HIPAA AUDIT TOOLKIT. A complimentary excerpt from Davis Wright s audit toolkit Davis Wright Tremaine. dwt.com

Transcription

1 HIP UDIT TOOLKIT complimentary excerpt from Davis Wright s audit toolkit 2013 Davis Wright Tremaine dwt.com

2 DVI WIGHT HIP UDIT TOOLKIT INTODUCTION Davis Wright is pleased to offer members of the International ssociation of Privacy Professionals complementary access to a key section of our comprehensive HIP udit Toolkit. The HIP udit Toolkit is focused on assisting health care providers ensure that their privacy, security, and breach notification programs comply with HIP requirements, identifying potential best practices and hidden vulnerabilities. It includes compliance assessment tools for privacy, security, and breach notification, checklists for authorization forms, notices of privacy practices, business associate contracts, data use agreements, and breach notices, and helpful resources. bout the Excerpt The following excerpt is taken from the privacy assessment tool, one of several tools within the Toolkit. The assessment tool consists of questions focused on assisting health care providers with ensuring that they maintain appropriate policies and procedures, training, and documentation in compliance with the tandards for Privacy of Individually Identifiable Health Information ( Privacy ule ). ome questions are designed to go beyond the minimum requirements of the Privacy ule and are intended to suggest potential best practices. Therefore, a negative response to any of the questions does not necessarily indicate noncompliance with the Privacy ule. Questions are marked as "" (equired) if they relate to a requirement of the Privacy ule that, if not complied with, could be deemed noncompliance. lthough the Privacy ule does not specify how detailed policies and procedures must be, for purposes of defending an audit or investigation, the government may treat an organization as noncompliant if it cannot provide policies that indicate compliance with each requirement. Questions are marked as "" (uggested) if they are not required by the Privacy ule but are either discretionary under the Privacy ule (e.g., discretionary grounds for denying patients access to their designated record set) or are practices that we recommend for your consideration. Questions are marked as "T" (Training) if they pertain to training requirements. The Privacy ule does not specify how detailed organizations must make their training, but we recommend an emphasis on recurring, realworld situations (rather than merely a recitation of the law) and that at least some members of the workforce are trained on each policy. Questions are marked as "" (udit Protocol) if they were taken from the audit protocol that was used in the audits by the U.. Department of Health and Human ervices Office for Civil ights through a contractor. The privacy assessment tool consists of hundreds of questions. The excerpt that follows is the portion of the privacy assessment tool relating to the Privacy ule s requirement to provide individuals with access to certain portions of their protected health information. The electronic version includes additional columns for notes and corrective actions. Terms of Use The excerpt is the property of Davis Wright Tremaine and is offered for educational purposes only. It is not intended as a substitute for individualized advice from qualified business or legal advisors. This excerpt is for use by health care organizations by their own workforce. It may not be further republished without the express written approval of Davis Wright Tremaine. More Information To learn more about Davis Wright s full HIP udit Toolkit go to wwwdwt.com/hiptoolkit/ or contact dam Greene, the toolkit s author, directly at or adamgreene@dwt.com Davis Wright Tremaine

3 Excerpt for International ssociation of Privacy Professionals D HIP Privacy Compliance ssessment Tool (Questionnaire) Designated ecord et, , (e)(1) Have you documented the location of all medical records that are used, in whole or in part, to make decisions about individuals? Have you documented the location of all billing records that are used, in whole or in part, to make decisions about individuals? Have you documented the location of all other PHI that is used, in whole or in part, to make decisions about individuals? Have you documented what Bs have PHI in designated record sets? [Note, while the Privacy ule is ambiguous regarding whether the requirement to document designated record sets includes those maintained by Bs, such documentation may be helpful in order to most efficiently respond to requests for access or amendment where some PHI in designated record sets is held by Bs.] elevant CF ection (45 C.F.. ) (e)(1) (e)(1) (e)(1) equired (), uggested (), Training (T), or udit Protocol () 5 Do you maintain the above documentation for at least six years? (j) E 1 ccess of Individuals to PHI, Do you have a policy permitting individuals to inspect and obtain a copy of PHI about the individual in a designated record set? (a)(1) 2 Have you trained members of your workforce to recognize such requests (e.g., when they come up during routine patient care) and to whom to refer such requests? T 3 If you require that such requests be in writing, have you trained members of your workforce regarding this requirement? T 4 Do you have a form available? [Note, while such a form likely will be helpful, there may be some legal risk if you refuse to accept a written request because it is not on your form.] Yes (Y), No (N), or Unsure (?) 5 Do you have a policy for excepting psychotherapy notes from the provision of access to individuals? (a)(1)(i) 6 Do you have a policy for excepting information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding from the provision of access to individuals? (a)(1)(ii) 7 If you have a laboratory that is subject to the Clinical Laboratory Improvements mendments of 1988 (CLI) or exempt from CLI pursuant to 42 C.F (a)(2), do you have a process for excepting PHI from the provision of access to the extent that the provision of access would be prohibited by law? [Note, this exception is currently the subject of rulemaking and is likely to be removed.] (a)(1)(iii) HIP Privacy Compliance ssessment Tool (v. 3.0) 2013 Davis Wright Tremaine LLP Page 1

