BREACHES & COMPLAINTS

Transcription

1 REVISION DATE: HIPAA SECURITY BREACHES & COMPLAINTS Page 1 POLICY: It is the policy of this Alternatives in Psychological Consultation (APC) to ensure the privacy of Protected Health Information ( PHI ) as well as to ensure that such information is used and disclosed in accordance with all applicable laws and regulations. Any concerned individual has the right to file a formal complaint concerning privacy issues without fear of reprisal. All APC employees who become aware of potential HIPAA violations or breaches are required to report issues immediately upon learning of the violation to their direct supervisor or the Agency s Privacy Officer. Such issues could include, but are not limited to, allegations that: PHI that was used/disclosed improperly; Access or amendment rights were wrongfully denied; or The Facility s Notice of Privacy Practices does not reflect current practices accurately PROCEDURE: 1. All clients or their personal representatives will be notified of their right to file a complaint to APC or the Department of Health and Human Services in the Notice of Privacy Practices. 2. All concerns by clients may be registered by telephone, mail, , or in person. 3. Employees with concerns shall first speak with their supervisor about the issue immediately upon learning of a potential breach. This could pertain to a breach by the employee or from another employee who learned of a potential breach. The supervisor shall then contact the Privacy Officer or other designated official regarding the issue and complete a HIPAA Security Form. 4. Upon receipt of a complaint/concern about APC s privacy policies or its compliance with those policies or the law, the complaint/concern will be recorded on a HIPAA Security Log or HIPAA Security Form. (See Attachments.) 5. APC s Privacy Officer or other designated official will review the form/log to ensure that the information is complete, and shall also conduct the following steps: a. Document the date, time, and name of the person making the complaint or violation in the HIPAA Security Log. b. Investigate the complaint or violation. c. Document the resolution of the complaint or violation. 6. The Privacy Officer, together with members of APC s Risk Management team and the supervisor of the affected department, if applicable, shall review and investigate the issue to determine if a violation of the law or APC policies has occurred. 7. The Privacy Officer or designated official will document the findings and conduct the following: a. Record the resolution of the complaint/violation. b. Communicate the outcome of the complaint/violation with the client or employee filing the complaint, within 30 days from receipt of complaint. c. Inform the Secretary and individuals affected by the violation (if applicable) according to all standards set forth in the HIPAA Breach Notification Rules. 8. The Privacy Officer or other designated staff shall maintain documentation of all complaints received, and their disposition, for a period of at least six years (from the date of creation) in accordance with federal regulations. HIPAA SECURITY

2 REVISION DATE: SANCTIONS Page 1 POLICY: All Alternatives in Psychological Consultation (APC) staff are required to receive training on policies and procedures regarding HIPAA laws upon hire and annually thereafter. It is the policy of APC to discipline employees who fail to comply with the agency s policies and procedures regarding HIPAA laws. PROCEDURE: 1. When a concern arises regarding a possible violation of HIPAA or the Agency s policies or procedures related to HIPAA, the Privacy Officer or designated official shall begin an investigation promptly. (See the policy HIPAA Security regarding conducting an investigation.) 2. If, at the conclusion of the investigation, it is found that a violation of the Agency s policy or procedures has occurred, the employee involved shall be disciplined in accordance with the severity of the violation and the agency s disciplinary policy. Violations can be classified according to intent such as: a. Level I Violations: those made accidentally or due to a lack of education. b. Level II Violations: serious violations that are found to show purposeful disregard of Agency policy. 3. The Privacy Officer, together with the Risk Management team and the supervisor of the affected department, if applicable, shall review the circumstances surrounding any substantiated violation and take appropriate action to mitigate, to the extent possible, any harmful effects of the violation. 4. Documentation from the investigation shall be given to the Privacy Officer to be maintained as a part of the agency s HIPAA documentation and retained for six years. 5. The disciplinary action report documenting the employee s violation shall be placed in the employee s personnel file, and a copy shall also be provided to the Privacy Officer. SANCTIONS

3 REVISION DATE: USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION PAGE 1 PURPOSE: To ensure that disclosure of Protected Health Information ( PHI ) is made consistent with applicable laws, regulations, and health information standards, and to ensure that any disclosures of a client s PHI to a client s family members, other relatives, close friends, or other persons designated by the client, are appropriate. POLICY: Protected Health Information ( PHI ) may not be used or disclosed in violation of the Health Insurance Portability and Accountability Act ( HIPAA ) Privacy Rule (45 C.F.R. parts 160 and 164) (hereinafter, the Privacy Rule ) or in violation of state law. Alternatives in Psychological Consultation (APC) is permitted, but not mandated, under the Privacy Rule to use and disclose PHI without client consent or authorization in limited circumstances. However, state or federal law may supercede, limit, or prohibit these uses and disclosures. Under the Privacy Rule, these permitted uses and disclosures include those made: To the client For treatment, payment, or health care operations purposes, or As authorized by the client. Additional permitted uses and disclosures include those related to or made pursuant to: Reporting on victims of domestic violence or abuse, as required by law Court orders Workers compensation laws Serious threats to health or safety Government oversight (including disclosures to a public health authority, coroner or medical examiner, military or veterans affairs agencies, an agency for national security purposes, law enforcement) Health research Marketing or fundraising APC does not use or disclose PHI in ways that would be in violation of the Privacy Rule or state law. APC uses and discloses PHI as permitted by the Privacy Rule and in accordance with state or other law. In using or disclosing PHI, APC meets the Privacy Rule s minimum necessary requirement, as appropriate. Use and Disclosure of PHI Minimum Necessary Requirement

