breach or end the violation. If such steps are unsuccessful, the business associate agreement must be terminated or, if termination is not possible, the problem with the business associate must be reported to the Secretary of the Department of Health and Human Services.

Business associates must implement administrative, physical and technical safeguards, in addition to implementing appropriate policies and procedures to comply with such safeguards, in accordance with the HIPAA Security Rule in the same manner that such requirements apply to Covered Entities. Business associates also will be required to comply with the provisions of the HIPAA Privacy Rule and to ensure Covered Entities address material violations of the business associate arrangement. Business associates who provide any services through subcontractors must enter into written business associate agreements with such subcontractors that comply with all requirements of the HIPAA Privacy and Security Rules.

III. PROCEDURE

The FMFI Privacy Official will be responsible for identifying business associates and drafting and implementing the appropriate business associate language and/or agreements. All contracts must be reviewed in accordance with FMFI policies.

A Business Associate Agreement is attached as Form-31.


Fairfax Medical Facilities, Inc. HIPAA Privacy and Security Policies

Subject: Marketing
Page: 1 of 1
Policy #: Policy - 33 (Uses & Disclosures)
Approved: 2011
HIPAA Section: 164.508(a)(3)
Revised: 02/2012, 04/2013, 11/2016

I. PURPOSE

To establish requirements pertaining to the use and disclosure of PHI for marketing purposes.

II. POLICY

FMFI must obtain an authorization for any use or disclosure of PHI for marketing, except if the communication is in the form of: (a) a face-to-face communication made by FMFI personnel to an individual; or (b) a promotional gift of nominal value. (See Policy-01, Definitions, for the definition of "marketing".)

As noted in Policy-01, Definitions, the term "marketing" does not include communications made without any form of remuneration which are made (a) to describe medical services or products provided by FMFI; (b) for treatment of the individual; or (c) for case management or care coordination for the individual or to direct or recommend alternative treatments, therapies, providers or settings.

III. PROCEDURE

If FMFI receives any direct or indirect payment from a third party for making a communication, even if it falls within one of the exclusions to the definition of "marketing" set forth above, an authorization from the patient must be obtained. For example, if FMFI receives payment to recommend a specific product to a patient, it would be deemed "marketing" and a patient authorization would be required. Such authorization must specifically state that payment is involved. See Policy-22, Authorization, for the requirements of a valid authorization.

Authorizations for marketing should be kept in a patient’s medical record for at least six (6) years from the date it was signed. The definition of “marketing” contains several very limited exceptions. Authorization is not required for activities that are expressly excluded from the definition unless remuneration from a third party is received.


Fairfax Medical Facilities, Inc. HIPAA Privacy and Security Policies

Subject: Fundraising
Page: 1 of 2
Policy #: Policy - 34 (Uses & Disclosures)
Approved: 2011
HIPAA Section: 164.514(f)(1)
Revised: 02/2012, 04/2013, 11/2016

I. PURPOSE

To establish requirements pertaining to the use and disclosure of PHI for fundraising purposes.

II. POLICY

FMFI may use, or disclose to a business associate or to an institutionally related foundation, the following PHI for the purpose of raising funds for its own benefit, without an authorization: (a) demographic information relating to an individual; (b) health insurance status; (c) dates of health care provided to an individual; (d) general type of department in which the patient was served; (e) treating physician information; and (f) outcome information. Any use or disclosure for fundraising purposes beyond the above-stated permissible information requires the patient’s authorization. Demographic information includes the patient’s name, address, age and gender. It does not include the use or disclosure of any information about the patient’s illness or treatment. See Policy-22, Authorization, for requirements of a valid authorization. This restriction makes “grateful patient” campaigns for particular FMFI services infeasible.

A patient’s demographic information and dates of receipt of health care services may not be used or disclosed without the patient’s authorization for fundraising purposes unless the following requirements are met:

1. FMFI’s Privacy Notice must contain a statement that FMFI may contact the patient to raise money for FMFI;

2. The Privacy Notice and all fundraising materials must describe the procedures for a patient to opt out of receiving any additional fundraising communications; and

3. When a patient elects to opt out of receiving further fundraising communications, such election will be treated as a revocation of authorization and no further fundraising communications may be sent by FMFI.


III. PROCEDURE

1. All fundraising materials directed to patients, as well as the Notice of Privacy Practices, must indicate that a patient can opt out of receiving fundraising materials from FMFI, or from a Business Associate or related foundation on FMFI’s behalf, by sending a letter or e-mail to FMFI’s Privacy Official.

2. All fundraising campaigns directed at patients must be approved by FMFI's Privacy Official.

Fairfax Medical Facilities, Inc. HIPAA Privacy and Security Policies

Subject: Research
Page: 1 of 1
Policy #: Policy - 35 (Uses & Disclosures)
Approved: 2011
HIPAA Section: 164.512(i)(1)
Revised: 02/2012, 04/2013, 11/2016

I. PURPOSE

To establish requirements pertaining to the use and disclosure of PHI for research purposes.

II. POLICY

FMFI personnel may disclose PHI (without the patient’s consent, authorization or the opportunity to agree or object) for research, regardless of the source of the funding of the research, provided that the requirements set forth below are met.

III. PROCEDURE

1. Board Approval of a Waiver of Authorization. FMFI obtains documentation that an alteration to or waiver, in whole or in part, of the individual authorization required by 45 C.F.R. § 164.508 has been approved by either of the following (the documentation must meet all of the requirements set forth in paragraph 4 below):

(a) An Institutional Review Board (IRB), established in accordance with

7 C.F.R. § 1c.107; 10 C.F.R. § 745.107; 14 C.F.R. § 1230.107; 15 C.F.R. § 27.107; 16 C.F.R. § 1028.107; 21 C.F.R. § 56.107; 22 C.F.R. § 225.107; 24 C.F.R. § 60.107; 28 C.F.R. § 46.107; 32 C.F.R. § 319.107; 34 C.F.R. § 97.107; 38 C.F.R. § 16.107; 40 C.F.R. § 26.107; 45 C.F.R. § 46.107; 45 C.F.R. § 690.107 or 49 C.F.R. § 11.107; or

(b) a privacy board that satisfies the requirements set forth at 45

C.F.R. § 164.514(i)(1)(B).

2. Review Preparatory to Research. FMFI obtains from the researcher representations that:

(a) Use or disclosure is sought solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research;

(b) No PHI is to be removed from the covered entity by the researcher in the course of the review; and

(c) The PHI for which use or access is sought is necessary for the research purposes.

3. Research on Decedent's Information. FMFI obtains from the researcher:

(a) Representation that the use or disclosure is sought solely for research on the PHI of decedents;

(b) Documentation, at the request of the covered entity, of the death of such individuals; and

(c) Representation that the PHI for which use or disclosure is sought is necessary for the research purposes.

4. Documentation of Waiver Approval. For a use or disclosure to be permitted based on documentation of approval of an alteration or waiver under Paragraph 1 above, the documentation must include all of the following:

(a) Identification and date of action: A statement identifying the IRB or privacy board and the date on which the alteration or waiver of authorization was approved.

(b) Waiver criteria: A statement that the IRB or privacy board has determined that the alteration or waiver, in whole or in part, of authorization satisfies the following criteria:

(i) The use or disclosure of PHI involves no more than minimal risk to the individuals;

(ii) The alteration or waiver will not adversely affect the privacy rights and the welfare of the individuals;

(iii) The research could not practicably be conducted without the alteration or waiver;

(iv) The research could not practicably be conducted without access to and use of the PHI;

(v) The privacy risks to individuals whose PHI is to be used or disclosed are reasonable in relation to the anticipated benefits, if any, to the individuals, and the importance of the knowledge that may reasonably be expected to result from the research;

(vi) There is an adequate plan to protect the identifiers from improper use and disclosure;

(vii) There is an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers, or such retention is otherwise required by law; and

(viii) There are adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of PHI would be permitted by the HIPAA regulations.

(c) Protected Health Information Needed: A brief description of the PHI for which use or access has been determined to be necessary by the IRB or privacy board, pursuant to paragraph 4.b.iv above.

(d) Review and Approval Procedures: A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures, as follows:

(i) An IRB must follow the requirements of the Common Rule, including the normal review procedures;

(ii) A privacy board must review the proposed research at convened meetings at which a majority of the privacy board members are present, including at least one member who is not affiliated with the covered entity, not affiliated with any entity conducting or sponsoring the research, and not related to any person who is affiliated with any of such entities;

(iii) A privacy board may use an expedited review procedure if the research involves no more than minimal risk to the privacy of the individuals who are the subject of the PHI for which use or disclosure is being sought. If the privacy board elects to use an expedited review procedure, the review and approval of the alteration or waiver of authorization may be carried out by the chair of the privacy board, or by one or more members of the privacy board as designated by the chair; and

(e) Required Signature: The documentation of the alteration or waiver of authorization must be signed by the chair or other member, as designated by the chair, of the IRB or the privacy board, as applicable.

Fairfax Medical Facilities, Inc. HIPAA Privacy and Security Policies

Subject: Limited Data Sets Page: 1 of 3 Policy #: Policy - 36 (Uses & Disclosures) Approved: 2011 HIPAA Section: 164.514(e) Revised: 02/2012 04/2013 11/2016

I. PURPOSE

To establish permitted uses of limited data sets and the method for creating them.

II. POLICY

FMFI may use and disclose a limited data set without patient authorization only for the purposes of research, public health or health care operations, and only if FMFI enters into a data use agreement with the intended recipient of the limited data set.

FMFI may use PHI to create a limited data set, or disclose PHI to a business associate to create a limited data set on behalf of FMFI.

If FMFI knows of a pattern of activity or practice of the limited data set recipient that constitutes a material breach or violation of the data use agreement, FMFI must take reasonable steps to cure the breach or end the violation, as applicable. If such steps are unsuccessful, FMFI must discontinue disclosure of PHI to the recipient and report the problem to the Secretary of the Department of Health and Human Services.

A limited data set is PHI that does not directly identify the patient, but which contains certain potentially identifying information.

III. PROCEDURE

1. Limited Data Set. In order to create a limited data set, the following direct identifiers of the patient or of relatives, employers or household members of the patient must be removed:

(a) Names

(b) Postal address information, other than town, city, state, and zip codes

(c) Telephone numbers

(d) Fax numbers

(e) Electronic mail addresses

(f) Social security numbers


(g) Medical record numbers

(h) Health plan beneficiary numbers

(i) Account numbers

(j) Certificate/license numbers

(k) Vehicle identifiers and serial numbers, including license plate numbers

(l) Device identifiers and serial numbers

(m) Web Universal Resource Locators (URLs)

(n) Internet Protocol (IP) address numbers

(o) Biometric identifiers, including finger and voiceprints

(p) Full-face photographs and comparable images

The patient’s birth date should only be disclosed if FMFI and the recipient of the information agree that it is needed for their purpose.

2. All data use agreements must be approved by the Privacy Official prior to execution. A Data Use Agreement must:

(a) Establish the permitted uses and disclosures of the limited data set

(b) Establish who is permitted to use or receive the limited data set

(c) Provide that the recipient of the information will:

(i) Not use or further disclose the information other than as permitted by the agreement

(ii) Use appropriate safeguards to prevent use or disclosure other than as permitted by the agreement

(iii) Report to FMFI any uses or disclosures the recipient becomes aware of that are not provided for by the agreement

(iv) Ensure that the recipient’s agents who have access to the information agree to the same restrictions as imposed on the recipient

(v) Not identify the information or contact the patients

Fairfax Medical Facilities, Inc. HIPAA Privacy and Security Policies

Subject: De-Identified Information Page: 1 of 3 Policy #: Policy - 37 (Uses & Disclosures) Approved: 2011 HIPAA Section: 164.502(d) and 164.514(a) & (b) Revised: 02/2012 04/2013 11/2016

I. PURPOSE

To establish the method for de-identifying health information.

II. POLICY

De-Identified Information

FMFI can use and disclose de-identified health information without regard to the Policies, as long as the code or other means of identification designed to permit re-identification is not disclosed.

FMFI may use PHI to create information that is not individually identifiable health information, or disclose PHI to a Business Associate to de-identify health information on behalf of FMFI. If de-identified information is re-identified, its use and disclosure becomes subject to regulation under the Policies. Health information that does not identify the patient, and for which there is no reasonable basis to believe that it can be used to identify the patient (“de-identified information”), is not considered PHI and is not subject to the requirements of this policy.

III. PROCEDURE

Health information can be de-identified by using one of the two methods listed below:

1. Safe Harbor. The following identifiers of the patient or of the relatives, employers, or household members of the patient are removed:

(a) Names

(b) Geographic subdivisions smaller than a state, such as street address, city, county, and zip code, except for the initial three digits of a zip code as described in (c)

(c) The initial three digits of a zip code may be retained only if the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; if it has fewer than 20,000, the initial three digits are changed to 000 (for example, for the zip code 73069, all areas using zip codes beginning with 730 contain more than 20,000 people in the aggregate, so 730 may be retained).


(d) All elements of dates (except year) for dates directly related to the patient, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age.

(e) Telephone numbers

(f) Fax Numbers

(g) E-mail addresses

(h) Social security numbers

(i) Medical record numbers

(j) Health plan beneficiary numbers

(k) Account numbers

(l) Certificate/license numbers

(m) Vehicle identifiers, serial numbers, license plate numbers

(n) Device identifiers and serial numbers

(o) Web Universal Resource Locators (URLs)

(p) Internet Protocol (IP) address numbers

(q) Biometric identifiers, including finger and voiceprints

(r) Full face photographic images and other comparable images

(s) All other unique identifying numbers, characteristics, or codes.

2. Alternative Method of De-Identification. A biostatistician or other person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable must apply such principles and methods and determine that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify the individual who is the subject of the information. The person making this determination must document the methods and results of the analysis that justify the determination.

FMFI may assign a code or other means of record identification to allow de-identified information to be re-identified, provided that:


(a) Derivation. The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and

(b) Security. The code, and/or mechanism for re-identification, is not used or disclosed for any other purpose.
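The two de-identification procedures above (Policy 36's limited data set, which strips direct identifiers but keeps dates and town/city/state/zip, and Policy 37's Safe Harbor method with its zip code, date and over-89 age rules) together with the re-identification code requirements in (a) and (b), as an added Python example that is not part of FMFI's policies. The record field names, the sample values and the LOW_POPULATION_ZIP3 placeholder set are assumptions constructed for this illustration; the real set of sparse three-digit zip prefixes must come from current public Census data.

```python
"""Limited data set, Safe Harbor de-identification and a re-identification
code map (Policies 36 and 37). Field names and sample values are constructed."""
from __future__ import annotations
import re
import secrets
from datetime import date

# Direct identifiers a limited data set must strip (Policy 36, items (a)-(p)).
LIMITED_DATA_SET_REMOVE = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo",
})
# Safe Harbor (Policy 37) also removes geography finer than state, every date
# element except the year, and any other unique code.
SAFE_HARBOR_REMOVE = LIMITED_DATA_SET_REMOVE | {"city", "county", "other_unique_code"}
DATE_FIELDS = ("birth_date", "admission_date", "discharge_date", "death_date")

# Constructed placeholder: three-digit zip prefixes whose combined population
# does not exceed 20,000. Replace with the current Census-derived list.
LOW_POPULATION_ZIP3 = frozenset({"036", "059", "102"})


def safe_harbor_zip(zip_code: str) -> str:
    """Keep only the first three digits, or 000 when that prefix area is sparse."""
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    if len(zip3) < 3 or zip3 in LOW_POPULATION_ZIP3:
        return "000"
    return zip3


def safe_harbor_age(age: int) -> str:
    """All ages over 89 collapse into one category."""
    return "90+" if age > 89 else str(age)


def make_limited_data_set(record: dict, keep_birth_date: bool = False) -> dict:
    """Policy 36: remove the direct identifiers; keep dates, town/city/state/zip.
    Birth date stays only when FMFI and the recipient agree it is needed."""
    out = {k: v for k, v in record.items() if k not in LIMITED_DATA_SET_REMOVE}
    if not keep_birth_date:
        out.pop("birth_date", None)
    return out


def safe_harbor_deidentify(record: dict) -> dict:
    """Policy 37 method 1: remove identifiers (a)-(s), reduce dates to the year,
    truncate zip codes and cap ages over 89."""
    out: dict = {}
    for key, value in record.items():
        if key in SAFE_HARBOR_REMOVE:
            continue
        if key in DATE_FIELDS:
            if isinstance(value, date):
                out[key + "_year"] = value.year
            continue
        if key == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif key == "age":
            out["age"] = safe_harbor_age(value)
        else:
            out[key] = value
    # Item (d): a birth year for someone over 89 would reveal the age, so drop it.
    if out.get("age") == "90+":
        out.pop("birth_date_year", None)
    return out


class ReidentificationMap:
    """Re-identification code meeting (a) and (b): a random token that is not
    derived from the patient's data (a hash of the MRN would be derived from
    it and would not qualify), with the token-to-MRN table held separately and
    never released together with the de-identified set."""

    def __init__(self) -> None:
        self._token_to_mrn: dict[str, str] = {}

    def assign(self, mrn: str) -> str:
        token = secrets.token_hex(16)  # random, so it cannot be translated back
        self._token_to_mrn[token] = mrn
        return token

    def lookup(self, token: str) -> str | None:
        return self._token_to_mrn.get(token)


# Constructed sample record (not real patient data).
SAMPLE = {
    "name": "Jane Example", "street_address": "12 Main St", "city": "Norman",
    "state": "OK", "zip": "73069", "phone": "405-555-0100",
    "email": "jane@example.invalid", "ssn": "000-00-0000", "mrn": "MRN-0001",
    "birth_date": date(1924, 5, 2), "admission_date": date(2016, 11, 3),
    "age": 92, "diagnosis_code": "E11.9",
}

if __name__ == "__main__":
    print(make_limited_data_set(SAMPLE))
    print(safe_harbor_deidentify(SAMPLE))
```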

Fairfax Medical Facilities, Inc. HIPAA Privacy and Security Policies

Subject: Breach Notification Page: 1 of 4 Policy #: Policy - 38 Approved: 2011 HIPAA Section: 164.402-414 Revised: 02/2012 04/2013 11/2016

I. PURPOSE

To establish a breach notification process applicable to unsecured PHI.

II. POLICY

In the event FMFI discovers a breach of unsecured PHI (as defined in Policy-01), FMFI will conduct and document a risk assessment and notify each individual whose unsecured PHI has been, or is reasonably believed by FMFI to have been, accessed, acquired, or disclosed as a result of such breach. The notification requirement applies to any Unsecured PHI accessed, maintained, retained, modified, recorded, stored, destroyed, or otherwise held, used or disclosed by FMFI. The notification requirements also apply to breaches committed by FMFI or one of its business associates.

For purposes of this Policy, a breach will be treated as discovered by FMFI or a business associate as of the first day on which the breach is known, or by exercising reasonable diligence would have been known, to FMFI or one of its business associates, respectively (including to any person, other than the individual committing the breach, who is an employee, officer, or other agent of FMFI or of a business associate, respectively).

DEFINITION OF 'BREACH':

The term 'breach' means the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.

The term 'breach' does not include:

(a) any unintentional acquisition, access, or use of PHI by an employee or individual acting under the authority of FMFI or a business associate if:

(i) such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee or individual, respectively, with FMFI or a business associate; and

(ii) such information is not further acquired, accessed, used, or disclosed by any person; or

(b) any inadvertent disclosure from an individual who is otherwise authorized to access PHI at a facility operated by FMFI or a business associate to another similarly situated individual at the same facility; and

(c) any such information received as a result of such disclosure is not further acquired, accessed, used, or disclosed without authorization by any person.

III. PROCEDURES

1. Risk Assessment. FMFI must perform a breach notification risk assessment to determine if notification of patients and others is required.

2. Deadline for Notice. FMFI must provide notification of a breach of unsecured PHI without unreasonable delay, but in no case later than sixty (60) calendar days after discovery of the breach, unless immediate notice is required as set forth in Sections 3(a)(iii) or 3(c) below; notification must be delayed where a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security.

3. Methods of Notice.

(a) Individual Notice. Notice of a breach provided to an individual must meet the following requirements:

(i) The notice must be written and delivered to the individual by first-class mail addressed to the individual (or the next of kin of the individual if the individual is deceased) at the individual's (or next of kin's) last known address. In the alternative, if the individual (or next of kin) has so specified, the notification may be delivered by electronic mail. The notification may be provided in one or more mailings as information becomes available.

(ii) In the case in which there is insufficient or out-of-date contact information (including a phone number, email address, or any other form of appropriate communication) that precludes direct written (or, if specified by the individual, electronic) notification, a substitute form of notice must be provided, including, in the case that there are ten (10) or more individuals for whom there is insufficient or out-of-date contact information, a conspicuous posting for a period (determined by the Secretary) on the home page of the Web site of FMFI or notice in major print or broadcast media, including major media in geographic areas where the individuals affected by the breach likely reside. Such a notice in media or web posting will include a toll-free number where an individual can learn whether or not the individual's unsecured PHI is possibly included in the breach.

(iii) If FMFI determines that immediate notification is required because of possible imminent misuse of unsecured PHI, FMFI may provide information by telephone or other means, as appropriate, in addition to the written notification required.

(b) Media Notice. Notice shall be provided to prominent media outlets in the state, following the discovery of a breach of unsecured PHI, if the unsecured PHI of more than 500 residents is, or is reasonably believed to have been, accessed, acquired, or disclosed during such breach.

(c) Notice to Secretary. Notice of unsecured PHI that has been acquired or disclosed in a breach shall be provided to the Secretary. If the breach was with respect to 500 or more individuals, such notice must be provided immediately, and in no case more than sixty (60) calendar days from the discovery of the breach. If the breach was with respect to fewer than 500 individuals, FMFI may maintain a log of any such breach occurring and annually submit the log to the Secretary within sixty (60) calendar days of the end of the calendar year in which the breach was discovered.

4. Content of Notification. Regardless of the method by which notice is provided to individuals as set forth above in Section 2.a., notice of a breach shall include, to the extent possible, the following:

(a) A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.

(b) A description of the types of unsecured PHI that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code).

(c) The steps individuals should take to protect themselves from potential harm resulting from the breach.

(d) A brief description of what FMFI is doing to investigate the breach, to mitigate losses, and to protect against any further breaches.


(e) Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.

5. Delay of Notification. Notification may be delayed if a law enforcement official determines that a notification, notice or posting would impede a criminal investigation or cause damage to national security.

Fairfax Medical Facilities, Inc. HIPAA Privacy and Security Policies

Subject: Security Rule Compliance Page: 1 of 4 Policy #: Policy - 39 Approved: 2011 HIPAA Section: HITECH 13401, 164.306, 164.308, 164.310, 164.312, 164.314 and 164.316 Revised: 02/2012 04/2013 11/2016

I. PURPOSE

To establish the general policy and intent to comply with the Security Rule.

II. POLICY

FMFI will use its best efforts, and implement appropriate administrative, technical and physical safeguards, to do the following:

1. Ensure the confidentiality, integrity, and availability of all electronic PHI FMFI creates, receives, maintains, or transmits.

2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by HIPAA.

4. Ensure compliance with the Security Rule by its workforce.

III. PROCEDURES

FMFI may use any security measures that allow it to reasonably and appropriately implement the standards and implementation specifications as specified in the Security Rule. In deciding which security measures to use, FMFI must take into account the following factors: (a) The size, complexity, and capabilities of FMFI; (b) FMFI's technical infrastructure, hardware, and software security capabilities; (c) The costs of security measures; and (d) The probability and criticality of potential risks to electronic PHI.

Standards: FMFI will comply with the standards as provided in sections 164.306, 164.308, 164.310, 164.312, 164.314, and 164.316 of the Security Rule with respect to all ePHI.

Implementation Specifications: Implementation specifications are required or addressable. If an implementation specification is required, the word “Required” appears in parentheses after the title of the implementation specification. If an implementation specification is addressable, the word “Addressable” appears in parentheses after the title of the implementation specification.

When a standard adopted in Sections 164.308, 164.310, 164.312, 164.314, or 164.316 includes required implementation specifications, FMFI will implement the implementation specifications.

When a standard adopted in Sections 164.308, 164.310, 164.312, 164.314, or 164.316 includes addressable implementation specifications, FMFI will:

1. Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting FMFI's ePHI; and

2. As applicable to FMFI:

(a) Implement the implementation specification if reasonable and appropriate; or

(b) If implementing the implementation specification is not reasonable and appropriate:

(i) Document why it would not be reasonable and appropriate to implement the implementation specification; and

(ii) Implement an equivalent alternative measure if reasonable and appropriate.

Security measures implemented to comply with standards and implementation specifications must be reviewed and modified as needed to continue provision of reasonable and appropriate protection of ePHI as described at Section 164.316 of the Security Rule.

The Security Rule Standards and Implementation Specifications are summarized in the matrix below:

Security Standards: Matrix

Each entry lists the Standard, its Section, and its Implementation Specifications; (R) = Required, (A) = Addressable.

Administrative Safeguards

Security Management Process, 164.308(a)(1): Risk Analysis (R); Risk Management (R); Sanction Policy (R); Information System Activity Review (R)

Assigned Security Responsibility, 164.308(a)(2): (R)

Workforce Security, 164.308(a)(3): Authorization and/or Supervision (A); Workforce Clearance Procedure (A); Termination Procedures (A)

Information Access Management, 164.308(a)(4): Isolating Health Care Clearinghouse Function (R); Access Authorization (A); Access Establishment and Modification (A)

Security Awareness and Training, 164.308(a)(5): Security Reminders (A); Protection from Malicious Software (A); Log-in Monitoring (A); Password Management (A)

Security Incident Procedures, 164.308(a)(6): Response and Reporting (R)

Contingency Plan, 164.308(a)(7): Data Backup Plan (R); Disaster Recovery Plan (R); Emergency Mode Operation Plan (R); Testing and Revision Procedure (A); Applications and Data Criticality Analysis (A)

Evaluation, 164.308(a)(8): (R)

Business Associate Contracts and Other Arrangements, 164.308(b)(1): Written Contract or Other Arrangement (R)

Physical Safeguards

Facility Access Controls, 164.310(a)(1): Contingency Operations (A); Facility Security Plan (A); Access Control and Validation Procedures (A); Maintenance Records (A)

Workstation Use, 164.310(b): (R)

Workstation Security, 164.310(c): (R)

Device and Media Controls, 164.310(d)(1): Disposal (R); Media Re-use (R); Accountability (A); Data Backup and Storage (A)

Technical Safeguards (see § 164.312)

Access Control, 164.312(a)(1): Unique User Identification (R); Emergency Access Procedure (R); Automatic Logoff (A); Encryption and Decryption (A)

Audit Controls, 164.312(b): (R)

Integrity, 164.312(c)(1): Mechanism to Authenticate Electronic Protected Health Information (A)

Person or Entity Authentication, 164.312(d): (R)

Transmission Security, 164.312(e)(1): Integrity Controls (A); Encryption (A)

Fairfax Medical Facilities, Inc. HIPAA Privacy and Security Policies

Subject: Administrative Safeguards Page: 1 of 4 Policy #: Policy - 40 Approved: 2011 HIPAA Section: 164.530(c)(1) and 164.308 Revised: 02/2012 04/2013 11/2016

I. PURPOSE

To establish administrative safeguards that must be implemented by FMFI to protect the confidentiality of PHI.

II. POLICY

FMFI will implement appropriate administrative safeguards that will reasonably safeguard PHI from any intentional or unintentional use or disclosure that is in violation of FMFI’s Privacy and Security Policies and/or the Privacy Regulations and Security Rule. FMFI personnel must reasonably safeguard PHI to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure.

1. Risk Assessment. FMFI has completed a risk assessment. See Form-40, Security Risk Analysis. The risk assessment addressed the full range of PHI maintained by FMFI, both paper and electronic.

2. Evaluation. FMFI will evaluate its security annually. This evaluation will involve updating the Risk Analysis to ensure that all potential risks are identified and to identify any new or evolving risks that need to be managed. In addition to the periodic scheduled evaluations, FMFI will complete an evaluation whenever there is a significant change to any of its systems (e.g., new programs or hardware are implemented), its physical plant (e.g., space is added or modified), or its administrative operations (e.g., the flow of information in the office is modified).

3. Risk Management. On the basis of the risk assessment and ongoing evaluations, FMFI will manage its risks and will revise or modify its policies and procedures accordingly.

4. Criticality Analysis. FMFI maintains logs of its devices and media and of the software on each of its devices that may contain PHI. These logs note which systems contain PHI and specifically which files contain PHI, so that those files can be backed up. The logs are maintained by the Privacy Official.

5. Data Backup Plan. FMFI will back up all PHI on its computer systems. The information is backed up on a nightly basis to a tape drive and every other night to an external server. The information is password protected. Two copies are made. One copy is stored at FMFI and the second copy is stored offsite. In an emergency, the information is backed up as soon as possible and removed offsite. In addition, PHI is backed up prior to moving any computer or modifying any software containing PHI. Backups are recorded on a backup log. Copies are retained four (4) weeks and then destroyed or recycled. FMFI IT personnel have access to and may retrieve the backups.

6. Testing Restoration. Once a year, when critical new software is installed, and when new devices are installed, FMFI will check to make sure it can recover lost data from its backup. Specifically, FMFI reviews the backup files and compares them to the files on its computers. This is accomplished by comparing the size and dates of the files to ensure they are identical.
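The restoration check in item 6, as an added Python example that is not FMFI's own procedure: it compares each file's size and modification date as the policy states, and adds a SHA-256 content comparison, since two files can share size and date yet differ in content. The directory layout and file contents are constructed for the illustration.

```python
"""Backup verification: size and date comparison (as in Policy 40, item 6) plus
a content hash. The sample tree built below is constructed and contains no PHI."""
from __future__ import annotations
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


@dataclass
class BackupReport:
    missing: list[str] = field(default_factory=list)               # in source, absent from backup
    size_or_date_mismatch: list[str] = field(default_factory=list)  # fails the policy's check
    content_mismatch: list[str] = field(default_factory=list)       # same size/date, different bytes
    verified: list[str] = field(default_factory=list)

    def ok(self) -> bool:
        return not (self.missing or self.size_or_date_mismatch or self.content_mismatch)


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_backup(source: Path, backup: Path, check_content: bool = True) -> BackupReport:
    """Walk every file under source and look for its counterpart under backup."""
    report = BackupReport()
    for src_file in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src_file.relative_to(source).as_posix()
        bak_file = backup / rel
        if not bak_file.is_file():
            report.missing.append(rel)
            continue
        s, b = src_file.stat(), bak_file.stat()
        # The policy's check: size and modification date must be identical
        # (whole seconds, so that media with coarser timestamps still compare).
        if s.st_size != b.st_size or int(s.st_mtime) != int(b.st_mtime):
            report.size_or_date_mismatch.append(rel)
            continue
        # Added check: identical size and date do not prove identical bytes.
        if check_content and sha256_of(src_file) != sha256_of(bak_file):
            report.content_mismatch.append(rel)
            continue
        report.verified.append(rel)
    return report


def build_demo_tree(root: Path) -> tuple[Path, Path]:
    """Constructed sample: a source tree and a backup in which one file is
    missing, one is stale, and one was silently corrupted."""
    source, backup = root / "source", root / "backup"
    for d in (source / "records", backup / "records"):
        d.mkdir(parents=True)
    files = {
        "records/visits.csv": b"id,date\n1,2016-11-03\n",
        "records/notes.txt": b"nightly backup test\n",
        "records/ledger.dat": b"0000000000",
        "records/new_today.txt": b"not yet backed up\n",
    }
    for rel, data in files.items():
        (source / rel).write_bytes(data)
    # Faithful copies; shutil.copy2 preserves the modification time.
    for rel in ("records/visits.csv", "records/notes.txt", "records/ledger.dat"):
        shutil.copy2(source / rel, backup / rel)
    # Stale copy: older, shorter content, so the size check catches it.
    (backup / "records/notes.txt").write_bytes(b"old\n")
    # Corrupted copy: same size, and the original timestamp is restored, so
    # only the content hash can tell it apart from the source.
    (backup / "records/ledger.dat").write_bytes(b"0000000001")
    st = (source / "records/ledger.dat").stat()
    os.utime(backup / "records/ledger.dat", ns=(st.st_atime_ns, st.st_mtime_ns))
    return source, backup


def run_demo() -> BackupReport:
    with tempfile.TemporaryDirectory() as tmp:
        source, backup = build_demo_tree(Path(tmp))
        return compare_backup(source, backup)


if __name__ == "__main__":
    print(run_demo())
```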

7. Disaster Recovery Plan. When a disaster has occurred – when electronic information is lost for whatever reason – the Privacy Official will implement the disaster recovery plan. The specific plan depends on the type and scope of the disaster:

• If PHI has been lost and the computer systems still function, FMFI will attempt to restore the information from backup media.

• If PHI has been lost and some portion of the computer systems still function, FMFI will attempt to restore the information from backup media to that portion of the computer system.

• If PHI has been lost and: (i) the computer systems still function, but FMFI is unable to restore the information from backup media; (ii) some portion of the computer systems still function, but FMFI is unable to restore the information from backup media to that portion of the computer system; or (iii) the entire computer system has failed, FMFI will obtain new computer equipment, install appropriate software, and restore the PHI in a timely fashion.

8. Emergency Mode Operation. FMFI IT staff is notified and will retrieve the data.

9. Contingency Planning. FMFI trains all of its employees regarding its contingency plans. The Privacy Official is responsible for ensuring that backups are made and stored offsite as required by these Policies.

10. Security Incidents. FMFI monitors information system activity to detect security incidents – "the attempted or successful unauthorized access, use, disclosure, modification, or destruction" of electronic PHI. FMFI will record and follow up when it determines (i) someone or some program has entered its computer system from outside the practice, e.g., a virus or worm, or (ii) someone inside the practice accesses, uses, or changes PHI in an unauthorized manner. In the event of a security incident, FMFI will document the occurrence. If the Privacy Official determines there has been a harmful effect as a result of the incident or that PHI has been breached, the Privacy Official will take steps to mitigate the effects or provide notification pursuant to these Policies.

Fairfax Medical Facilities, Inc. HIPAA Privacy and Security Policies

Subject: Physical Safeguards Page: 1 of 4 Policy #: Policy - 41 Approved: 2011 HIPAA Section: 164.530(c)(1), 164.308, 164.312 Revised: 02/2012 04/2013 11/2016

I. PURPOSE

To establish physical safeguards that must be implemented by FMFI to protect the confidentiality of PHI.

II. POLICY

FMFI will implement appropriate physical safeguards that will reasonably safeguard PHI from any intentional or unintentional use or disclosure that is in violation of FMFI’s Privacy and Security Policies and/or the Privacy Regulations and Security Rule.

1. Oral Communications. FMFI personnel must exercise due care to avoid unnecessary disclosures of PHI through oral communications. Conversations in public areas should be avoided, unless necessary to further patient care, research or teaching purposes. Voices should be modulated and attention should be paid to unauthorized listeners in order to avoid unnecessary disclosures of PHI. Patient identifying information should only be disclosed during oral conversations when necessary to further treatment, payment, teaching, research or operational purposes. Dictation and telephone conversations should be conducted away from public areas if possible. Speakerphones should only be used in secure areas.

Conversations with a patient present should occur in an exam room or a physician's office with the doors closed. Conversations in hallways or the reception area are avoided whenever possible. FMFI personnel do not take patient telephone calls in an exam room or in their office when another patient is present.

2. Cellular Telephones. Digital or landline telephones should be used if the conversation will involve the disclosure of Particularly Sensitive Health Information. “Particularly Sensitive Health Information” means PHI that is generally considered highly confidential including, but not limited to, genetic testing information, biopsy or diagnostic results, mental health, drug and alcohol abuse, and communicable disease information. See Policy-01.

3. Telephone Messages. Telephone messages and appointment reminders may be left on answering machines and voice mail systems, unless the patient has requested an alternative means of communication pursuant to Policy-07, Communication by Alternative Means. However, FMFI will limit the amount of PHI that is disclosed in a telephone message. Telephone messages that include Particularly Sensitive Health Information should never be left. The content of appointment reminders should not reveal Particularly Sensitive Health Information, directly or indirectly. Telephone messages regarding test results, or that contain information linking a patient’s name to a particular medical condition, should be avoided.

4. Faxes. The following procedures must be followed when faxing PHI:

• Only the PHI necessary to meet the requester's needs should be faxed;

• Particularly Sensitive Health Information should not be transmitted by fax, except in emergency situations or if required by a government agency. If Particularly Sensitive Health Information must be faxed, the recipient should be notified immediately prior to the transmission and the sender should immediately confirm that the transmission was completed, if possible;

• FMFI will designate employees who can fax, or approve the faxing of, PHI. Unauthorized employees, students and volunteers should never fax PHI;

• Unless otherwise permitted or required by law, a properly completed and signed authorization must be obtained before releasing PHI to third parties for purposes other than treatment, payment or health care operations as provided in Policy-22, Authorization. PHI may be faxed to an individual if the individual requests access to his/her own PHI in accordance with Policy-05, Patient Access to Protected Health Information;

• All faxes containing PHI must be accompanied by a cover sheet that includes a confidentiality notice. A sample fax cover sheet is attached hereto as Form-41;

• Reasonable efforts should be made to ensure that fax transmissions are sent to the correct destination. Frequently used numbers should be preprogrammed into fax machines or computers to avoid misdialing errors. Preprogrammed numbers should be verified on a routine basis. The numbers of new recipients should be verified prior to transmission;

• Fax machines must be located in secure areas not readily accessible to visitors and patients. Incoming faxes containing PHI should not be left sitting on or near the machine;

• Fax confirmation sheets should be reviewed to ensure the intended destination matches the number on the confirmation. The confirmation sheet should be attached to the document that was faxed;

• If there is any concern about whether the fax was received by the intended recipient, the FMFI employee who sent the fax should call the intended recipient by phone to verify receipt; and

• All instances of misdirected faxes containing PHI should be investigated and mitigated pursuant to Policy-14, Mitigation.

5. Mail. PHI mailed outside FMFI should go via first class mail and should be concealed. Appointment reminders may be mailed to a patient, unless the patient has requested an alternative means of communication pursuant to Policy-07, Communication by Alternative Means. FMFI stamps or labels all packages and envelopes containing PHI as "CONFIDENTIAL PROTECTED HEALTH INFORMATION ENCLOSED" or alternatively "CONFIDENTIAL."

6. Copying. Copies should be made only by authorized persons designated by FMFI. Photocopying PHI should be done only when necessary for treatment, payment or health care operations, when authorized by the patient or the patient's legal representative or when required by law. Photocopying of Particularly Sensitive Health Information should be strictly monitored.

All copies provided to the patient or another third party in response to a request for access should be date stamped in a color other than black, or bear some other unique identifying mark or symbol, so that a copy can be distinguished from the original. Date stamping or marking records provided to patients will protect FMFI in the event there is a dispute as to how certain records were acquired or disclosed.

7. Sign-in Sheets. Sign-in sheets that involve Particularly Sensitive Health Information should be formatted in a manner that does not permit subsequent signers to identify previous signers. For example, this can be accomplished by using tear-off registration forms.

8. Destruction Standards. PHI must be discarded in a manner that protects the confidentiality of such information. Paper and other printed materials containing PHI should be destroyed or shredded. FMFI will dispose of ePHI in a manner that ensures that no trace of the PHI remains and that the PHI cannot be restored using commonly available commercial programs.

9. Storage of Paper Records. Paper records and medical charts must be stored or filed in such a way as to avoid access by unauthorized persons. Some type of physical barrier should be used to protect paper records from unauthorized access. Paper records and medical charts on desks, counters or nurses' stations must be placed face down or concealed to avoid access by unauthorized persons. Paper records should be secured when the office is unattended by persons authorized to have access to paper records.

Original paper records and medical charts should not be removed from FMFI premises unless necessary to provide care or treatment to a patient or required by law. FMFI personnel should not remove paper records or medical charts for their own convenience. Any paper records and medical charts removed from FMFI premises should be checked out according to any applicable FMFI policies and procedures and should be returned as quickly as possible. The safety and return of the medical records checked out or removed are the sole responsibility of the person who checked them out or removed them.

Paper records and medical charts that are removed from FMFI premises must not be left unattended in places in which unauthorized persons can gain access. Paper records and medical charts must not be left in unlocked automobiles or in view of passers-by.

The theft or loss of any paper record or medical chart should be reported to the Privacy Official so that mitigation options can be considered.

10. Storage of Electronic Records. The information is backed up on a nightly basis to a tape drive and every other night to an external server. The information is password protected. Two copies are made. One copy is stored at FMFI and the second copy is stored offsite.

11. Escorting Visitors and Patients. Visitors and patients must be appropriately monitored when on FMFI premises where PHI is located to ensure they do not access PHI about other patients without permission. This means persons that are not employed by FMFI should not be in areas in which patients are being seen or treated or where PHI is stored without appropriate supervision. This includes pharmaceutical representatives and device salespeople.

12. Computer/Work Stations. Computer monitors must be positioned away from common areas or a privacy screen must be installed to prevent unauthorized access or observation. The screens on unattended computers must be returned to the main menu or to a password protected screen saver. Each FMFI employee has his or her personal password and computers have password-protected screen savers. Each FMFI employee logs off their computer when they are finished for the day or when they are away from their computer for longer than 1 hour.

13. Access Control. FMFI terminates an employee's access to all PHI when the employee is terminated. The terminated employee is required to turn in any keys or other access devices that may have been issued by FMFI and all passwords are deactivated.

14. Posting of PHI. FMFI does not post any PHI, including schedules, where it could be viewed by visitors or patients. Schedules and other PHI needed for the functioning of the practice are kept in places not accessible to patients and referred to as needed by workforce personnel.

15. Office Equipment. FMFI will ensure that any PHI stored in the memory of fax machines and copiers will be deleted when such office equipment is removed from the FMFI office.

16. Protection of Mobile Devices. FMFI protects PHI on mobile devices, including laptop computers, PDAs and cell phones.

• Laptop computers. Laptop computers are logged in and out of FMFI. The computers are password protected and the screen savers set to password protect the computers after 15 minutes of inactivity.

• PDAs. PDAs commonly include patient schedule information and notes. The PDAs are password protected and synchronized with the computer workstations regularly to ensure timely backup. Software cannot be added to PDAs without approval from the Privacy Official. All PDAs owned by FMFI must be returned to FMFI upon an employee's termination.

• Cell Phones. Cell phones contain phone numbers and, often, names of patients. They may also include text messaging, notes, and e-mail. Cell phones are password protected to limit inappropriate access. In addition, the call lists are periodically reviewed and unneeded telephone numbers deleted.

17. Device and Media Controls. FMFI will ensure that PHI is appropriately protected when computer hardware and software and computer devices are received by FMFI, transported by FMFI or moved within FMFI facilities or removed from FMFI facilities.

• Accountability. FMFI maintains a record of all computer hardware and electronic media that store PHI. This log indicates which FMFI personnel are authorized to access PHI on each computer and electronic media and when the computer or media is removed from the FMFI facilities. This log is an integral part of FMFI's risk assessment and ongoing evaluation.

FMFI records all devices and media that may contain PHI. This includes computers and related devices as well as other equipment, e.g., cell phones, personal digital assistants ("PDAs"), clinical devices that store patient-specific information, fax machines, and duplicating machines and printers that may store images.

• Media Re-Use. Media may be reused only when all electronic PHI previously stored on the media is removed and unrecoverable. FMFI only reuses media internally. Such media are always maintained securely and considered to contain PHI, even when they have been "cleaned." Media are not "cleaned" for reuse and then sent out of the FMFI facilities to be used by others. Rather, media are disposed of as discussed below.

• Disposal of Devices and Media. FMFI disposes of devices and media in a fashion that prevents the disclosure of PHI. FMFI understands that simply deleting files does not remove the PHI from the media. Whenever possible, FMFI overwrites the media completely using a commercially available program. The media is overwritten three times to ensure all PHI is destroyed. This includes data drives. When data cannot be overwritten, e.g., on a CD or DVD that cannot be overwritten, FMFI first makes a series of deep scratches on the media and then breaks the media in two pieces.
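The three-pass overwrite described in the disposal bullet above, written out as an added example (not the commercially available program the policy refers to, and not FMFI's own tooling). The sample chart content, the helper names and the pass count are assumptions of this example. It works on a regular file; opened on a raw block device instead (for example /dev/sdX on Linux, as root) the same loop covers the whole medium, which is what "overwrites the media completely" calls for.

```python
"""Multi-pass overwrite of a file before deletion, mirroring the policy's
three-pass overwrite. Added example; helper names and sample data are assumed."""
import os
import secrets
import tempfile

# Constructed sample record; stands in for a chart exported to a file.
SAMPLE_CHART = b"PHI: Jane Doe, DOB 1970-01-01, biopsy result: benign\n" * 1000


def overwrite_file(path: str, passes: int = 3, chunk: int = 1 << 16) -> int:
    """Overwrite every byte of `path` `passes` times with fresh random data, calling
    fsync after each pass so the data reaches the device rather than stopping in
    the page cache. The file keeps its length. Returns total bytes written."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            left = size
            while left:
                block = secrets.token_bytes(min(chunk, left))
                f.write(block)
                written += len(block)
                left -= len(block)
            f.flush()
            os.fsync(f.fileno())
    return written


def contains(path: str, marker: bytes) -> bool:
    """Spot check: does the file still hold a known plaintext fragment?"""
    with open(path, "rb") as f:
        return marker in f.read()


def secure_delete(path: str, passes: int = 3) -> int:
    """Overwrite, then truncate to zero (so the directory entry no longer reveals
    the record size) and unlink. Returns bytes written by the overwrite passes."""
    written = overwrite_file(path, passes)
    with open(path, "r+b") as f:
        f.truncate(0)
        f.flush()
        os.fsync(f.fileno())
    os.unlink(path)
    return written


def demo() -> dict:
    """Run the procedure on the constructed chart in a temp directory and report
    what a reviewer would want to verify at each stage."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "chart.txt")
        with open(path, "wb") as f:
            f.write(SAMPLE_CHART)
        before = contains(path, b"Jane Doe")
        written_pass1 = overwrite_file(path, passes=1)
        after_pass1 = contains(path, b"Jane Doe")
        size_kept = os.path.getsize(path) == len(SAMPLE_CHART)
        written = secure_delete(path, passes=3)
        return {
            "marker_before": before,
            "marker_after_pass": after_pass1,
            "size_kept_after_pass": size_kept,
            "bytes_written_pass1": written_pass1,
            "bytes_written_delete": written,
            "file_exists": os.path.exists(path),
        }
```

Two caveats a practitioner should attach to this bullet. First, in-place overwriting only reaches the blocks the file currently occupies: journaling and copy-on-write filesystems, snapshots and backups can keep older copies, and SSDs remap writes through wear levelling so the cells that held the old data may never be touched. For flash media the reliable options are the drive's own sanitize command (ATA Secure Erase, NVMe Sanitize/Format) or cryptographic erase of an encrypted volume. Second, the three passes mirror the policy; NIST SP 800-88 Rev. 1 treats a single overwrite pass as sufficient for modern magnetic disks, so the extra passes cost time without adding assurance.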

18. Data Backup and Storage. An important aspect of controlling PHI on devices and media is ensuring PHI is appropriately backed up and securely stored. In addition, it is vital to back up PHI prior to movement of equipment and media.

19. Security of Server Rooms. Access to the FMFI server rooms will be monitored. No unauthorized persons are permitted access to the server rooms. FMFI personnel that are not responsible for IT or server maintenance should only enter the server rooms if accompanied by designated personnel. All FMFI servers are housed within one of two designated server rooms.

Fairfax Medical Facilities, Inc. HIPAA Privacy and Security Policies

Subject: Technical Safeguards
Policy #: Policy-42
HIPAA Sections: 164.530(c), 164.308, 164.312, 164.314
Approved: 2011
Revised: 02/2012, 04/2013, 11/2016

I. PURPOSE

To establish technical safeguards that must be implemented by FMFI to protect the confidentiality of PHI.

II. POLICY

FMFI will implement appropriate technical safeguards that will reasonably safeguard PHI from any intentional or unintentional use or disclosure that is in violation of FMFI's Privacy and Security Policies and/or the Privacy Regulations and Security Rule.

1. Authentication. All information systems will implement authentication procedures in conjunction with the level of confidentiality of the data they store and process. The authentication methods at FMFI will be the following: a user ID and a password.

• User IDs. Each user will be assigned a unique user ID. FMFI issues user IDs at the time of employment/affiliation or at the time it becomes necessary for the individual to have a user ID. User IDs are issued to individuals for the term of their employment or affiliation with FMFI. Each user will have only one user ID. In the event a user has made a name change, a written request should be made to the Privacy Official for a Name Change to be processed. A user ID will not be reassigned or otherwise associated with someone other than the original user. User IDs will be disabled rather than deleted upon termination or discontinuance of affiliation.

• Passwords. Strong passwords are imperative in the protection of FMFI information systems. Passwords must meet the following criteria: (i) must be at least 8 characters in length; (ii) must be composed of mixed case alphabetic characters, numbers, and symbols; (iii) cannot be the same as the person's login name; (iv) cannot include the person's first, middle or last name; (v) cannot be the same as the person's license plate number; (vi) cannot be the person's telephone or cell phone number; (vii) cannot be the person's social security number; (viii) cannot be the same as the person's street address; (ix) cannot be consecutive numbers or letters, such as 123456 or abcdefg; (x) cannot be single repeated numbers or letters, such as 1111111 or aaaaaaa; (xi) cannot be based on keyboard progression, such as asdfgh; (xii) should not be based on easily-guessed personal or work associations, such as children's names; and (xiii) should not be based on easily guessed words such as password1.

The passwords used to access FMFI resources and systems should not be re-used in any non-FMFI context, such as to access Facebook, Yahoo or other personal e-mail accounts. Software passwords will expire every 60 days. Disclosure of passwords is prohibited. If a person believes his/her password has been compromised, he/she should notify the Privacy Official so that it can be changed.

FMFI personnel are prohibited from (i) writing their passwords down; and (ii) sharing or disclosing their passwords. An account will be locked out after four failed logon attempts (incorrect username and/or password).
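The thirteen password criteria and the four-attempt lockout above, turned into a checker as an added example (not FMFI's own software). The helper names, the assumed US keyboard rows, the short common-word blocklist and the identity fields on the user profile are assumptions of this example; the identity checks use substring matching, which is stricter than the policy's literal "cannot be the same as" wording for the plate, phone, SSN and street items.

```python
"""Password-policy check and logon lockout modelled on the FMFI criteria above.
Added example; helper names, keyboard rows and blocklist are assumptions."""
import re
from dataclasses import dataclass

KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")  # assumed layout
COMMON_WORDS = ("password", "welcome", "letmein", "qwerty", "admin")  # assumed blocklist


@dataclass
class UserProfile:
    """Identity attributes the policy says a password must not be built from."""
    login: str
    first: str = ""
    middle: str = ""
    last: str = ""
    plate: str = ""
    phone: str = ""
    ssn: str = ""
    street: str = ""
    associations: tuple = ()  # children's names, pets, employer: criterion (xii)


def is_sequence(s: str) -> bool:
    """Criterion (ix): every adjacent pair steps by exactly +1 or -1 (123456, abcdefg, 654321)."""
    if len(s) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def is_keyboard_run(s: str) -> bool:
    """Criterion (xi): four or more adjacent keys of one row, in either direction (asdf, poiu)."""
    low = s.lower()
    for row in KEYBOARD_ROWS:
        for run in (row, row[::-1]):
            if any(run[i:i + 4] in low for i in range(len(run) - 3)):
                return True
    return False


def check_password(password: str, user: UserProfile) -> list:
    """Return the numerals of the policy criteria the password violates; [] means accepted."""
    p, low = password, password.lower()
    digits = re.sub(r"\D", "", p)
    phone, ssn = re.sub(r"\D", "", user.phone), re.sub(r"\D", "", user.ssn)
    failed = []
    if len(p) < 8:
        failed.append("i")
    if not all(re.search(c, p) for c in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")):
        failed.append("ii")
    if low == user.login.lower():
        failed.append("iii")
    if any(n and n.lower() in low for n in (user.first, user.middle, user.last)):
        failed.append("iv")
    if user.plate and user.plate.lower() in low:
        failed.append("v")
    if phone and phone in digits:
        failed.append("vi")
    if ssn and ssn in digits:
        failed.append("vii")
    if user.street and user.street.lower() in low:
        failed.append("viii")
    if is_sequence(p):
        failed.append("ix")
    if len(p) > 1 and len(set(p)) == 1:
        failed.append("x")
    if is_keyboard_run(p):
        failed.append("xi")
    if any(a and a.lower() in low for a in user.associations):
        failed.append("xii")
    if any(w in low for w in COMMON_WORDS):
        failed.append("xiii")
    return failed


class LoginGuard:
    """Lock an account after MAX_FAILED consecutive failed logons (the policy's four).
    A locked account rejects even a correct password until unlock() is called."""
    MAX_FAILED = 4

    def __init__(self):
        self._failures = {}
        self._locked = set()

    def attempt(self, login: str, credentials_ok: bool) -> str:
        """Return 'ok', 'denied' or 'locked' for one logon attempt."""
        if login in self._locked:
            return "locked"
        if credentials_ok:
            self._failures.pop(login, None)
            return "ok"
        self._failures[login] = self._failures.get(login, 0) + 1
        if self._failures[login] >= self.MAX_FAILED:
            self._locked.add(login)
            return "locked"
        return "denied"

    def unlock(self, login: str) -> None:
        """Administrative reset after the user has been verified out of band."""
        self._locked.discard(login)
        self._failures.pop(login, None)
```

The checker returns the numerals rather than booleans so a logon screen can tell the user exactly which criteria failed. Note that a lockout keyed only on the login name, as here and as the policy describes, lets anyone who knows a username lock that account; production systems usually add a timed automatic release or rate limiting per source address.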

2. Security Configuration – Testing. FMFI tests all hardware and software to ensure it meets FMFI's security policies and procedures. This testing occurs when the hardware or software is installed and not less than once a year thereafter.

3. Security Configuration – Inventory. FMFI maintains an inventory of all hardware and software used by FMFI. This inventory lists each computer and its hardware configuration.

4. Virus Detection. FMFI will employ anti-virus software to protect e-mail users. The software filters e-mail to detect common viruses. Any e-mails containing malicious content are blocked. If a virus is detected, the message is discarded, shielding the e-mail recipient. All workstations and servers must run the approved anti-virus programs at all times, including laptop and notebook computers. Laptops and notebook computers that are temporarily taken off-line must have their anti-virus programs updated before being placed back in service; this is done automatically through FMFI's software. FMFI personnel may not remove or disable anti-virus programs without prior approval of the Privacy Official or IT personnel.

If response to a virus incident reveals that the infected workstation is not running virus protection software, the software will be installed immediately to prevent future incidents. If a user suspects infection by a computer virus, the user must stop use of the involved computer or workstation immediately and notify the Privacy Official. Users may not attempt to eradicate or "clean" viruses from their systems on their own.

5. Home Use of FMFI Hardware. Home use of FMFI hardware is only permitted for FMFI personnel working on FMFI business when at home. Users may not alter, upgrade, or otherwise change FMFI hardware. All changes made to hardware must be done through the Privacy Official or appropriately designated consultants. FMFI hardware must only be used for intended business purposes and must never be used for unethical or illegal activities.

6. Home Use of FMFI Software. Computers owned by FMFI must only be loaded with legal software. Only software purchased through appropriate channels in conjunction with current FMFI approval may be used on FMFI machines. Software owned by FMFI cannot be loaded on users' personal computers unless the specific software company permits home use in the license agreement. FMFI software will only be used from home for intended business purposes and will not be used in unethical or illegal activities.

7. Internet Access/Use: Firewall. FMFI utilizes a firewall to ensure appropriate access to FMFI's information systems. FMFI uses a commercially available program and updates it as recommended by the vendor. All connections to the Internet must go through a properly secured connection point to ensure that the network is protected.

8. Audit Controls and Intrusion Detection. FMFI will audit use of its PHI, both paper and electronic. This is done through monitoring and controlling access to its computers and paper records as set forth in these Policies. FMFI will monitor its information systems in order to detect illegitimate or prohibited activity. The following methods will be used: (i) operating system and application software audit logging; (ii) recurring audit log reviews; (iii) network traffic monitoring; (iv) system access monitoring; and (v) any other methods deemed appropriate and consistent with industry standards and best practices.

9. Windows Update. FMFI uses the Windows operating system but does not use "Windows Update." It is disabled due to software conflicts. Note that with automatic updating disabled, a system stays exposed to publicly known vulnerabilities until operating system security patches are obtained, tested and applied through some other documented process.

10. Transmission Security. FMFI uses eClinicalWorks to protect PHI sent electronically. Specifically, FMFI locks all data files using an encryption methodology, secure passwords, or both. Passwords and/or encryption keys are sent to the receiving party in a separate secure transaction.


Oklahoma State Department of Health ODH 206 Community and Family Health Services/ Administration HIPAA Document - retain for a minimum of 6 years August 2014

OKLAHOMA STANDARD AUTHORIZATION TO USE OR SHARE PROTECTED HEALTH INFORMATION (PHI)

Patient Name:
Medical Record #:
Date of Birth:
Social Security #:

I hereby authorize
Name of Person/Organization Disclosing PHI
to release the following information to
Name and Address of Person/Organization Receiving PHI

Information to be shared:
□ Psychotherapy Notes (if checking this box, no other boxes may be checked)
□ Entire Medical Record
□ Billing Information for
□ Mental Health Records
□ Substance Abuse Records
□ Medical information compiled between _ and
□ Other:

The information may be disclosed for the following purpose(s) only:
□ Insurance
□ Continued Treatment
□ Legal
□ At my or my representative's request
□ Other:

I understand that by voluntarily signing this authorization:

• I authorize the use or disclosure of my PHI as described above for the purpose(s) listed.

• I have the right to withdraw permission for the release of my information. If I sign this authorization to use or disclose information, I can revoke this authorization at any time. The revocation must be made in writing to the person/organization disclosing the information and will not affect information that has already been used or disclosed.

• I have the right to receive a copy of this authorization.

• I understand that unless the purpose of this authorization is to determine payment of a claim for benefits, signing this authorization will not affect my eligibility for benefits, treatment, enrollment or payment of claims.

• My medical information may indicate that I have a communicable and/or non-communicable disease which may include, but is not limited to diseases such as hepatitis, syphilis, gonorrhea or HIV or AIDS and/or may indicate that I have or have been treated for psychological or psychiatric conditions or substance abuse.

• I understand I may change this authorization at any time by writing to the person/organization disclosing my PHI.

• I understand I cannot restrict information that may have already been shared based on this authorization.

• Information used or disclosed pursuant to the authorization may be subject to redisclosure by the recipient and no longer be protected by the Privacy Regulation.

Unless revoked or otherwise indicated, this authorization’s automatic expiration date will be one year from the date of my signature or upon the occurrence of the following event:

Signature of Patient or Legal Representative                Date

Description of Legal Representative's Authority

Expiration date (if longer than one year from date of signature or no event is indicated)

Instructions for Oklahoma Standard Authorization to Use or Share Protected Health Information (PHI)

1. Indicate patient name and date of birth.
2. OPTIONAL: Indicate Medical Record # and/or Social Security #.
3. Indicate the name of person/organization disclosing PHI.
4. Indicate the name and address of person/organization receiving PHI.

Information to be shared:

1. Check the appropriate box.
2. If the information to be shared is not listed, check the "other" box and indicate what information is to be shared in the space provided.
a. If billing information is shared, indicate which billing information is requested. If all billing information is requested, just check the box.
b. If psychotherapy notes are requested, no other information can be shared. A separate Authorization must be completed for additional information.

Purpose for disclosing information:

1. Check the appropriate box.
2. If the purpose is not listed, check the "other" box and indicate the purpose in the space provided.

Expiration Date:

1. Unless otherwise indicated at the bottom of the form, the expiration date is one year from the date of the patient's signature or upon the occurrence of an event chosen by the individual.
a. If the patient chooses an event, list the event in the space provided.
b. If the patient chooses to make the expiration date longer than one year, indicate in the space provided at the bottom of the form.

Signature:

1. Obtain the signature of the patient or Legal Representative.
2. If a Legal Representative signs the form, indicate the description of the Legal Representative's authority.

Date:

1. The date is the date the form is signed.

FAIRFAX MEDICAL FACILITIES, INC.

PRIVACY/SECURITY OFFICIAL

FORM 10

PRIVACY/SECURITY OFFICIAL

Effective Dates:

Name:

Facility Name:

Facility Address:

Office Number:

Fax Number:

Cell Number:

Email:

BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement (the "BAA") is entered into between  and the individual or entity whose signature appears below as evidence of agreement to the terms hereinafter referred to as "Covered Entity." This BAA and any agreement for accreditation, certification, distinction, or recognition entered into by Covered Entity and  establish the terms of the relationship between  and Covered Entity.

WHEREAS, Covered Entity is seeking accreditation, certification or recognition by

and desires to input data into data collection tools stored and maintained by and which data may include certain Protected Health Information (as defined in 45 C.F.R. § 160.103) that is subject to protection under the Federal Privacy, Security, Breach Notification, and Enforcement Rules established at 45 C.F.R. Parts 160 and 164, as amended from time to time (collectively the “HIPAA Rules”), promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and the Health Information Technology for Economic and Clinical Health Act provisions of the American Recovery and Reinvestment Act of 2009, Pub. Law No. 111-5 (“ARRA”); WHEREAS, may act in the role of a Business

Associate (as defined in 45 C.F.R. § 160.103) for purposes of Covered Entity’s health care quality assessment and review by against standards and requirements and the HIPAA Rules dictate that the Covered Entity shall enter into an agreement with a Business Associate to whom it provides PHI, and this BAA shall apply to that PHI; WHEREAS, Covered Entity may have entered into, may subsequently enter into, or

may enter into simultaneously with this BAA, an agreement with to seek accreditation, certification or recognition (hereinafter any such agreement will be referred to as a “Contract”) and this BAA shall be applicable to any such Contract entered into by Covered Entity and when acts as a Business Associate of Covered Entity, as defined under the HIPAA Rules; and WHEREAS, the purpose of this BAA is to satisfy certain standards and requirements of the HIPAA Rules, as the same may be amended from time to time. NOW THEREFORE, in consideration of the mutual promises below, the receipt and

sufficiency of which is hereby acknowledged, the parties agree as follows:

I. GENERAL PROVISIONS

Section 1. Definitions. Unless otherwise specified in the Contract or this BAA, all capitalized terms used herein and not otherwise defined shall have the meanings established by 45 C.F.R. Parts 160 and 164, as amended from time to time. "PHI" shall mean Protected Health Information, as defined in 45 C.F.R. § 160.103, limited to the information received from or on behalf of Covered Entity. "Electronic PHI" shall mean Electronic Protected Health Information, as defined in 45 C.F.R. § 160.103, limited to the information received from or on behalf of Covered Entity. The terms "use" and "disclosure" and any and all other terms with defined meanings established by 45 C.F.R. Parts 160 and 164, as amended from time to time, shall have the same meaning for the purpose of this BAA. References in the Contract or this BAA to a section or subsection of 45 C.F.R. Parts 160 and 164, and/or ARRA under Title 42 of the United States Code are references to provisions of ARRA and shall be deemed a reference to that provision and its existing and future implementing regulations, when and as each is effective and compliance is required under the applicable provision.

Section 2. Effect. This BAA shall apply to any PHI subject to the Contract and to any PHI provided by Covered Entity in the process of using data collection tools stored and maintained by  for purposes of Covered Entity's health care quality assessment against  standards and requirements. Any provision of the Contract, including all exhibits or other attachments thereto and all documents incorporated therein by reference, that is directly contradictory to one or more terms of this BAA ("Contradictory Term"), shall be superseded by the terms of this BAA to the extent and only to the extent of the contradiction and only to the extent that it is reasonably impossible to comply with both the Contradictory Term and the terms of this BAA. Notwithstanding anything in this Agreement to the contrary, nothing in this BAA shall alter the rights and obligations of the respective parties under the HIPAA Rules.

II. RESPONSIBILITIES OF

Section 1. Use and Disclosure of Protected Health Information.

may: (a) use and/or disclose PHI only as permitted or required by the Contract, this BAA, or as Required By Law, and in compliance with each applicable requirement of 45 C.F.R. § 164.504(e); (b) use the PHI in its possession for its proper management and administration and to fulfill any legal responsibilities of ; (c) disclose PHI in its possession to a third party for the purpose of proper management and administration or to fulfill any legal responsibilities of if the disclosures are Required by Law, and has received from the third party written assurances that (i) the information will be held confidentially and be used or further disclosed only as Required by Law or for the purposes for which it was disclosed to the third party, and (ii) the third party will notify (and, in accordance with Article II, Section 3 of this BAA, shall notify Covered Entity) of any instances of which it becomes aware in which the confidentiality of the information has been breached; (d) create a Limited Data Set and use and disclose such Limited Data Set pursuant to the Data Use Agreement as set forth in Article VI of this BAA; and (e) de-identify PHI obtained by under this BAA and/or the Contract, and use and/or disclose such de-identified data on own behalf, all in accordance with the de-identification requirements of the HIPAA Rules. shall request, use and/or disclose the minimum amount of PHI

necessary with regard to its use and/or disclosure of PHI under this Section 1. shall not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by Covered Entity. All other uses and disclosures of PHI not authorized by this BAA or the Contract are prohibited. acknowledges that it may be subject to the civil and criminal enforcement provisions set forth at 42 U.S.C. 1320d-5 and 1320d-6, as amended from time to time, for failure to comply with the use and disclosure requirements and any guidance issued by the Secretary from time to time.

Section 2. Appropriate Safeguards.  will use appropriate administrative, technical and physical safeguards to prevent the use or disclosure of PHI, other than as provided for by the Contract, this BAA or as Required by Law, in accordance with the requirements set forth in Subpart C of 45 C.F.R. Part 164, including implementing administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity.  will also keep current and document such security measures in written policies, procedures or guidelines, and make its policies and procedures, and documentation relating to such safeguards, available to the Secretary in accordance with the HIPAA Rules.

Section 3. Reporting of Improper Use or Disclosure of PHI.  will within ten (10) business days of becoming aware of any use or disclosure of PHI not permitted or required by the Contract or this BAA, or of any Security Incident with respect to Electronic PHI of which it becomes aware, report such use, disclosure or Security Incident to Covered Entity.  agrees to mitigate, to the extent practicable, any harmful effect that is known to  of a use or disclosure of PHI by  in violation of the requirements of this BAA.  further agrees to report without unreasonable delay, and in no case later than thirty (30) calendar days after discovery, any Breach of any Unsecured PHI in accordance with the security breach notification requirements set forth in 45 C.F.R. §§ 164.400, 164.402, and 164.410 and any guidance issued by the Secretary from time to time.

Section 4. Subcontractors and Agents.  agrees that any time PHI is provided or made available to its subcontractors or agents,  will enter into an agreement with the subcontractor or agent that contains the same conditions and restrictions on the use and disclosure of PHI as contained in the Contract and this BAA in accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, and will ensure that all of its subcontractors and agents to whom it provides Electronic PHI agree to implement reasonable and appropriate safeguards to protect such Electronic PHI.

Section 5. Right of Access, Amendment and Accounting of Disclosures. With

respect to the PHI in possession, agrees to the following: (a) within fifteen (15) calendar days of receiving a written request from Covered Entity,

will make available to Covered Entity information necessary for Covered Entity to make an Accounting of Disclosures of PHI about an Individual in accordance with the Privacy Regulations as set forth in 45 C.F.R. § 164.528 and, in accordance with the requirements for Accounting for Disclosures made through an Electronic Health Record in 42 U.S.C. 17935(c), and when directed by Covered Entity, shall make that accounting directly to the Individual. (b)  shall record the following information regarding each disclosure

of PHI subject to an Accounting of Disclosures pursuant to 45 C.F.R. § 164.528: (1) date of disclosure; (2) name of entity or person who received the PHI and, if known, the address of such entity or person; (3) a brief description of the PHI; and (4) a brief statement of the purpose of the disclosure that reasonably informs the Individual of the

basis for the disclosure or a copy of a written request for disclosure. For multiple such disclosures of PHI to the same person or entity for a single purpose, shall provide Covered Entity, pursuant to Article II, Section 5(a) of this BAA, (1) the information set forth in Article II, Section 5(b) of this BAA regarding the first disclosure; (2) the frequency, periodicity or number of disclosures made during the accounting period; and (3) the date of the last such disclosure during the accounting period. (c) make available its internal practices, books, and records relating to the use and disclosure of PHI to the Secretary of the Department of Health and Human Services in accordance with the HIPAA Rules ; and (d) forward to Covered Entity within five (5) business days of receiving any requests an Individual makes of pursuant to 45 C.F.R. §§ 164.524 or 164.526, so that Covered Entity may respond to such requests. shall not respond directly to those Individual requests. Section 6. Exchange of PHI and Communications. agrees to the following: (a) shall not directly or indirectly receive remuneration in

exchange for any PHI in compliance with 45 C.F.R. §§ 164.502(a)(5), 164.504(e)(2)(i), and 164.508(a); (b) shall not make or cause to be made any communication

about a product or service that is prohibited by45. C.F.R. §§ 164.502(a)(5), 164.504(e)(2)(i), and 164.508(a); (c) shall not make or cause to be made any written fundraising communication that is prohibited by 45 C.F.R. § 164.514(f). III. OBLIGATIONS OF COVERED ENTITY

Section 1. Limitations on Protected Health Information. Covered Entity agrees that it will not furnish to any PHI that is subject to any restrictions on the use and/or disclosure of PHI as provided for in 45 C.F.R. § 164.522 that will affect use or disclosure of the PHI under this BAA; provided that, with respect to restrictions that Covered Entity is required to agree to under 45 C.F.R. § 164.522(a), Covered Entity shall provide with clear written notice of those restrictions and the PHI to which they pertain.

Section 2. Compliance with HIPAA and ARRA. Covered Entity in performing its obligations and exercising its rights under this Agreement shall use and disclose Protected Health Information in compliance with the HIPAA Rules and ARRA. Covered Entity agrees that it will not provide to PHI unless expressly requested by in the fulfillment of the Contract.

Section 3. Covered Entity Requests. Covered Entity shall not request or require to use or disclose Protected Health Information in any manner that would not be permissible under the HIPAA Rules or ARRA if done by Covered Entity.

IV. TERMINATION OF AGREEMENT

Section 1. Termination of Agreement by Covered Entity. Upon Covered Entity’s knowledge of a breach of a material term of this BAA by , Covered Entity shall provide with written notice of that breach in sufficient detail to enable to understand the specific nature of that breach and afford the opportunity to cure the breach; provided, however, that if fails to cure the breach within a reasonable time specified by Covered Entity, Covered Entity may terminate this BAA. Upon termination of this BAA under this Section, will comply with the return or destruction provisions of Article IV, Section 3 below, and Covered Entity may terminate the Contract, unless the parties mutually agree that may review Covered Entity pursuant to the Contract using only a Limited Data Set, pursuant to the Data Use Agreement in Article VI of this BAA, or with information that has been de-identified. If after termination of this BAA pursuant to this Section the parties agree that will continue its review of Covered Entity under the Contract using a Limited Data Set or de-identified information, the Contract shall continue in effect and the terms of this BAA that apply to such review of Covered Entity pursuant to the Contract shall survive to the extent necessary for to conduct the Survey of Covered Entity.

Section 2. Termination of Agreement by _. Upon knowledge of a breach of a material term of this BAA by Covered Entity, shall provide Covered Entity with written notice of that breach in sufficient detail to enable Covered Entity to understand the specific nature of that breach and afford Covered Entity the opportunity to cure the breach; provided, however, that if Covered Entity fails to cure the breach within a reasonable time specified by , may terminate this BAA as well as terminate the Contract.

Section 3. Return or Destruction of PHI. Within thirty (30) calendar days after termination or expiration of the Contract or this BAA, agrees to either return to Covered Entity or destroy all PHI received from the Covered Entity or created or received by on behalf of the Covered Entity and which still maintains in any form, including such information in possession of subcontractors. agrees not to retain any copies of such PHI. If return or destruction of the PHI is not feasible, agrees to extend the protections, limitations and restrictions of this BAA to use and disclosure of PHI retained after termination and to limit any further uses or disclosures to the purposes that make return or destruction infeasible. Any de-identified information retained by shall not be re-identified except for a purpose permitted under this BAA.

V. LIMITATION OF LIABILITY

Section 1. Hold Harmless. Each party agrees to hold harmless the other party to this BAA from and against any and all claims, losses, liabilities, costs and other expenses (including reasonable attorney fees and costs associated with any suits, actions, proceedings, claims, or official investigations or inquiries) incurred as a result of: (i) any misrepresentation or nonfulfillment of any undertaking on the part of the party pursuant to this BAA; and (ii) negligent or intentional acts or omissions in the party’s performance under this BAA. In no event will a party be responsible for any damages caused by the failure of the other party to perform its responsibilities. If Covered Entity is an institution of a state government, this Article V shall apply only to the extent permitted under applicable state law, and nothing herein shall be deemed an express or implied waiver of sovereign immunity.

Section 2. Damages. NO PARTY SHALL BE LIABLE TO ANOTHER PARTY HERETO FOR ANY INCIDENTAL, CONSEQUENTIAL, SPECIAL, OR PUNITIVE DAMAGES OF ANY KIND OR NATURE RELATING TO OR ARISING FROM THE PERFORMANCE OR BREACH OF OBLIGATIONS SET FORTH IN THIS BAA, WHETHER SUCH LIABILITY IS ASSERTED ON THE BASIS OF CONTRACT, TORT (INCLUDING NEGLIGENCE OR STRICT LIABILITY), OR OTHERWISE, EVEN IF THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGES.

VI. DATA USE AGREEMENT

Section 1. Preparation of the Limited Data Set. In accordance with Article II, Section 1(e) of this BAA may, on behalf of Covered Entity, prepare a Limited Data Set (“LDS”) in accordance with the requirements set forth in this BAA.

Section 2. Minimum Necessary Data Fields in the LDS. In preparing the LDS, will include the data fields which are the minimum necessary to accomplish the purposes set forth in Section 4 of this Article VI.

Section 3. Responsibilities of . All of the restrictions, obligations, requirements and conditions of this BAA shall apply to such LDS in the same manner as they apply to PHI under this BAA. agrees to not use or further disclose the LDS other than as permitted by this Article VI or as otherwise Required by Law. ---------------------- further agrees that it will not identify the information in the LDS or contact the Individuals whose PHI is in the LDS, except where such contact is based on information derived entirely from a source other than the LDS.

Section 4. Permitted Uses and Disclosures of the LDS. may use and/or disclose the LDS for its Research and Public Health activities and the Health Care Operations of the Covered Entity.

VII. MISCELLANEOUS

Section 1. Choice of Law and Jurisdiction. The law of the District of Columbia shall govern this BAA. The parties agree that any dispute arising under this BAA shall only be resolved in a court of competent jurisdiction in the District of Columbia. Notwithstanding the foregoing, this choice of law and venue provision shall not apply if Covered Entity is an institution of a state government and afforded sovereign immunity under applicable state law.

Section 2. Change in Law. The parties agree to negotiate to amend this BAA (a) as necessary to comply with any amendment to any provision of HIPAA or its implementing regulations, ARRA, or to comply with any other applicable laws or regulations, or amendments thereto, and/or (b) in the event any such law or regulation or amendment thereto materially alters either party or both parties’ obligations under this BAA. The parties agree to negotiate in good faith mutually acceptable and appropriate amendment(s) to this BAA to give effect to such revised obligations. If the parties are unable to agree to mutually acceptable amendment(s) within sixty (60) calendar days of the relevant change in law or regulations, either party may terminate this BAA and the Contract consistent with the terms of this BAA and the Contract. Notwithstanding the preceding sentence, the parties agree that this BAA is written to encompass ARRA and its implementing regulations.

Section 3. Third Party Beneficiaries. Nothing in this BAA shall confer upon any person other than the parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.

Section 4. Survival. Article I; Article II; Article IV, Section 3; Article V; and Article VII of this BAA shall survive termination of this BAA and continue indefinitely solely with respect to PHI retains in accordance with Article IV, Section 3. Article VI shall survive the termination of this BAA with regard to any LDS that possesses. The last sentence of Article IV, Section 1 shall survive termination of this BAA with regard to any de-identified information creates using Covered Entity’s PHI.

Section 5. Notice. Any notice, consent, request or waiver, or other communications to be given hereunder by either party shall be given in writing and will be deemed to have been given when delivered personally or by registered mail, postage prepaid and return receipt requested, or by facsimile with a confirming copy placed in the United States mail addressed as provided below or to such other address as either party may designate by written notice to the other. If

Copy to:
Entity:
Name of Individual/Entity:
Address:
City/State/Zip:
Fax:

IN WITNESS WHEREOF, the parties hereto have duly executed this Agreement effective as of the date of the contract.

Covered Entity
Print Name of Covered Entity:
By:
Print Name:
Title:
Date:

Assurance
By:
Print Name:
Title:
Date: