HIPAA Privacy. Provided by Coverys Risk Management

Transcription

1 Prvided by Cverys Risk Management

2 What s the Risk? The HIPAA Standards f Privacy f Individually Identifiable Health Infrmatin (Privacy Rule) was published in final frm in August Enfrcement f the Privacy Rules was spradic. The nus fr reprting privacy breaches fell t the patients. In 2009, the privacy rules were expanded by the Health Infrmatin Technlgy fr Ecnmic and Clinical Health (HITECH) Act t require written ntificatin t bth the affected individual and the Department f Health & Human Services (HHS) when breaches f prtected health infrmatin ccur. Enfrcement was enhanced with a tiered set f significant fines based n the egregiusness f the breach and the rganizatin s preparatin and respnse. In 2013, the Omnibus Final Rule intrduced a number f HIPAA privacy changes, including required revisins t the Ntice f Privacy Practices, changes t Business Assciate Agreements, and the presumptin that breaches are reprtable. Since 2009, there have been mre than 700 large breaches reprted t HHS affecting mre than 28 millin individuals. The OCR has investigated ver 90,000 HIPAA cmplaints and implemented enfrcement nearly 30,000 times. Physician practices were the leading surce f enfrcement actins. Failure t implement plicies and prcedures t ensure the prtectin f identifiable health infrmatin can and has resulted in significant civil mnetary penalties, the largest t date is $4.3 millin. If the OCR determines that criminal prsecutin is necessary, a privacy case may be referred t the Department f Justice. When Is This Risk an Issue? Any practitiner wh transmits prtected health infrmatin in an electrnic frmat, as required fr Medicare and Medicaid billing, is cvered under the HIPAA Privacy regulatins. The HIPAA regulatins apply t nearly every facet f the prvisin f healthcare. The fcus f the Privacy Rule is the prtectin f certain patient care infrmatin defined as prtected health infrmatin r PHI. Under HIPAA, PHI includes any individually identifiable infrmatin that relates t: The past, present, r future physical r mental health f an individual The healthcare delivered t an individual The past, present, r future payment fr healthcare prvided t an individual and that is held r transmitted by a practitiner r ne r mre f the practitiner s business assciates in any frm, whether electrnic, paper, r ral. This manual is a publicatin f Cverys Risk Management Department. This infrmatin is intended t prvide general guidelines fr risk management. It is nt intended and shuld nt be cnstrued as legal r medical advice. The cntents may be used within yur rganizatin with yur staff members and physicians. These dcuments may nt be reprduced r transmitted in any frm r by any means, utside f yur rganizatin, withut the written permissin f Cverys. 1

3 and all individually identifiable patient healthcare infrmatin must be prtected frm imprper disclsure. Hw Can I Reduce Risk? Implement an nging HIPAA cmpliance prgram, including plicies and prcedures which address prtecting the cnfidentiality f patient health infrmatin, implementing patient rights as utlined in the ntice f privacy practices, and cntracting apprpriately with business assciates. Ensure that staff members achieve cmpetency by prviding annual training. Als cnduct peridic privacy practice audits and thrugh investigatins f privacy breaches. Prtect Health Infrmatin Define identifiers Knw that health infrmatin becmes prtected (r PHI) when cmbined with ne r mre patient identifiers. Err n the side f cautin if questins arise regarding whether health infrmatin is identifiable and thus prtected. Under HIPAA, the fllwing are cnsidered identifiers: Patient name. Address (except fr state and first three numbers f zip cde). Birthdate. Dates (except year) relating t the patient, including dates f birth, admissin, discharge and death. Scial Security number. Telephne number. Fax number. address. Medical recrd number. Health plan number. License number. Vehicle identifiers, including license plate numbers. Accunt numbers. This manual is a publicatin f Cverys Risk Management Department. This infrmatin is intended t prvide general guidelines fr risk management. It is nt intended and shuld nt be cnstrued as legal r medical advice. The cntents may be used within yur rganizatin with yur staff members and physicians. These dcuments may nt be reprduced r transmitted in any frm r by any means, utside f yur rganizatin, withut the written permissin f Cverys. 2

