BUSINESS POLICY AND PROCEDURE MANUAL

Transcription

1 06/10 1 of GENERAL STATEMENT OF HIPAA Compliance The Health Insurance Portability and Accountability Act of 1996 (HIPAA regulates health care providers (Covered Entities) that electronically maintain or transmit protected health information (PHI) in connection with a covered transaction. HIPAA requires each covered entity (CE) to maintain reasonable and appropriate administrative, technical and physical safeguards for privacy and security. Entities or individuals who contract to perform services for a CE with access to protected health information (Business Associates) are also required to comply with the HIPAA privacy and security standards. Declaration of Hybrid Entity Status The University is a hybrid entity under the HIPAA Privacy and Security Regulations. The University s primary purpose is education; however, the University is subject to the HIPAA regulations because certain units of the University are covered entities. The University is required to identify its units that meet the CE definition, ensure CE compliance with safeguard and implementation specifications, and enforcement of CE and BA compliance with the HIPAA regulations. The Vice President for Finance and Administration shall be responsible for issuing and maintaining operating procedures to implement this policy.

2 1 of 56 OPERATING S HIPAA HYBRID ENTITY Southeast Missouri State University s ( University ) business activities include both covered and non-covered functions under the HIPAA law and regulation. It has decided to designate itself as a Hybrid Entity. The Hybrid Entity is required to ensure that it does not disclose protected health information to any other component of the University in circumstances in which HIPAA regulations would prohibit such disclosure if the health care component and the other component were separate and distinct legal entities. Purpose - Designates the units within the University which are part of the Hybrid Entity subject to the Privacy and Security regulations of HIPAA. Definitions - The terms used in this policy have the same meaning as those terms in the Health Insurance Portability and Accountability Act and the regulations at 45 CFR Parts 160, 162, and 164. Procedures - The University hereby designates the following as the health care components included in the Hybrid Entity: The University s Self-funded Health Plans The University s Autism Center for Diagnosis and Treatment The University s Health Clinic The following are also designated as part of the Hybrid Entity to the extent that they perform activities that would make them business associates of one of the above health care components if they were separate entities: Human Resources Controller s Office Vice-President, President and Provost Office Vice Provost and Support Staff Information Technology Student Financial Services Whenever University policies, procedures or guidelines refer to the University as a covered entity under HIPAA, they are referring to the units listed above. The requirements of HIPAA apply only to the units of the University included within the Hybrid Entity.

3 2 of 56 The above listed units may not use or disclose protected health information that they create or receive from or on behalf of the health care component in a way prohibited by HIPAA. Although workforce members of the Hybrid Entity perform duties for both the health care components and for other components of the University, they must not use or disclose PHI created or received in the course of or incident to the members work for the health care component in a way prohibited by HIPAA. HIPAA ORGANIZATION FOR COMPLIANCE The Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended, grants certain rights to individuals regarding their protected health information (PHI). This policy has been drafted to ensure a structure for Southeast Missouri State University s ( University ) compliance with applicable elements of the law and to guide University staff in assisting clients to exercise their rights. Procedures 1.0 HIPAA Chief Privacy Officer - There shall be a HIPAA Chief Privacy Officer whose responsibilities are listed below. 1.1 Responsibilities: Is responsible for overall coordination and oversight of compliance with HIPAA; ultimately assures that policies and procedures required by HIPAA are developed and implemented in a timely manner Serves or appoints a designee as Privacy Officer At Large for the University components units that do not have their own Privacy Officer; assures that these units are kept informed about HIPAA requirements and developments Serves as chair of the HIPAA Compliance Committee; assures that responsibilities of this committee, HIPAA Chief Privacy Officer, and HIPAA Privacy Officers are coordinated so that persons best suited to complete tasks in each situation are assigned to those tasks; in cases of disagreement, makes decisions as to which officer and/or committee (in the case of committee creations) shall be primarily responsible for certain tasks Serves as information privacy consultant for all University departments and appropriate entities; works with all University personnel involved with any aspect of release of

4 3 of 56 protected health information, to ensure full coordination and cooperation under the University s policies and procedures and legal requirements Oversees privacy and security compliance activities, working closely with HIPAA Privacy Officers and HIPAA Security Officer Signs off on all HIPAA related policy and procedure statements, including those which are specific to only one component of the University hybrid covered entity In coordination with the University s legal counsel, Provides guidance and assists in the identification, development, implementation and maintenance of uniform University HIPAA privacy and security policies and procedures Prepares uniform business associate agreements for outside vendors; develops the standard privacy policy to be used by each component of the hybrid covered entity Identifies designee or serves as member of, or liaison to, University s Institutional Review Board (IRB). Also serves as the information privacy liaison for users of clinical and administrative systems Maintains and applies current knowledge of applicable federal and state privacy laws and accreditation standards Serves as primary contact between the Office of Civil Rights, or other legal entities, and University officials in any compliance reviews or investigations. 2.0 HIPAA Privacy Officers - There shall be HIPAA Privacy Officers reporting to the HIPAA Chief Privacy Officer. The Executive Director of University s Health Clinic, University s Self-funded Health Plans and the University s Autism Center for Diagnosis and Treatment shall serve as the appointees for their respective units. In the event another University component is added to the hybrid covered entity, the Director of that unit shall assume the responsibilities as privacy officer. The HIPAA Chief Privacy Officer or designee shall serve as Privacy Officer At Large for other units that are part of the hybrid that is the covered entity.