4 REVISION DATE: USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION PAGE 2 When using, disclosing, or requesting PHI, APC makes reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. APC recognizes that the requirement also applies to covered entities that request clients records and require that such entities meet the standard, as required by law. All APC Direct Service Providers, Secretarial, and Administrative Staff will have access to PHI to carry out their assigned professional duties. APC will utilize the following procedures for both routine and non-routine disclosures to other entities: Routine Disclosures: When APC must release PHI for the purposes of payment, provision of services, or internal health care operations, the APC Representative must be sure that the Notice Form has been signed by the client. Only the minimum necessary disclosure of PHI should be made. Non-Routine Disclosures: When APC receives a request for PHI that is beyond the scope of the Notice Form, that request must be routed to the appropriate Case Manager, Care Coordinator, or Therapist who must then discuss the specific nature of the information that is being requested. The Authorization Form must then be used to specify the PHI to be released. This must then be documented in the Disclosure Log. Limits to Disclosure: APC will limit disclosure of PHI to that which is reasonably necessary to accomplish the purpose for which the request is made. Non-routine disclosure requests will require review on an individual basis determined by conference with the client. APC staff who must request PHI from external agencies must also limit the request to that which is minimally necessary. These requests should also be documented in the Disclosure Log. APC may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose, if the PHI is requested by another covered entity, by a public official (who represents that the information requested is the minimum necessary), or by a researcher (with appropriate documentation). APC may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose, if the PHI is requested by a member, its staff, or a business associate.

5 REVISION DATE: USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION PAGE 3 APC will not use, disclose, or request an entire medical record, except when the entire medical record is justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request. PROCEDURE: Receiving a Request for Medical Records: Requests for medical records shall only be managed by specifically designated staff persons in each department who have been trained in the dissemination and management of medical records. 1. Other staff members may not release PHI without approval of the Agency Privacy Officer or designated staff member. 2. Only emergency release of information will be done after hours or on weekends. 3. After hours and on weekends, release of information for continuing care (i.e., transfer to a hospital or emergency clinic) is allowed. Responding to Specific Types of Disclosures: See the Request and Disclosure Table following this policy for applicable requirements in responding to requests by specific entities/individuals. 1. Media: No PHI shall be released to the news media or commercial organizations without the authorization of the client or his/her personal representative. 2. Telephone Requests: Staff members receiving requests for PHI via the telephone will make reasonable efforts to identify and verify that the requesting party is entitled to receive such information. Disclosures to Persons Involved with a Client s Care: 1. The Agency may disclose to a family member, other relative, close friend, or any other person identified by the client, PHI: a. That is directly relevant to that person s involvement with the client s care or payment for care; or b. To notify such person of the client s location, general condition, or death. 2. Conditions if the Client is Present. If the client is present for, or otherwise available, prior to a permitted disclosure, then the Agency may use or disclose the PHI only if the Agency: a. Obtains the client s verbal or written agreement; b. Provides the client with an opportunity to object to the disclosure, and the client does not express an objection (this opportunity to object and the client s response may be done orally); or

6 REVISION DATE: USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION PAGE 4 c. May reasonably infer from the circumstances, based on the exercise of professional judgment, that the client does not object to the disclosure. 3. Conditions if the Client is Not Present or is Incapacitated. The Agency may, in the exercise of professional judgment, determine whether the disclosure is in the best interest of the client, and, if so, disclose only that PHI which is directly relevant to the person s involvement with the client s care if: a. The client is not present, b. The opportunity to agree/object to the use or disclosure cannot practicably be provided because of the client s incapacity, or c. In an emergency. 4. Confirming Identity. The Agency shall take reasonable steps to confirm the identity of a client s family member or friend. The Agency is permitted to rely on the circumstances as confirmation of involvement in care. For example, the fact that a person admits a client to the Agency and visits weekly is sufficient confirmation of involvement in the client s care. Psychotherapy Notes Authorization While a client may authorize the release of any of his PHI, the Privacy Rule specifically requires client authorization for the release of Psychotherapy Notes. Psychotherapy Notes authorization is different from client consent or authorization of other PHI, because a health plan or other covered entity may not condition treatment, payment, enrollment, or eligibility for benefits on obtaining such authorization. As defined by the Privacy Rule, Psychotherapy Notes means notes recorded (in any medium) by a mental health professional, documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session, and that are separate from the rest of the individual s medical record. The term excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: Diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date. APC abides by the Psychotherapy Notes authorization requirement of the Privacy Rule, unless otherwise required by law. In addition, authorization is not required in the following circumstances: For use for treatment For use or disclosure in supervised training programs where trainees learn to practice counseling To defend APC in a legal action brought by the client, who is the subject of the PHI For purposes of HHS in determining my compliance with the Privacy Rule

7 REVISION DATE: USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION PAGE 5 By a health oversight agency for a lawful purpose related to oversight of APC s practice To a coroner or medical examiner In instances of permissible disclosure related to a serious or imminent threat to the health or safety of a person or the public. Psychotherapy notes will be kept in a separate file or section of the EMR from other client PHI. Disclosure of Process Notes: When a request is received for Progress Notes, an Authorization Form must be filled out with the client as specified above in the Non-Routine Disclosure Section. If the client refuses to sign the form, even after a thorough explanation of the rationale for its disclosure, then the information cannot be released. Revoking Authorizations APC recognizes that a client may revoke an authorization at any time in writing, except to the extent that APC has or another entity has taken action in reliance on the authorization. If a client wishes to revoke an authorization, communication with the entity to whom PHI has been disclosed must immediately cease. The time and date of revocation should be noted on the Authorization Form and be reflected in the Disclosure Log.

