HIPAA PRIVACY MONITORING REQUIREMENTS

CFOP 60-17

STATE OF FLORIDA
DEPARTMENT OF CHILDREN AND FAMILIES
TALLAHASSEE, August 1, 2003

CF OPERATING PROCEDURE NO. 60-17

Chapter 3

HIPAA PRIVACY MONITORING REQUIREMENTS

CONTENTS

3-1. Purpose
3-2. Scope
3-3. References
3-4. Definition of Terms
3-5. General
3-6. Policy
3-7. Monitoring Process

This operating procedure supersedes CFOP 60-17, Chapter 3, dated February 1, 2003.

OPR: OSHRC
DISTRIBUTION: A

Chapter 3

HIPAA PRIVACY MONITORING REQUIREMENTS

3-1. Purpose. This operating procedure establishes a uniform process for monitoring activities and reviewing the compliance of Department programs to ensure the privacy of individually identifiable health information as required by the Health Insurance Portability and Accountability Act (HIPAA).

3-2. Scope. This operating procedure applies to all employees of the Department of Children and Families who are responsible for monitoring the Department's compliance with the Privacy Rule.

3-3. References.

  a. Health Insurance Portability and Accountability Act of 1996 (HIPAA).

  b. Title 45 C.F.R., Subparts 160, 162 and 164, Security and Privacy of Individually Identifiable Health Information.

3-4. Definition of Terms.

  a. Business Associate (BA). The person or entity who, on behalf of the Department and other than in the capacity of an employee, performs or assists in the performance of a function or activity that involves the use or disclosure of PHI; or who provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services.

  b. Health Information. Any information, whether oral or recorded in any form or medium, that:

    (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and,

    (2) relates to past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual, including prescriptions.

  c. Protected Health Information (PHI). Individually identifiable information relating to past, present or future physical or mental health or condition of an individual, provision of health care to an individual, or the past, present or future payment for health care provided to an individual.

  d. Treatment, Payment and Health Care Operations (TPO). Includes all of the following:

    (1) Treatment means the provision, coordination, or management of health care and related services, consultation between providers relating to an individual, or referral of an individual to another provider for health care.

    (2) Payment means activities undertaken by a provider or health plan to obtain or provide reimbursement for health care, including determinations of eligibility or coverage, billing, collections activities, medical necessity determinations, and utilization review.

    (3) Health Care Operations includes functions such as quality assessment and improvement activities, case management and care coordination, reviewing competence or qualifications of health care professionals, conducting training programs, licensing and credentialing activities, conducting or arranging for medical review, legal services and auditing functions, business planning and development, and general business and administrative activities.

3-5. General.

  a. HIPAA establishes in law the basic principle that an individual's medical records belong to that individual and, with certain exceptions, cannot be used or disclosed without the explicit permission of that individual. The Act gives individuals the right to an explanation of their privacy rights by health care providers, the right to see their medical records, to request corrections to these records, to control the release of information from their records, and the right to documented explanations of disclosures by entities who may have access to this information.

  b. 45 C.F.R., Part 160.310, requires that the Department, as a covered entity, keep and provide records and compliance reports, in such time and manner and containing such information, as the Secretary of the Department of Health and Human Services (HHS) may determine to be necessary to enable the Secretary to ascertain whether the Department has complied and is complying with the requirements of the regulations, to include complaint investigations and compliance reviews.

    (1) Access shall be provided during normal business hours to the Department's facilities, books, records, accounts, and other sources of information, including PHI, that are pertinent to ascertaining compliance with the regulations. If the Secretary of HHS determines that critical circumstances exist, access shall be permitted at any time, without notice.

    (2) If any of the information required for an HHS investigation or compliance review is in the exclusive possession of another agency, a Business Associate, institution, or person that fails or refuses to furnish the information, the Department must so certify and set forth all of the efforts undertaken to obtain the required information.

3-6. Policy.

  a. HIPAA requires the Department to assure the privacy and confidentiality of protected personal health information of clients and patients. Department employees and volunteers shall not permit the unauthorized disclosure of protected health information except as permitted or required by law.

  b. District and Region Administrators are responsible for ensuring that programs and Business Associates have documented privacy procedures in place that:

    (1) provide adequate notice to individuals of their rights and the procedures for exercising their rights with respect to protected health information about them in accordance with CFOP 60-17, Chapters 1 and 2;

    (2) enable individuals to exercise the right of access to his or her own protected health information;

    (3) give individuals an accurate accounting of all disclosures of protected health information as long as the information is maintained by the program or provider, except for disclosures made:

      (a) to carry out TPO;

      (b) to individuals of PHI about themselves;

      (c) for the facility directory or to persons involved in the individual's care or other notification purposes;

      (d) for national security or intelligence purposes;

      (e) to correctional institutions or law enforcement officials;

      (f) prior to the compliance date for the covered entity; and

      (g) pursuant to an authorization.

    (4) enable individuals to request amendment or correction of protected health information, to determine whether the request should be granted or denied, and to disseminate amendments or corrections to its business partners and others to whom erroneous information has been disclosed, including the amendment of information in all appropriate designated record sets maintained by the covered entity and its business partners.

  c. District and Region Administrators are responsible for ensuring that programs and Business Associates have administrative safeguards, physical safeguards and technical safeguards (security procedures/processes) in place that ensure the confidentiality, integrity and availability of all electronic PHI the district/region creates, receives, maintains or transmits; protect against any reasonably anticipated threats or hazards to the security or integrity of such information; and protect against any reasonably anticipated uses or disclosures of such information that are not permitted under the security rule.

3-7. Monitoring Process.

  a. Compliance with the policies and processes contained in all Chapters of CFOP 60-17 will be monitored. Notice is further given by including language in each procedure as follows: The Privacy Officer will collect and analyze information from districts and institutions during the month of April of each year, beginning in April of 2004, to determine compliance with this procedure.

  b. The Privacy Officer shall begin to collect information on compliance in April of 2003.

  c. District Compliance Officers shall provide the results of their monitoring activities to the Privacy Officer using a prescribed format or tool to be determined by the Privacy Officer on an annual basis beginning in April of 2004.

  d. The Privacy Officer shall analyze results and provide feedback to the District or Region Compliance Officer for distribution to District and Regional Administrators.

  e. The District or Region Administrator is accountable for taking any remedial action(s) required to be in compliance, and for reporting the measures that have been taken to the Privacy Officer upon receipt of the results.

BY DIRECTION OF THE SECRETARY:

WALTER R. COOK, SPHR
Human Resources Director

This revision incorporates the compliance monitoring process required by the HIPAA Privacy Act.