4 Admissin and discharge dates. Medical device identifiers and serial numbers. URLs and IP address numbers. Bimetric identifiers. Full-face phtgraphs. Any ther unique identifier. Maintain Current Ntice f Privacy Practices Include required sentence Include the fllwing sentence written in capital letters, THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE READ IT CAREFULLY in the Ntice f Privacy Practice. Describe sale f PHI Prvide detail in the Ntice if the rganizatin receives cmpensatin fr the sale f prtected health infrmatin. Include a requirement that written authrizatin be btained frm the patient. Include fundraising pt ut Cmply with ADA requirements Cmply with Civil Rights Act requirements Determine whether layered ntice is permitted If the rganizatin participates in fundraising, include a statement that the rganizatin may cntact individuals abut fundraising and that the individual has a right t pt ut f receiving fundraising cmmunicatins. Prvide cpies f the Ntice in large print, in Braille r as an audi file fr visually impaired patients. Make cpies f the Ntice available in the majr languages spken in the cmmunity and/r within the practice s patient ppulatin. Fr mre infrmatin visit the website. Determine whether a layered ntice is permitted. Understand the final rule, which clarifies that cvered entities may use a layered ntice t implement the rule s prvisins, as lng as the elements required under the This manual is a publicatin f Cverys Risk Management Department. This infrmatin is intended t prvide general guidelines fr risk management. It is nt intended and shuld nt be cnstrued as legal r medical advice. The cntents may be used within yur rganizatin with yur staff members and physicians. These dcuments may nt be reprduced r transmitted in any frm r by any means, utside f yur rganizatin, withut the written permissin f Cverys. 3

5 Privacy Rule are included in the dcument prvided t the individual. Fr example, a practice may prvide the individual with bth a shrt ntice (brief summary f individual rights) and a lnger ntice layered beneath the shrt ntice that cntains all the required elements. Distribute the ntice Althugh the Ntice may be prefaced with a summary, a cpy f the entire Ntice f Privacy Practices must be made available t patients. Pst a cpy in a clear and prminent lcatin in the practice and n the practice s website, if the practice has ne. Obtain patient acknwledgement Obtain written acknwledgement frm the patient f receipt f the Ntice f Privacy Practices. Dcument gd faith effrts made t btain the acknwledgement and the reasns(s) fr failing t d s. Retain the acknwledgement in the medical recrd fr as lng as the recrd is kept. Revise as needed Revise the Ntice f Privacy Practices when the law r plicies and prcedures change. Pst the new versin in the healthcare prvider s ffice and prvide t patients upn request. Include the revisin date n the Ntice. Retain the ntice Keep retired Ntice f Privacy Practices fr at least six years fllwing either the creatin f the Ntice r the date when the Ntice was last in effect, whichever is later. Include patient rights Include descriptin f patient rights in the Ntice (see belw). Recgnize Patient Rights Under HIPAA Respect patient rights t access D NOT refuse release due t utstanding bill Implement prcess fr patients t inspect and btain a cpy f their recrd. D NOT refuse t release medical recrds t the patient r thers (assuming receipt f a valid authrizatin) due t an utstanding bill. This manual is a publicatin f Cverys Risk Management Department. This infrmatin is intended t prvide general guidelines fr risk management. It is nt intended and shuld nt be cnstrued as legal r medical advice. The cntents may be used within yur rganizatin with yur staff members and physicians. These dcuments may nt be reprduced r transmitted in any frm r by any means, utside f yur rganizatin, withut the written permissin f Cverys. 4