8 Attachment REQUEST AND DISCLOSURE TABLE Requestor Authorization Required? Copy Fee Charged? Track on Accounting of Disclosure? Notes: Accrediting Agencies (JCAHO, CARF) No No No See policy on Business Associates Attorney for Client Yes Yes No See policy on Authorizations Attorney for Agency/Corporation No No No See policy on Business Associates Contractors/ Business Associates For Deceased Persons Coroner or Medical Examiner, Funeral Directors Organ Procurement Employer PHI specific to work related illness or injury, and Required for employer s compliance with occupational safety and health laws Family Members Entity Subject to the Food and Drug Administration Adverse events, product defects or biological product deviations Track products Enable product recalls, repairs, or replacements Conduct post marketing surveillance Health Oversight Government benefits program Fraud and abuse compliance Civil rights laws Trauma/tumor registries Vital statistics Reporting of abuse or neglect Health Care Practitioners and Providers for Continuity of Treatment and Payment Health Care Practitioners and Providers if not Involved in Care or Treatment No, unless their purpose falls outside of TPO No No See policy on Business Associates No No Yes See policy on Accounting of Disclosures No, for the purpose listed. Yes for all others. No for oral disclosures to family members involved in care; Yes for others No No Yes No See policy on Authorizations No No Yes See policy on Accounting of Disclosures No No Yes See policy on Accounting of Disclosures No No No Part of treatment No No No Part of operations

9 Requestor Authorization Required? Copy Fee Charged? Track on Accounting of Disclosure? Notes: (i.e., consultants) Insurance Companies/Third Party Payors Related to Claims Processing Judicial and Administrative Proceedings Court order, or warrant No No No Part of payment No No Yes See policy on Accounting of Disclosures Subpoena Law Enforcement Administrative request Locating a suspect, fugitive, material witness or missing person Victims of crime Crimes on premises Suspicious deaths Avert a serious threat to health or safety No - See policy on Responding to a Subpoena Yes Yes No No Yes, except for disclosures to correctional institutions. See policy on Accounting of Disclosures Public Health Authorities Surveillance Investigations Interventions Foreign governments collaborating with US public health authorities Recording births/deaths Child/elder abuse Prevent serious harm Communicable disease Research (w/o Authorization) No No Yes See policy on Accounting of Disclosures No, if IRB or Privacy Board approves the research study and waives authorization. No Yes See policy on Uses and Disclosures for Research and policy on Accounting of Disclosures Client/Client's Personal Representative No Yes No See policy on Authorizations Specialized Government Functions No No Yes, except for See policy on Military and Veterans' activities disclosures for Accounting of Protective services for the client national security Disclosures Foreign military personnel and intelligence National security and intelligence activities. activities Workers' Compensation Comply w/existing laws (see state law) No See applicable state law This does not apply to PHI created or maintained prior to April 14, Yes See policy on Accounting of Disclosures

10 REVISION DATE: SAFEGUARDING AND STORING PROTECTED HEALTH INFORMATION Page 1 PURPOSE The purpose of this policy is to provide guidelines for the safeguarding of Protected Health Information ( PHI ) in the Agency and to limit unauthorized disclosures of PHI that is contained in a client s medical record, while at the same time ensuring that such PHI is easily accessible to those involved in the treatment of the client. POLICY The policy of Alternatives in Psychological Consultation (APC) is to ensure, to the extent possible, that PHI is not intentionally or unintentionally used or disclosed in a manner that would violate the HIPAA Privacy Rule or any other federal or state regulation governing confidentiality and privacy of health information. The following procedure is designed to prevent improper uses and disclosures of PHI and limit incidental uses and disclosures of PHI that is, or will be, contained in a client s medical record. At the same time, APC recognizes that easy access to all or part of a client s medical record by health care practitioners involved in a client s care is essential to ensure the efficient quality delivery of services. APC s Privacy and Security Officers are responsible for the security management of all medical records. Each Department Head is responsible for ensuring that their staff is trained in all applicable HIPAA and Privacy policies and procedures related to their specific positions, as well as polices related to any governing contracts. All staff members are responsible for the security of medical records with which they are actively working. PROCEDURE APC s Privacy Officer and Security Officer shall periodically monitor the Agency s compliance regarding its reasonable efforts to safeguard PHI. I. Safeguards for Verbal Uses These procedures shall be followed, if possible, for any meeting or conversation where PHI is discussed. Meetings during which PHI is discussed: 1. Specific types of meetings where PHI may be discussed include, but are not limited to: a. Team or Plan of Care meetings b. Billing meetings c. Policy meetings d. Supervision meetings 2. Meetings shall be conducted in an area that is not easily accessible to unauthorized persons. 3. Meetings shall be conducted in a room with a door that closes, if possible. 4. Voices shall be kept to a moderate level to avoid unauthorized persons from overhearing. 5. Only staff members who have a need to know the information will be present at the meeting. (See the Policy Minimum Necessary Uses and Disclosures. ) SAFEGUARDING AND STORING PHI

11 REVISION DATE: SAFEGUARDING AND STORING PROTECTED HEALTH INFORMATION Page 2 6. The PHI that is shared or discussed at the meeting will be limited to the minimum amount necessary to accomplish the purpose of sharing the PHI. Telephone conversations: 1. Telephones used for discussing PHI are located in as private an area as possible. 2. Staff members will take reasonable measures to assure that unauthorized persons do not overhear telephone conversations involving PHI. Reasonable measures may include: a. Lowering one s voice b. Requesting that unauthorized persons step away from the telephone area c. Moving to a telephone in a more private area before continuing the conversation 3. PHI shared over the phone will be limited to the minimum amount necessary to accomplish the purpose of the use or disclosure. In-Person conversations: Reasonable measures will be taken to assure that unauthorized persons do not overhear conversations involving PHI. Such measures may include: 1. Lowering one s voice 2. Moving to a private area within the Agency II. Safeguards for Written PHI All documents containing PHI should be stored appropriately to reduce the potential for incidental use or disclosure. Documents should not be easily accessible to any unauthorized staff or visitors. Active Records 1. Active physical medical records shall be stored in an area that allows staff providing care to clients to access the records quickly and easily as needed. 2. Authorized staff shall review the medical record in a secure location within the Agency, unless it is signed out in accordance with Agency procedure. 3. Active medical records shall not be left unattended on desks or other areas where clients, visitors, and unauthorized individuals could easily view the records. 4. Treatment records, notes, and other documents containing PHI shall not be left open and/or unattended. 5. Providers who deliver services in the home or community shall transport any PHI using an appropriate fire-proof lock box or equivalent to ensure its safety. Documents shall be returned to the client s medical record within 24 hours of completing home or community service work. 6. Only authorized staff shall review medical records. All authorized staff reviewing medical records shall do so in accordance with the minimum necessary standards. 7. Medical records shall be protected from loss, damage, and destruction. Thinned Records, Inactive Medical Records: SAFEGUARDING AND STORING PHI