5 4 of Responsibilities: Assist in preparing uniform HIPAA related policies and procedures relating to Uses and Disclosures Assure implementation and compliance with HIPAA policies and procedures within their component Establish process and site specific training for all staff within the component who have access to PHI Collect and maintain current Business Associate agreements with all vendors to their units who are covered by HIPAA regulations Assure that HIPAA Privacy Notices are available and communicated as required by HIPAA Oversee patient and employee rights to inspect, request to amend, and restrict access to protected health information Assure that practices are in place to mitigate harmful effects of use or disclosure of protected health information in violation of University policies and procedures or requirements of law Serve on the HIPAA Compliance Committee. 3.0 HIPAA Training Officer - The HIPAA Chief Privacy Officer shall appoint the HIPAA Training Officer. 3.1 Responsibilities: Oversees, directs and delivers or ensures delivery of privacy training and orientation to all employees and volunteers, except training specific to one health care component of hybrid entity Oversees maintenance of the HIPAA website, coordinating with Information Technology and Networks.

6 5 of Provides oversight of distribution of information about HIPAA and compliance requirements to employees, students, volunteers and others within the University community Initiates, facilitates and promotes activities to foster information privacy awareness within University Maintains records of training completed by University employees within the University hybrid covered entity Serves on the HIPAA Compliance Committee. 4.0 HIPAA Complaint Officer - The HIPAA Chief Privacy Officer shall appoint the HIPAA Complaint Officer. 4.1 Responsibilities: Establishes and administers a process for receiving, documenting, tracking, investigating and taking action on all complaints and reports of possible violations concerning University s HIPAA privacy policies and procedures Assures that the University has effective policies and procedures for protecting an individual from retaliation for exercising rights under HIPAA Assures consistent application of sanctions for failure to comply with privacy policies for all individuals in University s workforce and for all business associates, in cooperation with Human Resources, Faculty Personnel Services and the HIPAA Security Officer Serves on the HIPAA Compliance Committee. 5.0 HIPAA Security Officer - The HIPAA Chief Privacy Officer and the Chief Information Officer will agree upon a person on the staff of the Office of Information Technology to be appointed HIPAA Security Officer. 5.1 Responsibilities: Reviews all system-related information security plans throughout University s network to ensure alignment between security and privacy practices.

7 6 of Assures compliance with electronic transaction standards Acts as liaison to the Office of Information Technology and Networks Monitors advancements in information privacy technologies to ensure University adaptation and compliance Coordinates establishment of systems, policies and procedures to comply with Security Regulations of HIPAA Serves on the HIPAA Compliance Committee.

8 7 of 56 SOUTHEAST MISSOURI STATE UNIVERSITY HIPAA DIAGRAM 6.0 HIPAA Compliance Committee Composition: HIPAA Chief Privacy Officer (chair) HIPAA Privacy Officers HIPAA Complaint Officer HIPAA Training Officer HIPAA Security Officer

9 8 of Meetings: Semi-annually, or at call of Chair. 6.3 Responsibilities: Assures communication among all units of the University involved with HIPAA compliance Engages in problem solving where broad input is needed Provides feedback on the successes and challenges of communication of HIPAA goals and rules to the campus at large Advocates for University-wide HIPAA policy and procedure wherever feasible Assures consistency in HIPAA related policies and procedures among components of hybrid covered entity Designates sub-committees as necessary Arranges for periodic information privacy risk assessments and compliance monitoring Arranges for periodic review to assure that University has appropriate administrative, technical and physical safeguards for protected health information, and confidentiality authorization forms and information notices. PRIVACY PRACTICES Purpose - The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its rules direct that covered entities provide individuals with adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual s rights and the covered entity s legal duties with respect to protected health information. This policy issues Southeast Missouri State University s ( University ) Notice of Privacy Practices and a Summary Notice of Privacy Practices for University Health Services, Self-funded Health Plans and Autism Center for Diagnosis and Treatment.

10 9 of 56 Procedures - The attached Notice of Privacy Practices and the three Summary Notices of Privacy Practices are hereby issued as the policy and procedure of the University with regard to its obligations under HIPAA. The names, addresses and contact numbers for health care components, and similar information, may be changed in the Notice of Privacy Practices and the Summary Notices of Privacy Practices, upon authorization of the Chief Privacy Officer.