6 Charge apprpriately Charge apprpriately fr prviding recrd cpies. The permitted charges fr retrieval and cpying are usually set frth in state regulatins. Deny access apprpriately Implement prcedures fr denying access Deny access apprpriately. Fr example, access may be denied if the infrmatin requested: Is a psychtherapy nte as defined under HIPAA. Has been cmpiled fr use in a legal prceeding. Has been btained frm a cnfidential surce (ther than a healthcare practitiner), if access t the infrmatin culd reveal the surce. Is part f nging research. Has the ptential t cause harm t the patient r anther individual. Implement and fllw prcedures fr denying access. A prvider wh denies patient access t a recrd must: Put the denial in writing. Be specific abut the reasn fr denial. Let the patient knw hw the decisin t deny may be reviewed by a third party. Let the patient knw hw t file a cmplaint abut the denial t the healthcare prvider and the Office f Civil Rights. Respnd t requests Respnd t requests in a timely manner. Prviders have an initial 30 days t respnd t patient requests fr access. The perid may be extended an additinal 30 days under certain circumstances. Respect the right f patients t an electrnic cpy f the recrd Implement and fllw prcedure fr accepting and respnding t patients request fr an electrnic cpy f their recrd. Prvide patients an electrnic cpy f their recrd as fllws: The electrnic frm (e.g., CD, DVD, USB memry stick, prtal) must be agreed n by bth parties. This manual is a publicatin f Cverys Risk Management Department. This infrmatin is intended t prvide general guidelines fr risk management. It is nt intended and shuld nt be cnstrued as legal r medical advice. The cntents may be used within yur rganizatin with yur staff members and physicians. These dcuments may nt be reprduced r transmitted in any frm r by any means, utside f yur rganizatin, withut the written permissin f Cverys. 5

7 The patient may direct the cpy t a designated third party. The electrnic recrds and their transmissin must meet the standards f the HIPAA security rule. Encrypt the dcument r passwrd prtect the electrnic media if encryptin is nt pssible. Hnr initial 30-day perid t respnd t a patient s request fr access. That perid may be extended t 60 days in certain circumstances. Charge apprpriately. Fr example, the practitiner may charge fr the cst f the electrnic media. Respect patients right t request an amendment Develp prcedures fr amending recrds Develp guidelines fr denying an amendment request Understand that patients have a right t request an amendment t their PHI if they believe that the infrmatin is incrrect r incmplete. Develp and implement prcedures fr amending the recrd. The request fr an amendment frm the patient must be in writing and shuld include: The reasn fr the request. The infrmatin the patient wuld like amended r added t the recrd. Use a standardized frm fr recrd amendments. See sample Request t Amend Health Infrmatin. Develp and fllw guidelines fr denying a request fr an amendment. A patient s request t amend the medical recrd may be denied if: The PHI meets ne f the cnditins fr which access may be denied, as nted abve. The entry was nt created by the individual being asked t amend it. The practitiner deems the existing entry t be accurate and cmplete. The PHI is nt part f the designated recrd set. This manual is a publicatin f Cverys Risk Management Department. This infrmatin is intended t prvide general guidelines fr risk management. It is nt intended and shuld nt be cnstrued as legal r medical advice. The cntents may be used within yur rganizatin with yur staff members and physicians. These dcuments may nt be reprduced r transmitted in any frm r by any means, utside f yur rganizatin, withut the written permissin f Cverys. 6

8 Understand patients right t disagree Respnd t request in timely manner D NOT alter the medical recrd Respect patients right t an accunting Develp a prcess fr respnding t an accunting request Understand that patients have a right t disagree with a denial. Require the patient t submit the disagreement in writing. Prvide an pprtunity fr the prvider t rebut the disagreement in writing. Include the riginal request, the denial, the disagreement f the denial, and any rebuttal in the medical recrd. Respnd t the request fr an amendment within 60 days, unless the respnse cannt be cmpleted within that time frame and an exceptin extends the respnse time. D NOT alter the medical recrd. The practitiner wh accepts a patient request fr an amendment shuld append the amended infrmatin t the current medical recrd r prvide a link t it. Under n circumstances shuld the practitiner alter the riginal cntents f the medical recrd. Patients have a right t a written accunting f disclsures f PHI fr the past six years. Develp and implement a prcess fr respnding t patient s request fr an accunting f disclsures that includes: Disclsure date. Name and address f persn wh received PHI. Descriptin f what was disclsed. Purpse f the disclsure. Keep in mind that the accunting given t a patient des nt need t include disclsures: T the patient. Authrized by the patient. Fr natinal security r intelligence. Charge apprpriately Charge apprpriately. Be aware that the first accunting f disclsures in any 12-mnth perid is free. A reasnable fee may be charged fr any additinal accunting f disclsures requested with the same 12-mnth perid, This manual is a publicatin f Cverys Risk Management Department. This infrmatin is intended t prvide general guidelines fr risk management. It is nt intended and shuld nt be cnstrued as legal r medical advice. The cntents may be used within yur rganizatin with yur staff members and physicians. These dcuments may nt be reprduced r transmitted in any frm r by any means, utside f yur rganizatin, withut the written permissin f Cverys. 7