4 Excerpt for International ssociation of Privacy Professionals If you ever provide care under the direction of a correctional institution, do you have a process for denying requests for access where provision of access would jeopardize the health, safety, security, custody, or rehabilitation of the individual or others? If you seek to deny access to PHI during the course of research, do you have a policy for ensuring that the individual has agreed to the denial of access when consenting to participate in the research? If you seek to deny access to PHI during the course of research, do you have a policy for ensuring that the right to access will be reinstated upon completion of the research? [Note, if you have denied a request for access during the course of the research, you may want to consider automatically providing the requested PHI at the end of the research, rather than requiring a second request.] Do you have a policy permitting the denial of access to information obtained from someone other than a health care provider under a promise of confidentiality? Do you have a policy permitting the denial of access to PHI when a licensed health care professional determines that the provision of access would likely endanger the life or physical safety of the individual or another person? (a)(2)(ii) (a)(2)(iii) (a)(2)(iii) (a)(2)(v) (a)(3)(i) 13 Do you have a policy permitting the denial of access to PHI when the PHI makes reference to another person and a licensed health care professional determines that the provision of access would likely cause substantial harm (physical, emotional, or other) to the other person? (a)(3)(ii) Do you have a policy permitting the denial of access to PHI to an individual s personal representative when a licensed health care professional determines that the provision of access would likely cause substantial harm to the individual or another person (including members of your workforce or others involved in the individual s care)? Have you trained licensed health care professionals that they may deny access (or request that access be denied) on the above bases? If you deny access based on the above exercise of judgment by a licensed health care professional, have you designated another licensed health care professional to review the decision upon the individual or personal representative s request? (a)(3)(iii) (a)(4) T 17 Do you have a policy ensuring that you act on all requests for PHI within a designated record set within 30 days? [Note that you used to have up to 60 days if the designated record set was not accessible on-site, but this extension was removed and covered entities must provide access to offsite materials within 30 days for requests received on or after eptember 23, 2013) (b)(2)(i) 18 Do you have a policy providing for up to a single extension of up to 30 days if you are unable to provide access within the above timeframes? [Note, the Privacy ule does not permit additional extensions and it may be helpful for your policy to reflect this.] (b)(2)(iii) HIP Privacy Compliance ssessment Tool (v. 3.0) 2013 Davis Wright Tremaine LLP Page 2