11 10 of 56 SOUTHEAST MISSOURI STATE UNIVERSITY HEALTH INSURANCE PORTABILITY ACCOUNTABILITY ACT (HIPAA) NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL/PROTECTED HEALTH ABOUT YOU MAY BE USED DISCLOSED HOW YOU CAN ACCESS THIS. PLEASE REVIEW IT CAREFULLY. Healthcare Components in the Hybrid Entity Covered by this Notice Southeast Missouri State University ( University ) is a covered entity under HIPAA law. It has decided to designate itself as a hybrid entity. This notice applies to the privacy practices of the following health care components included in the hybrid entity that may share your Protected Health Information as needed for treatment, payment and health care operations. The University s Autism Center for Diagnosis and Treatment The University s Health Clinic The University s Self-funded Health Plans Our Commitment Regarding Your Protected Health Information We understand the importance of your Protected Health Information (hereafter referred to as PHI ) and follow strict policies (in accordance with state and federal privacy laws) to keep your PHI private. PHI is information about you, including demographic data, that can reasonably be used to identify you and that relates to your past, present or future physical or mental health, the provision of health care to you, or the payment for that care. In this notice, we explain how we protect the privacy of your PHI, and how we will allow it to be used and given out ( disclosed ). We are required to provide you with a summary of our Notice of Privacy Practices, and a copy of the Notice of Privacy Practices upon request. We must follow the privacy practices described in this notice while it is in effect. This notice is effective August 1, 2010, and will remain in effect until we replace or modify it. We reserve the right to change our privacy practices and the terms of this notice at any time, provided that applicable law permits such changes. These revised practices will apply to your PHI regardless of when it was created or received. Before we make a material change to our privacy practices, we will provide you with a revised Notice of Privacy Practices. Where multiple state or federal laws protect the privacy of your PHI, we will follow the requirements that provide the greatest privacy protection. University student medical records are subject to requirements of the Federal Educational Rights and Privacy Act of 1974 (FERPA) rather than HIPAA in certain circumstances. Our Uses and Disclosures of Protected Health Information We do not sell your PHI to anyone or disclose your PHI to other companies who may want to sell their products to you (e.g., catalog or telemarketing firms).

12 11 of 56 We must have your written authorization to use and disclose your PHI, except for the following uses and disclosures: To You: We may disclose your PHI to you, for example: Supplying you with information about your diagnosis or treatment Communicating with you about treatment alternatives or other health-related benefits and services For Treatment: We may use and disclose your PHI to health care providers and our business associates who request PHI in connection with your diagnosis, treatment, management of your care, coordination of benefits, and insurance eligibility, for example: Physicians and physician s assistants Nurses Dentists Physical or occupational therapists Psychologists, counselors or social workers Pharmacies Hospitals We may disclose your PHI to health care providers in connection with: Disease and case management programs Prescribing medications Ordering lab work or diagnostic imaging at an outside facility Referring you to an outside provider Providing emergency medical treatment Psychological consultations Other health care services For Payment: We may use and disclose your PHI for our payment-related activities and those of health care providers and health plans, including for example: Dealing with protected health information in relation to the University s Self-funded Health Plans Responding to inquiries, appeals and grievances Billing you or a health plan for health care services provided to you through the Autism Center for Diagnosis and Treatment

13 12 of 56 For Health Care Operations: We may use and disclose your PHI for the following health care operations, for example: Conducting quality assessment and improvement activities, including peer review, credentialing of providers, and accreditation, and conducting training programs Auditing billing processes Performing outcome assessments and health claims analyses Preventing, detecting and investigating fraud and abuse Coordinating case and disease management activities Performing business management and other general administrative activities, including systems management and customer service Scheduling appointments and keeping records Autism Center for Diagnosis and Treatment ( Autism Center ) clients: Your name, address and telephone number may be used to contact you in connection with fundraising for the Autism Center for Diagnosis and Treatment. We may also send this information to the Southeast Missouri State University Foundation for the same purpose. If you do not want to receive these materials, please contact the Autism Center s Privacy Officer and request that these fundraising materials not be sent to you. The Autism Center may use or disclose your medical information, as necessary, to provide you with information about treatment alternatives or other health-related benefits and services that may be of interest to you. For example, your name and address may be used to send you a newsletter about our practice and the services we offer. We may also send you information about products or services that we believe may be beneficial to you. You may contact the Autism Center s Privacy Officer to request that these materials not be sent to you. The Self-funded Health Plans may disclose your PHI to Southeast Missouri State University personnel solely for purposes of administrating benefits under this plan. To Others Involved in Your Care: We may disclose your PHI to someone who has the legal right to act on your behalf. We may under certain circumstances disclose to a designated contact person (e.g.: a member of your family, a relative, a close friend or any other person you identify), the PHI directly relevant to that person s involvement in or payment for your health care. When Required by Law: We will use and disclose your PHI if we are required to do so by law. For example, we will use and disclose your PHI. To report infectious diseases To respond to court and administrative orders and subpoenas To comply with workers compensation laws To report suspected abuse and neglect to the proper authorities To law enforcement under certain circumstances