9 prvided the patient is given (a) advance ntice f the fee and (b) pprtunity t withdraw r mdify the request. Hnr respnse time Hnr the respnse time fr an accunting f disclsures. Healthcare prviders have 60 days t respnd t a request fr an accunting f disclsures, unless an exceptin applies that extends the respnse time. Respect patients right t cnfidential cmmunicatins Develp a respnse t patient requests fr cnfidential cmmunicatin Respect patients right t restrict disclsure Respect patients right t breach ntificatin Patients have the right t request that their PHI be cmmunicated t them by the means and in the place f their chsing. Practitiners must accmmdate all reasnable requests. The practitiner may require that the patient s request be in writing. Develp and implement a prcess fr respnding t patient requests fr cnfidential cmmunicatins. Examples f cnfidential cmmunicatin types include: Preferred phne number fr calls. Permissin t leave vice messages. Alternative billing address. Respect patients right t restrict the disclsure f prtected health infrmatin in electrnic r any ther frm t a health plan fr payment r healthcare peratins when the patient has paid fr the services ut f pcket. Develp and implement a prcess t facilitate patient requests t restrict disclsure t health plans when the patient pays ut f pcket. T prevent inadvertent disclsure, flag r make a ntatin in the recrd that disclsure f certain infrmatin has been restricted. Cnsider assisting the patient in alerting dwnstream prviders (such as specialists, pharmacists and diagnstic service prviders) f the desire t restrict disclsure f certain infrmatin. Respects patients right t be ntified f a breach. A breach is the imprper acquisitin, access, use r disclsure f prtected health infrmatin in a manner that cmprmises the security r privacy f the prtected health infrmatin. Examples include sending infrmatin t the wrng patient, lss r theft f recrd strage devices (cmputers, back-up tapes, thumb drives), unauthrized recrd review by staff, misdirected fax, and This manual is a publicatin f Cverys Risk Management Department. This infrmatin is intended t prvide general guidelines fr risk management. It is nt intended and shuld nt be cnstrued as legal r medical advice. The cntents may be used within yur rganizatin with yur staff members and physicians. These dcuments may nt be reprduced r transmitted in any frm r by any means, utside f yur rganizatin, withut the written permissin f Cverys. 8

10 same-name mix ups. The 2009 HITECH Act updates t HIPAA included the breach ntificatin rule, which requires prviders t investigate ptential breaches f PHI, ntify the patient in writing if a breach is cnfirmed, and ntify HHS f all reprtable breaches. Implement plicies t guide breach investigatins Implement plicies and prcedures t guide breach investigatins. At minimum, these shuld include: A mechanism fr staff t reprt breaches. The breach investigatin prcess. The prcess t ntify patients. The prcess t reprt breaches t the gvernment including individual breaches and breaches affecting mre than 500 individuals. The prcess fr secndary ntificatin in the event f a large breach. Maintaining the breach ntificatin lg. Prvider and emplyee HIPAA educatin, including the breach reprting prcess. Breach-related disciplinary actins This plicy shuld include a stepped apprach based n severity and intent. Willful and/r malicius breaches generally require terminatin. Investigate breaches Investigate reprted breaches prmptly. A breach is presumed unless the investigatin prves therwise. Include the fllwing fur cmpnents in the investigatin: The nature and extent f the PHI invlved Fr example, what was released, hw much PHI was included, was financially sensitive infrmatin such as Medicare r scial security numbers invlved? The persn wh disclsed the infrmatin and t whm it was disclsed Fr example, was the persn wh disclsed authrized t view and release PHI, did the persn wh received it have a HIPAA bligatin (such as anther healthcare prvider)? This manual is a publicatin f Cverys Risk Management Department. This infrmatin is intended t prvide general guidelines fr risk management. It is nt intended and shuld nt be cnstrued as legal r medical advice. The cntents may be used within yur rganizatin with yur staff members and physicians. These dcuments may nt be reprduced r transmitted in any frm r by any means, utside f yur rganizatin, withut the written permissin f Cverys. 9