12 REVISION DATE: SAFEGUARDING AND STORING PROTECTED HEALTH INFORMATION Page 3 1. Thinned and inactive Medical Records will be filed in a systematic manner in a location that ensures the privacy and security of the information. The Security or Privacy Officer or a designee shall monitor storage and security of such medical records. When records are left unattended, records will be in a locked room, file cabinet or drawer. 2. Operations personnel will identify and document those staff members with keys to stored medical records. The minimum number of staff necessary to assure that records are secure yet accessible shall have keys allowing access to stored medical records. Staff members with keys shall assure that the keys are not accessible to unauthorized individuals. 3. Inactive medical records must be signed out if removed from their designated storage area. Only authorized persons shall be allowed to sign out such records. 4. Records must be returned to storage promptly. 5. In the event that the confidentiality or security of PHI stored in an active or inactive medical record has been breached, the Agency Privacy and Security Officers shall be notified immediately. 6. In the event of a change in ownership of the Agency, the medical records shall be maintained as specified in the purchase and sale agreement. PHI Not a Part of the Designated Record Set: 1. Use of shadow charts or files is discouraged. 2. Any documentation of PHI shall be stored in a location that ensures, to the extent possible, that such PHI is accessible only to authorized individuals. III. Office Equipment Safeguards Computer access: 1. Only staff members who need to use computers to accomplish work-related tasks shall have access to computer workstations. 2. All users of computer equipment must have unique login and passwords. 3. Passwords shall be changed every 90 days or in accordance with policy. 4. Posting, sharing, and any other disclosure of passwords and/or access codes is prohibited. 5. Access to computer-based PHI shall be limited to staff members who need the information for treatment, payment, or health care operations. 6. Agency staff members shall log off their workstation when leaving the work area. 7. Computer monitors shall be positioned so that unauthorized persons cannot easily view information on the screen. 8. Employee access privileges will be removed promptly following their departure from employment. 9. Employees will immediately report any violations of this policy to their supervisor, Agency Privacy Officer, or Security Officer. SAFEGUARDING AND STORING PHI

13 REVISION DATE: SAFEGUARDING AND STORING PROTECTED HEALTH INFORMATION Page 4 Printers, Copiers and Fax Machines: 1. Printers will be located in areas not easily accessible to unauthorized persons. 2. If equipment cannot be relocated to a secure location, a sign will be posted near the equipment indicating that unauthorized persons are prohibited from viewing documents from the equipment. Sample language: Only authorized staff may view documents generated by this (indicate printer, copier, fax, etc.). Access to such documents by unauthorized persons is prohibited by federal law. 3. Documents containing PHI will be promptly removed from the printer, copier or fax machine and placed in an appropriate and secure location. 4. Documents containing PHI that must be disposed of due to error in printing will be destroyed by shredding or by placing the document in a secure recycling or shredding bin until destroyed. IV. Destruction Written: Documentation that is not part of the medical record and will not become part of the medical record (e.g., report sheets, shadow charts or files, notes, etc.) shall be destroyed promptly when it is no longer needed by shredding or placing the information in a secure recycling or shredding bin until the time that it is destroyed. Electronic: Prior to the disposal of any computer equipment, including donation, sale or destruction, the Agency must determine if PHI has been stored in this equipment and will delete all PHI prior to the disposal of the equipment. Computer hard drives shall be destroyed prior to disposal of equipment. (See the policy, Destruction of Protected Health Information for additional guidelines.) SAFEGUARDING AND STORING PHI

14 REVISION DATE: ING & FAXING PROTECTED HEALTH INFORMATION Page 1 PURPOSE To ensure the appropriate use of the and fax system when transmitting Protected Health Information ( PHI ). POLICY It is the policy of Alternatives in Psychological Consultation (APC) to protect the electronic transmission of PHI as well as to fulfill its duty to protect the confidentiality and integrity of client PHI as required by law, professional ethics and accreditation requirements. The information released will be limited to the minimum necessary to meet the requestor s needs. Whenever possible, de-identified information will be used. PROCEDURE 1. users will be set up with a unique identity complete with unique password and file access controls. 2. users may not intercept, disclose or assist in intercepting and disclosing communications. 3. Client specific information regarding highly sensitive health information must not be sent via , even within the internal system (i.e. information relating to AIDS/HIV, drug and alcohol abuse and psychotherapy notes). 4. Users will restrict their use of for communicating normal business information such as information about general care and treatment of clients, and operational and administrative matters, such as billing. 5. Users should verify the accuracy of the address before sending any PHI and, if possible, use addresses loaded in the system address book. 6. PHI may be sent unprotected via within a properly secured, internal network of the organization. When sending PHI outside of this network, such as over the Internet, every effort should be made to secure the confidentiality and privacy of the information. Sample security measures include password protecting the document(s) being sent or encrypting the message. 7. All containing PHI will contain a confidentiality statement (see sample below). 8. Users should exercise extreme caution when forwarding messages. Sensitive information, including client information, must not be forwarded to any party outside the organization without using the same security safeguards as specified above. 9. Users should periodically purge messages that are no longer needed for business purposes, per the organization s records retention policy. 10. Employee access privileges will be removed promptly following their departure from the organization. ING & FAXING PHI