14 13 of 56 To report PHI as required by the Secretary of Health and Human Services and state regulatory authorities To report threats to safety of self or others To a health oversight agency, which includes government agencies that oversee the healthcare system, for example, audits, investigations, civil administration or criminal investigations For Matters in the Public Interest: We may use or disclose your PHI without your written permission for matters in the public interest, including for example: Public health and safety activities, including Food and Drug Administration oversight, reporting disease and vital statistics. Averting a serious threat to the health or safety of others, e.g.: as required under the Patriot Act Without your prior authorization. For Research: We may use your PHI to perform select research activities, provided that certain established measures to protect your privacy are in place, e.g. as required by the Institutional Review Board. To Our Business Associates: From time to time we engage third parties to provide various services for us. Whenever an arrangement with such a third party involves the use or disclosure of your PHI, we will have a written contract with that third party designed to protect the privacy of your PHI. For example, we may share your information with business associates who bill for medical services, process claims or conduct disease management programs on our behalf. Disclosures You May Request - You may instruct us and give your written authorization to disclose your PHI to a designated individual or agency for any purpose. We require that your authorization be on a HIPAA compliant form. To obtain the form, contact the applicable health care component: The University s Autism Center for Diagnosis and Treatment (573) The University s Health Clinic (573) The University s Self-funded Health Plans (573)

15 14 of 56 Individual Rights - You have the following rights. To exercise these rights, you must make a written request on our standard form. To obtain the form, contact the designated covered component (see above). Access - With certain exceptions, you have the right to look at or receive a copy of your PHI contained in the group of records that are used by or for us to make decisions about you, including our enrollment, payment and case or medical management notes. We reserve the right to charge a reasonable cost-based fee for copying and postage. If you request an alternative format, such as a summary, we may charge a cost-based fee for preparing the summary. If we deny your request for access, we will tell you the basis for our decision and whether you have a right to further review. You may request access to PHI in an alternative communication format and/or location. If your PHI is maintained in an electronic health record, you also have the right to request that an electronic copy of your record be sent to you or to another individual or entity. We may charge you a reasonable cost-based fee limited to the labor costs associated with transmitting the electronic health record. Disclosure Accounting - You have the right to an accounting of certain disclosures of your PHI, such as disclosures required by law. If you request this accounting more than once in a 12-month period, we may charge you a fee covering the cost of responding to these additional requests. Restriction Requests - You have the right to request that we place restrictions on the way we use or disclose your PHI for treatment, payment or health care operations. We are not required to agree to these additional restrictions, unless you request that your PHI not be disclosed to a health plan for purposes of payment and health operations if you paid out of pocket for that service. If we agree, we will abide by them (except as needed for emergency treatment or as required by law) unless we notify you that we are terminating our agreement. Revoke Prior Authorization - You may revoke your authorization, except to the extent that we have taken action upon it. Amendment - You have the right to inspect PHI and request that we amend it in the set of records we described above under Access. If we deny your request, we will provide you a written explanation. If you disagree, you may have a statement or your disagreement placed in our records. If we accept your request to amend the information, we will make reasonable efforts to inform others of the amendment, including individuals you name. Confidential Communication - You may request to receive confidential communications from us by alternative means or at an alternative location. We will accommodate reasonable requests. We may condition this accommodation by asking you for information as to how payment will be handled or specification of an alternative address or other method of contact.

16 15 of 56 Notice of a Breach - We are required to notify you by first class mail or by (if you have indicated a preference to receive information by ), of any breaches of Unsecured Protected Health Information as soon as possible, but in any event, no later than 60 days following the discovery of the breach. Unsecured Protected Health Information is information that is not secured through the use of a technology or methodology identified by the Secretary of the U.S. Department of Health and Human Services to render the Protected Health Information unusable, unreadable, and undecipherable to unauthorized users. The notice is required to include the following information: a brief description of the breach, including the date of the breach and the date of its discovery, if known; a description of the type of Unsecured Protected Health Information involved in the breach; steps you should take to protect yourself from potential harm resulting from the breach; a brief description of actions we are taking to investigate the breach, mitigate losses, and protect against further breaches; contact information, including a toll-free telephone number, address, Web site or postal address to permit you to ask questions or obtain additional information. In the event the breach involves 10 or more persons whose contact information is out of date we will post a notice of the breach on the home page of our Web site or in a major print or broadcast media. If the breach involves more than 500 persons in the state or jurisdiction, we will send notices to prominent media outlets. If the breach involves more than 500 persons, we are required to immediately notify the Secretary. We also are required to submit an annual report to the Secretary of a breach that involved less than 500 persons during the year and will maintain a written log of breaches involving less than 500 persons. Paper Copy - You have the right to obtain a paper copy of this notice from us upon request, even if you have agreed to accept this notice electronically. Questions and Complaints - If you need more information about our privacy practices, or a written copy of the Summary Notice of Privacy Practices, please contact us at: The University s Health Clinic, Crisp Hall, Rm. 101, (573) The University s Self-funded Health Plans, Human Resources, Academic Hall, Rm. 012, (573) The University s Autism Center for Diagnosis and Treatment, 611 N. Fountain Street, Cape Girardeau, Missouri (573) For your convenience, you may also obtain an electronic (downloadable) copy of the Summary Notice of Privacy Practices online at under Forms - HIPAA