11 Was the PHI actually acquired r viewed? Fr example, misdirected mail may be returned unpened. Hw was the risk t cnfidentiality and security f the PHI mitigated? Fr example, was the electrnic infrmatin encrypted, r will the individual wh received the infrmatin in errr enter int a cnfidentiality agreement? Knw when reprting is nt required Be aware that if the risk assessment is thrugh, cmpleted in gd faith, reaches reasnable cnclusins, and the cnsideratin f all factrs indicates a lw prbability that the prtected health infrmatin was cmprmised, reprting is nt required. NOTE: This is a very high standard t achieve. Cnsider seeking legal advice befre determining a breach is nt reprtable. Reprt breach t HHS Reprt the breach t HHS: Breaches invlving less than 500 individuals may be reprted as they ccur r nce a year (n later than 60 days after the end f the calendar year in which the breach ccurred). Breaches invlving 500 r mre individuals have significant regulatry requirements and legal assistance is strngly recmmended. Reprt breaches t HHS using the electrnic frm n the HHS Breach Ntificatin Web page. Reprt breach t affected individual Reprt the breach t the affected individual in writing with 60 days f discvery f the breach r when the breach shuld have been discvered. Include the fllwing in the written ntice: A descriptin f the breach. A descriptin f the types f infrmatin that were invlved in the breach, the steps affected individuals shuld take (such as credit mnitring). A brief descriptin f what the practice is ding t investigate the breach, mitigate the harm, and prevent further breaches. This manual is a publicatin f Cverys Risk Management Department. This infrmatin is intended t prvide general guidelines fr risk management. It is nt intended and shuld nt be cnstrued as legal r medical advice. The cntents may be used within yur rganizatin with yur staff members and physicians. These dcuments may nt be reprduced r transmitted in any frm r by any means, utside f yur rganizatin, withut the written permissin f Cverys. 10

12 Cntact infrmatin, fr individuals with additinal questins. Dcument breach investigatin prcess Maintain breach investigatin lg Dcument the breach investigatin prcess. Maintain a cpy f the letter(s) sent t the individual as well as any respnses and fllw-up. Dcument crrective actins which have been taken, including the review and revisin f plicies and prcedures, staff member training and emplyee discipline. Maintain a breach investigatin lg. Include: The date f the suspected breach. The date the breach was discvered. The name f the individual(s) affected. A summary f the investigatin including the decisin t reprt r nt. A brief descriptin f the crrective actins taken. The date(s) the breach was reprted t the patient and HHS if required. Use Cautin Disclsing Prtected Health Infrmatin Use a HIPAA Cmpliant Authrizatin Obtain time-limited, specific authrizatin fr the use r disclsure f PHI fr any reasn ther than treatment, payment, healthcare peratins, r fr disclsures that are permissible withut an authrizatin (as listed at the end f this sectin). See sample Permissin Frm t Send Medical Recrds. Each authrizatin shuld include: Descriptin in lay language f the PHI t be used r disclsed. Names f the practitiner(s) authrized t use r disclse the PHI. Name f the persn t whm the practitiner is authrized t disclse the PHI. A descriptin f the purpse f the use r disclsure. This manual is a publicatin f Cverys Risk Management Department. This infrmatin is intended t prvide general guidelines fr risk management. It is nt intended and shuld nt be cnstrued as legal r medical advice. The cntents may be used within yur rganizatin with yur staff members and physicians. These dcuments may nt be reprduced r transmitted in any frm r by any means, utside f yur rganizatin, withut the written permissin f Cverys. 11