5 Excerpt for International ssociation of Privacy Professionals Do you have a policy ensuring that you notify the individual of an extension within 30 days of the request? Do you have a policy that any notification of an extension includes the reason for the delay and the date by which you will provide the access or provide a denial? (b)(2)(iii) (b)(2)(iii)() 21 If you deny access, do you have a policy of providing a written denial? (d)(2) 22 Does the policy require that the written denial include the basis of the denial? (d)(2)(i) 23 Does the policy require that the written denial include a description of how the individual can file a complaint with the covered entity or HH? (d)(2)(iii) 24 Does the policy require that the written denial include the name or title and phone number of the contact person for privacy complaints? Does the policy require that, if the denial is based on a licensed health care professional s judgment, does the written denial include information about the individual s or personal representative s right to a review and how to exercise this right? Do you have a policy ensuring that if you deny access to some PHI, you will make the rest of the requested PHI in the designated record set available? [Note, it may be advisable to limit the use of denials in which the covered entity denies access to all PHI in the designated record set unless there is a strong basis for denying all such access.] (d)(2)(iii) (d)(2)(ii) (d)(1) 27 Do you have a policy for providing access to PHI in a designated record set in the form or format requested when such form and format is readily producible? [If the individual requests a copy through unencrypted and such a copy is readily producible in electronic form, the covered entity should warn that there is some risk of the being read by a third party and may offer an alternative form. If the individual still wishes to receive an unencrypted , the covered entity should accommodate the request. 78 Fed. eg Jan. 25, 2013).] (c)(2)(i) 28 Do you have a policy that, if an individual requests an electronic copy of a designated record set that is maintained electronically and the requested form and format is not readily producible, you will provide a copy in an alternative readable electronic form that is agreeable to the individual (such as (c)(2)(ii) a PDF)? 29 Do you document your basis for determining that a requested form or format is not readily producible and maintain this documentation for at least six years? 30 Do you have a process for providing a summary of PHI or an explanation? (c)(2)(ii) 31 If you provide a summary or explanation, do you have a process for ensuring that the individual has agreed in advance to any fees associated with creating the summary or explanation? (c)(2)(iii) HIP Privacy Compliance ssessment Tool (v. 3.0) 2013 Davis Wright Tremaine LLP Page 3

6 Excerpt for International ssociation of Privacy Professionals Do you have a policy providing that an individual can designate a third party to receive the copy of the designated record set, so long as the request is in writing and signed by the individual (including electronic requests with electronic signatures), identifies the designated third party, and identifies where to send the copy? Do you have a policy limiting your charges for copies of PHI to a reasonable amount, including compliance with any applicable state laws? Do you have a policy further limiting your charges for copies of PHI to your costs of labor (for paper or electronic copies, which may not include time for retrieving records), supplies (for paper copies, such as paper and toner), electronic media (if an electronic copy is provided on electronic media, such as CD or UB drive) and postage, even if such costs are less than the allowance under state law? [ee 78 Fed. eg (Jan. 25, 2013)] Do you have documentation of your copying costs? [Note, this documentation arguably can be based on average copying costs across your organization, but it may be advisable to update this information periodically.] Does your policy exclude the cost of retrieval, including any standard retrieval fee (even if allowed under state law)? Have you trained members of your workforce on how to provide or deny access, including permissible charges and applicable timeframes? [Note, it arguably is appropriate to limit this training to only members of the workforce with responsibilities in this area, while training regarding handling requests for access may include anyone who potentially may receive such a request during the course of treatment, payment, or other activities.] (c)(3)(ii) (c)(4) (c)(4)(i) and (ii) 65 Fed. eg. 82,557 (Dec. 28, 2000) 38 Do you maintain documentation of all requests for access for at least six years? (j)(2) 39 Have you documented the titles of the persons or offices responsible for receiving and processing requests for access? (e)(2) 40 Do you maintain such documentation for at least six years? "Inquire of management as to how an individual can access PHI." 42 "Obtain and review formal or informal policies and procedures to determine a [sic] if a process is in place for individuals to access PHI." 43 "Obtain and review the notice of privacy practices to identify if an individual's right to access in timely manner is outlined in the notice." 44 "Determine whether fee charged meets criteria." 45 "Inquire of management as to whether a process to facilitate review of denial of access is in place." T 46 "Obtain or inquire about the formal or informal process to determine whether it meets the requirements of the established criteria." HIP Privacy Compliance ssessment Tool (v. 3.0) 2013 Davis Wright Tremaine LLP Page 4

7 Excerpt for International ssociation of Privacy Professionals 47 "Inquire of management as to whether a process to facilitate review of denial of access is in place." "Obtain or inquire about the formal or informal process to determine whether it meets the requirements of the established criteria." "Determine if the entity has a process in place for an individual to request and receive a review of a denial of access by a licensed health care professional who did not participate in the original decision to deny the individual's request for access." "Inquire of management as to whether the unreviewable denied requests for access are properly documented." 51 "Obtain and review a list of unreviewable denials of access." "Verify that the circumstances that trigger unreviewable grounds for denial apply to the denied access." "Inquire of management as to whether the policies and procedures are in place to have the denial of access reviewed." "Obtain and review policies and procedures to determine a process in place to allow an individual to request a review of the denial of access." HIP Privacy Compliance ssessment Tool (v. 3.0) 2013 Davis Wright Tremaine LLP Page 5

8 MOE INFOMTION: dam Greene