17 16 of 56 If you are concerned that we may have violated your privacy rights, or you believe that we have inappropriately used or disclosed your PHI, please contact: HIPAA Complaint Officer Dr. Chuck McAllister, Vice Provost, (573) , or you may obtain an electronic (downloadable) copy of a Privacy Complaint Report online at under Forms - HIPAA You may also submit a written complaint to: Region VII Office of Civil Rights U.S. Department of Health and Human Services, 601 East 12 th Street, Room 248, Kansas City, MO Phone: (816) We support your right to protect the privacy of your PHI. We will not take action against you if you file a complaint with us or with the U.S. Department of Health and Human Services.

18 17 of 56 SOUTHEAST MISSOURI STATE UNIVERSITY Autism Center for Diagnosis and Treatment SUMMARY NOTICE OF PRIVACY PRACTICES This is a summary of the University s Autism Center for Diagnosis and Treatment ( Autism Center ) s Notice of Privacy Practices and describes how the Autism Center may use and disclose protected health information (PHI) and how you can access this information. Please review this information carefully. This Summary applies to the clinical programs of the Autism Center. The Health Insurance Portability and Accountability Act (HIPAA) requires that we protect the privacy of health information that identifies clients, or when there is reasonable basis to believe the information can be used to identify a client. This notice describes your rights as a client and our obligations regarding the use and disclosure of PHI. USES DISCLOSURE Uses and Disclosures Statement We may disclose your PHI to you. We may use or disclose your PHI without your authorization or opportunity to object to treat you, obtain payment, or operate the Autism Center. Other uses and disclosures may be made without your authorization or opportunity to object if the law requires us to disclose PHI. In most situations not associated with treatment, payment or operations, we may use or disclose your PHI only with your written authorization. Examples of Uses and Disclosures for Treatment Authorization Not Required We may consult with other health care providers in connection with your diagnosis and treatment. We may disclose PHI regarding treatment, coordination, and management of your health care as it related to (1) services related to your psychological care; or (2) other health care services. If you are referred to a physician or other psychologist or a new health care provider, we may disclose PHI to the new provider relating to your diagnosis and treatment. Examples of Uses and Disclosures to Obtain Payment Authorization Not Required We may use and disclose your PHI to 1) submit a claim with your name, birth date, address, insurance or social security number, diagnoses, and procedures performed to your health plan for payment; 2) submit PHI for coordination of benefit purposes; 3) respond to inquiries for purposes of obtaining payment. We may disclose PHI to other health care providers in connection with coordination of benefits or insurance eligibility.

19 18 of 56 USES DISCLOSURE Examples of Uses & Disclosures to Operate the Autism Center Authorization Not Required We may mail you reminders of upcoming appointments. We may leave telephone messages asking that you return our call or reminding you of an appointment. We may use and disclose your PHI to audit billing processes and evaluate the quality of our services. We may share PHI with organizations that assess the quality of care that we provide, e.g., accreditation agencies. We may provide PHI to you as needed to supply you with information about your diagnosis or treatment. We may communicate with you about our clinic services and therapies, your treatment alternatives or other health related benefits and services. Unless you object, we may use your name, address and telephone number to contact you in connection with fundraising for the Autism Center. We may use your PHI to file reports required by law, e.g.: when abuse or neglect is suspected, when subpoenaed, etc. We may use your PHI if you pose a danger to yourself and or others. We may share your PHI with third party business associates that perform various activities like billing for the Autism Center. Whenever an arrangement between the Autism Center and a business associate involves the use or disclosure of your medical information, we will have written contract terms that will protect the privacy of your medical information. YOUR RIGHTS You have the following rights regarding your PHI, and the Autism Center must act on your request within 60 days. You may request restrictions on certain uses and disclosures of PHI, but we are not required to agree to a requested restriction, unless you request that PHI not be disclosed to a health plan for purposes of payment or health operations and you paid out of pocket for that service. You may request access to PHI in alternative communication format and/or location. You may request that you receive confidential communications of PHI. You may request to inspect and/or request a copy of your own PHI. You may request that your records be amended. You may request a copy of our Notice of Privacy Practices on paper or in an alternative format, e.g., electronic. You may revoke an authorization, except to the extent that we have taken action on it. OUR RESPONSIBILITIES The law requires us to maintain the privacy and security of PHI. The law requires that we provide individuals with notice of our privacy practices. The law requires that we abide by the terms of the Notice of Privacy Practices and provide notice of revisions. The law requires that we notify you within 60 days of discovery of a breach of any of your unsecured PHI. QUESTIONS/CONCERNS

20 19 of 56 USES DISCLOSURE For more information, or a copy of the entire Notice of Privacy Practices, contact the Privacy Officer, Southeast Missouri State University Autism Center for Diagnosis and Treatment, 611 N. Fountain Street, Cape Girardeau, MO (573) COMPLAINTS If you believe your privacy rights have been violated, you may submit a complaint in writing to: HIPPA Complaint Officer, Southeast Missouri State University, One University Plaza MS3400, Cape Girardeau, MO or to the U.S. Department of Health and Human Services. No one will retaliate against you for filing a complaint.