15 REVISION DATE: ING & FAXING PROTECTED HEALTH INFORMATION Page messages, regardless of content, should not be considered secure and private. The amount of information in any will be limited to the minimum necessary to meet the needs of the recipient. 12. Employees should immediately report any violations of this guideline to their supervisor or Agency Privacy or Security Officers. Sample Confidentiality Statement The information contained in this is legally privileged and confidential information intended only for the use of the individual or entity to whom it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any viewing, dissemination, distribution, or copy of this message is strictly prohibited. If you have received and/or are viewing this in error, please immediately notify the sender by reply , and delete this from your system. Thank you. Facsimile (fax) 1. The fax machine should be located in an area that is not easily accessible to unauthorized persons. If possible, the fax machine should not be located in a public area where confidentiality of PHI might be compromised. If this is not possible, a sign should be posted regarding access to the documents. 2. Received documents will be removed promptly from the fax machine. To promote secure delivery, instructions on the cover page will be followed. 3. Unless otherwise prohibited by state law, information transmitted via facsimile is acceptable and may be included in the client s medical record. 4. Steps should be taken to ensure that the fax transmission is sent to the appropriate destination. These include: a. Pre-programming and testing destination numbers whenever possible to eliminate errors in transmission due to misdialing. b. Asking frequent recipients to notify the Agency of a fax number change. c. Confirming the accuracy of the recipient s fax number before pressing the send/start key. d. If possible, printing a confirmation of each fax transmission. 5. A cover page should be attached to any facsimile document that includes PHI. The cover page should include: a. Destination of the fax, including name, fax number and phone number; b. Name, fax number and phone number of the sender; c. Date; d. Number of pages transmitted; and e. Confidentiality Statement (See sample below). ING & FAXING PHI

16 REVISION DATE: ING & FAXING PROTECTED HEALTH INFORMATION Page 3 6. If a fax transmission fails to reach a recipient or if the sender becomes aware that a fax was misdirected, the internal logging system should be checked to obtain incorrect recipient s fax number. Fax a letter to the receiver and ask that the material be returned or destroyed. 7. A written authorization for any use or disclosure of PHI will be obtained when the use or disclosure is not for treatment, payment or healthcare operations, or required by federal or state law or regulation. 8. The PHI disclosed will be the minimum necessary to meet the requestor s needs. 9. Highly sensitive health information should not be sent by fax in certain states (e.g., information relating to AIDS/HIV, drug and alcohol abuse and psychotherapy notes). Sample Confidentiality Statement for Faxes: The documents accompanying this transmission contain confidential protected health information that is legally privileged. This information is intended only for the use of the individual or entity named above. The authorized recipient of this information is prohibited from disclosing this information to any other party unless required to do so by law or regulation and is required to destroy the information after its stated need has been fulfilled. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or action taken in reliance on the contents of these documents is strictly prohibited. If you have received this information in error, please notify the sender immediately and arrange for the return or destruction of these documents. ING & FAXING PHI

17 REVISION DATE: RESPONDING TO A SUBPOENA Page 1 PURPOSE To ensure that the Agency complies with HIPAA Privacy Rule requirements when a subpoena requesting Protected Health Information ( PHI ) is served. POLICY Protected Health Information may be disclosed pursuant to judicial or administrative process without the written authorization of the client, or the opportunity for the client to agree or object, subject to certain conditions. The Agency will disclose PHI in the course of judicial or administrative process in response to a court or administrative tribunal order. The Agency will disclose PHI in response to a subpoena, discovery request, or other lawful process that is not accompanied by a court order, subject to the conditions set forth in this procedure. In either case, the Agency will disclose only that PHI expressly authorized by the subpoena, discovery request, other lawful process, or court order. (The Agency may contact its legal counsel to review and verify the legality of a subpoena requesting PHI served.) PROCEDURE 1. Any APC employee who receives a request to release clients PHI from a subpoena or other lawful request accompanied by an order of a court or administrative tribunal, he/she shall give the request to the department staff person who is responsible for releasing medical records in order to determine if it is a lawful request and to verify the identity and authority of the individuals requesting PHI. 2. If the order of the court or other administrative tribunal is valid and meets the verification requirements, the Agency will disclose only that PHI expressly authorized by such order. 3. If the subpoena, discovery request or other lawful process ( subpoena ) is not accompanied by a court order, the Agency will disclose the PHI only after obtaining satisfactory assurances from the party seeking the information that they have made reasonable efforts: a. To notify the individual who is the subject of the requested PHI, or b. To secure a qualified protective order. 4. Notice to individual. Prior to disclosing PHI when the subpoena is not accompanied by a court order and there is no qualified protective order meeting the requirements of the Privacy Rule, the Agency will obtain a written statement and accompanying documentation from the requesting party that meets all of the following requirements: a. The written statement and documentation must demonstrate that reasonable efforts have been made to give notice of the request to the individual who is the subject of the requested PHI. b. The notice must contain sufficient information about the litigation or proceeding to permit the individual to raise an objection to the court or administrative tribunal. c. The written statement and accompanying documentation must demonstrate that: RESPONDING TO A SUBPOENA

