January 7, 2003

Dear Physician:

HIPAA Privacy is here. The good news is that the final privacy rule is much less onerous than what the federal government originally proposed. Marion Polk Community Health Plan (MPCHP) has received the attached Privacy Kit from Quality Care Associates (QCA) with permission, and with the caveat that this document cannot be sold. QCA received the Privacy Kit from the American Dental Association, which compiled it. The Privacy Kit has, with permission, been adapted in Linn/Benton County, where it is in use and has been well received. Compliance will be manageable with the help of the Privacy Kit.

The Privacy Kit contains documents to guide your office in becoming HIPAA compliant. Key points to keep in mind are to make a good faith effort to secure patient acknowledgement of receipt of your privacy notice, and to DOCUMENT. Furthermore, the final rule does not anticipate a one-size-fits-all compliance approach; each office will need to customize its policies and procedures to best fit its office practices. "Reasonable" appears in the rule 265 times, and you will have to make some judgment calls regarding your practice philosophy, profile, and physician environment. Also, remember that the documents are generic; they may need to be edited to comply with state law.

MPCHP is available: once your privacy officer has read through the kit, please call if you have further questions. MPCHP will assist in any way possible.

Sincerely,
Marion Polk Community Health Plan

Marion Polk Community Health Plan manual.pdf · Start with a gap analysis to help you understand the difference between the requirements of the law and your current practice activities




Mid-Valley Independent Association Privacy for Physicians

HIPAA will change your privacy practices, but not as dramatically as once thought. Don’t panic, compliance is manageable!

Chapter 1 Introduction

This overview will help you understand the key privacy aspects of the Health Insurance Portability and Accountability Act (HIPAA), as well as introduce you to the contents of this Privacy Kit. Working as a medical professional, you may have many unanswered questions regarding HIPAA. This Privacy Kit will provide you with the following to help you comply with HIPAA regulations:

HIPAA compliance checklist;

Sample forms;

Sample policies and business agreements;

Employee training suggestions;

FAQs; and

Additional HIPAA resources.

In addition, the "HIPAA Privacy Top 10 List," located in this chapter of the Overview, will break down your compliance tasks into basic, easy-to-understand steps. Do not be reluctant to tackle HIPAA compliance issues. We are here to help.

Will HIPAA compliance be difficult?


HIPAA laws may seem daunting, but look at the issues in a positive way. These laws are designed to protect and enhance the rights of patients. We need to learn about these laws; after all, we are all patients. Also, you may have encountered some dire HIPAA privacy myths. For example, you may have heard that offices need to be soundproofed, and that mailing reminder cards can send you to jail. Neither of these examples is true. Soon, after reading this Privacy Kit, you'll be quite familiar with the HIPAA Privacy requirements. You'll learn that compliance is readily achievable; physical changes and disruption of the typical medical practice are not necessary!

Overview

The ADA, along with other organizations, has worked to lessen the negative impact that was anticipated for the original privacy compliance rules. As a result, the U.S. Department of Health and Human Services (HHS) made changes to the requirements and provided helpful clarifications. As a result of the ADA's attention to these privacy issues, compliance requirements are now more easily achieved. For example, medical practices are entitled to some flexibility to create their own privacy procedures tailored to meet their size and needs. Furthermore, most medical practices can meet these requirements using existing resources, including the ADA.

Why should I care about HIPAA privacy?

Protecting health information is the right thing to do. It is also good risk management. HIPAA Privacy regulations will heighten patients' awareness about privacy rights, and, as mentioned earlier in this overview, we are all patients, so we should understand the issues. Under HIPAA, most physicians are considered a covered entity: a healthcare provider who transmits certain health information (including claims) in electronic form, either directly or indirectly, through a vendor or billing service. As a covered entity, you can be subject to severe civil fines and even criminal penalties for violations of HIPAA regulations. These sanctions could vary depending on the circumstances and nature of the violation, and could include jail time for certain knowing offenses. More strict state laws could impose additional sanctions. HIPAA provides you with a general, federal "road map" regarding privacy issues, which can also help you to understand your state privacy laws. However, also be aware that federal and state privacy laws may vary. Your state privacy laws may be much more strict.


How should I approach HIPAA compliance?

Knowing your federal and state law requirements and breaking down the requirements for HIPAA privacy implementation into manageable tasks will make compliance easier. Document your progress, expenses, and what you do to comply. This will help you establish the framework for ensuring that things get done, and can provide some protection if a complaint is ever brought against you.

When do I need to be ready for HIPAA Privacy?

The key HIPAA privacy date is April 14, 2003. However, you should be ready before this date with the correct use of privacy forms, policies, business associate agreements, and employee training procedures. (Existing business associate agreements need not contain the required terms and conditions until renewal or modification of the agreement, or by April 14, 2004.) This Privacy Kit will provide you with samples of these privacy compliance forms, policies, and procedures.

HIPAA Privacy Top 10 List

The following HIPAA Privacy Top 10 List will help you break down the compliance requirements of HIPAA regulations. Use this helpful "TO DO LIST" as you embark on your compliance tasks.

1. Get Started Now

The HIPAA Privacy compliance date is April 14, 2003. Develop a compliance timeline (see the HIPAA Privacy Rule Checklist in this Privacy Kit). Think in terms of implementing reasonable safeguards that reflect your particular circumstances. When in doubt, do what you think is right and necessary to comply, and be prepared to justify your decisions, if asked. However, do not be too quick to decide that any given measure that enhances privacy is "unreasonable" and therefore unnecessary for you to take.

2. Know the Law

Know the federal requirements of HIPAA. Be familiar with how HIPAA regulations define certain terms. For example, a key element of HIPAA privacy is the protection, use, and disclosure of Protected Health Information (PHI). That requires knowing how HIPAA defines Health Information (HI) and PHI. You should also know the requirements of your state privacy laws. They may be more stringent.

3. Develop Written Privacy Policies and Forms


Start with a gap analysis to help you understand the difference between the requirements of the law and your current practice activities. Put your policies and procedures in writing. Adopt or develop the required forms to implement your privacy policies and procedures. This Privacy Kit will provide you with samples of these privacy compliance forms, policies, and procedures.

4. Train Your Staff

Train your medical team about your privacy policies and procedures, and designate a Privacy Officer and a Contact Person to receive complaints, as required by the regulations. This Privacy Kit will provide you with samples of these privacy compliance forms, policies, and procedures.

5. Notify Your Patients and Get Their Permissions, as Needed

HIPAA Privacy regulations give patients the right to be aware of how you will use and disclose their health information. Disclosures that HIPAA defines as for "treatment, payment, or healthcare operations" (TPO), which include most typical medical office disclosures, must be accomplished via your Notice of Privacy Practices and related Acknowledgement. Simply post and distribute your Notice of Privacy Practices at the time of first delivery of services after April 14, 2003, and make a good faith effort to obtain the patient's written Acknowledgement of Receipt of Notice of Privacy Practices. (A physician has the discretion to go beyond this minimal requirement by also obtaining a written consent for use and disclosure of protected health information for TPO, which in some cases may be required by state law.) Specific authorization is needed for certain other uses and disclosures beyond TPO. This Privacy Kit will provide you with samples of these privacy compliance forms.

6. Use the Minimum Necessary Standard

Use the minimum necessary standard when disclosing health information. Where it applies, only use or disclose the information that is needed to accomplish the intended purpose. The Privacy Rule encourages a common sense approach. For example, for most oral communications, the rule does not require guaranteed protection against every risk of disclosure. Reasonable safeguards should be used to limit incidental disclosures. However, careless errors and improper disclosures could still violate the rule and lead to serious consequences for the violator.

7. Honor Your Patients' Rights

Honor patients' rights established by HIPAA. Under HIPAA, patients have the following rights:

To access, copy, inspect, and amend their healthcare information;

To obtain an accounting of, and the right to request restrictions on, disclosures; and

To offer complaints regarding their healthcare information.

Keep in mind HIPAA’s marketing restrictions, which require authorization for marketing that is not face-to-face or a promotional gift of nominal value. Under HIPAA, the following are not considered “marketing”:


Communications related to the treatment of the patient;

Communications used for case management or care coordination of the patient; and

Communications used to direct or recommend alternative treatments, therapies, healthcare providers, or settings of care to the patient.

8. Follow the Business Associates Rule

Evaluate all your business relationships, determine which require a Business Associate Agreement, and execute all required new agreements by April 14, 2003, or amendments to existing written business agreements by April 14, 2004 (or when the agreement renews or is modified, if earlier). This Privacy Kit will provide you with sample contract terms for a Business Associate Agreement.

9. Develop a Self-Audit Program

Make sure your policies and procedures are up-to-date and fully implemented. In addition, modify your policies and procedures as indicated by the audit results. This Privacy Kit will provide you with samples of these privacy compliance forms, policies, and procedures.

10. Mitigate

Limit the harm if you or your Business Associates use or disclose protected health information in violation of your policies and procedures or the requirements of HIPAA.


Chapter 2 THE HIPAA MAZE: AN INTRODUCTION

Under the HIPAA Privacy Rule, medical offices that transmit certain health information (including claims) in electronic form, either directly or indirectly through a vendor or billing service, must appropriately safeguard and disclose protected health information (PHI) in compliance with HIPAA's minimum federal requirements. More stringent state privacy laws may also apply. Federal HIPAA privacy requirements can be divided into three categories:

Privacy Standards (what you have to do);

Patients' Rights (why you have to do it); and

Administrative Requirements (how to do it).

These categories are intended to help organize our thinking and are not specifically identified in the regulations.

PRIVACY STANDARDS

HIPAA sets minimum federal privacy requirements. More stringent state laws for safeguarding information may also apply. Generally, at the time of the patient's first visit after April 14, 2003, you should give the patient a copy of your Notice of Privacy Practices. You should ask them to sign an Acknowledgement of Receipt of Notice of Privacy Practices. Document your good faith attempt to do so if you are unable to obtain a signed Acknowledgement. Among other things, this permits uses and disclosures in your practice for TPO. You should obtain Authorization for most other uses and disclosures. (A written Consent may be secured in addition to an Acknowledgement.) You will be using or disclosing protected healthcare information by reasonably applying the minimum necessary standard, meaning that you will use or disclose only as much information as is needed to accomplish the intended purpose.


The privacy forms, policies, and other administrative guidelines discussed in this overview are available as samples in this Privacy Kit. The HIPAA compliance requirements are explained in more detail in the next section. Keep in mind that any more stringent state law requirements must also be followed. When you develop your HIPAA compliance policy, incorporate whatever is necessary to address state law requirements as well. When you hear "HIPAA," ask what part of HIPAA, for the law covers a wide range of issues. This Privacy Kit focuses on the privacy issues.

PATIENTS' RIGHTS

HIPAA establishes patients' rights over their own PHI, including:

The right to access and copy their protected healthcare information;

The right to amend the protected information contained in their patient record;

The right to an accounting of non-routine or non-authorized disclosures;

The right to confidential communication; and

The right to complain to the practice and/or the Secretary of Health and Human Services.

ADMINISTRATIVE REQUIREMENTS

To implement privacy practices, you must first:

Develop policies, procedures, and documentation practices;

Designate a Privacy Officer and a Contact Person to receive complaints;

Provide adequate training to employees in both privacy and the safeguarding of PHI;

Provide Notice of Privacy Practices to patients;

Establish complaint systems;

Comply with Business Associate Contract terms; and

Mitigate the consequences if there is a breach of confidentiality by you and/or your Business Associates.

THE LAW


HIPAA is not new. The enabling legislation (Health Insurance Portability and Accountability Act) was passed in 1996. The law covers a wide range of issues including:

Assuring portability of health insurance coverage;

Mandating a fraud and abuse control program;

Creating Medical Savings Accounts; and

Administrative simplification provisions, such as privacy.

HIPAA privacy legislation requires maintaining reasonable and appropriate administrative, technical, and physical safeguards to ensure the integrity and confidentiality of the PHI; protecting against any reasonably anticipated threats or hazards to the security or integrity of the information; protecting against unauthorized uses or disclosures of the information; and ensuring compliance by the Privacy Officers and employees.

The Regulation

The federal privacy regulation is the second administrative simplification standard (transactions and code sets were first) to be issued under HIPAA that the Department of Health and Human Services has released in final form. In addition to privacy and standards for electronic transactions and medical data code sets, future regulations could address consistent identifiers for patients, providers, health plans, and employers; claims attachments that support a request for payment; data security; and enforcement issues. Taken together, the standards are intended to streamline the flow of information integral to the operation of the healthcare system while protecting confidential health information from inappropriate access, disclosure, and use. According to the Preamble to the HIPAA privacy regulation, the three major purposes of HIPAA are:

To protect and enhance the rights of consumers by providing them access to their health information and controlling the inappropriate use or disclosure of that information;

To improve the quality of healthcare in the U.S. by restoring trust in the healthcare system among consumers, healthcare professionals, and the multitude of organizations and individuals committed to the delivery of care; and

To improve the efficiency and effectiveness of healthcare delivery by creating a national framework for health privacy protection that builds on efforts by states, health systems, and individual organizations and individuals.

The Guidance


The privacy regulations were published, along with an extensive Preamble, in the December 28, 2000 Federal Register on pages 82462 through 82829. The regulations themselves begin on page 82798. You can download a copy of the entire HIPAA privacy document, the Preamble, or just the privacy regulations themselves, from the HHS Administrative Simplification Web site at http://www.hhs.gov/ocr/hipaa/finalreg.html. This version of the regulations may contain different information than is set forth in this Overview, because this Overview is based on the presumption that the rule will be changed in accordance with the modifications proposed by HHS (see the HHS Administrative Simplification Web site at http://www.hhs.gov/ocr/hipaa/assist.html). A copy of HHS's proposed modifications to the final rule can be obtained at http://www.hhs.gov/ocr/hipaa/privruletxt.txt or http://www.hhs.gov/ocr/hipaa/privrulepd.pdf.

This Privacy Kit also reflects the guidance HHS released on July 6, 2001, which provides additional explanation concerning the HIPAA Privacy Rule published on December 28, 2000. The guidance responds to many of the concerns raised by the ADA and other healthcare organizations. As a result, HHS clarified that some of the rumored "requirements" are not required and others can be scaled to meet the needs of small practices. For example, the Privacy Rule does not require soundproofing of medical offices, and appointment reminder postcards can be mailed if there is a HIPAA patient Consent or Acknowledgement on file.

The Final Modifications

On March 27, 2002, HHS released long-anticipated proposed modifications of the final rule. Nearly all of these proposed changes were adopted by HHS in final modifications of the rule, issued August 14, 2002. The most significant of the final modifications is the elimination of the need for written patient consent for uses and disclosures of PHI. HHS has clarified that a physician with a direct treatment relationship with an individual must make a good faith effort to obtain that person's Acknowledgement, which must be in writing; the form of the Acknowledgement is left to the physician. The final modifications also, in many cases, allow an additional year (until April 14, 2004) for providers to modify existing Business Associate Contracts to include the required privacy provisions. The final modifications also address marketing, minimum necessary disclosures, and the rights of parents and minors. These changes are addressed in the following chapters of this Overview.


HHS Enforcement and Sanctions

Enforcement is through the HHS Office for Civil Rights. (The Department of Justice and/or the Office of Inspector General may also become involved.) While HIPAA privacy does not provide the basis for a private lawsuit, it may trigger private lawsuits under state privacy laws. HHS plans to issue an Enforcement Rule that applies to all HIPAA regulations. This regulation will address the imposition of civil and criminal penalties and the referral of criminal cases. The OMA will provide that information when it becomes available. As noted above, HIPAA violations can trigger both civil and criminal penalties. Let's look at each of them, in turn. A SINGLE ACT CAN VIOLATE MULTIPLE HIPAA REQUIREMENTS.

CIVIL PENALTIES

Civil penalties for a HIPAA privacy violation can be up to $100 for each offense, with an annual cap of $25,000 for repeated violations of the same requirement. Under HIPAA, civil penalties can be reduced for any of the following reasons:

Noncompliance Not Discovered ("I did not know and I could not have reasonably known"): If it is established to the satisfaction of the Secretary of HHS that the person liable for the penalty did not know, and by exercising reasonable diligence would not have known, that they violated the provision.

Failure Due To Reasonable Cause ("There's a valid reason I didn't comply, but I've corrected the problem."): The failure to comply was due to reasonable cause and not to willful neglect, and is corrected within 30 days after the person knew, or should have known by exercising reasonable diligence, that the failure to comply occurred.

Extension Of Period ("I need more time."): The time period for correction may be extended by the Secretary.

Assistance ("I need more help."): If the Secretary determines that a person failed to comply, the Secretary may provide technical assistance to the person.

Reduction ("The fines are too much."): In the case of a failure to comply which is due to reasonable cause and not to willful neglect, any penalty may be waived to the extent that the payment of such penalty would be excessive relative to the compliance failure involved.

CRIMINAL PENALTIES

Let's now turn to criminal penalties. Knowing, wrongful misuse of individually identifiable health information is punishable by:

For knowing misuse of individually identifiable health information: up to $50,000 and/or 1 year in prison;

For misuse under false pretenses: up to $100,000 and/or 5 years in prison; and

For offenses committed with intent to sell for profit or for malicious harm: up to $250,000 and/or 10 years in prison.

When in doubt, do what you think is right and necessary to comply. In addition, be prepared to justify your decisions. The U.S. Department of Health and Human Services may challenge what you believe is "reasonable."

Dealing with the “Mixed” Messages

You will most likely encounter competing messages while engaged in your HIPAA compliance efforts. Some of these opposing "mixed messages" include the following:

Between the severe penalties that can be imposed upon you and the defenses HIPAA allows to avoid them;

Between expressed compliance rules and some leeway as to how to comply; and

Between respecting your patients' rights and efficiently managing your practice.


Chapter 3 PRIVACY STANDARDS

You may find it easier, for administrative purposes, to consider all personally identifiable information you receive about any patient to be protected by the regulations.

Know What PHI Means

To begin to understand privacy issues, you should know what Protected Health Information (PHI) means for HIPAA purposes. The core of HIPAA privacy is the protection, use, and disclosure of Protected Health Information (PHI). This requires knowing how HIPAA defines the terms Health Information (HI) and Protected Health Information (PHI). Health Information (HI) means any information, whether oral or recorded in any form or medium, that:

Is created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse; and

Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.

Protected Health Information (PHI) means individually identifiable health information that is transmitted or maintained by electronic (or other) media.

ORAL COMMUNICATIONS

As noted, PHI includes oral communications. This can include verbal communications among staff members, patients, and/or other providers. What does this mean to you in your practice? According to HHS, the Privacy Rule is not intended to prohibit providers from talking to each other and to their patients. HHS acknowledges the importance of oral communications occurring freely and quickly in treatment settings. The Privacy Rule does not require soundproofing, structural, or systems changes to rooms. However, the use of curtains or screens in areas where oral communications often occur may be appropriate.

YOU MUST MAKE A GOOD FAITH EFFORT TO OBTAIN A WRITTEN HIPAA PRIVACY ACKNOWLEDGEMENT AS A ROUTINE MATTER FROM ALL PATIENTS. HAVE ACKNOWLEDGEMENTS (AND CONSENTS, IF YOU CHOOSE TO SECURE THOSE AS WELL) ON FILE FROM ALL PATIENTS AFTER APRIL 14, 2003.

The following practices would be permissible, if reasonable precautions are taken to minimize the chance of inadvertent disclosures to others who may be nearby:

The physician and staff may discuss a patient’s condition over the phone with the patient, a provider, healthcare professional, or an authorized family member;

The physician and staff may discuss lab test results with a patient or other provider in a joint treatment area; and

The physician and staff may discuss a patient’s condition during training rounds in an academic or training institution.

HHS does not consider facility restructuring to be a requirement under this standard. In determining what is reasonable, HHS will take into account the concerns of covered entities regarding potential effects on patient care and financial burden.

Relying on HIPAA Acknowledgements and Authorizations to Comply

You must make a good faith attempt to obtain a written Acknowledgement of Receipt of Notice of Privacy Practices. This allows you to use or disclose a patient's protected health information for purposes of "treatment, payment, or healthcare operations." A written Consent can also be used for this purpose, and may be required in some states. In addition, a written Authorization is required before using or disclosing PHI for most other purposes.

Acknowledgement or Consent?

Given the importance of written Consent in earlier versions of the Privacy Rule, you may be wondering about relying on a good faith effort to secure the patient's Acknowledgement of Receipt of Notice of Privacy Practices instead. You must make a good faith effort to secure an Acknowledgement. You may also wish to use a Consent for this purpose or to comply with your state law. Whatever you decide, start soon, so your right to use and disclose PHI is not questioned. Getting your Acknowledgements (and Consents) early in the process will permit you to use or disclose PHI for purposes of treatment, payment, or healthcare operations. This is the basis that permits a number of routine activities that might otherwise be hindered, such as the ones listed below.


Sending an appointment reminder to the patient.

Transferring a patient's records to a purchaser who is also a covered entity (medical office) or will become a covered entity upon purchase of the practice.

Authorization

An Authorization is a customized document that gives physicians permission to use PHI for specified purposes other than treatment, payment, or healthcare operations (TPO), or to disclose protected health information (PHI) to a third party. An Authorization is detailed, specific, and contains the following information:

An expiration date;

A purpose of the uses and disclosures of PHI specific to the Authorization; and

A permission of the uses and disclosures of PHI specific to the Authorization.

Example: Your state laws may impose more stringent requirements regarding the protection of patient information. Be sure your forms are developed to meet their requirements as well.

A physician would need an Authorization from the patient to send their name and address to a company marketing a new medical product. This restriction does not apply to most newsletters.

Special Circumstances Physicians can make a disclosure of PHI without an Acknowledgement, Consent, or Authorization in certain situations, such as the following:

For reasons of public health surveillance;

Suspected child abuse, neglect, or domestic violence investigations;

Healthcare fraud investigation;

Oversight by the Secretary of HHS; and

Law enforcement with a valid warrant, court order, or administrative request.

Minimum Necessary Disclosures


When using or disclosing protected health information, or when requesting protected health information from another medical office, a physician must make reasonable efforts to limit the use or disclosure to the minimum amount of PHI necessary to accomplish the intended purpose. Minimum necessary means taking reasonable safeguards to protect a person’s health information from incidental disclosure. Minimum necessary rules do NOT apply to:

Disclosures to or requests by staff members or another healthcare provider for treatment purposes;

Disclosures to the individual who is the subject of the information;

Uses or disclosures made pursuant to an authorization requested by the individual;

Uses or disclosures required for compliance with HIPAA-mandated standard transactions;

Disclosures to HHS when required under the rule for enforcement purposes; and

Uses or disclosures that are required by law.


Chapter 4 PATIENT RIGHTS

Under HIPAA, patients will have an increased awareness of their health information privacy rights, including the following:

The right to access, copy, and inspect their health information;

The right to request an amendment to their healthcare information;

The right to obtain an accounting of certain disclosures of their health information;

The right to request restrictions on disclosures for TPO;

The right to alternative means of receiving communications from physicians; and

The right to complain about alleged violations of the regulations and the physician’s own information policies.

The following are other examples of patients’ rights in more detail.

Patients (even those who are not yet your patients) have the right to obtain a Notice of Privacy Practices. (See the sample Form 1.)

Patients have the right of access to inspect and obtain a copy of their PHI for as long as the protected health information is maintained by or for you.

Physicians may charge for making and sending copies in accordance with the regulations and state law, which allow a cost-based fee.

Access to the patient’s PHI can be denied in certain limited circumstances as specified in the regulations. (See the sample Form 5.)

Requests for amendment can be denied if the information is correct and complete as is, or if the physician did not create the information.

If the request is denied, the physician must allow the patient to include in the record a statement disagreeing with the denial. The physician must then note the record to indicate the material and the patient’s requested amendment.

If the amendment is approved, the record must be amended. When erroneous information is found, do not delete and replace information in the record; instead, simply note the erroneous information and append the record with the correction.

HIPAA regulations describe “individual” rights and actions. This Overview uses the more familiar word “patient” instead; “patient” should be read broadly to include prospective patients, patients of record, former patients, their authorized representatives, and any other “individuals.” Throughout this section you will see references to sample forms. These sample compliance forms are contained in this Privacy Kit.


Starting a dialogue with patients about what their health information privacy rights are and explaining the limits of those rights can be beneficial as the privacy regulations are implemented in your office. In addition to good risk management, it can also assist in minimizing complaints to you or the Department of Health and Human Services.

If the amendment is accepted, the physician must alert:

Any individuals who have received and who may have acted on the erroneous information to the detriment of the patient (e.g. insurers); and

Any individuals identified by the patient.

Patients have the right to request an accounting of disclosures of the health information made for purposes other than for TPO. (See the sample Form 1.) The physician must maintain appropriate records of such disclosures and make them available to patients upon request. A notation in the patient’s chart should be sufficient.

Patients have the right to require reasonable alternative means of receiving, and locations to receive, PHI communicated by the physician. (See the sample Form 1.)

Patients have the right to request restrictions on the use or disclosure of PHI for TPO. (See the sample Form 1.)

Patients have the right to request uses or disclosures of PHI. (See the sample Form 1.)

Patients have the right to revoke their Consent or Authorization. (See the sample Form 3.)

Patients have the right to require their authorization for uses of their PHI for most marketing purposes. Marketing that is done face-to-face with the patient or consists of the provision of a promotional gift of nominal value can be done without patient authorization.

Communications with a patient that are not considered marketing include those that are:

1. related to the treatment of the patient;
2. used for case management or case coordination of the patient; and
3. used to direct or recommend alternative treatments, therapies, healthcare providers, or settings of care to the patient.

These communications do not require an authorization.

Patients have the right to complain to the physician and/or the Secretary of Health and Human Services about alleged violations of the Rules’ provisions. (See the sample Form 6.)


A complaint must be filed within 180 days of when the complainant knew or should have known that the act or omission complained of occurred, unless this time limit is waived by the Secretary for good cause.

Who has these “Rights”?

Patients whose Protected Health Information you maintain

Legal/authorized representatives

Parents and minors

RIGHTS OF PARENTS AND MINORS HHS has provided specific guidance about the rights of parents and minors. Under the Privacy Rule, a parent is generally considered a “personal representative” and has the right to access health information about their minor child. The Final Rule, as modified, includes the following exceptions to a parent’s right to access as a “personal representative”:

When a state or other law does not require parental consent prior to a minor obtaining care and the minor consents to the healthcare services; and

When a court, or another individual authorized by law, consents to the healthcare service. The Guidance clarified that:

If a parent agrees to a confidential relationship between the minor and the doctor, the parent does not have access to the PHI stemming from the arrangement; and

If the doctor reasonably believes that the minor has been or may be subject to abuse or neglect, or that treating the parent as the child’s personal representative could endanger the child, the physician may choose not to treat the parent as the personal representative of the child.

Furthermore, the Final Modifications provide that wherever the parent is not the personal representative under HIPAA, and state law is silent, the physician may exercise discretion to provide or deny a parent access to PHI so long as doing so is consistent with state or other law. Generally, a parent can access health information about their minor child. HIPAA does not preempt state law that might authorize or prohibit a disclosure of PHI about a minor to a parent.


Chapter 5 ADMINISTRATIVE REQUIREMENTS

The third component of your compliance efforts concerns policies and procedures and other documentation practices. A typical medical practice may comply without going to the same measures as a hospital or health plan.

Developing Your Privacy Policy and Practices

ASSESS INFORMATION IN YOUR OFFICE

Listed below are ways to assess how protected health information flows into, within and out of your organization.

Do an office walk-through. Understand what’s going on from a patient’s perspective regarding the flow of healthcare information.

Write a privacy policy for your medical office. You can customize the enclosed sample policies in this Privacy Kit for your office practices. Be sure your staff understands and practices the privacy policies.

Evaluate your forms, both paper and electronic, and determine whether they provide what you need to appropriately use and disclose PHI. You can customize the enclosed sample forms in this Privacy Kit for your medical practice.

Look at your office technology. Note how PHI is obtained, maintained, and distributed. Make sure your system is secure.

Designate a person to be responsible for privacy information and the security of the office systems. Designate a Privacy Officer to receive complaints and make minimum necessary requirement decisions.

Make sure you have written contracts with third parties with whom you share PHI. The contracts should provide the required protection of PHI. (See “The Business Associate Rule” section of this overview.)

The U.S. Department of Health and Human Services has recognized that providers are entitled to flexibility to meet these requirements by creating their own privacy policies and procedures tailored to meet their size and needs. The key to compliance is assuring that there are appropriate administrative, technical, and physical safeguards to protect the privacy of PHI based on your situation. “Reasonableness” is the key.


ANALYZE “GAPS” AND THEIR ASSOCIATED RISKS

A gap analysis will help you understand the difference between the requirements of the law and your current practice activities. This involves understanding what the law requires, and how your practice compares with those requirements (both HIPAA and state law). While providers and health plans must provide reasonable safeguards to avoid prohibited disclosures, the rule does not require that all risk be eliminated to satisfy this requirement. Organizations must review their own practices and determine what steps are reasonable to safeguard their patient information. In assessing what is “reasonable,” physicians may consider the viewpoint of prudent professionals. If there is a complaint involving your practice or your information policies, HHS and the courts could become the final arbiters of what is “reasonable” and whether you have met that standard.

DEVELOP A WRITTEN PRIVACY POLICY

Develop and write a Privacy Policy for your medical office. Your written Privacy Policy should include information on your office’s practices regarding the use and disclosure of PHI—a plan that includes:

Generally, no disclosure should be made until you have made a good faith effort to obtain an individual’s written Acknowledgement of Receipt of Notice of Privacy Practices. In some instances, you must also secure necessary patient Authorizations(s).

Disclosure should adhere to minimum necessary requirements. The physician may assume a request for PHI is for the minimum necessary information if:

Disclosure is to a public official permitted under the rule who represents that the request is for the minimum necessary information;

The request is from another covered entity;

The request is from a workforce professional Business Associate in order to provide a professional service and who represents that the request is for the minimum necessary information; and

The request is for research purposes with appropriate documentation.

Establish procedures to account for disclosures of PHI other than for treatment, payment, and healthcare operations for up to six years from the date of disclosure.

Establish privacy complaint procedures. Record privacy complaints, if any, and their disposition for up to six years from the date of complaint. In addition to a notation in the patient’s charts, an office log for recording any disclosure complaints should be maintained.

Establish record retention procedures in accordance with HIPAA and any more stringent state laws. For enforcement purposes, HHS must be allowed access to all relevant records, books, and internal practices of the physician, Business Associate, or its subcontractors.

Adopt or develop the forms that are needed to implement your privacy policy and practices. (See the sample forms in this Privacy Kit.)

PREPARE YOUR STAFF FOR PRIVACY POLICIES

The duties of the Privacy Officer and Contact Person can be divided up among your staff or combined in any fashion—they can be the same person or the physician. Under the HIPAA Privacy Rule, a medical office must designate a Privacy Officer who is responsible for the development and implementation of the policies and procedures of the practice. Also, a medical office must designate a Contact Person who is responsible for receiving complaints and who is able to provide further information about matters covered by the office’s Notice of Privacy Practices. Listed below are some ways to prepare your staff for privacy policies.

Appoint a Privacy Officer and Contact Person to Administer Your Office Privacy Policy.

Privacy Officer

A Privacy Officer is someone to make minimum necessary decisions, receive requests for access to records, receive requests for amendment, and receive requests for restrictions on use or alternative means of communicating. A Privacy Officer can be the physician or an additional responsibility of an existing staff member. Listed below are additional potential functions of a Privacy Officer.

Maintains a record of complaints of violations and their disposition.

Provides written explanation of any limitation or denial of access to PHI.

Contact Person

A Contact Person receives complaints.

Provide Privacy Training for Your Employees

You should provide all of your employees with training in safeguarding private health information and its appropriate use and disclosure. This helps create privacy awareness so employees are aware of your office procedures and will know, for example, that if they receive a complaint, they log/record it in accordance with the office’s policies and turn it over to the Privacy Officer.


For good risk management, more extensive training may be appropriate and can be documented in personnel records. Adding adherence to privacy policies to the employee code of conduct and to the practice’s guidelines can also be useful. Establish employee-training records for each employee and enter the dates of privacy training sessions. In the typical medical office, the training requirement can be met by providing each employee with a copy of the office’s Privacy Policy and documenting that the policy has been reviewed. You must have your written policies and procedures in place prior to April 14, 2003 so that all of your staff can be trained in time.

Training Timeline

Training of existing employees must be completed by April 14, 2003. Training for new hires must occur within a reasonable time of their employment. Retraining for employees should occur whenever privacy policies and procedures change, duties change, or if it becomes apparent that an employee needs retraining. Physicians should encourage incident reporting by employees. Physicians must also develop policies for disciplining employees who violate the office’s Privacy Policy.

THE BUSINESS ASSOCIATES RULE

The Privacy Rule permits disclosures to Business Associates of the medical office after obtaining satisfactory assurances that the Business Associate will use information only for the contracted purpose and will safeguard the information from misuse. The HIPAA regulations require a written agreement between the medical office and the Business Associate, and specify a list of provisions that must appear in those agreements. HHS has published sample Business Associate Contract Terms, which may become the standard and make negotiations with Business Associates easier. A Business Associate (BA) is a person or entity that, on your behalf, performs or assists in the performance of a function or activity involving the use or disclosure of PHI. These may include your:


Attorney;

Accountant;

Business consultant;

Dental and/or medical laboratories;

Billing service;

Answering service;

Computer support staff; and

Others who have access to use or disclose PHI as part of their responsibilities to you.

The following are NOT considered to be “Business Associates”:

A member of your staff such as an employed medical associate or nurse;

The U.S. Postal Service; or

A janitorial service.

PHI may be disclosed to a Business Associate only to help the medical office carry out its functions—not for independent use by the Business Associate. A Business Associate Agreement is not required if you are making a disclosure to another provider concerning treatment or a claim to a payer. If a medical office complies with the Privacy Rule, it is not liable for privacy violations of a Business Associate. A Business Associate must make its internal practices, books, and records related to use or disclosure of PHI available to HHS for determining compliance. The contract must also obligate the Business Associate to advise the medical office when a violation occurs. When a physician becomes aware of a pattern of practice that materially violates the Privacy Rule, the physician must take “reasonable steps” to cure the breach, including terminating the relationship, if feasible, or reporting the problem to HHS.

Steps for Dealing with Business Associates

Evaluate all of your business relationships, not just the ones with which you currently have contractual agreements. Think through what the patient privacy responsibility is with regard to each of those relationships.

Evaluate Your Existing Business Relationships

o Locate all of your existing business agreements, and
o Identify any business agreements where you do not have a written agreement.
o Determine which business agreements involve the use or disclosure of PHI.
o Determine which business agreements will still be in existence on April 14, 2003.

Establishing these Business Associate Agreements sooner should provide greater leverage in your contract negotiations. New Business Associate Agreements must be in writing, with the required language, by April 14, 2003. Amendments to existing written business agreements must be made before: 1) renewal or modification of the agreement; or, if earlier, 2) April 14, 2004.

Determine which business agreements require a Business Associate Agreement, even if you’ve never had a written contract with them before.

Develop appropriate agreements or amendments to those agreements as required. Use the model language in this Privacy Kit as appropriate.

Monitor your relationships and communication with your Business Associates. If a Business Associate breaches the agreement, mitigate the damage due to the breach and cure any ongoing problems.

If the problem cannot be cured, exercise your option to terminate the agreement, if feasible. If you determine that termination is not feasible, notify the Secretary of HHS. The agreement must say that at termination of the agreement, the Business Associate must return or destroy PHI. Where return or destruction is not possible, the agreement must obligate the Business Associate to maintain the privacy protections afforded by the agreement and must restrict use/disclosure of the retained PHI to only those purposes that prevent destruction or return. Though not explicitly required by the regulations, the agreement should state that those provisions survive termination of the agreement.

Create a form agreement that contains all the required language to use when you enter new agreements with Business Associates. This language should be in your new agreements starting now—do not wait until April 14, 2003 to start to insert this language in your agreements.

Referrals and Claims

PHI may be shared with another covered entity (provider, clearinghouse, or payer) for treatment, payment, or healthcare operations.

PREPARE FOR PATIENTS

Notice Of Privacy Practices

A patient has a right to adequate notice of the uses and disclosures of protected health information that may be made by the medical office, the patient’s rights, and the physician’s legal duties with respect to protected health information. The key is your good faith effort to obtain your patient’s written acknowledgement of receipt of the “notice” at the time of the first visit. (In addition, you may choose to secure a written privacy Consent.) The Privacy Rules require that the Notice of Privacy Practices contain certain specified provisions. Among these is a requirement that your Notice take into account state law where you practice that limits your use of patients’ health information more than HIPAA does. Your office practices must also take those state laws into account. A physician who makes a good faith effort to secure the required Acknowledgement is legally protected. If you document your good faith effort to secure an Acknowledgement, even if not successful, you can use and disclose PHI as if the patient had signed the Acknowledgement.

HIPAA requires a Notice of Privacy Practices, which must contain specific items in a specified format. Develop and maintain a Notice of Privacy Practices. (See the sample forms.) A Sample Notice of Privacy Practices is included in this Privacy Kit. Among the requirements under HIPAA: the Notice must explain the rights of patients, or their authorized representative, to control use or disclosure of protected health information; and the practice’s legal responsibility to safeguard PHI.

The Notice of Privacy Practices must indicate that patients may file a HIPAA complaint with the physician or with the Secretary of HHS (within 180 days), or with both. The Notice must state that the physicians may not intimidate or retaliate against such patients or their authorized representative due to the complaint. If your state has any further privacy notice requirements, you must include these in your Notice of Privacy Practices.

Provide a copy of the Notice of Privacy Practices to patients.

The regulations require that you post a copy of the current Notice of Privacy Practices in a prominent location where it is expected that patients and visitors would see the notice. You must distribute copies of your Notice of Privacy Practices to patients upon their initial visit after April 14, 2003, as well as have copies available for individuals to take with them from your office.

As a part of training, a physician should give a copy of the Notice of Privacy Practices to employees. It may also be included in Business Associate Agreements.

MARKETING

The typical medical office does not generally engage in marketing as defined by HIPAA.

The Privacy Rule’s marketing requirement is quite simple: an Authorization is needed before any marketing communication.

Face-to-face communication and the provision of gifts of nominal value (e.g., free items that are imprinted with the physician’s name, such as toothbrushes, key chains, calendars, etc.) do not require an Authorization.


The Privacy Rule defines “marketing” so that communications about treatment of the individual and communication about treatment options and other health-related information, including disease management programs, do not require authorization.


Chapter 6 MAKE YOUR HIPAA PRIVACY COMPLIANCE PROGRAM WORK

Self-Audit Program

Monitor your office practices from this point forward. Listed below are questions to ask yourself when reviewing your HIPAA compliance efforts.

How are policies, procedures, and systems being implemented?

How are policies, procedures, and systems being managed?

Are the policies, procedures, and systems working?

Are changes needed to help the procedures, systems, or policies work more efficiently?

Limit the Harm if There is a Breach of Confidentiality

A medical office must mitigate, to the extent practicable, any known harmful effect of a use or disclosure of protected health information in violation of its policies and procedures or the requirements of HIPAA. The physician must also discipline any staff and Business Associate for failure to follow the physician office’s policies and procedures.


Chapter 7 HELPFUL HIPAA PRIVACY RESOURCES

This Privacy Kit contains forms to record common activities that the HIPAA Privacy Rules require in writing. There are other infrequent activities for which written documentation is not required. Please call the MVIPA/MPCHP office at 503-371-7701 for guidance on any of the situations listed below—or other circumstances that may arise.

If you want to provide a patient with a summary of the information in the patient’s chart—instead of the entire patient record.

If the information requested or amended is maintained by your Business Associate.

If an amendment to PHI is requested but denied.

If a patient requests either a restriction on the use of protected health information for treatment, payment, and healthcare operations or an alternative means of communication.

HIPAA PRIVACY WEB SITES

Here is a list of some Web sites that you can use to help you become HIPAA compliant.

http://www.hhs.gov/ocr/hipaa -- The official HIPAA privacy Web site.

http://www.wedi.org/SNIP/snipimplem.htm -- HIPAA implementation issues and ideas.

http://www.hipaacomply.com/HIPAAfaq.htm -- Frequently asked questions and unofficial answers from a consultant.

http://www.hipaadvisory.com -- HIPAA newsletter and discussion forum.

http://www.privacysecuritynetwork.com/healthcare/default.cfm -- Information about privacy and security issues.

http://aspe.os.dhhs.gov/admnsimp/Index.htm -- Administrative Simplification Web site.

http://www.hipaa-dsmo.org -- Submit change requests to the Designated Standards Maintenance Organizations.

http://www.ada.org/goto/hipaa -- Great source of HIPAA information for dentists, including updates to the ADA Privacy Kit.


HIPAA CHECKLIST

This Checklist is intended to facilitate your compliance with the new federal Privacy Rule developed pursuant to the Health Information Portability Act of 1996 (HIPAA). HIPAA Privacy rules are still evolving, so no source, including the ADA or any vendor selling HIPAA Privacy compliance materials, knows the final compliance requirements for certain. Be cautious of compliance materials claiming otherwise. Under the HIPAA Privacy Rule, medical offices that transmit any health information in electronic form, either directly or indirectly through a vendor or billing service, will need to appropriately safeguard and disclose protected health information (PHI) in compliance with minimum federal requirements; more stringent state laws may also apply. For example, medical offices may obtain the right to use or disclose PHI for purposes of “treatment, payment, and healthcare operations” by making a good faith effort to obtain a patient’s Acknowledgement of Receipt of the (office’s) Notice of Privacy Practices. Failure to comply with the Privacy Rule can subject physicians to severe sanctions for violations, including both civil (fines) and criminal penalties. This Checklist is offered as a starting point for HIPAA privacy compliance in medical offices, and identifies many of the key tasks a private medical practice must undertake to comply. Detailed compliance information may be found in the law and regulation, and elsewhere in this Privacy Kit. This Checklist does not include other privacy compliance that might be required by more stringent state law requirements or federal requirements beyond privacy contained in HIPAA. The HIPAA privacy compliance date is April 14, 2003. You should be ready before this date with privacy policies and forms, employee training, business associate agreements, and more. You should think in terms of implementing reasonable safeguards that reflect your particular circumstances.
The Checklist does not assure compliance with HIPAA or constitute professional advice; physicians must consult with their professional advisors for such advice.


Checklist: To Make Office Compliant by April 14, 2003
(Columns: Task | Planned completion date | Completed by 4/14/03)

1. Develop a compliance timeline, using this Checklist as a starting point.

2. Develop a compliance timeline, using this Checklist as a starting point.

3. Learn what HIPAA requires and do a gap analysis to assess where your current practices may be lacking.

4. Develop necessary forms to implement your policies and practices (e.g., Acknowledgement of Receipt of Notice of Privacy Practices).

5. Develop a Notice of Privacy Practices to post and give to patients, and a method to document your good faith attempt to secure patients’ acknowledgment of receipt of the Notice.

6. Designate a Privacy Officer and a Contact Person to receive complaints.

7. Train employees in privacy. Document all training efforts.

8. Develop an employee discipline process for privacy violations.

9. Evaluate which of your relationships require a Business Associate (BA) Agreement and enter into required written contracts, using BA agreement language satisfying HIPAA’s specific requirements. (The compliance date is April 14, 2004 for amending existing written BA agreements, but those that are renewed or modified before then must be amended at the time of that renewal or modification.)

10. Your medical office should have appropriate administrative (e.g., policies, procedures, and staff training), technical (e.g., secure software and passwords), and physical (e.g., doors and locks) safeguards in place to make sure health information is private and secure.


Checklist: To Remain Compliant During the Operation of Your Practice
(Columns: Task | Planned completion date | Completed by 4/14/03)

11. Implement procedures to verify the identity and authority of anyone who seeks to access, receive, or use protected health information (PHI) under HIPAA. Keep in mind that PHI includes oral communication (e.g., verbal communication among staff members, patients, and/or other providers).

12. Secure the right to use or disclose PHI. For purposes of treatment, payment, and healthcare operations (TPO), your good faith attempt to secure an Acknowledgement of Receipt of your Notice of Privacy Practices will suffice. Otherwise, secure a written Authorization as required by HIPAA.

13. Plan to use PHI by applying the minimum necessary standard, which will often require that you make reasonable efforts to use or disclose only the information that is needed to accomplish the intended purpose.

14. Know what federal rights patients are given by HIPAA, and develop processes to ensure you will honor those rights (e.g., the right to access and copy protected health information; the right to amend a patient record; the right to an accounting of disclosures; and the right to confidential communication, etc.).

15. Implement complaint systems.

16. Know the HIPAA marketing rules and follow them.

17. Limit the consequences if there is a breach of confidentiality by you and/or your Business Associate.

18. Develop and implement a HIPAA privacy self-audit program to make sure your compliance efforts are working.

19. DOCUMENT, DOCUMENT, DOCUMENT!


(Name of Practice)

Health Information Privacy Policies & Procedures

These Health Information Privacy Policies and Procedures implement our obligations to protect the privacy of individually identifiable health information that we create, receive, or maintain as a healthcare provider. We implement these Health Information Privacy Policies and Procedures as a matter of sound business practice; to protect the interests of our patients; and to fulfill our legal obligations under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), its implementing regulations at 45 CFR Parts 160 and 164 (65 Fed. Reg. 82462 (Dec. 28, 2000)) (“Privacy Rules”), as amended (67 Fed. Reg. 53182 [Aug. 14, 2002]), and state law that provides greater protection or rights to patients than the Privacy Rules.

As a member of our workforce or as our Business Associate, you are obligated to follow these Health Information Privacy Policies and Procedures faithfully. Failure to do so can result in disciplinary action, including termination of your employment or affiliation with us.

These Policies and Procedures address the basics of HIPAA and the Privacy Rules that apply in our medical practice. They do not attempt to cover everything in the Privacy Rules. The Policies and Procedures sometimes refer to forms we use to help implement the policies and to the Privacy Rules themselves when added detail may be needed. Please note that while the Privacy Rules speak in terms of “individual” rights and actions, these Policies and Procedures use the more familiar word “patient” instead; “patient” should be read broadly to include prospective patients, patients of record, former patients, their authorized representatives, and any other “individuals” contemplated in the Privacy Rules.
If you have questions or doubts about any use or disclosure of individually identifiable health information or about your other obligations under these Health Information Privacy Policies and Procedures, the Privacy Rules or other federal or state law, consult {INSERT NAME} – at {INSERT TELEPHONE} OR {INSERT E-MAIL}, before you act. _______________________________________________ {INSERT PRACTICE MANAGER’S OR PHYSICIAN’S NAME} {INSERT TITLE IF APPROPRIATE}


1. General Rule: No Use or Disclosure

Our medical office must not use or disclose protected health information (PHI), except as these Privacy Policies & Procedures permit or require.

2. Acknowledgement and Optional Consent

Our medical office will make a good faith effort to obtain a written acknowledgement of receipt of our Notice of Privacy Practices (see Section 9) from a patient before we use or disclose his or her protected health information (PHI) for treatment, to obtain payment for that treatment, or for our healthcare operations (TPO). Our medical office’s use or disclosure of PHI for our payment activities and healthcare operations may be subject to the minimum necessary requirements (see Section 7). Our medical office will become familiar with our state’s privacy laws. If required by our state law, or as directed by the physician, we will also seek Consent from a patient before we use or disclose PHI for TPO purposes – in addition to obtaining an Acknowledgement of receipt of our Notice of Privacy Practices.

a) Obtaining Consent – If consent is to be obtained, upon the individual’s first visit as a patient (or next visit if already a patient), our medical office will request and obtain the patient’s written Consent for our uses and disclosures of the patient’s PHI for treatment, payment, and healthcare operations.

Any consent we obtain must be on our Consent form, which we may not alter in any way. Our medical office will include the signed Consent form in the patient’s chart.

b) Exceptions – Our medical office does not have to obtain the patient’s Consent in emergency treatment situations; when treatment is required by law; or when communication barriers prevent Consent.

c) Consent Revocation – A patient from whom we obtain consent may revoke it at any time by written notice. Our medical office will include the revocation in the patient’s chart. There is space at the bottom of our Consent form where the patient can revoke the consent.

d) Applicability – Consent for use or disclosure of PHI should not be confused with informed consent for medical treatment. This section applies to our practice.

3. Authorization

In some cases we must have proper, written Authorization from the patient (or the patient’s personal representative) before we use or disclose a patient’s PHI for any purpose, except for TPO purposes or as permitted or required without consent or authorization (see Sections 3, 4, or 5). Our medical office will use the Authorization form. We will always act in strict accordance with an Authorization.


a) Authorization Revocation – A patient may revoke an authorization at any time by written notice. Our medical office will not rely on an Authorization we know has been revoked.

b) Authorization from Another Provider – Our medical office will use or disclose PHI as permitted by a valid Authorization we receive from another healthcare provider.

Our medical office may rely on that covered entity to have requested only the minimum necessary PHI. Therefore, our medical office will not make our own “minimum necessary” determination, unless we know that the Authorization is incomplete, contains false information, has been revoked, or has expired.

c) Authorization Expiration – Our medical office will not rely on an Authorization we know has expired.

4. Oral Agreement

Our medical office may use or disclose a patient’s PHI with the patient’s Oral Agreement or, if the patient is unavailable, subject to all applicable requirements. Our medical office may use professional judgment and our experience with common practice to make reasonable inferences of the patient’s best interest in allowing a person to act on behalf of the patient to pick up dental/medical supplies, x-rays, or other similar forms of PHI.

5. Permitted Without Acknowledgement, Consent, Authorization or Oral Agreement

Our medical office may use or disclose a patient’s PHI in certain situations, without Authorization or Oral Agreement. In our medical office, these disclosures are not likely to be frequent.

a) Verification of Identity – Our medical office will always verify the identity of any patient, and the identity and authority of any patient’s personal representative, government or law enforcement official, or other person, unknown to us, who requests PHI before we will disclose the PHI to that person.

Our medical office will obtain appropriate identification and, if the person is not the patient, evidence of authority. Examples of appropriate identification include photographic identification card, government identification card or badge, and appropriate document on government letterhead. Our medical office will document the incident and how we responded.

b) Uses or Disclosures Permitted under this Section 5 – The situations in which our medical office is permitted to use or disclose PHI in accordance with the procedure set out in this Section 5 are listed below.

o Our medical office may disclose a patient’s PHI to that patient on request.

o Our medical office may disclose to a patient’s personal representative PHI relevant to the representative capacity. We will not disclose to a personal representative we reasonably believe may be abusive to a patient any PHI we reasonably believe may promote or further such abuse.

o Our medical office will not use or disclose a patient’s PHI for fundraising purposes without the patient’s Authorization.

o Our medical office will not use or disclose PHI for marketing without a patient’s Authorization unless the marketing is in the form of a promotional gift of nominal value that we provide, or a face-to-face communication between us and the patient.

o Our medical office may use or disclose PHI in the following types of situations, provided procedures specified in the Privacy Rules are followed:

1. For public health activities;
2. To health oversight agencies;
3. To coroners, medical examiners, and funeral directors;
4. To employers regarding work-related illness or injury;
5. To the military;
6. To federal officials for lawful intelligence, counterintelligence, and national security activities;
7. To correctional institutions regarding inmates;
8. In response to subpoenas and other lawful judicial processes;
9. To law enforcement officials;
10. To report abuse, neglect, or domestic violence;
11. As required by law;
12. As part of research projects; and
13. As authorized by state worker’s compensation laws.

6. Required Disclosures

Our medical office will disclose protected health information (PHI) to a patient (or to the patient’s personal representative) to the extent that the patient has a right of access to the PHI (see Section 10); and to the U.S. Department of Health and Human Services (HHS) on request for complaint investigation or compliance review. Our medical office will use the disclosure log to document each disclosure we make to HHS.

7. Minimum Necessary

Our medical office will make reasonable efforts to disclose, or request of another covered entity, only the minimum necessary protected health information (PHI) to accomplish the intended purpose. There is no minimum necessary requirement for disclosures to or requests by one another in our medical office or by a healthcare provider for treatment; permitted or required disclosures to, or disclosures requested and authorized by, a patient; disclosures to HHS for compliance reviews or complaint investigations; disclosures required by law; or uses or disclosures required for compliance with the HIPAA Administrative Simplification Rules.


a) Routine or Recurring Requests or Disclosures – Our medical office will follow the policies and procedures that we adopt to limit our routine or recurring requests for our disclosures of PHI to the minimum reasonably necessary for the purpose.

b) Non-Routine or Non-Recurring Requests or Disclosures – No non-routine or non-recurring request for or disclosure of PHI will be made until it has been reviewed on a patient-by-patient basis against our criteria to ensure that only the minimum necessary PHI for the purpose is requested or disclosed.

c) Other’s Requests – Our medical office will rely, if reasonable for the situation, on a request to disclose PHI being for the minimum necessary, if the requester is: (a) a covered entity; (b) a professional (including an attorney or accountant) who provides professional services to our practice, either as a member of our workforce or as our Business Associate, and who represents that the requested information is the minimum necessary; (c) a public official who represents that the information requested is the minimum necessary; or (d) a researcher presenting appropriate documentation or making appropriate representation that the research satisfies the applicable requirements of the Privacy Rules.

d) Entire Record – Our medical office will not use, disclose, or request an entire record, except as permitted in these Policies & Procedures or in standard protocols that we adopt reflecting situations when it is necessary.

e) Minimum Necessary Workforce Use – Our medical office will use only the minimum necessary PHI needed to perform our duties.

8. Business Associates

Our medical office will obtain satisfactory assurance in the form of a written contract that our Business Associate will appropriately safeguard and limit their use and disclosure of the protected health information (PHI) we disclose to them. These Business Associate requirements are not applicable to our disclosures to a healthcare provider for treatment purposes. The Business Associate Contract Terms document contains the terms that federal law requires be included in each Business Associate Contract.

a) Breach by Business Associate – If our medical office learns that a Business Associate has materially breached or violated its Business Associate Contract with us, we will take prompt, reasonable steps to see that the breach or violation is cured.

If the Business Associate does not promptly and effectively cure the breach or violation, we will terminate our contract with the Business Associate, or if contract termination is not feasible, report the Business Associate’s breach or violation to the U.S. Department of Health and Human Services (HHS).

9. Notice of Privacy Practices

Our medical office will maintain a Notice of Privacy Practices as required by the Privacy Rules.


a) Our Notice – Our medical office will use and disclose PHI only in conformance with the contents of our Notice of Privacy Practices. We will promptly revise our Notice of Privacy Practices whenever there is a material change to our uses or disclosures of PHI, to our legal duties, to the patients’ rights, or to other privacy practices that renders the statements in that Notice no longer accurate. Form 1, Notice of Privacy Practices, found in this Privacy Kit, contains the terms that federal law requires.

b) Distribution of Our Notice – Our medical office will provide our Notice of Privacy Practices to any person who requests it, and to each patient no later than the date of our first service delivery after April 14, 2003.

Our medical office will have our Notice of Privacy Practices available for patients to take with them. We will post our Notice of Privacy Practices in a clear and prominent location where it is reasonable to expect patients seeking services from us will be able to read the Notice.

c) Acknowledgement of Notice – Our medical office will make a good faith effort to obtain from the patient a written Acknowledgement of receipt of our Notice of Privacy Practices.

Our medical office shall use Form 2, Acknowledgement of Receipt of Notice of Privacy Practices, found in this Privacy Kit, to obtain the Acknowledgement. If we cannot obtain written Acknowledgement from the patient, we will use the form to document our attempt and the reason why written Acknowledgement was not signed by the patient.

10. Patients’ Rights

Our medical office will honor the rights of patients regarding their PHI.

a) Access – With rare exceptions, our medical office must permit patients to request access to the PHI we or our Business Associates hold.

No PHI will be withheld from a patient seeking access unless we confirm that the information may be withheld according to the Privacy Rules. We may offer to provide a summary of the information in the chart. The patient must agree in advance to receive a summary and to any fee we will charge for providing the summary. Our medical office will contact our Business Associate to retrieve any PHI they may have on the patient.

b) Amendment – Patients have the right to request to amend their PHI and other records for as long as our medical office maintains them. Our medical office may deny a request to amend PHI or records if: (a) we did not create the information (unless the patient provides us a reasonable basis to believe that the originator is not available to act on a request to amend); (b) we believe the information is accurate and complete; or (c) we do not have the information. Our medical office will follow all procedures required by the Privacy Rules for denial or approval of amendment requests. We will not, however, physically alter or delete existing notes in a patient’s chart. We will inform the patient when we agree to make an amendment, and we will contact our Business Associates to help assure that any PHI they have on the patient is appropriately amended. We will contact any individuals whom the patient requests we alert to any amendment to the patient’s PHI. We will also contact any individuals or entities to which we are aware that we have sent erroneous or incomplete information and who may have acted on the erroneous or incomplete information to the detriment of the patient. When we deny a request for an amendment, we will mark any future disclosures of the contested information in a way acknowledging the contest.

c) Disclosure Accounting – Patients have the right to an accounting of certain disclosures our medical office made of their PHI within the 6 years prior to their request. Each disclosure we make that is not for treatment, payment, or healthcare operations must be documented showing the date of the disclosure, what was disclosed, the purpose of the disclosure, and the name and (if known) address of each person or entity to whom the disclosure was made. The Authorization or other documentation must be included in the patient’s record. We use the patient’s chart to track each disclosure of PHI as needed to enable us to fulfill our obligation to account for these disclosures.

We are not required to account for disclosures we made: (a) before April 14, 2003; (b) to the patient (or the patient’s personal representative); (c) to or for notification of persons involved in a patient’s healthcare or payment for healthcare; (d) for treatment, payment, or healthcare operations; (e) for national security or intelligence purposes; (f) to correctional institutions or law enforcement officials regarding inmates; (g) according to an Authorization signed by the patient or the patient’s representative; or (h) incident to another permitted or required use or disclosure. We will temporarily suspend the accounting of any disclosure when requested to do so according to the Privacy Rules by health oversight agencies or law enforcement officials. We may charge for any accounting that is more frequent than every 12 months, provided the patient is informed of the fee before the accounting is provided. We will contact our Business Associates to assure we include in the accounting any disclosures made by them for which we must account.

d) Restriction on Use or Disclosure – Patients have the right to request our medical office to restrict use or disclosure of their PHI, including for treatment, payment, or healthcare operations. We have no obligation to agree to the request, but if we do, we will comply with our agreement (except in an appropriate dental/medical emergency).

We may terminate an agreement restricting use or disclosure of PHI by a written notice of termination to the patient. We will contact our Business Associates whenever we agree to such a restriction to inform the Business Associate of the restriction and its obligations to abide by the restriction. We will document in the patient’s chart any such agreed-to restrictions.

e) Alternative Communication – Patients have the right to request us to use alternative means or alternative locations when communicating PHI to them. Our medical office will accommodate a patient’s request for such alternative communications if the request is reasonable and in writing.

Our medical office will inform the patient of our decision to accommodate or deny such a request. If we agree to such a request, we will inform our Business Associate of the agreement and provide them with the information necessary to comply with the agreement.

f) Applicability – Our medical office will be aware of and respect these patients’ rights regarding their PHI, even though in most situations patients are unlikely to exercise them.
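The disclosure accounting duty in Section 10(c) above is, in practice, an audit log with a query over it: every non-TPO disclosure is recorded with its date, content, purpose and recipient, and on request the office produces the subset that falls inside the six-year window, is not in an exempt category, is not under a temporary suspension requested by an oversight agency, and notes whether a fee may apply because an accounting was already given in the last twelve months. The following is an added illustration of that logic, not a form or tool from this Privacy Kit; the category labels, patient identifiers, dates and recipients are constructed sample values, and the assumption that suspension is recorded as an end date on the entry is this example's own.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

COMPLIANCE_DATE = date(2003, 4, 14)  # disclosures before this date need no accounting
ACCOUNTING_YEARS = 6                 # look-back window stated in the policy
FREE_PERIOD_YEARS = 1                # at most one free accounting per 12 months

# Categories the policy exempts from accounting (Section 10(c), items (b)-(h)).
# The category labels are this example's own, not terms from the Privacy Rule.
EXEMPT_CATEGORIES = {
    "to_patient", "involved_in_care", "treatment", "payment", "operations",
    "national_security", "correctional", "authorization", "incidental",
}


def years_before(d: date, years: int) -> date:
    """Same calendar day `years` earlier; Feb 29 rolls back to Feb 28."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


@dataclass
class Disclosure:
    patient_id: str
    disclosed_on: date
    what: str                                # what was disclosed
    purpose: str
    recipient: str                           # person or entity that received it
    category: str
    recipient_address: Optional[str] = None  # recorded when known
    suspended_until: Optional[date] = None   # set when an agency asks us to hold it back

    def accountable(self) -> bool:
        """Pre-compliance-date disclosures and exempt categories are never listed."""
        return (self.disclosed_on >= COMPLIANCE_DATE
                and self.category not in EXEMPT_CATEGORIES)


@dataclass
class DisclosureLog:
    entries: List[Disclosure] = field(default_factory=list)
    accounting_dates: Dict[str, List[date]] = field(default_factory=dict)

    def accounting(self, patient_id: str, requested_on: date) -> dict:
        """Build the accounting a patient is owed for a request made on `requested_on`."""
        window_start = years_before(requested_on, ACCOUNTING_YEARS)
        rows = sorted(
            (d for d in self.entries
             if d.patient_id == patient_id and d.accountable()
             and window_start <= d.disclosed_on <= requested_on
             and (d.suspended_until is None or d.suspended_until <= requested_on)),
            key=lambda d: d.disclosed_on)
        # A fee may be charged only when this patient already received an accounting
        # within the last 12 months; the policy requires telling the patient first.
        prior = self.accounting_dates.setdefault(patient_id, [])
        fee_applies = any(p > years_before(requested_on, FREE_PERIOD_YEARS) for p in prior)
        prior.append(requested_on)
        return {"patient_id": patient_id, "fee_applies": fee_applies,
                "entries": [{"date": d.disclosed_on.isoformat(), "what": d.what,
                             "purpose": d.purpose, "recipient": d.recipient,
                             "address": d.recipient_address} for d in rows]}


def build_sample_log() -> DisclosureLog:
    """Constructed sample entries (not real disclosures) covering the policy's cases."""
    log = DisclosureLog()
    log.entries += [
        Disclosure("P1", date(2003, 3, 1), "immunization record", "public health",
                   "State Health Dept", "public_health"),            # before 4/14/03
        Disclosure("P1", date(2003, 6, 1), "claim form", "payment",
                   "Example Health Plan", "payment"),                 # exempt (TPO)
        Disclosure("P1", date(2003, 11, 1), "visit notes", "subpoena",
                   "Circuit Court", "judicial", "1 Court St"),        # accountable
        Disclosure("P1", date(2004, 2, 10), "lab result", "public health",
                   "State Health Dept", "public_health"),            # accountable
        Disclosure("P1", date(2005, 5, 5), "chart copy", "investigation",
                   "Police Dept", "law_enforcement",
                   suspended_until=date(2009, 1, 1)),                 # held back until 2009
        Disclosure("P2", date(2004, 3, 3), "x-ray", "public health",
                   "State Health Dept", "public_health"),            # other patient
    ]
    return log


def demo_accountings() -> List[dict]:
    """Three successive requests by patient P1: window, fee and suspension at work."""
    log = build_sample_log()
    return [log.accounting("P1", date(2008, 1, 1)),
            log.accounting("P1", date(2008, 6, 1)),
            log.accounting("P1", date(2010, 1, 15))]
```

Running demo_accountings() shows the three behaviours the policy describes: the first request in 2008 lists the subpoena and the public health disclosure but not the suspended law enforcement one, the second request five months later flags that a fee may be charged, and the 2010 request drops the 2003 subpoena (now outside six years) while the suspension has lapsed and the 2005 disclosure appears. Keeping the log append-only and deriving the accounting from it, rather than editing the chart, matches the policy's requirement to document rather than alter records.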

11. Staff Training and Management, Complaint Procedures, Data Safeguards, Administrative Practices

a) Staff Training and Management

* Training – Our medical office will train all members of our workforce in these Privacy Policies & Procedures, as necessary and appropriate for them to carry out their functions. We will complete the privacy training of our existing workforce by April 14, 2003.

After April 14, 2003, our medical office will train each new staff member within a reasonable time after the member starts. We will also retrain each staff member whose functions are affected either by a material change in our Privacy Policies & Procedures or in the member’s job functions, within a reasonable time after the change. Form 7, Staff Review of Policies and Procedures, can be used to have workforce members acknowledge they have received and read a copy of these Policies & Procedures.

* Discipline and Mitigation – Our medical office will develop, document, disseminate, and implement appropriate discipline policies for staff members who violate our Privacy Policies & Procedures, the Privacy Rules, or other applicable federal or state privacy law. Staff members who violate our Privacy Policies & Procedures, the Privacy Rules or other applicable federal or state privacy law will be subject to disciplinary action, possibly up to and including termination of employment.


b) Complaints – Our medical office will implement procedures for patients to complain about our compliance with our Privacy Policies & Procedures or the Privacy Rules. We will also implement procedures to investigate and resolve such complaints.

The Complaint form can be used by the patient to lodge the complaint. Each complaint received must be referred to management immediately for investigation and resolution. We will not retaliate against any patient or workforce member who files a Complaint in good faith.

c) Data Safeguards – Our medical office will “add to” and strengthen these Privacy Policies & Procedures with such additional data security policies and procedures as are needed to have reasonable and appropriate administrative, technical, and physical safeguards in place to ensure the integrity and confidentiality of the PHI we maintain.

Our medical office will take reasonable steps to limit incidental uses and disclosures of PHI made according to an otherwise permitted or required use or disclosure.

d) Documentation and Record Retention – Our medical office will maintain in written or electronic form all documentation required by the Privacy Rules for six years from the date of creation or the date when the document was last in effect, whichever is later.

e) Privacy Policies & Procedures – Only {name of physician} may change these Privacy Policies & Procedures.

12. State Law Compliance

Our medical office will comply with the privacy laws of each state that has jurisdiction over our practice, or over its actions involving protected health information (PHI), that provide greater protections or rights to patients than the Privacy Rules.

13. HHS Enforcement

Our medical office will give the U.S. Department of Health and Human Services (HHS) access to our facilities, books, records, accounts, and other information sources (including individually identifiable health information without patient authorization or notice) during normal business hours (or at other times without notice if HHS presents appropriate lawful administrative or judicial process). We will cooperate with any compliance review or complaint investigation by HHS, while preserving the rights of our practice.

14. Designated Personnel

Our medical office will designate a Privacy Officer and other responsible persons as required by the Privacy Rules.


Privacy For Physicians

DEFINITIONS OF POLICIES & PROCEDURES

HIPAA REGULATORY DEFINITIONS
45 CFR Part 160—General Administrative Requirements, and Part 164—Security and Privacy
Italicized terms are defined by the Rules.

Authorization (See §§ 164.502(a)(1)(iv), 164.508)

Patient’s written permission for uses and disclosures of the patient’s protected health information for any purpose other than by a covered entity carrying out treatment, payment or its own health care operations. (65 Fed. Reg. at 82509-10, 82512-13, 82519-20)

Note: in most situations, consent for disclosures related to treatment, payment and health care operations would apply. Authorization would only be necessary for other disclosures such as certain advertisements and marketing.

Business Associate (§ 160.103)

Person or entity who performs, or assists in performing, a function or activity that involves use or disclosure of individually identifiable health information: (a) on behalf of a covered entity, or (b) on behalf of an organized health care arrangement in which the covered entity participates. Examples are claims processing, claims administration, data analysis, data processing, data administration, utilization review, quality assurance, billing, benefit management, practice management, repricing. (§ 160.103 “Business Associate” (1)(i)(A))

Person or entity who performs, or assists in performing, a function or activity regulated by the HIPAA Administrative Simplification Rules, 45 CFR Subchapter C: (a) on behalf of a covered entity, or (b) on behalf of an organized health care arrangement in which the covered entity participates. (§ 160.103 “Business Associate” (1)(i)(B)) Examples are health care clearinghouses, transmission or transactions, health care delivery (including treatment, payment and health care operations), safeguarding data, and marketing.


Person or entity who provides one or more of legal, actuarial, accounting, consulting, data aggregation, management, administration, accreditation (e.g., Joint Commission on the Accreditation of Healthcare Organizations, National Committee on Quality Assurance), or financial services: (a) to or for a covered entity, or an organized health care arrangement in which the covered entity participates, and (b) the provision of the services involves disclosure of individually identifiable health information to that person or entity by the covered entity or by another business associate of that covered entity. (§ 160.103 “Business Associate” (1)(ii))

Covered entity may be business associate of other covered entities. (§ 160.103 “Business Associate” (3))

Covered entity participating in an organized health care arrangement, who performs or provides any business associate function, activity or service on behalf of, for or to that organized health care arrangement, does not thereby become a business associate of the other covered entities participating in that organized health care arrangement. (§ 160.103 “Business Associate” (1) (ii))

Independent contractors are treated as workforce, unless they have a business associate contract with the covered entity. (65 Fed. Reg. at 82480)

Physicians and others with hospital staff privileges are not thereby business associates of the hospital, nor is the hospital their business associate, as their activities are on behalf of, to or for patients, not each other (but a hospital that provides billing, administrative or other business associate functions, activities or services on behalf of, to or for staff physicians is the physicians’ business associate if the hospital receives individually identifiable health information for or from the physicians). (65 Fed. Reg. at 82476)

Health insurance issuer is not business associate of the group health plan that purchases its coverage, as the health insurance issuer’s activities are on its own behalf, not on behalf of, to or for the group health plan (but health insurance issuer that performs administrative services only, third party administration or other business associate functions, activities or services on behalf of, to or for group health plan that are in addition, or not directly related, to the provision of coverage, is business associate of that group health plan if it receives individually identifiable health information for or from the group health plan). (65 Fed. Reg. at 82476)

Delivery services (e.g., U.S. Postal Service, Federal Express) that transport, without the intention to have access to, individually identifiable health information are not thereby business associates. (65 Fed. Reg. at 82476)


Joint administrators of public health plans (e.g., state and CMS (formerly HCFA) administration of Medicaid and SCHIP; private and CMS administration of Medicare+Choice) are not business associates of each other, as neither performs or assists in performing functions or activities on behalf of the other. Rather, each is a covered entity “with respect to the health plan functions it performs.” (65 Fed. Reg. at 82477)

Government agency, such as local welfare agency, that determines, or collects individually identifiable health information used to determine, health plan eligibility or enrollment, but that does not administer the health plan, is not thereby a business associate of a covered entity. (65 Fed. Reg. at 82479)

Note: most business associates of medical practices will be larger than the practice and may provide their own business associate agreement. Examples would be medical/dental laboratories, collection agencies, lawyers and accountants. These agreements should be carefully reviewed to determine if your requirements are met.

Consent (See §§ 164.502 (a)(1)(ii)-(iii), 164.506)

Patient’s written permission for uses and disclosures of the patient’s protected health information by a covered entity to carry out treatment, payment or health care operations. (65 Fed. Reg. at 82509-10, 82512)

Correctional Institution (§ 164.501)

Government penal or correctional facility, jail, reformatory, detention center, work farm, halfway house, or residential community program center, to confine or rehabilitate persons covered or otherwise held in lawful custody.

Covered Entity (§ 160.103)

Health plan. Health care clearinghouse. Health care provider who transmits health information in electronic form in connection with one or more transactions. --Health care provider who does not, directly or through agents (i.e., business associates), transmit health information electronically in connection with transactions is not subject to the Privacy Rules. (65 Fed. Reg. at 82477) --Health care providers are not covered entities when performing the functions of procuring or banking organs, blood, sperm, eyes, or other tissue or human products. (65 Fed. Reg. at 82477)

Joint administrators of public health plans (e.g., state and CMS (formerly HCFA) administration of Medicaid and State CHIP; private and CMS administration of Medicare+Choice) are each a covered entity “with respect to the health plan functions it performs.” (65 Fed. Reg. at 82477)

Government agency, such as local welfare agency, that determines, or collects individually identifiable health information used to determine, health plan eligibility or enrollment, but that does not administer the health plan, is not thereby a covered entity. (65 Fed. Reg. at 82479)


Government-funded program whose principal purpose is other than providing or paying for health care (even though it may incidentally provide health benefits), or whose principal activity is provision of health care or making grants to fund direct provision of health care to persons, is not a covered entity unless the program is listed as a health plan by the HIPAA Administrative Simplification Rules (see § 160.103 “Health Plan” (1)(i)-(xvi)), or qualifies as a health care provider. (§ 160.103 “Health Plan” (2)(ii)(B))

Issuer of policies, plans, or programs that provide or pay for “excepted benefits” (as listed in Public Health Service Act § 2791 (c)(1), 42 USC § 300gg-91 (c)(1)) is not covered entity. (§ 160.103 “Health Plan” (2)(i)) --“Excepted benefits” are “benefits under one or more (or any combination thereof)” of (a) “coverage only for accident, or disability income insurance”; (b) “coverage issued as a supplement to liability insurance”; (c) “liability insurance, including general liability and automobile liability insurance”; (d) “workers’ compensation or similar insurance”; (e) “automobile medical payment insurance”; (f) “credit-only insurance”; (g) “coverage for on-site medical clinics”; (h) “other similar insurance coverage, specified in regulations, under which benefits for medical care are secondary or incidental to other insurance benefits.” (Public Health Service Act § 2791 (c)(1), 42 USC § 300gg-91 (c)(1))

Data Aggregation (§ 164.501)

Business associate’s combination of protected health information it receives from the covered entities it serves to permit data analyses that relate to the health care operations of those covered entities.

Designated Record Set (§ 164.501)

Group of records maintained by or for a covered entity that is employed, in whole or part, by or for that covered entity to make decisions about patients. (§ 164.501 “Designated Record Set” (1)(ii))

Group of records that is enrollment, payment, claims adjudication, or case or medical/dental management record system maintained by or for a health plan. (§ 164.501 “Designated Record Set” (1)(ii))

Group of medical/dental and billing records about patients maintained by or for a covered health care provider. (§ 164.501 “Designated Record Set” (1)(i))

Excludes oral communications and taped, recorded or transcribed oral communications not maintained or employed to make decisions about patients. (HHS Guide p. 13)

Note: Generally, a designated record set would be the patient records.

Disclosures (§ 164.501)

Release, transfer, or divulge information outside the entity holding the information, or provide access to the information for an entity other than the entity holding the information.


--Includes transfer of protected health information from covered entity to business associate.

Health Care Clearinghouse (§ 160.103)

Public or private entity that either: (a) Processes, or facilitates the processing, into standard data elements or standard transactions, health information received from another in nonstandard format or containing nonstandard data content; or (b) Processes, or facilitates the processing, into nonstandard format or nonstandard data content for another, health information received from another as standard transactions.

--Includes billing services, repricing companies, community health management information, community health information systems, value-added networks, and value-added switches when they perform clearinghouse functions.

Health plan’s or health care provider’s component that transforms the health plan’s or health care provider’s nonstandard information into standard data elements or standard transactions, or vice versa, is not thereby a covered health care clearinghouse, because it does not receive the health information it processes from another. (65 Fed. Reg. at 82477)

Affiliate of a health plan or a health care provider (as defined in § 164.504 (d)) may perform clearinghouse functions for other affiliates of that health plan or health care provider without thereby becoming a covered health care clearinghouse. (65 Fed. Reg. at 82477)

Note: Most practice management system vendors use a clearinghouse, such as WebMD, for converting electronic transactions to the standard format and sending them to the appropriate payer.

Health Care Operations (§ 164.501)

Activities of covered entity that relate to covered functions, as follows:

Quality assessment and improvement activities, including outcome evaluation and development of clinical guidelines, and related functions that do not include treatment, and that do not have obtaining “generalized knowledge” (i.e., research) as their primary purpose. (§ 164.501 “Health Care Operations” (1)) --Covered entities should document if a health care operation study evolves into research to demonstrate that the primary purpose, when initiated, was health care operations. (65 Fed. Reg. at 82490)

Population-based activities relating to improving health or reducing health care costs, protocol development, case management, care coordination, and related functions that do not include treatment. (§ 164.501 “Health Care Operations” (1)) --“Disease Management” is not used because it has “no generally accepted definition,” but many functions “often included in discussions of disease management” are included in “health care operations” listing. (65 Fed. Reg. at 82490)


Contacting health care providers and patients with treatment alternative information, and related functions that do not include treatment. (§ 164.501 “Health Care Operations” (2))

Training non-health care professionals. (§ 164.501 “Health Care Operations” (2))

Accreditation, certification, licensing, or credentialing. (§ 164.501 “Health Care Operations” (2))

Underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits. --Covered health care provider must obtain authorization before disclosing a patient’s protected health information for pre-enrollment underwriting because underwriting is not a health care provider’s health care operation. (65 Fed. Reg. at 82490)

Ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess loss insurance). (§ 164.501 “Health Care Operations” (3))

Conducting or arranging medical/dental review and auditing functions, including fraud and abuse detection and compliance programs. (§ 164.501 “Health Care Operations” (4))

Conducting or arranging legal services, including for judicial or administrative proceedings. (§ 164.501 “Health Care Operations” (4))

Business planning and development, cost management and planning-related analyses concerning management or operations, formulary development and administration, development or improvement of payment methods or coverage policies. (§ 164.501 “Health Care Operations” (5))

Business management and general administration (§ 164.501 “Health Care Operations” (6)), such as:

Implementation and compliance with HIPAA Administration Simplification Rules. (§ 164.501 “Health Care Operations”(6)(i))

Customer service, including data analysis for policyholders, plan sponsors, or other customers, provided protected health information is not disclosed. (§ 164.501 “Health Care Operations” (6)(ii)) --Group health plans with a single plan sponsor and the health insurance issuers of HMOs that serve them, may jointly provide data analysis as a health care operation of an organized health care arrangement. (65 Fed. Reg. at 82491)

Internal grievance resolution. (§ 164.501 “Health Care Operations” (6) (iii))

Sale, transfer, merger or consolidation of all or part of a covered entity with another covered entity that is, or after such activity will be, a covered entity. (§ 164.501 “Health Care Operations” (6)(iv))

Creating de-identified health information in compliance with the de-identification requirements of §§ 164.514 (a)-(b). (§ 164.501 “Health Care Operations” (6)(v))

Fundraising for covered entity’s benefit in compliance with the fundraising requirements of § 164.514 (f) and the minimum necessary requirements of §164.514 (d). (§ 164.501 “Health Care Operations” (6)(v))


Refill reminder communications, nursing assistance by telephone and the like are health care operations when performed by or on behalf of a health plan or other non-health care provider, but are treatment if performed by or on behalf of a health care provider. (65 Fed. Reg. at 82497-98)

Covered entity using or disclosing protected health information for the operations of another covered entity, not part of and related to the activities of the same organized health care arrangement, is not engaged in health care operations. (65 Fed. Reg. at 82490)

Use or disclosure for health care operations may be to persons or entities that are neither covered entities nor business associates. (65 Fed. Reg. at 82490)

Health Care Provider (§ 160.103)

Person or entity who furnishes, bills, or is paid for health care in the normal course of business. --Includes hospitals, critical access hospitals, skilled nursing facilities, comprehensive outpatient rehabilitation facilities, home health agencies, hospice programs (each as defined by Social Security Act § 1861(u), 42 USC § 1395x(u)). --Includes any provider of physician services, supervised physician assistant and nursing services, certified registered nurse anesthetist services, certified nurse-midwife services, qualified psychologist services, clinical social worker services, physical or occupational therapy services; rural health clinic services, federally-qualified health center services; diagnostic services (including x-rays, isotope therapy and laboratory tests); dialysis services, supplies, equipment or support; diabetes outpatient self-management training services; qualified prescription drugs for organ transplant immunosuppressive therapy, for dialysis patients or for anticancer chemotherapy; durable dental/medical equipment or prosthetic devices; ambulance services (each as defined by Social Security Act § 1861 (s), 42 U.S.C. § 1395x(s)).

Health care provider is not a covered entity when procuring or banking organs, blood, sperm, eyes, or other tissue or human products. (65 Fed. Reg. at 82477)

Health Information (§ 160.103)

Information created or received by a health care provider, health plan, public health authority, employer, life insurer, school, university, or health care clearinghouse that relates to a patient’s past, present, or future physical or mental health or conditions, or the past, present, or future payment for the provision of health care to a patient. --May be oral or recorded in any form or medium – paper, magnetic, optical, or electronic.

HHS (§ 160.103)

United States Department of Health and Human Services. CMS is the Centers for Medicare and Medicaid Services, formerly named HCFA – the Health Care Financing Administration.


Indirect Treatment Relationship (§ 164.501)

Relationship in which a health care provider, based on orders from another health care provider, delivers health care services or products for, or reports health care diagnosis or results about, a patient directly to the other health care provider, who then provides the services or products or reports to the patient.

Individually Identifiable Health Information (§ 164.501)

Health information, including demographic information collected from a patient, created or received by a health care provider, health plan, health care clearinghouse, or employer, that either identifies the patient or provides a reasonable basis to believe that it could be used to identify that patient.

Law Enforcement Official (§ 164.501)

Officer or employee of federal, state, local, territorial, or tribal agency or authority empowered by law to investigate or conduct official inquiry into potential violations of law, or to prosecute or conduct criminal, civil, or administrative proceeding arising from alleged violation of law.

Marketing (§ 164.501)

To make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.

Marketing excludes covered entity’s communication that:

Describes the entities participating in a health care provider or health plan network (§ 164.501 “Marketing” (1)); or

Describes if and the extent to which a product or service, or payment for that product or service, is provided by a covered entity or included in a plan of benefits (§ 164.501 “Marketing” (1)); or

Is for treatment of that individual; or

Is for case management or care coordination for that individual, or to direct or recommend alternative treatment, therapies, health care providers, or setting of care to that individual.

Payment (§ 164.501)

Health plan activity with respect to a patient to obtain premiums for, to determine or fulfill its responsibilities for coverage and provision of plan benefits for, or to provide or obtain reimbursement for health care delivered to that patient. (§ 164.501 “Payment” (1)(i)-(ii) & (2)) --Includes “authorizing, processing, clearing, settling, transferring, reconciling payment for or related to health plan premiums or health care.” (See Social Security Act § 1179 (1))


Health care provider activities with respect to a patient to obtain or provide reimbursement for health care delivered to that patient. (§ 164.501 “Payment” (1)(ii) & (2))

Payment activities with respect to a patient include:

Eligibility or coverage determinations. (§ 164.501 “Payment” (2)(i))

Coordination of benefits or other determinations of cost-sharing amounts. (§ 164.501 “Payment” (2)(i))

Adjudication or subrogation of health benefit claims. (§ 164.501 “Payment” (2)(i))

Risk adjusting amounts due, based on enrollee health status and demographic characteristics. (§ 164.501 “Payment” (2)(ii))

Billing, claims management, collection activities, and related health care data processing. (§ 164.501 “Payment” (2)(iii)) --Includes in “claims management,” “auditing payments, investigating and resolving payment disputes, responding to customer inquiries regarding payments.” (65 Fed. Reg. at 82495)

Obtaining payment under reinsurance contract, including stop-loss insurance and excess loss insurance, and related health care data processing. (§ 164.501 “Payment” (2)(iii))

Health care services review with respect to medical necessity, health plan coverage, care appropriateness, or charges justification. (§ 164.501 “Payment” (2)(iv))

Utilization review, including recertification, preauthorization, concurrent and retrospective review. (§ 164.501 “Payment” (2)(v))

Disclosure to consumer reporting agencies, with respect to premium collection or reimbursement, the patient’s name and address, birth date, Social Security number, payment history, account number, and/or health care provider or health plan name and address. (§ 164.501 “Payment” (2)(vi))

Covered entity may disclose protected health information for payment activities to any person or entity. (65 Fed. Reg. at 82495) --Examples include disclosing to financial institutions to cash checks, or to an insurer that is not a health plan, such as “a disability insurance carrier,” to obtain payment.

Covered entity may not disclose protected health information to a financial institution to conduct electronic fund transfers in connection with transactions for which no protected health information is required to effect the fund transfer, but the portion of the transaction containing protected health information may be transmitted through the financial institution if it is encrypted so only the intended recipient may read it. (65 Fed. Reg. at 82496)

Covered entity may use or disclose protected health information only of the patient for whom the covered entity is engaging in a payment activity, and may not use or disclose protected health information for another covered entity’s payment activities. (65 Fed. Reg. at 82496)

Personal Representative (§ 164.502 (g))

Person legally authorized to act on behalf of patient, who is an adult or emancipated minor, for health care decisions. (§ 164.502(g)(2))

Executor, administrator, or person legally authorized to act on behalf of deceased patient or the estate. (§ 164.502(g)(4))


Parent, guardian, or in loco parentis legally authorized to act on behalf of patient, who is an unemancipated minor, for health care decisions. (§ 164.502(g)(3))

State law that authorizes or prohibits disclosure about minors to parents, guardians or in loco parentis controls determination of personal representative relationship and is not preempted by HIPAA. (§ 164.202 “More Stringent” (2); HHS Guide p. 15)

Excludes parent, guardian or in loco parentis of unemancipated minor who (under applicable State law):

Lawfully consents to health care, requests that parent, guardian or in loco parentis not be considered minor’s personal representative, and no other consent is required by law (even though consent of another person may have been obtained). (§ 164.502(g)(3)(i))

Lawfully obtains health care without parent’s, guardian’s or in loco parentis’ consent, and minor, court, or legally authorized person consents to the health care. (§ 164.502(g)(3)(ii))

Has agreement of confidentiality with covered health care provider regarding health care services to which protected health information relates, and parent, guardian or in loco parentis assents to the agreement. (§ 164.502(g)(3)(iii))

Protected Health Information (§ 164.501)

Individually identifiable health information transmitted or maintained in any form or medium (including orally or on paper). (§ 164.501 “Protected Health Information” (1) (iii)) --Includes individually identifiable health information that is transmitted or maintained in electronic media (as defined in § 162.103). (§ 164.501 “Protected Health Information” (1) (i)-(ii))

Excludes educational records covered by the Family Educational Rights and Privacy Act, 20 USC § 1232g, or relating to records of students held by post-secondary educational institutions or of students at least 18 that are used exclusively for health care treatment and which have not been disclosed at the student’s request, other than to health care providers, as described at 20 USC § 1231g(4)(B)(iv). (§ 164.501 “Protected Health Information” (2)) Also excludes employment records held by a covered entity in its role as employer.

Public Health Authority (§ 164.501)

Federal, state, local, territorial, or tribal agency, or person or entity acting under grant of authority from or contract with such agency, and employees or agents of such agency or of its contractors, responsible for public health matters as part of their official mandate.

Record (§ 164.501)

Item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity. (§ 164.501 “Designated Record Set” (2))

Excludes oral information. (HHS Guide p. 13)


Required by Law (§ 164.501)

Mandate contained in, and enforceable by a court, that compels covered entity to use or disclose protected health information. --Examples are court orders; court-ordered warrants; subpoenas or summons issued by court, grand jury, governmental or tribal inspector general, or administrative body authorized to require information production; civil or administrative investigative demand; health care providers’ conditions of participation in Medicare; statutes and regulations that require information production, including those requiring information if payment is sought under government benefits programs.

Standard (§ 160.103)

Rule, condition, or requirement for privacy of individually identifiable health information. (§ 160.103 “Standard” (2))

Rule, condition, or requirement describing classification of components; specification of materials, performance, or operations; or delineation of procedures for products, systems, services, or practices. (§ 160.103 “Standard” (1))

Summary Health Information (§ 160.504 (a))

Information, which may be individually identifiable health information, that summarizes claims history, claims expenses, or types of claims experience by patients for whom plan sponsor has provided health benefits under group health plan, and that is de-identified except for geographic data that may be aggregated to five-digit zip codes.

Transactions (§ 160.103)

Transmission of information between two parties to carry out financial or administrative activities related to health care, including:

(1) Health care claims or equivalent encounter information.
(2) Health care payment and remittance advice.
(3) Coordination of benefits.
(4) Health care claims status.
(5) Enrollment and disenrollment in a health plan.
(6) Eligibility for a health plan.
(7) Health plan premium payments.
(8) Referral certification and authorization.
(9) First report of injury.
(10) Health claims attachment.
(11) Other transactions HHS may prescribe by regulation.

Treatment (§ 164.501)

Provision, coordination, consultation, referral or management of health care and related services by one or more health care providers.


--Refill reminder communications, nursing assistance by telephone and the like are treatment when performed by or on behalf of health care provider (but these activities are health care operations when performed by or on behalf of a health plan). (65 Fed. Reg. at 82498)

Health care provider may use any protected health information it maintains, including of other patients such as former and other current patients, to treat a patient. (65 Fed. Reg. at 82497)

Use (§ 164.501)

Sharing, employing, applying, utilizing, examining, or analyzing individually identifiable health information within the entity that maintains it.

Workforce (§ 160.103)

Employees, volunteers, trainees, and others whose conduct in the performance of work for a covered entity is under that covered entity’s direct control, without regard to whether that covered entity pays them.


HIPAA PRIVACY FORM 1

Notice of Privacy Practices

Purpose: This form, Notice of Privacy Practices, presents the information that federal law requires us to give our patients regarding our privacy practices. {Note: this form may need to be changed to reflect the medical practice’s particular privacy policies and/or stricter state laws.} We must provide this Notice to each patient beginning no later than the date of our first service delivery to the patient, including service delivered electronically, after April 14, 2003. We must make a good-faith attempt to obtain written acknowledgement of receipt of the Notice from the patient. We must also have the Notice available at the office for patients to request to take with them. We must post the Notice in our office in a clear and prominent location where it is reasonable to expect any patients seeking service from us to be able to read the Notice. Whenever the Notice is revised, we must make the Notice available upon request on or after the effective date of the revision in a manner consistent with the above instructions. Thereafter, we must distribute the Notice to each new patient at the time of service delivery and to any person requesting a Notice. We must also post the revised Notice in our office as discussed above.


{NAME OF PRACTICE}

NOTICE OF PRIVACY PRACTICES

THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. THE PRIVACY OF YOUR HEALTH INFORMATION IS IMPORTANT TO US.

OUR LEGAL DUTY

We are required by applicable federal and state law to maintain the privacy of your health information. We are also required to give you this Notice about our privacy practices, our legal duties, and your rights concerning your health information. We must follow the privacy practices that are described in this Notice while it is in effect. This Notice takes effect (mm/dd/yy), and will remain in effect until we replace it.

We reserve the right to change our privacy practices and the terms of this Notice at any time, provided such changes are permitted by applicable law. We reserve the right to make the changes in our privacy practices and the new terms of our Notice effective for all health information that we maintain, including health information we created or received before we made the changes. Before we make a significant change in our privacy practices, we will change this Notice and make the new Notice available upon request.

You may request a copy of our Notice at any time. For more information about our privacy practices, or for additional copies of this Notice, please contact us using the information listed at the end of this Notice.

USES AND DISCLOSURES OF HEALTH INFORMATION

We use and disclose health information about you for treatment, payment, and healthcare operations. For example:

Treatment: We may use or disclose your health information to a physician or other healthcare provider providing treatment to you.

Payment: We may use and disclose your health information to obtain payment for services we provide to you.

Healthcare Operations: We may use and disclose your health information in connection with our healthcare operations. Healthcare operations include quality assessment and improvement activities, reviewing the competence or qualifications of healthcare professionals, evaluating practitioner and provider performance, conducting training programs, accreditation, certification, licensing or credentialing activities.

Your Authorization: In addition to our use of your health information for treatment, payment or healthcare operations, you may give us written authorization to use your health information or to disclose it to anyone for any purpose. If you give us an authorization, you may revoke it in writing at any time. Your revocation will not affect any use or disclosures permitted by your authorization while it was in effect. Unless you give us a written authorization, we cannot use or disclose your health information for any reason except those described in this Notice.

To Your Family and Friends: We must disclose your health information to you, as described in the Patient Rights section of this Notice. We may disclose your health information to a family member, friend or other person to the extent necessary to help with your healthcare or with payment for your healthcare, but only if you agree that we may do so.

Persons Involved In Care: We may use or disclose health information to notify, or assist in the notification of (including identifying or locating), a family member, your personal representative or another person responsible for your care, of your location, your general condition, or death. If you are present, then prior to use or disclosure of your health information, we will provide you with an opportunity to object to such uses or disclosures. In the event of your incapacity or emergency circumstances, we will disclose health information based on a determination using our professional judgment, disclosing only health information that is directly relevant to the person’s involvement in your healthcare. We will also use our professional judgment and our experience with common practice to make reasonable inferences of your best interest in allowing a person to pick up filled prescriptions, medical supplies, x-rays, or other similar forms of health information.

Marketing Health-Related Services: We will not use your health information for marketing communications without your written authorization.

Required by Law: We may use or disclose your health information when we are required to do so by law.

Abuse or Neglect: We may disclose your health information to appropriate authorities if we reasonably believe that you are a possible victim of abuse, neglect, or domestic violence or the possible victim of other crimes. We may disclose your health information to the extent necessary to avert a serious threat to your health or safety or the health or safety of others.

National Security: We may disclose to military authorities the health information of Armed Forces personnel under certain circumstances. We may disclose to authorized federal officials health information required for lawful intelligence, counterintelligence, and other national security activities. We may disclose to a correctional institution or law enforcement official having lawful custody the protected health information of an inmate or patient under certain circumstances.

Appointment Reminders: We may use or disclose your health information to provide you with appointment reminders (such as voicemail messages, postcards, or letters).

PATIENT RIGHTS

Access: You have the right to look at, or get copies of, your health information, with limited exceptions. You may request that we provide copies in a format other than photocopies. We will use the format you request unless we cannot practicably do so. (You must make a request in writing to obtain access to your health information. You may obtain a form to request access by using the contact information listed at the end of this Notice. We will charge you a reasonable cost-based fee for expenses such as copies and staff time. You may also request access by sending us a letter to the address at the end of this Notice. If you request copies, we will charge you $0.___ for each page, $___ per hour for staff time to locate and copy your health information, and postage if you want the copies mailed to you. If you request an alternative format, we will charge a cost-based fee for providing your health information in that format. If you prefer, we will prepare a summary or an explanation of your health information for a fee. Contact us using the information listed at the end of this Notice for a full explanation of our fee structure.)

Disclosure Accounting: You have the right to receive a list of instances in which we or our business associates disclosed your health information for purposes other than treatment, payment, healthcare operations, and certain other activities, for the last 6 years, but not before April 14, 2003. If you request this accounting more than once in a 12-month period, we may charge you a reasonable, cost-based fee for responding to these additional requests.

Restriction: You have the right to request that we place additional restrictions on our use or disclosure of your health information. We are not required to agree to these additional restrictions, but if we do, we will abide by our agreement (except in an emergency).

Alternative Communication: You have the right to request that we communicate with you about your health information by alternative means or to alternative locations. {You must make your request in writing.} Your request must specify the alternative means or location, and provide a satisfactory explanation of how payments will be handled under the alternative means or location you request.

Amendment: You have the right to request that we amend your health information. (Your request must be in writing, and it must explain why the information should be amended.) We may deny your request under certain circumstances.

Electronic Notice: If you receive this Notice on our Web site or by electronic mail (e-mail), you are entitled to receive this Notice in written form.

QUESTIONS AND COMPLAINTS

If you want more information about our privacy practices or have questions or concerns, please contact us.

If you are concerned that we may have violated your privacy rights, or if you disagree with a decision we made about access to your health information or in response to a request you made to amend or restrict the use or disclosure of your health information or to have us communicate with you by alternative means or at alternative locations, you may complain to us using the contact information listed at the end of this Notice. You also may submit a written complaint to the U.S. Department of Health and Human Services. We will provide you with the address to file your complaint with the U.S. Department of Health and Human Services upon request.

We support your right to the privacy of your health information. We will not retaliate in any way if you choose to file a complaint with us or with the U.S. Department of Health and Human Services.

Contact Officer:

Telephone: Fax:

E-mail:

Address:

HIPAA PRIVACY FORM 2

Acknowledgement of Receipt of Notice of Privacy Practices

Purpose: This form is used to obtain acknowledgement of receipt of our Notice of Privacy Practices or to document our good faith effort to obtain that acknowledgement.

{NAME OF PRACTICE}

ACKNOWLEDGEMENT OF RECEIPT OF NOTICE OF PRIVACY PRACTICES

**You May Refuse to Sign This Acknowledgement**

I have received a copy of this office’s Notice of Privacy Practices.

{Please Print Name}

{Signature}

{Date}

For Office Use Only

We attempted to obtain written acknowledgement of receipt of our Notice of Privacy Practices, but acknowledgement could not be obtained because:

Individual refused to sign

Communications barriers prohibited obtaining the acknowledgement

An emergency situation prevented us from obtaining acknowledgement

Other (Please Specify)

HIPAA PRIVACY FORM 3

Consent for Use and Disclosure of Health Information

USE OF THIS FORM IS OPTIONAL

Purpose: In cases where _{NAME OF PHYSICIAN}_ has directed not to rely on Acknowledgements as a basis to use or disclose health information, this form is used to obtain a patient’s consent to our use and disclosure of the patient’s protected health information to carry out treatment, payment activities, and healthcare operations, as described more fully in our Notice of Privacy Practices.

{NAME OF PRACTICE}

CONSENT FOR USE AND DISCLOSURE OF HEALTH INFORMATION

SECTION A: PATIENT GIVING CONSENT

Name:

Address:

Telephone: E-mail:

Patient Number: Social Security Number:

SECTION B: TO THE PATIENT—PLEASE READ THE FOLLOWING STATEMENTS CAREFULLY.

Purpose of Consent: By signing this form, you will consent to our use and disclosure of your protected health information to carry out treatment, payment activities, and healthcare operations.

Notice of Privacy Practices: You have the right to read our Notice of Privacy Practices before you decide whether to sign this Consent. Our Notice provides a description of our treatment, payment activities, and healthcare operations, of the uses and disclosures we may make of your protected health information, and of other important matters about your protected health information. A copy of our Notice accompanies this Consent. We encourage you to read it carefully and completely before signing this Consent.

We reserve the right to change our privacy practices as described in our Notice of Privacy Practices. If we change our privacy practices, we will issue a revised Notice of Privacy Practices, which will contain the changes. Those changes may apply to any of your protected health information that we maintain.

You may obtain a copy of our Notice of Privacy Practices, including any revisions of our Notice, at any time by contacting:

Contact Person:

Telephone: Fax:

E-mail:

Address:

Right to Revoke: You will have the right to revoke this Consent at any time by giving us written notice of your revocation submitted to the Contact Person listed above. Please understand that revocation of this Consent will not affect any action we took in reliance on this Consent before we received your revocation, and that we may decline to treat you or to continue treating you if you revoke this Consent.

SIGNATURE

I, ______________________________________________, have had full opportunity to read and consider the contents of this Consent form and your Notice of Privacy Practices. I understand that, by signing this Consent form, I am giving my consent to your use and disclosure of my protected health information to carry out treatment, payment activities and healthcare operations.

Signature: Date:

If this Consent is signed by a personal representative on behalf of the patient, complete the following:

Personal Representative’s Name:

Relationship to Patient:

YOU ARE ENTITLED TO A COPY OF THIS CONSENT AFTER YOU SIGN IT. Include completed Consent in the patient’s chart.

REVOCATION OF CONSENT

I revoke my Consent for your use and disclosure of my protected health information for treatment, payment activities, and healthcare operations.

I understand that revocation of my Consent will not affect any action you took in reliance on my Consent before you received this written Notice of Revocation. I also understand that you may decline to treat or to continue to treat me after I have revoked my Consent.

Signature: Date:

HIPAA PRIVACY FORM 4

Business Associate Contract Terms

Purpose: These contract terms satisfy our obligation under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations issued by the U.S. Department of Health and Human Services (45 C.F.R. Parts 160-64) to ensure the integrity and confidentiality of protected health information that a Business Associate may create or receive for or from our office.

Applicability: These contract terms must be used with each of our “Business Associates.” A “Business Associate” is any person or organization that we engage to perform or assist in performing functions or activities that involve use or disclosure of protected health information created or received for or from our office. A “Business Associate” is also any person or organization that provides legal, actuarial, accounting, consulting, data aggregation, management, administration, accreditation, or financial services to or for our office and receives protected health information from our office or on our behalf.

Instructions: We must bind each Business Associate which may create or receive protected health information for or from our office to the contract terms below, either by incorporating them into our written agreement with the Business Associate, or by having the Business Associate execute an addendum containing these terms to be added to that agreement. If these terms are incorporated into the agreement, insert the appropriate information for bracketed material. The following Addendum is designed to modify existing contracts to meet the HIPAA requirements. If you do not have a base agreement with your Business Associates, a base agreement must be obtained or prepared to reflect the business relationship. Your Business Associates may present you with an agreement they have developed. Before negotiating terms and conditions, you may wish to review the following agreement, which was drafted to provide you with greater protection.

{NAME OF PRACTICE}

ADDENDUM TO AGREEMENT WITH BUSINESS ASSOCIATE

This addendum (“Addendum”) is effective upon execution, and amends and is made part of

dated as of

(“Agreement”) by and between (“Business Associate”) and {insert Medical Practice name} (“Medical Practice”).

Medical Practice and Business Associate mutually agree to modify Agreement to incorporate the terms of this Addendum to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (45 C.F.R. Parts 160-64).

PRIVACY OF PROTECTED HEALTH INFORMATION

1. Permitted Uses and Disclosures. Business Associate is permitted or required to use or disclose Protected Health Information it creates or receives for or from Medical Practice only as follows:

a) Functions and Activities on Medical Practice’s Behalf. Business Associate is permitted to use and disclose Protected Health Information it creates or receives for or from Medical Practice {either insert a full description of the functions, activities and services to be performed on Medical Practice’s behalf, or reference the sections of Agreement that specify those functions, activities and services}.

b) Business Associate’s Operations. Business Associate may use Protected Health Information it creates or receives for or from Medical Practice as necessary for Business Associate’s proper management and administration or to carry out Business Associate’s legal responsibilities. Business Associate may disclose such Protected Health Information as necessary for Business Associate’s proper management and administration or to carry out Business Associate’s legal responsibilities only if:

The disclosure is required by law; or

Business Associate obtains reasonable assurance, evidenced by written contract, from any person or organization to which Business Associate will disclose such Protected Health Information that the person or organization will:

o Hold such Protected Health Information in confidence and use or further disclose it only for the purpose for which Business Associate disclosed it to the person or organization or as required by law; and

o Notify Business Associate (who will in turn promptly notify Medical Practice) of any instance of which the person or organization becomes aware in which the confidentiality of such Protected Health Information was breached.

2. Prohibition on Unauthorized Use or Disclosure. Business Associate will neither use nor disclose Protected Health Information it creates or receives for or from Medical Practice or from another Business Associate of Medical Practice, except as permitted or required by this Addendum or as required by law or as otherwise permitted in writing by Medical Practice.

3. Information Safeguards. Business Associate will develop, implement, maintain and use appropriate administrative, technical and physical safeguards, in compliance with Social Security Act § 1173(d) (42 U.S.C. § 1320d-2(d)), 45 Code of Federal Regulations § 164.530(c) and any other implementing regulations issued by the U.S. Department of Health and Human Services, to preserve the integrity and confidentiality of, and to prevent non-permitted or violating use or disclosure of, Protected Health Information created or received for or from Medical Practice. Business Associate will document and keep these safeguards current.

4. Sub-Contractors and Agents. Business Associate will require any of its subcontractors and agents, to which Business Associate is permitted by this Addendum or in writing by Medical Practice to disclose any of the Protected Health Information Business Associate creates or receives for or from Medical Practice, to provide reasonable assurance, evidenced by written contract, that subcontractor or agent will comply with the same privacy and security obligations as Business Associate with respect to such Protected Health Information.

Compliance with Standard Transactions. If Business Associate conducts in whole or part Standard Transactions for or on behalf of Medical Practice, Business Associate will comply, and will require any subcontractor or agent involved with the conduct of such Standard Transactions to comply, with each applicable requirement of 45 Code of Federal Regulations Part 162.

Protected Health Information Access, Amendment and Disclosure Accounting.

Access. Business Associate will, upon Medical Practice’s request, promptly make available to Medical Practice or, at Medical Practice’s direction, to the patient (or the patient’s personal representative) for inspection and obtaining copies any Protected Health Information about the patient which Business Associate created or received for or from Medical Practice and that is in Business Associate’s custody or control, so that Medical Practice may meet its access obligations under 45 Code of Federal Regulations § 164.524.

5. Amendment. Business Associate will, upon receipt of notice from Medical Practice, promptly amend or permit Medical Practice access to amend any portion of the Protected Health Information which Business Associate created or received for or from Medical Practice, so that Medical Practice may meet its amendment obligations under 45 Code of Federal Regulations § 164.526.

Disclosure Accounting. So that Medical Practice may meet its disclosure accounting obligations under 45 Code of Federal Regulations § 164.528:

Disclosure Tracking. Starting April 14, 2003, Business Associate will record for each disclosure, not excepted from disclosure accounting under Addendum Section 5(a) “Exceptions from Disclosure Tracking” below, that Business Associate makes to Medical Practice or a third party of Protected Health Information that Business Associate creates or receives for or from Medical Practice, (i) the disclosure date, (ii) the name and (if known) address of the person or entity to whom Business Associate made the disclosure, (iii) a brief description of the Protected Health Information disclosed, and (iv) a brief statement of the purpose of the disclosure (items i-iv, collectively, the “disclosure information”). For repetitive disclosures Business Associate makes to the same person or entity (including Medical Practice) for a single purpose, Business Associate may provide (x) the disclosure information for the first of these repetitive disclosures, (y) the frequency, periodicity or number of these repetitive disclosures and (z) the date of the last of these repetitive disclosures. Business Associate will make this disclosure information available to Medical Practice promptly upon Medical Practice’s request.

Exceptions from Disclosure Tracking. Business Associate need not record disclosure information or otherwise account for disclosures of Protected Health Information that this Addendum or Medical Practice in writing permits or requires (i) for the purpose of Medical Practice’s treatment activities, payment activities, or healthcare operations, (ii) to the patient who is the subject of the Protected Health Information disclosed or to that patient’s personal representative; (iii) to persons involved in that patient’s healthcare or payment for healthcare; (iv) for notification for disaster relief purposes, (v) for national security or intelligence purposes, or (vi) to law enforcement officials or correctional institutions regarding inmates.

Disclosure Tracking Time Periods. Business Associate must have available for Medical Practice the disclosure information required by Addendum Section 5(a) “Disclosure Tracking” for the 6 years preceding Medical Practice’s request for the disclosure information (except Business Associate need have no disclosure information for disclosures occurring before April 14, 2003).

6. Inspection of Books and Records. Business Associate will make its internal practices, books, and records, relating to its use and disclosure of the Protected Health Information it creates or receives for or from Medical Practice, available to Medical Practice and to the U.S. Department of Health and Human Services to determine compliance with 45 Code of Federal Regulations Parts 160-64 or this Addendum.

BREACH OF PRIVACY OBLIGATIONS.

7. Reporting. Business Associate will report to Medical Practice any use or disclosure of Protected Health Information not permitted by this Addendum. Business Associate will make the report to Medical Practice not less than 24 hours after Business Associate learns of such non-permitted or violating use or disclosure. Business Associate’s report will at least:

a) Identify the nature of the non-permitted or violating use or disclosure;

b) Identify the Protected Health Information used or disclosed;

c) Identify who made the non-permitted or violating use or received the non-permitted or violating disclosure;

d) Identify what corrective action Business Associate took or will take to prevent further non-permitted or violating uses or disclosures;

e) Identify what Business Associate did or will do to mitigate any deleterious effect of the non-permitted or violating use or disclosure; and

f) Provide such other information, including a written report, as Medical Practice may reasonably request.

8. Termination of Agreement.

a) Right to Terminate for Breach. Medical Practice may terminate Agreement if it determines, in its sole discretion, that Business Associate has breached any provision of this Addendum. Medical Practice may exercise this right to terminate Agreement by providing Business Associate written notice of termination, stating the breach of the Addendum that provides the basis for the termination. Any such termination will be effective immediately or at such other date specified in Medical Practice’s notice of termination.

b) Obligations upon Termination.

Return or Destruction. Upon termination, cancellation, expiration or other conclusion of Agreement, Business Associate will, if feasible, return to Medical Practice or destroy all Protected Health Information, in whatever form or medium (including in any electronic medium under Business Associate’s custody or control), that Business Associate created or received for or from Medical Practice, including all copies of and any data or compilations derived from and allowing identification of any patient who is a subject of the Protected Health Information. Business Associate will complete such return or destruction as promptly as possible, but not later than 30 days after the effective date of the termination, cancellation, expiration or other conclusion of Agreement. Business Associate will identify any Protected Health Information that Business Associate created or received for or from Medical Practice that cannot feasibly be returned to Medical Practice or destroyed, and will limit its further use or disclosure of that Protected Health Information to those purposes that make return or destruction of that Protected Health Information infeasible. Within such 30 days, Business Associate will certify on oath in writing to Medical Practice that such return or destruction has been completed, will deliver to Medical Practice the identification of any Protected Health Information for which return or destruction is infeasible and, for that Protected Health Information, will certify that it will only use or disclose such Protected Health Information for those purposes that make return or destruction infeasible.

Continuing Privacy Obligation. Business Associate’s obligation to protect the privacy of the Protected Health Information it created or received for or from Medical Practice will be continuous and survive termination, cancellation, expiration or other conclusion of Agreement.

9. Indemnity. Business Associate will indemnify and hold harmless Medical Practice and any Medical Practice affiliate, officer, director, employee or agent from and against any claim, cause of action, liability, damage, cost or expense, including attorneys’ fees and court or proceeding costs, arising out of or in connection with any non-permitted or violating use or disclosure of Protected Health Information or other breach of this Addendum by Business Associate or any subcontractor, agent, person or entity under Business Associate’s control.

a) Right to Tender or Undertake Defense. If Medical Practice is named a party in any judicial, administrative or other proceeding arising out of or in connection with any non-permitted or violating use or disclosure of Protected Health Information or other breach of this Addendum by Business Associate or any subcontractor, agent, person or entity under Business Associate’s control, Medical Practice will have the option at any time either (i) to tender its defense to Business Associate, in which case Business Associate will provide qualified attorneys, consultants and other appropriate professionals to represent Medical Practice’s interests at Business Associate’s expense, or (ii) undertake its own defense, choosing the attorneys, consultants and other appropriate professionals to represent its interests, in which case Business Associate will be responsible for and pay the reasonable fees and expenses of such attorneys, consultants and other professionals.

b) Right to Control Resolution. Medical Practice will have the sole right and discretion to settle, compromise or otherwise resolve any and all claims, causes of actions, liabilities or damages against it, notwithstanding that Medical Practice may have tendered its defense to Business Associate. Any such resolution will not relieve Business Associate of its obligation to indemnify Medical Practice under this Addendum Section 9.

GENERAL PROVISIONS

10. Definitions. The capitalized terms “Protected Health Information” and “Standard Transaction” have the meanings set out in, respectively, 45 Code of Federal Regulations § 164.501 and 45 Code of Federal Regulations § 160.103.

11. Amendment to Agreement. Upon the effective date of any final regulation or amendment to final regulations promulgated by the U.S. Department of Health and Human Services with respect to Protected Health Information or Standard Transactions, this Addendum and the Agreement of which it is part will automatically amend such that the obligations they impose on Business Associate remain in compliance with these regulations.

Conflicts. The terms and conditions of this Addendum will override and control any conflicting term or condition of Agreement. All nonconflicting terms and conditions of Agreement remain in full force and effect.

IN WITNESS WHEREOF, Medical Practice and Business Associate execute this Addendum in multiple originals to be effective on the last date written below.

{Insert Business Associate’s Name} {Insert Medical Practice’s name}

By: _______________________________________ By: _______________________________________

Its: _______________________________________ Its: _______________________________________

Date: _____________________________________ Date: ______________________________________

HIPAA PRIVACY FORM 5

Health Information Access—Response/Delay

Purpose: This form is used to inform a patient of our decision to grant or deny access to records.

{NAME OF PRACTICE}

Health Information Access—Response/Delay

{DATE}

{PATIENT’S NAME} {PATIENT’S ADDRESS}

Dear {PATIENT}:

On ____/____/____ you requested access to records of your health information that we and our Business Associates maintain. Under federal law we have thirty (30) days to provide that access or tell you that we are denying access, unless the information you seek is not maintained by us here in the office. In that case we have sixty (60) days. We are allowed a thirty-day extension if need be. This letter is to inform you that we need that thirty-day extension because:

We will provide the access you request or inform you of our denial of access by ____/____/____.

If you have questions, please contact {CONTACT PERSON OR OFFICE} at {CONTACT INFORMATION}.

We are granting all or part of the request to inspect and/or obtain copies of your records that we received from you on ____/____/____. See below to determine if we are denying all or part of your request.

The records you requested are ready for inspection. Please contact {CONTACT PERSON OR OFFICE} at {CONTACT INFORMATION} to schedule the inspection.

The records you requested are ready for copying to {DISK/PAPER} as you asked. The copying charge will be $________. Upon receipt of payment of this charge, we will promptly copy the records. Please contact {CONTACT PERSON OR OFFICE} at {CONTACT INFORMATION} to arrange to have the copies picked up by or mailed to the persons you designated on your authorization. We will charge you for the postage we incur if you want us to mail the copies.

The summary or explanation of the records you requested is ready. Please pay $________, the charge to prepare the summary or explanation, and contact {CONTACT PERSON OR OFFICE} at {CONTACT INFORMATION} to arrange to have the summary or explanation picked up by or mailed to the persons you designated on your authorization. We will charge you for the postage we incur if you want us to mail the summary or explanation.

If you have questions or wish to discuss arrangements, please contact {CONTACT PERSON OR OFFICE} at {CONTACT INFORMATION}

We are denying all or part of the request to inspect and/or obtain copies of your records that we received from you on ____/____/____. The reasons we have determined that your request should be denied are:

We do not have the requested records.

We do not know who may have the requested records.

You may be able to obtain the requested records by contacting:

The records you requested are not subject to your access because they have been compiled in anticipation of a civil, criminal or administrative action or proceeding, or are covered by the Clinical Laboratory Improvement Amendments of 1988 (42 U.S.C. § 263a) or the Privacy Act (5 U.S.C. § 552a).


The records you requested were obtained in confidence from a source other than a healthcare provider and providing you access to these records is likely to reveal the confidential source.

The records were created or obtained in the course of research and you agreed not to have access to them while the research remains in progress when you gave your authorization to participate in the research.

A licensed healthcare professional has determined that providing you or your personal representative access to these records is likely to endanger the physical safety or life of you or another, or that the records contain references to persons not healthcare providers whose physical safety or life may be endangered if the access you request were granted.

If you disagree with the determination of the licensed healthcare professional, you may ask us to designate a different licensed healthcare professional, who did not participate in the determination to deny you access, to review that determination. Please contact {CONTACT PERSON OR OFFICE} at {CONTACT INFORMATION} to request such a review.

You may file a complaint about our denial of your access request with us and/or with the Secretary of the United States Department of Health and Human Services. Please contact {CONTACT PERSON OR OFFICE} at {CONTACT INFORMATION} to complain to us and/or learn about the procedure for complaining to the Secretary of the Department of Health and Human Services. If you have questions or wish to discuss the denial, please contact {CONTACT PERSON OR OFFICE} at {CONTACT INFORMATION}.

Sincerely,

{NAME OF PRACTICE}

By: ________________________________


HIPAA PRIVACY FORM 6

Complaint

Purpose: This form can be offered as a way for a patient to lodge a complaint about our privacy practices or compliance.


COMPLAINT

To the Patient: You have the right to file a complaint with us about our privacy practices or our compliance with our Notice of Privacy Practices, our Privacy Policies and Procedures, or federal or state privacy rules or law. We will not require you to waive any right you may have under federal or state privacy or other law to file your complaint, nor will filing your complaint adversely affect our treatment of you. To exercise this right, please complete, sign and date Sections A and B below, then submit this complaint to us at:

Contact Office: ______________________________________________________________

Telephone: _______________________________ Fax: _____________________________

E-mail: _____________________________________________________________________

Address: ___________________________________________________________________

You may, in addition or in the alternative to filing a complaint with us, file a complaint with the United States Department of Health and Human Services. For information on the procedures for doing that, please contact us at the above location.

SECTION A: PATIENT LODGING COMPLAINT

Patient Name:

Patient Address:

Patient Telephone: E-mail:

Patient Number: Social Security Number:

SECTION B: PATIENT’S COMPLAINT

Please give a concise, plain statement of your complaint:

Please give a concise, plain statement of the resolution you seek for your complaint:

PATIENT’S SIGNATURE


I certify that the statements made in this complaint are true and correct to the best of my information and belief.

Signature: Date:

If this complaint is lodged by a personal representative on behalf of the patient, complete the following:

Personal Representative’s Name:

Relationship to Patient:

YOU ARE ENTITLED TO A COPY OF THIS COMPLAINT.


HIPAA PRIVACY FORM 7

Staff Review of Policies and Procedures

Purpose: This form is used to document HIPAA staff training.


{NAME OF PRACTICE}

STAFF REVIEW OF POLICIES AND PROCEDURES

I, _______________________________________, have received and reviewed a copy of

_________________________________’s health information privacy policies and procedures.
{NAME OF PRACTICE}

Print Name

Signature

Date


HIPAA Privacy For Physicians

FAQs

HIPAA PRIVACY RULE FAQs

STANDARDS FOR PRIVACY OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION [45 CFR Parts 160 and 164]

General Overview

The following is an overview that provides answers to general questions regarding the regulation entitled Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule), promulgated by the Department of Health and Human Services (HHS), and the process for modifications to that rule. Detailed guidance on specific requirements in the regulation is presented in subsequent sections, each of which addresses a different standard.

The Privacy Rule provides the first comprehensive federal protection for the privacy of health information. All segments of the health care industry have expressed their support for the objective of enhanced patient privacy in the health care system. At the same time, HHS and most parties agree that privacy protections must not interfere with a patient’s access to or the quality of health care delivery.

The guidance provided in this section and those that follow is meant to communicate as clearly as possible the privacy policies contained in the rule. Each section has a short summary of a particular standard in the Privacy Rule, followed by “Frequently Asked Questions” about that provision. In some cases, the guidance identifies areas of the Privacy Rule where a modification or change to the rule is necessary. These areas are summarized below in response to the question “What changes might you make to the final rule?” and discussed in more detail in the subsequent sections of this guidance.

We emphasize that this guidance document is only the first of several technical assistance materials that we will issue to provide clarification and help covered entities implement the rule. We anticipate that there will be many questions that will arise on an ongoing basis which we will need to answer in future guidance. In addition, the Department will issue proposed modifications as necessary in one or more rulemakings to ensure that patients’ privacy needs are appropriately met. The Department plans to work expeditiously to address these additional questions and propose modifications as necessary.


Frequently Asked Questions

Q: What does this regulation do?

A: The Privacy Rule became effective on April 14, 2001. Most health plans and health care providers that are covered by the new rule must comply with the new requirements by April 2003. The Privacy Rule for the first time creates national standards to protect individuals’ medical records and other personal health information.

It gives patients more control over their health information.

It sets boundaries on the use and release of health records.

It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.

It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights.

And it strikes a balance when public responsibility requires disclosure of some forms of data – for example, to protect public health.

For patients – it means being able to make informed choices when seeking care and reimbursement for care based on how personal health information may be used.

It enables patients to find out how their information may be used and what disclosures of their information have been made.

It generally limits release of information to the minimum reasonably needed for the purpose of the disclosure.

It gives patients the right to examine and obtain a copy of their own health records and request corrections.

Q: Why is this regulation needed?

A: In enacting the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Congress mandated the establishment of standards for the privacy of individually identifiable health information. When it comes to personal information that moves across hospitals, doctors’ offices, insurers or third party payers, and state lines, our country has relied on a patchwork of federal and state laws. Under the current patchwork of laws, personal health information can be distributed – without either notice or consent – for reasons that have nothing to do with a patient’s medical treatment or health care reimbursement. Patient information held by a health plan may be passed on to a lender who may then deny the patient’s application for a home mortgage or a credit card – or to an employer who may use it in personnel decisions. The Privacy Rule establishes a federal floor of safeguards to protect the confidentiality of medical information. State laws that provide stronger privacy protections will continue to apply over and above the new federal privacy standards. Health care providers have a strong tradition of safeguarding private health information. But in today’s world, the old system of paper records in locked filing cabinets is not enough. With information broadly held and transmitted electronically, the rule provides clear standards for all parties regarding protection of personal health information.


Q: What does this regulation require the average provider or health plan to do?

A: For the average health care provider or health plan, the Privacy Rule requires activities such as:

Providing information to patients about their privacy rights and how their information can be used.

Adopting clear privacy procedures for its practice, hospital, or plan.

Training employees so that they understand the privacy procedures.

Designating an individual to be responsible for seeing that the privacy procedures are adopted and followed.

Securing patient records containing individually identifiable health information so that they are not readily available to those who do not need them.

Responsible health care providers and businesses already take many of the kinds of steps required by the rule to protect patients’ privacy. Covered entities of all types and sizes are required to comply with the final Privacy Rule. To ease the burden of complying with the new requirements, the Privacy Rule gives needed flexibility for providers and plans to create their own privacy procedures, tailored to fit their size and needs. The scalability of the rules provides a more efficient and appropriate means of safeguarding protected health information than would any single standard.

o For example, the privacy official at a small physician practice may be the office manager, who will have other non-privacy related duties; the privacy official at a large health plan may be a full-time position, and may have the regular support and advice of a privacy staff or board.

o The training requirement may be satisfied by a small physician practice’s providing each new member of the workforce with a copy of its privacy policies and documenting that new members have reviewed the policies; whereas a large health plan may provide training through live instruction, video presentations, or interactive software programs.

o The policies and procedures of small providers may be more limited under the rule than those of a large hospital or health plan, based on the volume of health information maintained and the number of interactions with those within and outside of the healthcare system.

Q: Who must comply with these new privacy standards?

A: As required by Congress in HIPAA, the Privacy Rule covers health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards are required to be adopted by the Secretary under HIPAA, such as electronic billing and fund transfers. These entities (collectively called “covered entities”) are bound by the new privacy standards even if they contract with others (called “business associates”) to perform some of their essential functions. The law does not give HHS the authority to regulate other types of private businesses or public agencies through this regulation. For example, HHS does not have the authority to regulate employers, life insurance companies, or public agencies that deliver social security or welfare benefits. The “Business Associate” section of this guidance provides a more detailed discussion of the covered entities’ responsibilities when they engage others to perform essential functions or services for them.


Q: When will covered entities have to meet these standards?

A: As Congress required in HIPAA, most covered entities have two full years from the date that the regulation took effect – or, until April 14, 2003 – to come into compliance with these standards. Under the law, small health plans will have three full years – or, until April 14, 2004 – to come into compliance. The HHS Office for Civil Rights (OCR) will provide assistance to help covered entities prepare to comply with the rule. OCR maintains a Web site with information on the new regulation, including guidance for industry, such as these frequently asked questions, at http://www.hhs.gov/ocr/hipaa/.

Q: Do you expect to make any changes to this rule before the compliance date?

A: We can and will issue proposed modifications to correct any unintended negative effects of the Privacy Rule on health care quality or on access to such care. In February 2001, Secretary Thompson requested public comments on the final rule to help HHS assess the rule’s real-world impact in health care delivery. During the 30-day comment period, we received more than 11,000 letters or comments – including some petitions with thousands of names. These comments are helping to guide the Department’s efforts to clarify areas of the rule to eliminate uncertainties and to help covered entities begin their implementation efforts.

Q: What changes might you make in the final rule?

A: We continue to review the input received during the recent public comment period to determine what changes are appropriate to ensure that the rule protects patient privacy as intended without harming consumers’ access to care or the quality of that care. Examples of standards in the Privacy Rule for which we will propose changes are:

Phoned-In Prescriptions – A change will permit pharmacists to fill prescriptions phoned in by a patient’s doctor before obtaining the patient’s written consent (see the “Consent” section of this guidance for more discussion).

Referral Appointments – A change will permit direct treatment providers receiving a first time patient referral to schedule appointments, surgery, or other procedures before obtaining the patient’s signed consent (see the “Consent” section of this guidance for more discussion).

Allowable Communications – A change will increase the confidence of covered entities that they are free to engage in whatever communications are required for quick, effective, high quality health care, including routine oral communications with family members, treatment discussions with staff involved in coordination of patient care, and using patient names to locate them in waiting areas (see the “Oral communications” section of this guidance for more discussion.)

Minimum Necessary Scope – A change will increase covered entities’ confidence that certain common practices, such as use of sign-up sheets and x-ray lightboards, and maintenance of patient medical charts at bedside, are not prohibited under the rule (see the “Minimum Necessary” section of this guidance for more discussion).

In addition, HHS may reevaluate the Privacy Rule to ensure that parents have appropriate access to information about the health and well-being of their children. This issue is discussed further in the “Parents and Minors” section of the guidance.

Other changes to the Privacy Rule also may be considered as appropriate.

Q: How will you make any changes?

A: Any changes to the final rule must be made in accordance with the Administrative Procedure Act (APA). HHS intends to comply with the APA by publishing its rule changes in the Federal Register through a Notice of Proposed Rulemaking and will invite comment from the public. After reviewing and addressing those comments, HHS will issue a final rule to implement appropriate modifications. Congress specifically authorized HHS to make appropriate modifications in the first year after the final rule took effect in order to ensure the rule could be properly implemented in the real world. We are working as quickly as we can to identify where modifications are needed and what corrections need to be made so as to give covered entities as much time as possible to implement the rule. Covered entities can and should begin the process of implementing the privacy standards in order to meet their compliance dates.

Consent [45 CFR § 164.506]

Background

The Privacy Rule establishes a federal requirement that most doctors, hospitals, or other health care providers obtain a patient’s written consent before using or disclosing the patient’s personal health information to carry out treatment, payment, or health care operations (TPO). Today, many health care providers, for professional or ethical reasons, routinely obtain a patient’s consent for disclosure of information to insurance companies or for other purposes. The Privacy Rule builds on these practices by establishing a uniform standard for certain health care providers to obtain their patients’ consent for uses and disclosures of health information about the patient to carry out TPO.

Frequently Asked Questions

Q: Are health plans or clearinghouses required to obtain an individual’s consent to use or disclose PHI to carry out TPO?

A: No. Health plans and clearinghouses may use and disclose PHI for these purposes without obtaining consent. These entities are permitted to obtain consent. If they choose to seek individual consent for these uses and disclosures, the consent must meet the standards, requirements, and implementation specifications for consents set forth under the rule.


Q: Can a pharmacist use PHI to fill a prescription that was telephoned in by a patient’s physician if the patient is a new patient to the pharmacy and has not yet provided written consent to the pharmacy?

A: The Privacy Rule, as written, does not permit this activity without prior patient consent. It poses a problem for first-time users of a particular pharmacy or pharmacy chain. The Department of Health and Human Services did not intend the rule to interfere with a pharmacist’s normal activities in this way. The Secretary is aware of this problem, and will propose modifications to fix it to ensure ready patient access to high quality health care.

Q: Can direct treatment providers, such as a specialist or hospital, to whom a patient is referred for the first time, use PHI to set up appointments or schedule surgery or other procedures before obtaining the patient’s written consent?

A: As in the pharmacist example above, the Privacy Rule, as written, does not permit uses of PHI prior to obtaining the patient’s written consent for TPO. This unintended problem potentially exists in any circumstance when a patient’s first contact with a direct treatment provider is not in person. As noted above, the Secretary is aware of this problem and will propose modifications to fix it.

Q: Will the consent requirements restrict the ability of providers to consult with other providers about a patient’s condition?

A: No. A provider with a direct treatment relationship with a patient would have to have initially obtained consent to use that patient’s health information for treatment purposes. Consulting with another health care provider about the patient’s case falls within the definition of “treatment” and, therefore, is permissible. If the provider being consulted does not otherwise have a direct treatment relationship with the patient, that provider does not need to obtain the patient’s consent to engage in the consultation.

Q: The rule provides an exception to the prior consent requirement for “emergency treatment situations.” How will a provider know when the situation is an “emergency treatment situation” and, therefore, is exempt from the Privacy Rule’s prior consent requirement?

A: Health care providers must exercise their professional judgment to determine whether obtaining a consent would interfere with the timely delivery of necessary health care. If, based on professional judgment, a provider reasonably believes at the time the patient presents for treatment that a delay involved in obtaining the patient’s consent to use or disclose information would compromise the patient’s care, the provider may use or disclose PHI that was obtained during the emergency treatment, without prior consent, to carry out TPO. The provider must attempt to obtain consent as soon as reasonably practicable after the provision of treatment. If the provider is able to obtain the patient’s consent to use or disclose information before providing care, without compromising the patient’s care, we require the provider to do so.

Q: Does the exception to the consent requirement regarding substantial barriers to communication with the individual affect requirements under Title VI of the Civil Rights Act of 1964 or the Americans with Disabilities Act?


A: No. The provision of the Privacy Rule regarding substantial barriers to communication does not affect covered entities’ obligations under Title VI or the Americans with Disabilities Act. Entities that are covered by these statutes must continue to meet the requirements of the statutes. The Privacy Rule works in conjunction with these laws to remove impediments to access to necessary health care for all individuals.

Q: What is the difference between “consent” and “authorization” under the Privacy Rule?

A: A consent is a general document that gives health care providers, which have a direct treatment relationship with a patient, permission to use and disclose all PHI for TPO. It gives permission only to that provider, not to any other person. Health care providers may condition the provision of treatment on the individual providing this consent. One consent may cover all uses and disclosures for TPO by that provider, indefinitely. A consent need not specify the particular information to be used or disclosed, nor the recipients of disclosed information. Only doctors or other health care providers with a direct treatment relationship with a patient are required to obtain consent. Generally, a “direct treatment provider” is one that treats a patient directly, rather than based on the orders of another provider, and/or provides health care services or test results directly to patients. Other health care providers, health plans, and health care clearinghouses may use or disclose information for TPO without consent, or may choose to obtain a consent.

An authorization is a more customized document that gives covered entities permission to use specified PHI for specified purposes, which are generally other than TPO, or to disclose PHI to a third party specified by the individual. Covered entities may not condition treatment or coverage on the individual providing an authorization. An authorization is more detailed and specific than a consent. It covers only the uses and disclosures and only the PHI stipulated in the authorization; it has an expiration date; and, in some cases, it also states the purpose for which the information may be used or disclosed. An authorization is required for use and disclosure of PHI not otherwise allowed by the rule. In general, this means an authorization is required for purposes that are not part of TPO and not described in § 164.510 (uses and disclosures that require an opportunity for the individual to agree or to object) or § 164.512 (uses and disclosures for which consent, authorization, or an opportunity to agree or to object is not required). Situations in which an authorization, or an opportunity to agree or to object, is required for TPO purposes are identified and discussed in the next question. All covered entities, not just direct treatment providers, must obtain an authorization to use or disclose PHI for these purposes. For example, a covered entity would need an authorization from individuals to sell a patient mailing list, to disclose information to an employer for employment decisions, or to disclose information for eligibility for life insurance.

A covered entity will never need to obtain both an individual’s consent and authorization for a single use or disclosure. However, a provider may have to obtain consent and authorization from the same patient for different uses or disclosures. For example, an obstetrician may, under the consent obtained from the patient, send an appointment reminder to the patient, but would need authorization from the patient to send her name and address to a company marketing a diaper service.

Q: Would a covered entity ever need an authorization rather than a consent for uses or disclosures of PHI for TPO?


A: Yes. The Privacy Rule requires providers to obtain authorization and not consent to use or disclose PHI maintained in psychotherapy notes for treatment by persons other than the originator of the notes, for payment, or for health care operations purposes except as specified in the Privacy Rule (§ 164.508(a)(2)). In addition, because the consent is only for a use or disclosure of PHI for the TPO purposes of the covered entity obtaining the consent, an authorization is also required if the disclosure is for the TPO purposes of an entity other than the provider who obtained the consent. For example, a health plan seeking payment for a particular service from a second health plan, such as in coordination of benefits or secondary payer situations, may need PHI from a physician who rendered the health care services. In this case, the provider typically has been paid, and the transaction is between the plans. Since the provider’s disclosure is for the TPO purposes of the plan, it would not be covered by the provider’s consent. Rather, an authorization, and not a consent, would be the proper document for the plan to use when requesting such a disclosure.

Q: Will health care providers be required to determine whether another covered entity has a more restrictive consent form before disclosing information to that entity for TPO purposes?

A: No. Generally, a consent permits only the covered entity that obtains the consent to use or disclose PHI for its own TPO purposes. Under the Privacy Rule, one covered entity is not bound by a consent or any restrictions on that consent agreed to by another covered entity, with one exception. A covered entity would be bound by the consent of another covered entity if the entities use a “joint consent,” as permitted by the Privacy Rule (§ 164.506(f)). In addition, it is possible for several entities to choose to be treated as a single covered entity under the rule, as “affiliated entities.” Because affiliated entities are considered to be one covered entity under the rule, there would be only one consent and each entity would be bound by the consent (§ 164.504(d)).

Q: What is the interaction between “consent” and “notice”?

A: The consent and the notice of privacy practices are two distinct documents. A consent document is brief (it may be less than one page). It must refer to the notice and must inform the individual that he has the opportunity to review the notice prior to signing the consent. The Privacy Rule does not require that the individual read the notice or that the covered entity explain each item in the notice before the individual provides consent. We expect that some patients will simply sign the consent while others will read the notice carefully and discuss some of the practices with the covered entity.

Q: May consent for use or disclosure of PHI be provided electronically?

A: Yes. The covered entity may choose to obtain and store consents in paper or electronic form, provided that the consent meets all of the requirements under the Privacy Rule, including that it be signed by the individual. Paper is not required.

Q: Must a covered entity verify a signature on a consent form if the individual is not present when he signs it?

A: No.

Q: May consent be obtained by a health care provider only one time if there is a single connected course of treatment involving multiple visits?

A: Yes. A health care provider needs to obtain consent from a patient for use or disclosure of PHI only one time. This is true regardless of whether there is a connected course of treatment or treatment for unrelated conditions. A provider will need to obtain a new consent from a patient only if the patient has revoked the consent between treatments.

Q: If an individual consents to the use or disclosure of PHI for TPO purposes, obtains a health care service, and then revokes consent before the provider bills for such service, is the provider precluded from billing for such service?

A: No. A health care provider that provides a health care service to an individual after obtaining consent from the individual may bill for such service even if the individual immediately revokes consent after the service has been provided. The Privacy Rule requires that an individual be permitted to revoke consent, but provides that the revocation is not effective to the extent that the health care provider has acted in reliance on the consent. Where the provider has obtained a consent and provided a health care service pursuant to that consent with the expectation that he or she could bill for the service, the health care provider has acted in reliance on the consent. The revocation would not interfere with the billing or reimbursement for that care.

Q: Must a revocation of a consent be in writing?

A: Yes.

Q: The Privacy Rule permits a covered entity to continue to use or disclose health information that it has on the compliance date pursuant to express legal permission obtained from an individual prior to the compliance date. Is a form, signed by a patient prior to the compliance date of the rule, that permits a provider to use or disclose information for the limited purpose of payment sufficient to meet these transition provision requirements?
A: Yes. A provider that obtains permission from a patient prior to the compliance date to use or disclose information for payment purposes may use the PHI about that patient collected pursuant to that permission for purposes of TPO. Under the transition provisions, if prior to the compliance date a provider obtained a consent for the use or disclosure of health information for any one of the TPO purposes, the provider may use the health information collected pursuant to that consent for all three purposes after the compliance date (§ 164.532(b)). Thus, a provider that obtained consent for use or disclosure for billing purposes would be able to draw on the data obtained prior to the compliance date and covered by the consent form for all TPO activities to the extent not expressly excluded by the terms of the consent.

Q: Are health plans and health care clearinghouses required by the Privacy Rule to have some form of express legal permission to use and disclose health information obtained prior to the compliance date for TPO purposes?

A: No. Health plans and health care clearinghouses are not required to have express legal permission from individuals to use or disclose health information obtained prior to the compliance date for their own TPO purposes.

MINIMUM NECESSARY [45 CFR §§ 164.502(b), 164.514(d)]

General Requirement

The Privacy Rule generally requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for, protected health information (PHI) to the minimum necessary to accomplish the intended purposes. The minimum necessary provisions do not apply to the following:

Disclosures to or requests by a health care provider for treatment purposes.

Disclosures to the individual who is the subject of the information.

Uses or disclosures made pursuant to an authorization requested by the individual.

Uses or disclosures required for compliance with the standardized Health Insurance Portability and Accountability Act (HIPAA) transactions.

Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the rule for enforcement purposes.

Uses or disclosures that are required by other law.

The implementation specifications for this provision require a covered entity to develop and implement policies and procedures appropriate for its own organization, reflecting the entity’s business practices and workforce. We understand this guidance will not answer all questions pertaining to the minimum necessary standard, especially as applied to specific industry practices. As more questions arise with regard to application of the minimum necessary standard to particular circumstances, we will provide more detailed guidance and clarification on this issue.

Frequently Asked Questions

Q: How are covered entities expected to determine what is the minimum necessary information that can be used, disclosed, or requested for a particular purpose?

A: The Privacy Rule requires a covered entity to make reasonable efforts to limit use, disclosure of, and requests for PHI to the minimum necessary to accomplish the intended purpose. To allow covered entities the flexibility to address their unique circumstances, the rule requires covered entities to make their own assessment of what PHI is reasonably necessary for a particular purpose, given the characteristics of their business and workforce, and to implement policies and procedures accordingly. This is not a strict standard and covered entities need not limit information uses or disclosures to those that are absolutely needed to serve the purpose. Rather, this is a reasonableness standard that calls for an approach consistent with the best practices and guidelines already used by many providers today to limit the unnecessary sharing of medical information. The minimum necessary standard is intended to make covered entities evaluate their practices and enhance protections as needed to prevent unnecessary or inappropriate access to PHI. It is intended to reflect and be consistent with, not override, professional judgment and standards. Therefore, we expect that covered entities will utilize the input of prudent professionals involved in health care activities when developing policies and procedures that appropriately will limit access to personal health information without sacrificing the quality of health care.

Q: Won’t the minimum necessary restrictions impede the delivery of quality health care by preventing or hindering necessary exchanges of patient medical information among health care providers involved in treatment?

A: No. Disclosures for treatment purposes (including requests for disclosures) between health care providers are explicitly exempted from the minimum necessary requirements. The Privacy Rule provides the covered entity with substantial discretion as to how to implement the minimum necessary standard, and appropriately and reasonably limit access to the use of identifiable health information within the covered entity. The rule recognizes that the covered entity is in the best position to know and determine who in its workforce needs access to personal health information to perform their jobs. Therefore, the covered entity can develop role-based access policies that allow its health care providers and other employees, as appropriate, access to patient information, including entire medical records, for treatment purposes.

Q: Do the minimum necessary requirements prohibit medical residents, medical students, nursing students, and other medical trainees from accessing patients’ medical information in the course of their training?

A: No.
The definition of “health care operations” in the rule provides for “conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers.” Covered entities can shape their policies and procedures for minimum necessary uses and disclosures to permit medical trainees access to patients’ medical information, including entire medical records.

Q: Must minimum necessary be applied to disclosures to third parties that are authorized by an individual?

A: No, unless the authorization was requested by a covered entity for its own purposes. The Privacy Rule exempts from the minimum necessary requirements most uses or disclosures that are authorized by an individual. This includes authorizations covered entities may receive directly from third parties, such as life, disability, or casualty insurers pursuant to the patient’s application for or claim under an insurance policy. For example, if a covered health care provider receives an individual’s authorization to disclose medical information to a life insurer for underwriting purposes, the provider is permitted to disclose the information requested on the authorization without making any minimum necessary determination. The authorization must meet the requirements of § 164.508. However, minimum necessary does apply to authorizations requested by a covered entity for its own purposes (see § 164.508(d), (e), and (f)).

Q: Are providers required to make a minimum necessary determination to disclose to federal or state agencies, such as the Social Security Administration (SSA) or its affiliated state agencies, for individuals’ application for federal or state benefits?

A: No. These disclosures must be authorized by an individual and, therefore, are exempt from the minimum necessary requirements. Further, use of the provider’s own authorization form is not required. Providers can accept an agency’s authorization form as long as it meets the requirements of § 164.508 of the rule. For example, disclosures to SSA (or its affiliated state agencies) for purposes of determining eligibility for disability benefits are currently made subject to an individual’s completed SSA authorization form. After the compliance date, the current process may continue subject only to modest changes in the SSA authorization form to conform to the requirements in § 164.508.

Q: Doesn’t the minimum necessary standard conflict with the Transactions standards? Does minimum necessary apply to the standard transactions?

A: No, because the Privacy Rule exempts from the minimum necessary standard any uses or disclosures that are required for compliance with the applicable requirements of the subchapter. This includes all data elements that are required or situationally required in the standard transactions. However, in many cases, covered entities have significant discretion as to the information included in these transactions. This standard does apply to those optional data elements.

Q: Does the rule strictly prohibit use, disclosure, or requests of an entire medical record? Does the rule prevent use, disclosure, or requests of entire medical records without case-by-case justification?

A: No. The Privacy Rule does not prohibit use, disclosure, or requests of an entire medical record. A covered entity may use, disclose, or request an entire medical record, without a case-by-case justification, if the covered entity has documented in its policies and procedures that the entire medical record is the amount reasonably necessary for certain identified purposes.
For uses, the policies and procedures would identify those persons or classes of persons in the workforce that need to see the entire medical record and the conditions, if any, that are appropriate for such access. Policies and procedures for routine disclosures and requests and the criteria used for non-routine disclosures would identify the circumstances under which disclosing or requesting the entire medical record is reasonably necessary for particular purposes. In making non-routine requests, the covered entity may also establish and utilize criteria to assist in determining when to request the entire medical record. The Privacy Rule does not require that a justification be provided with respect to each distinct medical record. Finally, no justification is needed in those instances where the minimum necessary standard does not apply, such as disclosures to or requests by a health care provider for treatment or disclosures to the individual.

Q: In limiting access, are covered entities required to completely restructure existing workflow systems, including redesigns of office space and upgrades of computer systems, in order to comply with the minimum necessary requirements?

A: No. The basic standard for minimum necessary uses requires that covered entities make reasonable efforts to limit access to PHI to those in the workforce that need access based on their roles in the covered entity. The Department generally does not consider facility redesigns as necessary to meet the reasonableness standard for minimum necessary uses. However, covered entities may need to make certain adjustments to their facilities to minimize access, such as isolating and locking file cabinets or records rooms, or providing additional security, such as passwords, on computers maintaining personal information. Covered entities should also take into account their ability to configure their record systems to allow access to only certain fields, and the practicality of organizing systems to allow this capacity. For example, it may not be reasonable for a small, solo practitioner who has largely a paper-based records system to limit access of employees with certain functions to only limited fields in a patient record, while other employees have access to the complete record. Alternatively, a hospital with an electronic patient record system may reasonably implement such controls, and therefore may choose to limit access in this manner to comply with the rule.

Q: Will doctors’ and physicians’ offices be allowed to continue using sign-in sheets in waiting rooms?

A: We did not intend to prohibit the use of sign-in sheets, but understand that the Privacy Rule is ambiguous about this common practice. We, therefore, intend to propose modifications to the rule to clarify that this and similar practices are permissible.

Q: What happens when a covered entity believes that a request is seeking more than the minimum necessary PHI?

A: In such a situation, the Privacy Rule requires a covered entity to limit the disclosures to the minimum necessary as determined by the disclosing entity. Where the rule permits covered entities to rely on the judgment of the person requesting the information, and if such reliance is reasonable despite the covered entity’s concerns, the covered entity may make the disclosure as requested. Nothing in the Privacy Rule prevents a covered entity from discussing its concerns with the person making the request, and negotiating an information exchange that meets the needs of both parties. Such discussions occur today and may continue after the compliance date of the Privacy Rule.
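The role-based, field-level access that the minimum necessary guidance above describes (a documented policy that grants the entire record for treatment, narrower field sets for other roles and purposes, the exemption for disclosures to the individual, the authorization needed for psychotherapy notes used by anyone other than their originator, and the disclosing entity's own determination when a request asks for more than it considers necessary) can be expressed as an access-control check on an electronic record. The Python below is an added example; it is not code from this manual or from HHS. The field names, roles, purposes and policy table are assumptions chosen for illustration, and the sample record is constructed.

```python
"""Role- and purpose-based "minimum necessary" filtering of a patient record.

Added illustration, not code from the Marion Polk manual or the HHS guidance
it reproduces. Field names, roles, purposes and the policy table are
assumptions; the sample record is constructed, not real data.
"""
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Constructed sample record (placeholder values).
SAMPLE_RECORD: Dict[str, object] = {
    "patient_id": "P-0001",
    "name": "Jane Example",
    "date_of_birth": "1970-01-01",
    "diagnoses": ["J45.909"],
    "medications": ["albuterol"],
    "psychotherapy_notes": "constructed placeholder text",
    "psychotherapy_notes_author": "dr_originator",
    "insurance_member_id": "M-123",
    "billing_codes": ["99213"],
    "billed_amount": 120.0,
}

# Sentinel meaning "the entire record, whatever fields it holds".
ENTIRE_RECORD: FrozenSet[str] = frozenset({"*"})
PSYCHOTHERAPY_FIELDS: FrozenSet[str] = frozenset(
    {"psychotherapy_notes", "psychotherapy_notes_author"})

# The covered entity's documented policy: for each (role, purpose) pair, the
# fields it has decided are reasonably necessary. Treatment access by clinical
# staff is exempt from the minimum necessary standard, so the policy documents
# the entire record for that purpose, as the guidance permits.
POLICY: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("physician", "treatment"): ENTIRE_RECORD,
    ("nurse", "treatment"): ENTIRE_RECORD,
    ("billing_clerk", "payment"): frozenset(
        {"patient_id", "name", "insurance_member_id", "billing_codes",
         "billed_amount"}),
    ("scheduler", "operations"): frozenset(
        {"patient_id", "name", "date_of_birth"}),
}


class AccessDenied(Exception):
    """No documented policy covers this (role, purpose) combination."""


def permitted_fields(record: Dict[str, object], role: str, purpose: str,
                     user_id: str, *, is_subject: bool = False,
                     has_authorization: bool = False) -> FrozenSet[str]:
    """Return the set of field names this access may see."""
    # Disclosure to the individual who is the subject of the information is
    # exempt from minimum necessary: the whole record.
    if is_subject:
        return frozenset(record)
    allowed = POLICY.get((role, purpose))
    if allowed is None:
        raise AccessDenied(
            f"no documented policy for role={role!r}, purpose={purpose!r}")
    if allowed == ENTIRE_RECORD:
        allowed = frozenset(record)
    # Psychotherapy notes require an authorization for use by anyone other
    # than the originator of the notes, even for treatment.
    if allowed & PSYCHOTHERAPY_FIELDS:
        is_originator = record.get("psychotherapy_notes_author") == user_id
        if not (is_originator or has_authorization):
            allowed = allowed - PSYCHOTHERAPY_FIELDS
    return allowed


def filter_record(record: Dict[str, object], role: str, purpose: str,
                  user_id: str, **kwargs) -> Dict[str, object]:
    """Internal use: return only the fields the documented policy allows."""
    allowed = permitted_fields(record, role, purpose, user_id, **kwargs)
    return {k: v for k, v in record.items() if k in allowed}


def respond_to_request(record: Dict[str, object], requested: Iterable[str],
                       role: str, purpose: str, user_id: str,
                       **kwargs) -> Tuple[Dict[str, object], List[str]]:
    """Answer a request for named fields.

    The disclosing entity limits the disclosure to the minimum necessary as
    it has determined; anything requested beyond that is withheld and listed
    so the two parties can discuss what is actually needed.
    """
    allowed = permitted_fields(record, role, purpose, user_id, **kwargs)
    wanted = frozenset(requested)
    granted = {k: record[k] for k in wanted & allowed if k in record}
    withheld = sorted(wanted - allowed)
    return granted, withheld


if __name__ == "__main__":
    print(sorted(filter_record(SAMPLE_RECORD, "billing_clerk", "payment", "clerk1")))
    print(respond_to_request(SAMPLE_RECORD, ["name", "diagnoses", "billing_codes"],
                             "billing_clerk", "payment", "clerk1"))
```

The point of the policy table is that it is the entity's written, reviewable decision about what each role needs, which is what the rule asks for; the code only enforces it. A physician treating the patient receives the whole record except psychotherapy notes written by someone else, a billing clerk receives only billing-related fields, and a (role, purpose) pair with no documented policy is refused rather than silently granted.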
ORAL COMMUNICATIONS [45 CFR §§ 160.103, 164.501]

Background

The Privacy Rule applies to individually identifiable health information in all forms, electronic, written, oral, and any other. Coverage of oral (spoken) information ensures that information retains protections when discussed or read aloud from a computer screen or a written document. If oral communications were not covered, any health information could be disclosed to any person, so long as the disclosure was spoken. Providers and health plans understand the sensitivity of oral information. For example, many hospitals already have confidentiality policies and concrete procedures for addressing privacy, such as posting signs in elevators that remind employees to protect patient confidentiality. We also understand that oral communications must occur freely and quickly in treatment settings, and thus understand the heightened concern that covered entities have about how the rule applies. Therefore, we are taking a two-step approach to clarifying the regulation with respect to these communications. First, we provide some clarification of these issues here, so that covered entities may begin implementing the rule by the compliance date. Second, we will propose appropriate changes to the regulation text to clarify the regulatory basis for the policies discussed below in order to minimize confusion and to increase the confidence of covered entities that they are free to engage in communications as required for quick, effective, and high quality health care. We understand that issues of this importance need to be addressed directly and clearly in the Privacy Rule and that any ambiguities need to be eliminated.

Frequently Asked Questions

Q: If health care providers engage in confidential conversations with other providers or with patients, have they violated the rule if there is a possibility that they could be overheard?

A: The Privacy Rule is not intended to prohibit providers from talking to each other and to their patients. Provisions of this rule requiring covered entities to implement reasonable safeguards that reflect their particular circumstances and exempting treatment disclosures from certain requirements are intended to ensure that providers’ primary consideration is the appropriate treatment of their patients. We also understand that overheard communications are unavoidable. For example, in a busy emergency room it may be necessary for providers to speak loudly in order to ensure appropriate treatment. The Privacy Rule is not intended to prevent this appropriate behavior. We would consider the following practices to be permissible, if reasonable precautions are taken to minimize the chance of inadvertent disclosures to others who may be nearby (such as using lowered voices, talking apart):

Health care staff may orally coordinate services at hospital nursing stations.

Nurses or other health care professionals may discuss a patient’s condition over the phone with the patient, a provider, or a family member.

A health care professional may discuss lab test results with a patient or other provider in a joint treatment area.

Health care professionals may discuss a patient’s conditions during training rounds in an academic or training institution.

We will propose regulatory language to reinforce and clarify that these and similar oral communications (such as calling out patient names in a waiting room) are permissible.

Q: Does the Privacy Rule require hospitals and doctors’ offices to be retrofitted, to provide private rooms, and soundproof walls to avoid any possibility that a conversation is overheard?

A: No, the Privacy Rule does not require these types of structural changes be made to facilities. Covered entities must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. “Reasonable safeguards” mean that covered entities must make reasonable efforts to prevent uses and disclosures not permitted by the rule. The Department does not consider facility restructuring to be a requirement under this standard. In determining what is reasonable, the Department will take into account the concerns of covered entities regarding potential effects on patient care and financial burden. For example, the Privacy Rule does not require the following types of structural or system changes:

Private rooms.

Soundproofing of rooms.

Encryption of wireless or other emergency medical radio communications which can be intercepted by scanners.

Encryption of telephone systems.

Covered entities must provide reasonable safeguards to avoid prohibited disclosures. The rule does not require that all risk be eliminated to satisfy this standard. Covered entities must review their own practices and determine what steps are reasonable to safeguard their patient information. Examples of the types of adjustments or modifications to facilities or systems that may constitute reasonable safeguards are:

Pharmacies could ask waiting customers to stand a few feet back from a counter used for patient counseling.

Providers could add curtains or screens to areas where oral communications often occur between doctors and patients or among professionals treating the patient.

In an area where multiple patient-staff communications routinely occur, use of cubicles, dividers, shields, or similar barriers may constitute a reasonable safeguard. For example, a large clinic intake area may reasonably use cubicles or shield-type dividers, rather than separate rooms. In assessing what is “reasonable,” covered entities may consider the viewpoint of prudent professionals.

Q: Do covered entities need to provide patients access to oral information?

A: No. The Privacy Rule requires covered entities to provide individuals with access to PHI about themselves that is contained in their “designated record sets.” The term “record” in the term “designated record set” does not include oral information; rather, it connotes information that has been recorded in some manner. The rule does not require covered entities to tape or digitally record oral communications, nor retain digitally or tape recorded information after transcription. But if such records are maintained and used to make decisions about the individual, they may meet the definition of “designated record set.” For example, a health plan is not required to provide a member access to tapes of a telephone “advice line” interaction if the tape is only maintained for customer service review and not to make decisions about the member.

Q: Do covered entities have to document all oral communications?

A: No. The Privacy Rule does not require covered entities to document any information, including oral information, that is used or disclosed for treatment, payment or health care operations (TPO). The rule includes, however, documentation requirements for some information disclosures for other purposes. For example, some disclosures must be documented in order to meet the standard for providing a disclosure history to an individual upon request. Where a documentation requirement exists in the rule, it applies to all relevant communications, whether in oral or some other form. For example, if a covered physician discloses information about a case of tuberculosis to a public health authority as permitted by the rule in § 164.512, then he or she must maintain a record of that disclosure regardless of whether the disclosure was made orally by phone or in writing.

Q: Did the Department change its position from the proposed rule by covering oral communications in the final Privacy Rule?

A: No.
The proposed rule would have covered information in any form or medium, as long as it had at some point been maintained or transmitted electronically. Once information had been electronic, it would have continued to be covered as long as it was held by a covered entity, whether in electronic, written, or oral form. The final Privacy Rule eliminates this nexus to electronic information. All individually identifiable health information of the covered entity is covered by the rule.

BUSINESS ASSOCIATES [45 CFR §§ 160.103, 164.502(e), 164.514(e)]

Background

By law, the Privacy Rule applies only to health plans, health care clearinghouses, and certain health care providers. In today’s health care system, however, most health care providers and health plans do not carry out all of their health care activities and functions by themselves; they require assistance from a variety of contractors and other businesses. In allowing providers and plans to give protected health information (PHI) to these “business associates,” the Privacy Rule conditions such disclosures on the provider or plan obtaining, typically by contract, satisfactory assurances that the business associate will use the information only for purposes for which they were engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with the covered entity’s duties to provide individuals with access to health information about them and a history of certain disclosures (e.g., if the business associate maintains the only copy of information, it must promise to cooperate with the covered entity to provide individuals access to information upon request). PHI may be disclosed to a business associate only to help the providers and plans carry out their health care functions – not for independent use by the business associate.

Frequently Asked Questions

Q: Has the Secretary exceeded the statutory authority by requiring “satisfactory assurances” for disclosures to business associates?

A: No. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) gives the Secretary authority to directly regulate health care providers, health plans, and health care clearinghouses.
It also grants the Department explicit authority to regulate the uses and disclosures of PHI maintained and transmitted by covered entities. Therefore, we do have the authority to condition the disclosure of PHI by a covered entity to a business associate on the covered entity’s having a contract with that business associate.

Q: Has the Secretary exceeded the HIPAA statutory authority by requiring “business associates” to comply with the Privacy Rule, even if that requirement is through a contract?

A: The Privacy Rule does not “pass through” its requirements to business associates or otherwise cause business associates to comply with the terms of the rule. The assurances that covered entities must obtain prior to disclosing PHI to business associates create a set of contractual obligations far narrower than the provisions of the rule, to protect information generally and help the covered entity comply with its obligations under the rule. For example, covered entities do not need to ask their business associates to agree to appoint a privacy officer, or develop policies and procedures for use and disclosure of PHI.

Q: Is it reasonable for covered entities to be held liable for the privacy violations of business associates?

A: A health care provider, health plan, or other covered entity is not liable for privacy violations of a business associate. Covered entities are not required to actively monitor or oversee the means by which the business associate carries out safeguards or the extent to which the business associate abides by the requirements of the contract. Moreover, a business associate’s violation of the terms of the contract does not, in and of itself, constitute a violation of the rule by the covered entity. The contract must obligate the business associate to advise the covered entity when violations have occurred. If the covered entity becomes aware of a pattern or practice of the business associate that constitutes a material breach or violation of the business associate’s obligations under its contract, the covered entity must take “reasonable steps” to cure the breach or to end the violation. Reasonable steps will vary with the circumstances and nature of the business relationship. If such steps are not successful, the covered entity must terminate the contract if feasible. The rule also provides for circumstances in which termination is not feasible, for example, where there are no other viable business alternatives for the covered entity. In such circumstances where termination is not feasible, the covered entity must report the problem to the Department. Only if the covered entity fails to take the kinds of steps described above would it be considered to be out of compliance with the requirements of the rule.

PARENTS AND MINORS [45 CFR § 164.503(g)]

General Requirements

The Privacy Rule provides individuals with certain rights with respect to their personal health information, including the right to obtain access to and to request amendment of health information about themselves.
These rights rest with that individual, or with the “personal representative” of that individual. In general, a person’s right to control protected health information (PHI) is based on that person’s right (under state or other applicable law, e.g., tribal or military law) to control the health care itself. Because a parent usually has authority to make health care decisions about his or her minor child, a parent is generally a “personal representative” of his or her minor child under the Privacy Rule and has the right to obtain access to health information about his or her minor child. This would also be true in the case of a guardian or other person acting in loco parentis of a minor. There are exceptions in which a parent might not be the “personal representative” with respect to certain health information about a minor child. In the following situations, the Privacy Rule defers to determinations under other law that the parent does not control the minor’s health care decisions and, thus, does not control the PHI related to the care:

When state or other law does not require consent of a parent or other person before a minor can obtain a particular health care service, and the minor consents to the health care service, the parent is not the minor’s personal representative under the Privacy Rule. For example, when a state law provides an adolescent the right to consent to mental health treatment without the consent of his or her parent, and the adolescent obtains such treatment without the consent of the parent, the parent is not the personal representative under the Privacy Rule for that treatment. The minor may choose to involve a parent in these health care decisions without giving up his or her right to control the related health information. Of course, the minor may always have the parent continue to be his or her personal representative even in these situations.

When a court determines or other law authorizes someone other than the parent to make treatment decisions for a minor, the parent is not the personal representative of the minor for the relevant services. For example, courts may grant authority to make health care decisions for the minor to an adult other than the parent, to the minor, or the court may make the decision(s) itself. In order to not undermine these court decisions, the parent is not the personal representative under the Privacy Rule in these circumstances.

In the following situations, the Privacy Rule reflects current professional practice in determining that the parent is not the minor’s personal representative with respect to the relevant PHI:

When a parent agrees to a confidential relationship between the minor and the physician, the parent does not have access to the health information related to that conversation or relationship. For example, if a physician asks the parent of a 16-year old if the physician can talk with the child confidentially about a medical condition and the parent agrees, the parent would not control the PHI that was discussed during that confidential conference.

When a physician (or other covered entity) reasonably believes in his or her professional judgment that the child has been or may be subjected to abuse or neglect, or that treating the parent as the child’s personal representative could endanger the child, the physician may choose not to treat the parent as the personal representative of the child.

Relation to State Law

In addition to the provisions (described above) tying the right to control information to the right to control treatment, the Privacy Rule also states that it does not preempt state laws that specifically address disclosure of health information about a minor to a parent (§ 160.202). This is true whether the state law authorizes or prohibits such disclosure. Thus, if a physician believes that disclosure of information about a minor would endanger that minor, but a state law requires disclosure to a parent, the physician may comply with the state law without violating the Privacy Rule. Similarly, a provider may comply with a state law that requires disclosure to a parent and would not have to accommodate a request for confidential communications that would be contrary to state law.

Frequently Asked Questions

Q: Does the Privacy Rule allow parents the right to see their children’s medical records?

A: The Privacy Rule generally allows parents, as their minor children’s personal representatives, to have access to information about the health and well-being of their children when state or other underlying law allows parents to make treatment decisions for the child. There are two exceptions: (1) when the parent agrees that the minor and the health care provider may have a confidential relationship, the provider is allowed to withhold information from the parent to the extent of that agreement; and (2) when the provider reasonably believes in his or her professional judgment that the child has been or may be subjected to abuse or neglect, or that treating the parent as the child’s personal representative could endanger the child, the provider is permitted not to treat the parent as the child’s personal representative with respect to health information. Secretary Thompson has stated that he is reassessing these provisions of the regulation.

Q: Does the Privacy Rule provide rights for children to be treated without parental consent?

A: No. The Privacy Rule does not address consent to treatment, nor does it preempt or change state or other laws that address consent to treatment. The Rule addresses access to health information, not the underlying treatment.

Q: If a child receives emergency medical care without a parent’s consent, can the parent get all information about the child’s treatment and condition?

A: Generally, yes. Even though the parent did not provide consent to the treatment in this situation, under the Privacy Rule the parent would still be the child’s personal representative. This would not be so only when the minor provided consent (and no other consent is required) or the treating physician suspects abuse or neglect or reasonably believes that releasing the information to the parent will endanger the child.

HEALTH-RELATED COMMUNICATIONS AND MARKETING [45 CFR §§ 164.501, 164.514(e)]

General Requirements

The Privacy Rule addresses the use and disclosure of protected health information (PHI) for marketing purposes in the following ways:

- Defines what is “marketing” under the rule;
- Removes from that definition certain treatment or health care operations activities;
- Sets limits on the kind of marketing that can be done as health care operations; and
- Requires individual authorization for all other uses or disclosures of PHI for marketing purposes.

Frequently Asked Questions

Q: Does this rule expand the ability of providers, plans, marketers and others to use my PHI to market goods and services to me? Does the Privacy Rule make it easier for health care businesses to engage in door-to-door sales and marketing efforts?

A: No. The provisions described above impose limits on the use or disclosure of PHI for marketing that do not exist in most states today. For example, the rule requires patients’ authorization for the following types of uses or disclosures of PHI for marketing:

- Selling PHI to third parties for their use and re-use. Under the rule, a hospital or other provider may not sell names of pregnant women to baby formula manufacturers or magazines.

- Disclosing PHI to outsiders for the outsiders’ independent marketing use. Under the rule, doctors may not provide patient lists to pharmaceutical companies for those companies’ drug promotions.

These activities can occur today with no authorization from the individual. In addition, for the marketing activities that are allowed by the rule without authorization from the individual, the Privacy Rule requires covered entities to offer individuals the ability to opt out of further marketing communications. Similarly, under the business associate provisions of the rule, a covered entity may not give PHI to a telemarketer, door-to-door salesperson, or other marketer it has hired unless that marketer has agreed by contract to use the information only for marketing on behalf of the covered entity. Today, there may be no restrictions on how marketers re-use information they obtain from health plans and providers.

Q: Can telemarketers gain access to PHI and call individuals to sell goods and services?

A: Under the rule, unless the covered entity obtains the individual’s authorization, it may only give health information to a telemarketer that it has hired to undertake marketing on its behalf. The telemarketer must be a business associate under the rule, which means that it must agree by contract to use the information only for marketing on behalf of the covered entity, and not market its own goods or services (or those of another third party). The caller must identify the covered entity that is sponsoring the marketing call. The caller must provide individuals the opportunity to opt out of further marketing.

Q: When is an authorization required from the patient before a provider or health plan engages in marketing to that individual?

A: An authorization for use or disclosure of PHI for marketing is always required, unless one of the following three exceptions applies:

- The marketing occurs during an in-person meeting with the patient (e.g., during a medical appointment).
- The marketing concerns products or services of nominal value.
- The covered entity is marketing health-related products and services (of either the covered entity or a third party), the marketing identifies the covered entity that is responsible for the marketing, and the individual is offered an opportunity to opt out of further marketing. In addition, the marketing must tell people if they have been targeted based on their health status, and must also tell people when the covered entity is compensated (directly or indirectly) for making the communication.

Q: How can I distinguish between activities for treatment, payment or health care operations (TPO) and marketing activities?

A: There is no need for covered entities to make this distinction. In recommending treatments, providers and health plans advise us to purchase goods and services. The overlap between “treatment,” “health care operations,” and “marketing” is unavoidable. Instead of creating artificial distinctions, the rule imposes requirements that do not require such distinctions. Specifically:

- If the activity is included in the rule’s definition of “marketing,” the rule’s provisions restricting the use or disclosure of PHI for marketing purposes will apply, whether or not that communication also meets the rule’s definition of “treatment,” “payment,” or “health care operations.” For these communications, the individual’s authorization is required before a covered entity may use or disclose PHI for marketing unless one of the exceptions to the authorization requirement (described above) applies.

- The rule exempts certain activities from the definition of “marketing.” If an activity falls into one of the definition’s exemptions, the marketing rules do not apply. In these cases, covered entities may engage in the activity without first obtaining an authorization if the activity meets the definition of “treatment,” “payment,” or “health care operations.” These exemptions are described above, in the section titled “Communications That Are Not Marketing,” and are designed to ensure that nothing in this rule interferes with treatment activities.

Q: Do disease management, health promotion, preventive care, and wellness programs fall under the definition of “marketing”?

A: Whether these kinds of activities fall under the rule’s definition of “marketing” depends on the specifics of how the activity is conducted. The activities currently undertaken under these rubrics are diverse. Covered entities must examine the particular activities they undertake, and compare these to the activities that are exempt from the definition of “marketing.”

Q: Can contractors (business associates) use PHI to market to individuals for their own business purposes?

A: The Privacy Rule prohibits health plans and covered health care providers from giving PHI to third parties for the third party’s own business purposes, absent authorization from the individuals. Under the statute, this regulation cannot govern contractors directly.

RESEARCH [45 CFR §§ 164.501, 164.508(f), 164.512(i)]

Background

The Privacy Rule establishes the conditions under which protected health information (PHI) may be used or disclosed by covered entities for research purposes. A covered entity may always use or disclose for research purposes health information that has been de-identified (in accordance with §§ 164.502(d), 164.514(a)-(c) of the rule) without regard to the provisions below. The Privacy Rule also defines the means by which individuals/human research subjects are informed of how medical information about them will be used or disclosed and their rights with regard to gaining access to information about themselves, when such information is held by covered entities. Where research is concerned, the Privacy Rule protects the privacy of individually identifiable health information, while at the same time ensuring that researchers continue to have access to medical information necessary to conduct vital research.

Currently, most research involving human subjects operates under the Common Rule (codified for the Department of Health and Human Services (HHS) at Title 45 Code of Federal Regulations Part 46) and/or the Food and Drug Administration’s (FDA) human subjects protection regulations, which have some provisions that are similar to, but more stringent than and separate from, the Privacy Rule’s provisions for research.

Frequently Asked Questions

Q: Will the rule hinder medical research by making doctors and others less willing and/or able to share information about individual patients?

A: We do not believe that the Privacy Rule will hinder medical research. Indeed, patients and health plan members should be more willing to participate in research when they know their information is protected. For example, in genetic studies at the National Institutes of Health (NIH), nearly 32 percent of eligible people offered a test for breast cancer risk decline to take it. The overwhelming majority of those who refuse cite concerns about health insurance discrimination and loss of privacy as the reason. The Privacy Rule both permits important research and, at the same time, encourages patients to participate in research by providing much needed assurances about the privacy of their health information. The Privacy Rule will require some covered health care providers and health plans to change their current practices related to documenting research uses and disclosures. It is possible that some covered health care providers and health plans may conclude that the rule’s requirements for research uses and disclosures are too burdensome and will choose to limit researchers’ access to PHI. We believe few providers will take this route, however, because the Common Rule includes similar, and more stringent, requirements, which have not impaired the willingness of researchers to undertake federally-funded research. For example, unlike the Privacy Rule, the Common Rule requires IRB review for all research proposals under its purview, even if informed consent is to be sought. The Privacy Rule requires documentation of IRB or Privacy Board approval only if patient authorization for the use or disclosure of PHI for research purposes is to be altered or waived.
RESTRICTIONS OF GOVERNMENT ACCESS TO HEALTH INFORMATION [45 CFR §§ 160.300; 164.512(b); 164.512(f)]

Background

Under the Privacy Rule, government-operated health plans and health care providers must meet substantially the same requirements as private ones for protecting the privacy of individually identifiable health information. For instance, government-run health plans, such as Medicare and Medicaid, must take virtually the same steps to protect the claims and health information that they receive from beneficiaries as private insurance plans or health maintenance organizations (HMOs). In addition, all federal agencies must also meet the requirements of the Privacy Act of 1974, which restricts what information about individual citizens – including any personal health information – can be shared with other agencies and with the public. The only new authority for government involves enforcement of the Privacy Rule itself. In order to ensure covered entities protect patients’ privacy as required, the rule provides that health plans, hospitals, and other covered entities cooperate with the Department’s efforts to investigate complaints or otherwise ensure compliance. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the privacy protections and access rights for consumers under this rule.

Frequently Asked Questions

Q: Does the rule require my doctor to send my medical records to the government?

A: No. The rule does not require a physician or any other covered entity to send medical information to the government for a government database or similar operation. This rule does not require or allow any new government access to medical information, with one exception: the rule does give OCR the authority to investigate complaints and to otherwise ensure that covered entities comply with the rule. OCR has been assigned the responsibility of enforcing the Privacy Rule. As is typical in many enforcement settings, OCR may need to look at how a covered entity handled medical records and other personal health information. The Privacy Rule limits disclosure to OCR to information that is “pertinent to ascertaining compliance.” OCR will maintain stringent controls to safeguard any individually identifiable health information that it receives. If covered entities could avoid or ignore enforcement requests, consumers would not have a way to ensure an independent review of their concerns about privacy violations under the rule.

Q: Why would a Privacy Rule require covered entities to turn over anybody’s personal health information as part of a government enforcement process?

A: An important ingredient in ensuring compliance with the Privacy Rule is the Department’s responsibility to investigate complaints that the rule has been violated and to follow up on other information regarding noncompliance. At times, this responsibility entails seeing personal health information, such as when an individual indicates to the Department that they believe a covered entity has not properly handled their medical records. What information would be needed depends on the circumstances and the alleged violations. The Privacy Rule limits OCR’s access to information that is “pertinent to ascertaining compliance.” In some cases, no personal health information would be needed. For instance, OCR may need to review only a business contract to determine whether a health plan included appropriate language to protect privacy when it hired an outside company to help process claims. Examples of investigations that may require OCR to have access to protected health information (PHI) include:

Allegations that a covered entity refused to note a request for correction in a patient’s medical record, or did not provide complete access to patient’s medical records to that patient.

Allegations that a covered entity used health information for marketing purposes without first obtaining the individuals’ authorization when required by the rule. OCR may need to review information in the marketing department that contains personal health information, to determine whether a violation has occurred.

Q: Will this rule make it easier for police and law enforcement agencies to get my medical information?

A: No. The rule does not expand current law enforcement access to individually identifiable health information. In fact, it limits access to a greater degree than currently exists. Today, law enforcement officers obtain health information for many purposes, sometimes without a warrant or other prior process. The rule establishes new procedures and safeguards to restrict the circumstances under which a covered entity may give such information to law enforcement officers. For example, the rule limits the type of information that covered entities may disclose to law enforcement, absent a warrant or other prior process, when law enforcement is seeking to identify or locate a suspect. It specifically prohibits disclosure of DNA information for this purpose, absent some legal requirement such as a warrant. Similarly, under most circumstances, the Privacy Rule requires covered entities to obtain permission from persons who have been the victim of domestic violence or abuse before disclosing information about them to law enforcement. In most states, such permission is not required today. Where state law imposes additional restrictions on disclosure of health information to law enforcement, those state laws continue to apply. This rule sets a national floor of legal protections; it is not a set of “best practices.” Even in those circumstances when disclosure to law enforcement is permitted by the rule, the Privacy Rule does not require covered entities to disclose any information. Some other federal or state law may require a disclosure, and the Privacy Rule does not interfere with the operation of these other laws. However, unless the disclosure is required by some other law, covered entities should use their professional judgment to decide whether to disclose information, reflecting their own policies and ethical principles. In other words, doctors, hospitals, and health plans could continue to follow their own policies to protect privacy in such instances.

Q: Must a health care provider or other covered entity obtain permission from a patient prior to notifying public health authorities of the occurrence of a reportable disease?

A: No. All states have laws that require providers to report cases of specific diseases to public health officials. The Privacy Rule allows disclosures that are required by law. Furthermore, disclosures to public health authorities that are authorized by law to collect or receive information for public health purposes are also permissible under the Privacy Rule. In order to do their job of protecting the health of the public, it is frequently necessary for public health officials to obtain information about the persons affected by a disease.
In some cases they may need to contact those affected in order to determine the cause of the disease to allow for actions to prevent further illness. The Privacy Rule continues to allow for the existing practice of sharing PHI with public health authorities that are authorized by law to collect or receive such information to aid them in their mission of protecting the health of the public. Examples of such activities include those directed at the reporting of disease or injury, reporting deaths and births, investigating the occurrence and cause of injury and disease, and monitoring adverse outcomes related to food, drugs, biological products, and dietary supplements.

Q: How does the rule affect my rights under the federal Privacy Act?

A: The Privacy Act of 1974 protects personal information about individuals held by the federal government. Covered entities that are federal agencies or federal contractors that maintain records covered by the Privacy Act must not only obey the Privacy Rule’s requirements but also comply with the Privacy Act.

PAYMENT [45 CFR 164.501]

General Requirements

As provided for by the Privacy Rule, a covered entity may use and disclose protected health information (PHI) for payment purposes. “Payment” is a defined term that encompasses the various activities of health care providers to obtain payment or be reimbursed for their services, and of a health plan to obtain premiums, to fulfill its coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care. In addition to the general definition, the Privacy Rule provides examples of common payment activities, which include, but are not limited to:

- Determining eligibility or coverage under a plan and adjudicating claims;
- Risk adjustments;
- Billing and collection activities;
- Reviewing health care services for medical necessity, coverage, justification of charges, and the like;
- Utilization review activities; and
- Disclosures to consumer reporting agencies (limited to specified identifying information about the individual, his or her payment history, and identifying information about the covered entity).

Frequently Asked Questions

Q: Does the Privacy Rule prevent health plans and providers from using debt collection agencies? Does the rule conflict with the Fair Debt Collection Practices Act?

A: The Privacy Rule permits covered entities to continue to use the services of debt collection agencies. Debt collection is recognized as a payment activity within the “payment” definition. Through a business associate arrangement, the covered entity may engage a debt collection agency to perform this function on its behalf. Disclosures to collection agencies under a business associate agreement are governed by other provisions of the rule, including consent (where consent is required) and the minimum necessary requirements. We are not aware of any conflict between the Privacy Rule and the Fair Debt Collection Practices Act. Where a use or disclosure of PHI is necessary for the covered entity to fulfill a legal duty, the Privacy Rule would permit such use or disclosure as required by law.