21 20 of 56 SOUTHEAST MISSOURI STATE UNIVERSITY HEALTH CLINIC SUMMARY OF NOTICE OF PRIVACY PRACTICES This is a summary of our University Health Clinic s Notice of Privacy practices and describes how we may use and disclose your protected health information (PHI) and how you can access this information. Please review this information carefully. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule requires that we protect the privacy of health information that identifies a patient, or when there is reasonable basis to believe the information can be used to identify a patient. This notice describes your rights as our patient and our obligations regarding the use and disclosure of PHI. USES DISCLOSURES Uses and Disclosure Statement We may use or disclose your PHI without your authorization or opportunity to agree or object to treat you, to obtain payment, and to operate University Health Clinic*. Other uses and disclosures can be made without your authorization or opportunity to agree or object, e.g., if the law requires us to disclose information to government authorities such as legal requests, suspected abuse, and infectious diseases In most situations not associated with payment, treatment, or operations, we may use or disclose your PHI only with your written authorization. * The Federal Educational Rights and Privacy Act (FERPA), other federal or state laws, and professional ethics also protect the privacy of the University student s PHI when they are more stringent than HIPAA, e.g., The University Health Clinic will continue to require authorization from the student to bill the student s health insurance plan. Examples of Uses and Disclosures for Treatment Authorization Not Required We may consult with other health care providers regarding your treatment and coordinate and manage your health care with others. We may disclose PHI when you need a prescription, lab work, an x-ray, or other health care services from an outside organization. If a clinician in our practice refers you to an outside physician, we may disclose PHI to your new physician regarding whether you are allergic to any medications. A clinician from our practice may call you to advise you of treatment alternatives. Examples of Uses and Disclosures to Obtain Payment Authorization Not Required Student Financial Affairs may submit a claim that contains your name, date of birth, address, social security number, diagnoses, and procedures performed in our clinic to you for payment.

22 21 of 56 USES DISCLOSURES Examples of Uses and Disclosures to Operate our Practice Authorization Not Required We may use and disclose your PHI to audit our billing practices, or for quality assurance purposes. We may leave telephone messages asking that you return our call. We may share PHI with organizations that assess the quality of care we provide, e.g., the Accreditation reviewers. YOUR RIGHTS You have the following rights regarding your PHI, and University Health Clinic must act on your written request within 60 days. You may request restrictions on certain uses and disclosures of PHI, but we are not required to agree to a requested restriction, unless you request that your PHI not be disclosed to your health plan for payment or healthcare operations and you paid out of pocket for that service. You may request access to your PHI in an alternative communication format or location. You may request that you receive confidential communications of PHI. You may request to inspect and receive a copy of your PHI. You may request that your information be amended. You may request a copy of our Notice of Privacy Practices on paper or in an alternative format, e.g., electronic. You may revoke an authorization, except to the extent that we have taken action on it. OUR RESPONSIBILITIES The law requires that we maintain the privacy of PHI. The law requires that we provide individuals with notice of our privacy practices. The law requires us to abide by the terms of the Notice of Privacy Practices and provide notice of revisions. The law requires that we notify you within 60 days of discovery of a breach of any of your unsecured PHI. QUESTIONS/CONCERNS For more information, or a copy of the entire Notice of Privacy Practices, contact the Privacy Officer, Dr. Bruce Skinner, Office of Residence Life Director, Towers Complex, Rm. 102, (573) COMPLAINTS If you believe your privacy rights have been violated, you may submit a complaint in writing to the HIPAA Complaint Officer, Southeast Missouri State University, One University Plaza MS 3400, Cape Girardeau, MO or to the U.S. Department of Health and Human Services. No one will retaliate against you for filing a complaint.