13 Statement f patient s right t revke authrizatin in writing at any time and a descriptin f hw t d that. Statement that the disclsed PHI may be subject t re-disclsure by the recipient, wh may nt be subject t the HIPAA Privacy Rule. Statement that the practitiner cannt cnditin treatment, payment, enrllment r eligibility fr benefits n a patient s refusal t authrize disclsure f PHI. Expiratin date r event (e.g., the end f a clinical trial). Signature and current date. Althugh nt required by HIPAA, it is recmmended that the fllwing als be included n the authrizatin frm: The patient des r des nt agree t the release f infrmatin related t mental health treatment. The patient des r des nt agree t the release f infrmatin related t HIV status. The patient des r des nt agree t the release f infrmatin related t substance abuse. Release infrmatin n deceased patients apprpriately Be aware that HIPAA nw permits rganizatins t disclse a deceased persn s recrds t family members and thers wh were invlved in the care r payment fr care f the patient prir t death, unless ding s is incnsistent with any prir expressed preference f the individual. Understand the PHI f deceased patients is subject t the Privacy Rule fr 50 years. After 50 years, individually identifiable health infrmatin f the deceased is n lnger cnsidered PHI. NOTE: Sme state laws may be stricter than this new language and wuld preempt the rule. Fllw state laws regarding release f deceased persn s recrds if the state law is mre restrictive. Use cautin when faxing Be aware that HIPAA privacy regulatins permit the sending f PHI via fax. Hwever, take reasnable safeguards t ensure the privacy f the faxed infrmatin. Such safeguards might include: This manual is a publicatin f Cverys Risk Management Department. This infrmatin is intended t prvide general guidelines fr risk management. It is nt intended and shuld nt be cnstrued as legal r medical advice. The cntents may be used within yur rganizatin with yur staff members and physicians. These dcuments may nt be reprduced r transmitted in any frm r by any means, utside f yur rganizatin, withut the written permissin f Cverys. 12

14 Cnfirming the fax number. Cnfirming receipt f the fax. Faxing nly minimum necessary infrmatin. Including a cnfidentiality statement n the fax cver sheet. Including instructin t cntact the practice if the fax has been received in errr. Assign a staff member t cnfirm the fax number accuracy at least every six mnths when preprgrammed fax numbers are used. Release immunizatin recrds Release minimum amunt f PHI necessary t perfrm the task Fllw state laws when stricter than HIPAA Recgnize when a signed authrizatin is nt required Be aware that HIPAA regulatins permit practices t disclse prf f immunizatin t a schl in states in which the state r ther law requires vaccinatins prir t admitting a student. Understand that written authrizatin is n lnger required, but agreement t release must still be btained. The agreement must cme frm a parent/guardian r the patient if they are an adult r emancipated minr. The agreement may be in writing r verbal. Release the minimum amunt f infrmatin necessary t perfrm the task when releasing infrmatin withut a written authrizatin. Release as specified by the authrizatin when there is a valid written authrizatin. Require business assciates t cmply with the minimum necessary rule. Understand that the Privacy Rule is a minimum acceptable standard. Understand certain disclsures that are permissible withut patient authrizatin under HIPAA may be prhibited by state law r may require the patient s written authrizatin in that state. In thse instances in which state law is mre stringent, the state law applies. When HIPAA is mre prtective f the patient r when state law presents an bstacle t the fulfillment f the intent f HIPAA, it is the HIPAA Privacy Rule that applies. Recgnize that under the HIPAA Privacy rule, PHI, including prtins f a recrd created by anther prvider, may be disclsed withut the patient s authrizatin in This manual is a publicatin f Cverys Risk Management Department. This infrmatin is intended t prvide general guidelines fr risk management. It is nt intended and shuld nt be cnstrued as legal r medical advice. The cntents may be used within yur rganizatin with yur staff members and physicians. These dcuments may nt be reprduced r transmitted in any frm r by any means, utside f yur rganizatin, withut the written permissin f Cverys. 13

15 certain defined circumstances. They include, but are nt limited t: Disclsure t the patient. Disclsure t anther party fr purpses f treatment, payment, and fr purpses relating t the disclsing healthcare prvider s healthcare peratins, (e.g., audits, credentialing, accreditatin, case management, training, and reprting a claim t a malpractice carrier). Disclsure that is required under certain circumstances, including sme legal investigatins, emergencies, public health activities (including a public health authrity r ther apprpriate gvernment authrity authrized by law t receive reprts f child abuse r neglect), situatins in which the practitiner is a mandated reprter, certain judicial and administrative prceedings, the wrk f a funeral directr r medical examiner, t avert a serius threat t health r safety, fr natinal defense, r as required by law. Disclsure t a law enfrcement fficial, if disclsure is necessary t identify r lcate a suspect, fugitive, material witness, r missing persn; t alert the fficial t the cmmissin and nature f a crime resulting in a medical emergency; t satisfy a law enfrcement fficer s need fr infrmatin abut a victim r suspected victim f a crime, when the practitiner believes that PHI is evidence f a crime that ccurred n his/her premises. Disclsure t a law enfrcement fficial PHI abut a deceased individual if the healthcare prvider suspects that the death resulted frm criminal cnduct. Disclsure fr research purpses within the guidelines defined by HIPAA. NOTE: Althugh patient authrizatin is nt required fr release f PHI in sme situatins, patient authrizatin may be requested. The practitiner is always safer This manual is a publicatin f Cverys Risk Management Department. This infrmatin is intended t prvide general guidelines fr risk management. It is nt intended and shuld nt be cnstrued as legal r medical advice. The cntents may be used within yur rganizatin with yur staff members and physicians. These dcuments may nt be reprduced r transmitted in any frm r by any means, utside f yur rganizatin, withut the written permissin f Cverys. 14