18 REVISION DATE: RESPONDING TO A SUBPOENA Page 2 i. Time for raising objections to the court or administrative tribunal has elapsed, and ii. iii. 5. Qualified Protective Order No objections were filed, or The court has resolved all objections filed by the individual or the administrative tribunal and the disclosures being sought are consistent with such resolution. A qualified protective order means an order of a court or of an administrative tribunal or a stipulation by the parties to the litigation or administrative proceeding that: a. Prohibits the parties from using or disclosing the PHI for any purpose other than the litigation or proceeding for which such information was requested; and b. Requires the return to the Agency or destruction of the PHI, (including all copies made) at the end of the litigation or proceeding. 6. Prior to disclosing PHI when the subpoena is not accompanied by a court order and the above notice requirements are not met, the Agency will obtain from the requesting party a written statement and accompanying documentation demonstrating that: a. The parties to the dispute giving rise to the request for PHI have agreed to a qualified protective order and have presented it to the court or administrative tribunal with jurisdiction over the dispute, or b. The party seeking the PHI has requested a qualified protective order from such court or administrative tribunal. 7. If the requesting party is unable to meet the requirements for Notice or a Qualified Protective Order, the Agency will notify the requesting party that it is unable to comply with the subpoena. (See sample Response to a Subpoena letter following this Policy.) 8. If the requesting party decides to pursue the request for the PHI without meeting the above requirements, the Agency Privacy Official will contact the Agency s Legal Counsel for further direction. 9. The Agency Privacy Official shall document the information regarding the subpoena or other legal process that requests PHI in an Accounting of Disclosures Log. 10. The subpoena and any documents produced for the subpoena will be retained according to state and federal regulations. RESPONDING TO A SUBPOENA

19 SAMPLE RESPONSE TO SUBPOENA NOT ACCOMPANIED BY A COURT ORDER AND LACKING SATISFACTORY ASSURANCES OF NOTICE OR QUALIFIED PROTECTIVE ORDER [Date] [Attorney Name and Address] Re: [name of client] Dear [Attorney]: The subpoena you caused to be issued dated requesting copies of protected health information for fails to comply with the applicable requirements of the HIPAA privacy regulations, specifically 45 CFR (e). As a covered entity, we are allowed to release health information only in accordance with these privacy regulations. Accordingly, we recommend you either secure an authorization in conformity with 45 CFR directly from [name of client or his/her personal representative] for release of the requested protected health information or take the following steps pursuant to 45 CFR section (e): a) Secure a Court Order detailing your specific needs pursuant to 45 CFR (e)(1)(i)); or b) Provide us with satisfactory assurance as described at 45 CFR (e)(1)(ii)(A) that you have made reasonable efforts to notify [name of client] of your request for protected health information. This requires you to provide us with a written statement and accompanying documentation assuring us that you have made a reasonable effort to provide [name of client] with a written notice of your request. This written statement you provide to us must also attest that the written notice you provided [name of client] included: 1. Sufficient information about the litigation or proceeding in which the protected health information is requested to permit [name of client] to raise an objection to the court or administrative tribunal; and that 2. The time for [name of client] to raise objections to the court or administrative tribunal has elapsed; and 3. No objections were filed; or 4. All objections filed by [name of client] have been resolved by the court or administrative tribunal and the disclosures or protected health information being sought are consistent with such resolution; or you may c) Provide us satisfactory assurance as described at 45 CFR (e)(1)(iv) that you have made reasonable efforts to secure a qualified protective order that meets the requirements set forth at 45 CFR (e)(1)(v). The satisfactory assurance you provide us must include a written statement and accompanying documentation demonstrating that: 1. The parties to the dispute giving rise to the request for protected health information have agreed to a qualified protective order and have presented it to the court or administrative tribunal with jurisdiction over the dispute; or 2. The party seeking the protected health information has requested a qualified protective order from such court or administrative tribunal. RESPONDING TO A SUBPOENA

20 A qualified protective order, as the term is used in paragraph (c) above means: an order of a court or of an administrative tribunal or a stipulation by the parties to the litigation or administrative proceeding that: a) Prohibits the parties from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which such information was requested; and b) Requires the return to the covered entity or destruction of the protected health information (including all copies made) at the end of the litigation or proceeding. We respectfully ask that if you are not able to meet one of the identified exceptions above regarding disclosure of protected health information, thereby allowing us to release such information in a manner compliant with the regulations cited, that you withdraw your subpoena request until such time as one of the requirements can be met. Sincerely, [Privacy Official] Cc: [Agency Director or administrator] RESPONDING TO A SUBPOENA

21 REVISION DATE: PAGE 1 POLICY: As required under the Privacy Rule, and in accordance with state law, APC provides notice to clients of the uses and disclosures that may be made regarding their PHI and APC s duties and client rights with respect to notice. APC makes a good faith effort to obtain written acknowledgment that clients receive this notice. While each Direct Service Provider is responsible for following these guidelines, the Privacy Officer will be responsible for training, maintenance of guidelines, and client grievances. That Privacy Officer is designated as: Karen T. Drexler Phone: (414) PROCEDURE: Provide Notice at the outset of treatment: APC employees providing health services shall provide the Notice to clients before any services are provided. APC will provide Notice upon initiating services. APC may provide Notice by instead of through paper delivery. Successful transmission of the Notice meets the client acknowledgment requirement. Client acknowledgment: A client's signature on the Agreement suffices as client acknowledgment. If APC staff are unable to obtain a client's acknowledgment, or the client refuses to acknowledge receipt of Notice, APC will document that an attempt was made to obtain Notice and the reason why the client acknowledgment was not obtained. Documentation: APC WILL retain copies of any Notice provided, which includes client acknowledgment of Notice and documentation of good faith attempts to obtain acknowledgment when a client is unable to or has refused to acknowledge receipt of Notice. APC provides notice to clients on the first date of service/treatment. In an emergency situation, APC provides notice as soon as reasonably practicable. (This first date of treatment timing requirement applies to electronic service delivery, and a client may request a paper copy of notice when services are electronically delivered.) Except in emergency situations, APC makes a good faith effort to obtain from a client written acknowledgement of receipt of the notice. If the client refuses or is unable to acknowledge receipt of notice, APC documents why acknowledgement was not obtained. APC promptly revises and distributes the updated notice whenever there is a material change to uses and disclosures, clients rights, legal duties, or other privacy practices stated in the notice. APC makes the notice available in its offices for clients to take with them and posts the notice in a clear and prominent location.