23 22 of 56 SOUTHEAST MISSOURI STATE UNIVERSITY SELF-FUNDED HEALTH PLANS SUMMARY OF NOTICE OF PRIVACY PRACTICES This is a summary of The University s Self-funded Health Plans Notice of Privacy Practices and describes how as a health plan we may use and disclose your protected health information (PHI) and how you can access this information. Please review this information carefully. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule requires that we protect the privacy of health information that identifies an employee, or when there is reasonable basis to believe the information can be used to identify an employee. This notice describes your rights as a participant in the University s Self-funded Health plans and our obligations regarding the use and disclosure of PHI. USES DISCLOSURE Uses and Disclosures Statement We may use or disclose your PHI without your authorization or opportunity to agree or object to treat you, to obtain payment, and to operate the University s Self-funded Health plans. Other uses and disclosures can be made without your authorization or opportunity to agree or object, e.g., if the law requires us to disclose information to government authorities such as legal requests, suspected abuse, and infectious diseases. In most situations not associated with payment, treatment, or operations, we may use or disclose your PHI only with your written authorization. Examples of Uses and Disclosures to Obtain Payment Authorization Not Required We may use and disclose your PHI for payment related activities and those of health care providers and other health plans including for example: submit a claim form that contains your name, date of birth, address, insurance, social security number, diagnoses, and procedures performed to the health plan for payment. submit PHI for coordination of benefit purposes. responding to inquiries for purposes of making or obtaining payment. Examples of Uses and Disclosures to Operate the Health Plan Authorization Not Required We may mail PHI to you as we confirm payment from your Self-funded Health Plans. We may leave telephone messages asking that you return our call. We may use and disclose your PHI to audit billing processes. We may share PHI with organizations that assess the quality of care we provide.

24 23 of 56 USES DISCLOSURE YOUR RIGHTS You have the following rights regarding your PHI, and The University s Health Clinic must act on your written request within 60 days. You may request restrictions on certain uses and disclosures of PHI, but we are not required to agree to a requested restriction, unless you request that your PHI not be disclosed to your health plan for payment or healthcare operations and you paid out of pocket for that service. You may request access to your PHI in an alternative communication format or location. You may request that you receive confidential communications of PHI. You may request to inspect and receive a copy of your PHI. You may request that your information be amended. You may request a copy of our Notice of Privacy Practices on paper or in an alternative format, e.g., electronic. You may revoke an authorization, except to the extent that we have taken action on it. OUR RESPONSIBILITIES The law requires that The University s Self-funded Health Plans maintain the privacy of PHI. The law requires that we provide notice of our privacy practices. The law requires us to abide by the terms of the Notice of Privacy Practices and provide notice of revisions. The law requires that we notify you within 60 days of discovery of a breach of any of your unsecured PHI. QUESTIONS/CONCERNS For more information, or a copy of the entire Notice of Privacy Practices, contact Alissa Vandeven, Privacy Officer, Southeast Missouri State University, Human Resources, Self-funded Health Plans at (573) COMPLAINTS If you believe your privacy rights have been violated, you may submit a complaint in writing to the University HIPAA Complaint Officer, Southeast Missouri State University, One University Plaza MS3400, Cape Girardeau, MO 63701, (573) , or to the U.S. Department of Health and Human Services. No one will retaliate against you for filing a complaint.

25 24 of 56 Southeast Missouri State University HIPAA Privacy Complaint Report Reported by: Contact Information: Address: Date: Telephone Number: Date of Occurrence: Clinic/Office of Occurrence: Please mail this form to: University Complaint Officer Secretary of Health & Human Services Southeast Missouri State University or Office of Civil Rights --DHHS MS East 12 th Street, Room 248 Cape Girardeau, MO Kansas City, MO You may also contact the Privacy Officer by: Phone: Telephone: (573)

26 25 of 56 CLIENT COMPLAINTS RELATED TO PROTECTED HEALTH REPORTS OF BREACH OF PRIVACY SECURITY OF PHI Background - Southeast Missouri State University ( University ) is a covered entity under the HIPAA law and regulations. According to this law, all University officers, employees, and agents must preserve the integrity and the confidentiality of individually identifiable health information (IIHI) pertaining to each patient or client. This IIHI is protected health information (PHI) and shall be safeguarded to the highest degree possible in compliance with the requirements of the security and privacy rules and standards established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended. Purpose - The Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended, and its rules direct covered entities to provide a process for individuals to lodge complaints regarding the handling of protected health information (PHI) and for employees to report possible violations of HIPAA law or rules or the University s HIPAA policies and procedures. This policy establishes a process for persons to register complaints regarding the University s privacy policy and procedures and/or its compliance with those policies and procedures. This policy also informs persons of their right to file complaints with the Secretary, US Department of Health and Human Services. Definitions - The terms used in this policy have the same meaning as those terms in the Health Insurance Portability and Accountability Act of 1966, as amended, and the regulations at 45 CFR Parts 160, 162, and 164. Procedures Persons who believe that the University or its employees or agents may have violated the requirements of HIPAA law or rules, or the University s HIPAA policies and procedures may file a complaint either with the HIPAA Complaint Officer or any HIPAA Privacy Officer. Any officer, employee or agent of University who believes another officer, employee or agent of University has breached the University s HIPAA privacy or security policies and/or procedures or otherwise breached the integrity or confidentiality of patient or client or other sensitive information shall immediately report the alleged breach to his or her supervisor or to the HIPAA Complaint Officer. Supervisors who receive reports of alleged breach of the HIPAA privacy or security policies and/or procedures shall immediately report the allegation to the HIPAA Complaint Officer. 2.0 Persons who believe that the University or its employees or agents may have violated the requirements of HIPAA law or rules may also file a complaint with the Secretary of the U.S. Department of Health and Human Services.