16 seeking patient authrizatin than assuming he/she des nt need t d s. Implement Business Assciate Agreements Implement Business Assciate Agreements Implement a written agreement with each business assciate with whm PHI is shared. A business assciate is an individual r cmpany: That is nt emplyed by the practice. That perfrms wrk n behalf f the practice, and The wrk invlves PHI. Fr example, business assciates may include auditrs, cnsultants, transcriptinists, billing firms, electrnic medical recrd vendrs, e-prescribing gateways, and recrd destructin and strage cmpanies. Understand what makes a business assciate Knw what t include in a Business Assciate Agreement Be aware that a healthcare prfessinal wh receives PHI fr treatment purpses is nt a business assciate. Understand that individuals r entities perfrming functins r services that d nt invlve the use r disclsure f PHI are nt cnsidered business assciates. Examples are electricians, plumbers and cleaning staff members. Include the fllwing in a Business Assciate Agreement: Specify that the business assciate will use and disclse PHI nly as permitted under the business assciate agreement and under the Privacy Rule. NOTE: the minimum necessary rule als applies t business assciates. Specify that the business assciate will cmply with the requirements f the HIPAA Security rule as it relates t electrnically stred and/r transmitted prtected health infrmatin. Require business assciate t ntify the practitiner as sn as pssible f any imprper uses and disclsures f prtected health infrmatin, including a breach. This manual is a publicatin f Cverys Risk Management Department. This infrmatin is intended t prvide general guidelines fr risk management. It is nt intended and shuld nt be cnstrued as legal r medical advice. The cntents may be used within yur rganizatin with yur staff members and physicians. These dcuments may nt be reprduced r transmitted in any frm r by any means, utside f yur rganizatin, withut the written permissin f Cverys. 15

17 Require business assciate t participate in the breach investigatin. Require business assciate t hld subcntractrs that create r receive PHI t the same restrictins and cnditins that apply t the business assciate. Require business assciate t make the PHI available fr access, amendment, and accunting, and t make the business assciate s bks and recrds available t the gvernment fr purpses f inspectin and audit. Require business assciate t use apprpriate safeguards t prevent use r disclsure f PHI nt permitted by the agreement. Allw terminatin f the agreement if the practitiner learns that the business assciate breached the agreement. Require return r destructin f the PHI at the terminatin f the cntract. A sample Business Assciate Agreement is available frm the Health and Human Services Office fr Civil Rights at: edentities/cntractprv.html. Seek Additinal Infrmatin Visit HHS OCR Privacy Website Refer t Health and Human Services Office fr Civil Rights Health Infrmatin Privacy Website fr additinal infrmatin: The links included in this dcument are being prvided as a cnvenience and fr infrmatinal purpses nly; they are nt intended and shuld nt be cnstrued as legal r medical advice. Cverys Risk Management bears n respnsibility fr the accuracy, legality r cntent f the external site r fr that f subsequent links. Cntact the external site fr answers t questins regarding its cntent. This manual is a publicatin f Cverys Risk Management Department. This infrmatin is intended t prvide general guidelines fr risk management. It is nt intended and shuld nt be cnstrued as legal r medical advice. The cntents may be used within yur rganizatin with yur staff members and physicians. These dcuments may nt be reprduced r transmitted in any frm r by any means, utside f yur rganizatin, withut the written permissin f Cverys. 16