22 REVISION DATE: PAGE 2 This notice will also be posted on the APC Website. The Privacy Rule permits clients to request restrictions on the use and disclosure of PHI for treatment, payment, and health care operations, or to family members. While APC is not required to agree to such restrictions, APC will attempt to accommodate a reasonable request. Once APC has agreed to a restriction, APC may not violate the restriction. However, restricted PHI may be provided to another health care provider in an emergency treatment situation. A restriction is not effective to prevent uses and disclosures when a client requests access to his or her records or requests an accounting of disclosures. A restriction is not effective for any uses and disclosures authorized by the client, or for any required or permitted uses recognized by law. The Privacy Rule also permits clients to request receipt of communications from APC through alternative means or at alternative locations. As required by the Privacy Rule, APC will accommodate all reasonable requests. When a client requests to restrict the release of certain information included on the Notice Form, APC will require that the client make the request in writing. This written request will be attached to the Notice Form and noted in the Disclosure Log. The client will also be made aware of the following points: APC is not required to accommodate requests to restrict the use and disclosure of information, but once agreed upon, APC may not violate the agreement. Restricted PHI may be provided to another health care provider in an emergency treatment situation. A restriction is not effective to prevent uses and disclosures when a client requests access to his or her records or requests an accounting of disclosures. A restriction is not effective for any uses and disclosures authorized by the client, or for any required or permitted uses recognized by law. APC permit clients to request receipt of communications through alternative means or at alternative locations and APC will accommodate reasonable requests. APC may not require an explanation for a confidential communication request, and reasonable accommodation may be conditioned on information on how payment will be handled and specification of an alternative address or method of contact. If a client chooses to terminate a restriction, an oral or written request will be accepted. This will be noted in the Notice Form and Disclosure Log.

23 REVISION DATE: PAGE 3 Access to and Amendment of Records In accordance with state law, the Privacy Rule, and other federal law, clients have access to and may obtain a copy of the medical and billing records that APC maintains. Clients are also permitted to amend their records in accordance with such law. Right of Access to Records As a health service provider, APC staff WILL decide whether or not it is appropriate to provide the client with access to his or her records in accordance with both state law and the Privacy Rule. Under certain circumstances, when APC staff has denied a request for access, a client may ask for a review of the denial. These are referred to as reviewable denials. In the instance of a reviewable denial, the client has the right to have the denial reviewed by another licensed health care professional. This individual will act as a reviewing official and will not have participated in the original decision to deny access. This reviewing official will be designated by a covered entity. APC staff WILL then provide or deny access according to the reviewing health care professional's decision. Listed below are the grounds for reviewable denials. APC staff may deny access if: In the exercise of professional judgment, APC determine that access to the record is "reasonably likely to endanger the life or physical safety" of the client or another person. The requested information makes reference to another person (other than another health care provider), and in the exercise of professional judgment, APC staff determine that access is "reasonably likely to cause substantial harm" to this other person. A personal representative for a client has requested access to the record, and in the exercise of professional judgment, APC determines that such access is "reasonably likely to cause substantial harm" to the client or another person. Other denials are final and are not reviewable. They are referred to as unreviewable grounds for denial. These are listed below: When access to psychotherapy notes are requested. When information is compiled in reasonable anticipation of, or for use, in a legal or administration action of proceeding. When someone other than a health care provider provides information about the client under a promise of confidentiality, and the access to the requested information would be reasonably likely to reveal the source of the information. When considering a request for access to a medical and billing record by a client: APC may require that the request be in writing. APC will act on the request no later than 30 days after receiving it.

24 REVISION DATE: PAGE 4 APC may extend this deadline up to an additional 30 days, if APC provides a written statement of the reasons for the delay and the date by which APC will complete the request. When granting a request for access, either in whole or in part: APC will inform the client and provide access, including inspection, obtaining a copy, or both. APC will provide access in a form and format requested by the client, if producible, or in a readable hard copy form or other form or format agreed to by the client. Optionally, APC may provide a summary or explanation of the information, if the client agrees in advance to such a summary or explanation and APC s associated fees in producing it. APC will arrange for a convenient time for the client to inspect or obtain a copy of the PHI. Optionally, APC may mail a copy at the client's request. APC may charge a reasonable, cost-based fee for copying, postage, or the preparation of an explanation or summary. When denying a request, in whole or in part, APC will: If possible, separate PHI to which APC believes the client may have access from that which APC is denying access, and provide access to such PHI. Provide the client a written denial. This written denial will be in plain language. It WILL contain the basis for the denial, a statement of the client's review rights (if any), how the client may exercise those rights, and a description of how the client may complain to the health care worker, APC s offices, or HHS under the Privacy Rule's complaint procedures. Client Amendment of Records A client has the right to request that APC amend his or her PHI in APC medical and billing records for as long as APC maintains the records. APC may deny the request, if APC is not the originator of the information, or if APC believes that the information is accurate and complete. With advance notice, APC may require that the client's request for amendment be in writing and that it include a reason for the need for amendment. APC will act on an amendment request (granting or denying the request) within 60 days. This may be extended an additional 30 days, if APC provide a written statement to the client of the reason for the delay and a date that APC will complete the request. If APC grants the request in whole or in part, APC will make the appropriate amendment to the PHI and identify the portion of the APC records affected by the amendment and append or otherwise create a link to the amendment. APC will inform the client in a timely fashion that APC has made the amendment in the record.