27 26 of 56 Procedures The University s Notice of Privacy Practices, distributed to clients, patients, and participants in the University s Self-funded Health plans, shall include a notification of the offices with which complaints may be filed or possible violations may be reported. The University HIPAA Complaint Officer shall document all complaints received and the disposition of those complaints. Documentation shall be retained as required by law. 4.0 No University officer, employee or agent shall intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual who files a complaint with the University or with the Secretary of Health and Human Services. 5.0 An officer, employee or agent who discriminates or retaliates against an individual who files a complaint to University or the Secretary shall be subject to disciplinary action up to and including termination. 1.0 COMPLAINT PROCESS 1.1 Communicating Process to Clients. The University s Notice of Privacy Practices shall direct individuals to submit a complaint regarding management of PHI to University s HIPAA Complaint Officer or any HIPAA Privacy Officer. The Notice shall also indicate that a complaint can be made directly to the Secretary of Health and Human Services (HHS). The Notice shall notify clients of the availability of complaint forms at the reception desk of the health care component, or from the HIPAA Complaint Officer. 1.2 Complaint Form. Complaints regarding the University s privacy policy and procedures and/or its compliance with those policies and procedures shall be submitted in writing on a complaint form prepared by the University. The form shall be available on the University s website under Forms HIPAA, at the office of the HIPAA Complaint Officer, all HIPAA Privacy Officers, and at the reception desk of the health care components. 1.3 Complaints to Health and Human Services. Complaints made to the Secretary of Health and Human Services shall be made in writing using whatever form the client wishes and shall be mailed directly to the Secretary at: Secretary US Department of Health and Human Services 200 Independence Ave., S. W. Washington, D. C

28 27 of University Handling of Complaints. The University s HIPAA Complaint Officer or Privacy Officer shall receive and handle all complaints regarding the management of an individual s protected health information according to the policy and procedure entitled HIPAA: Investigation of Complaints & Reports of Breach of Privacy and Security of PHI; Sanctions for Breach of Privacy and Security of PHI. 2.0 Documentation of Complaints and Disposition. 2.1 Retention of Complaints and Disposition. All complaints to the University regarding its management of protected health information and documentation of the disposition of those complaints shall be filed in the office of the HIPAA Complaint Officer in a manner that all documentation can be easily retrieved for review and/or audit. The documentation shall be retained for a period of six years from the date of the complaint. Contact for More Information: HIPAA Privacy Officer HIPAA Privacy Officer The University s Self- funded Health Plan The University s Health Cinic Academic Hall, Rm. 012 Crisp Hall, Rm. 101 Cape Girardeau, MO Cape Girardeau, MO Phone: (573) ext. Phone: (573) ext. HIPAA Privacy Officer The University s Autism Center for Diagnosis and Treatment 611 N. Fountain Street Cape Girardeau, MO Phone:

29 28 of 56 INVESTIGATION OF COMPAINTS & REPORTS OF BREACH OF PRIVACY SECURITY OF PHI SANCTIONS FOR BREACH OF PRIVACY SECURITY OF PHI Background - Southeast Missouri State University ( University ) is a covered entity under the HIPAA law and regulations. According to this law, all University officers, employees, and agents must preserve the integrity and the confidentiality of individually identifiable health information (IIHI) pertaining to each patient or client. This IIHI is protected health information (PHI) and shall be safeguarded to the highest degree possible in compliance with the requirements of the security and privacy rules and standards established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended. Purpose - The University has adopted this policy to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended, and the privacy regulations, as well as to fulfill our duty to protect the confidentiality and integrity of confidential protected health information as required by law, professional ethics, and accreditation requirements. Definitions - The terms used in this policy have the same meaning as those terms in the Health Insurance Portability and Accountability Act of 1996, as amended, and the regulations at 45 CFR Parts 160, 162, and 164. Procedures The University prohibits violations of HIPAA statutory and regulatory requirements, and University policies and procedures in place to uphold them. Any violation of HIPAA rules or University policy and procedures shall constitute grounds for disciplinary action. 2.0 The disciplinary process and sanctions that may be imposed for a violation of HIPAA law, regulations and/or University policies and procedures will vary according to the status of the person who has engaged in the violation. 2.1 Employees, including student employees, will be subject to the disciplinary processes already in place for their employee group. Disciplinary action may include termination. If the seriousness of the offense warrants such action, an employee may be terminated for the first breach of HIPAA law, regulation or University s HIPAA policy and procedures 2.2 Students who are engaged in clinical experiences giving them access to protected health information will be subject to discipline by the work site, up to and including termination from the clinical work. If the student is enrolled in a class, he/she will be subject to grading consequences according to the judgment of the instructor for that class. Students enrolled in clinical programs may be further subject to review for their fitness for continuation in