25 REVISION DATE: PAGE 5 The client may ask APC to notify relevant persons of the amendment. APC WILL make a reasonable effort to inform and provide the amendment within a reasonable time to persons identified by the client. APC WILL also inform and provide the amendment to persons, including APC business associates, that APC knows have the client's PHI that is subject to the amendment, and that have relied or could foresee-ably rely on the information to the detriment of the client. If APC denies the request, in whole or in part: APC WILL provide a written denial in plain language that contains the basis for the denial, the client's rights and how to submit a written statement of disagreement, and how the client may file such a statement. The written denial WILL also contain a statement that, if a client does not submit a statement of disagreement, he or she may request inclusion of his or her request for amendment and the denial with any future disclosures of the PHI that is the subject of the amendment. The denial also will provide information on how the client may formally complain to the health care worker or to HHS under the compliance review requirements set by the Privacy Rule. APC also WILL permit the client to submit a written statement of disagreement with the denial of the amendment and the basis for the disagreement. APC may reasonably limit the length of this statement. APC may prepare a written rebuttal to this statement to be provided to the client. APC will append or link the statement of disagreement and rebuttal, as appropriate, to the disputed PHI, and these documents, or an accurate summary of them, will be included with future disclosures. If the client does not submit a statement of disagreement, APC will include the request for amendment and denial with the disputed PHI at the request of the client. If APC is submitting a standard transaction form required by the HIPAA transactions rule, such form may not allow APC to provide these documents. APC may transmit them separately. Even when an amendment to the record is made, APC does not remove what was previously in the record. Right to Accounting of Disclosures Upon request, a health care worker will provide an accounting of disclosures of PHI held by APC for up to six years prior to the request. An accounting and its associated administrative burden on APC s business practice should be very limited in nature. This is because APC is not required to account for typical disclosures, such as those made to health plans for payment purposes. An accounting of disclosures is not required for: Treatment, payment, or health care operations purposes Disclosures made to the client or as a result of client Authorizations

26 REVISION DATE: PAGE 6 Incidental disclosures Disclosures made for national security intelligence purposes Disclosures made to correctional institutions or law enforcement officers Disclosures that occurred prior to the rule's compliance date APC will temporarily suspend providing an accounting of disclosures made to a health oversight agency or law enforcement official at the agency's or official's request, for a time specified by such agency or official, if the agency or official provides APC with a written statement that such an accounting would be reasonably likely to impede their activities. The statement WILL indicate the amount of time needed for suspension. The statement may be made orally, in which instance APC will document the statement, temporarily suspend the accounting for these disclosures, and limit the temporary suspension to no longer than 30 days from when the oral statement was made, unless a written statement is submitted. The written accounting will include for each disclosure: the date, the name and address (if known) of the entity that received the PHI, a brief description of the PHI disclosed, and a brief statement of the purpose of the disclosure that reasonably informs the client of the basis of the disclosure, or in lieu of such a statement, a copy of any written requests for disclosure. If APC made multiple disclosures for a single purpose, APC will indicate the frequency or number of disclosures that APC made and provide the date of the last disclosure. If multiple disclosures were made for a single purpose to HHS for compliance purposes, for the various permitted requests under the rule, the accounting will, in addition to the information for each disclosure indicated above, include the frequency, periodicity, or number of disclosures made and the date of the last disclosure. APC will provide an accounting within 60 days of the request. APC may extend this period up to 30 more days by providing the client with a written statement of the reasons for APC s inability to provide the accounting and the date that the accounting will be provided. APC will document the accounting by keeping a copy and indicating the person in his or her office responsible for receiving and processing accounting requests. Right to Restrictions and Confidential Communications APC will permit a client to request that the health care worker restrict the use and disclosure of PHI for treatment, payment, and health care operations, or to family members, relatives, close friends, or anyone else identified by the client as involved in his or her care or payment for care. Restrictions: APC is not required to agree to a restriction and should not agree to a request for a restriction that would compromise the integrity of the information disclosed or the health care services provided. If APC agrees to a restriction, he or she may not violate it. A health care worker, however, may provide restricted PHI to another treating health care provider when such PHI is necessary for

27 REVISION DATE: PAGE 7 emergency treatment of the client. The health care worker will request that such health care provider not further use or disclose the information. A restriction is not effective to prevent Uses and Disclosures for which client Consent, Authorization, or opportunity to object is not required. APC may terminate a restriction if the client agrees in writing. A client may also agree orally. However, APC staff should document this oral agreement. APC staff may also terminate the restriction by informing the client of the termination and the information restricted before the termination will remain restricted. APC will document a restriction in accordance with the rule's documentation requirements. Confidential Communications APC will permit a client to request and will accommodate reasonable requests to receive communications of PHI by alternative means or at alternative locations. APC may not require an explanation for a confidential communication request. APC should know that a health plan will also permit and accommodate such requests, if the client clearly states that the disclosure of all or part of the information could endanger the client. A health plan may require a written statement of endangerment. A health care worker may require a client to make such request in writing. Reasonable accommodation may be conditioned on information on how payment will be handled and specification of an alternate address or other method of contact. Disclosing PHI for Research Purposes: PHI may be disclosed for research under a limited set of circumstances. Client Authorization is not required if: The information has been de-identified (i.e., is no longer PHI) There is an approved waiver from an institutional review board The information is only being used as preparatory for research (e.g., developing protocols) The PHI being used is that of deceased individuals Personal and Legal Representatives A health care worker WILL treat a personal or legal representative of the client as if he or she were the client. Personal representatives include those for adults and emancipated minors. APC may refuse to treat an individual as a personal representative of the client under the following conditions: If there is reason to believe that the client has been or may have been subjected to domestic violence, abuse, or neglect; or there is reason to believe that treating the person as a personal representative could endanger the individual; and if he or she decides "in the exercise of professional judgment" that treating an individual as a personal representative is not in the best interest of the client.