HIPAA Privacy Policy and Procedures Supplement for KP-IT


Table of Contents
Now that you know about HIPAA
How do I contact my Privacy Officer?
KP Privacy Policies
Notice of Privacy Practices
HIPAA Privacy Notice
Minimum Necessary
Complaints About Privacy Practices
Intimidation or Retaliation Prohibited
Sanctions by KP Against Workforce Members Who Fail to Comply
Incident Reporting Procedure

Now that you know about HIPAA

The booklet you have reviewed so far contains HIPAA information all Kaiser personnel need to know. However, some policies and procedures apply specifically to KP-IT. Read through this KP-IT supplement to learn the policies and procedures that apply only to KP-IT personnel.

How do I contact my Privacy Officer?

KP-IT's Privacy Officer is:
Marcella Jordan, National Privacy Officer
Phone: (301) 816-7178
E-mail: Marcella.Jordan@kp.org

KP Privacy Policies

The HIPAA Privacy Rule requires all members of KP's workforce to be trained on KP's privacy policies and procedures according to their role or job function. Key information about KP policies and procedures is included in this material. You must read each policy and procedure in this document. Depending on your department's role in using or disclosing PHI, you may be required to have additional training on policies and procedures specific to the work performed by your department.

You may view all KP privacy policies at the web site listed below. You are not required to read these policies to complete the course, but you may bookmark the site or add it to your Favorites so you can easily refer to the policies after completing your training.
http://kpnet.kp.org/hipaa/privacy/privacy_policies.html

Note: Each KP region and medical center has privacy policies and procedures specific to its practices, sometimes based on state law. If you work in a regional office building or medical facility, you should be aware of them.

Notice of Privacy Practices

1. Policy Statement
Kaiser Permanente (KP) will make its Notice of Privacy Practices available to KP members/patients. KP will request written acknowledgment of receipt of the Notice only from non-member patients in non-emergency treatment situations.

2. Provisions of This Policy

2.1 Content and Change Rule
The content of the Notice is prescribed by law. No changes can be made to the Notice without first consulting with KP legal counsel.

2.2 Accountability for Member/Patient Questions and Concerns
KP will designate a department or staff at medical facilities and membership services locations to (i) answer questions and address concerns about the Notice and Notice acknowledgment; and (ii) obtain Notice acknowledgments from non-member patients in non-emergency situations.

2.3 Health Plan
2.3.1 KFHP will provide the Notice on behalf of KFHP, [applicable] PMG, KFH [if applicable], and other applicable covered entities to members, and is permitted to meet this obligation by mailing the Notice to subscribers rather than to each member individually.
2.3.2 At least once every three years, Health Plan will notify members of the availability of the Notice and how it may be obtained.

2.4 Health Care Providers
2.4.1 Provision of Notice. Providers must provide the Notice to non-member patients at or before the first delivery of service, except in emergency treatment situations. In emergencies, the Notice shall be provided as soon as reasonably practicable.
2.4.2 Request for Acknowledgment of Receipt.
2.4.2.1 KP health care providers will make a good faith effort to obtain written acknowledgment of receipt of the Notice of Privacy Practices from non-member patients who receive treatment from KP providers. This requirement does not apply to emergency treatment situations.
2.4.2.2 KP will request a written acknowledgment of receipt of the Notice on or before the first delivery of service by a KP provider.
2.4.2.3 If such written acknowledgment is not obtained, KP health care providers must document the good faith efforts to obtain the acknowledgment and the reasons why it was not obtained.
2.4.3 Availability of Notice. Copies of the Notice shall be available to persons who request the Notice at KP medical facilities and other physical service delivery sites, e.g., medical office buildings and pharmacies.
2.4.4 Medical Facility Posting of Notice. Health care providers must post the Notice in physical service delivery sites where individuals seeking health care services can see it.

2.5 Revised Notice
2.5.1 Health Plan. Within 60 days after a significant revision of the Notice, Health Plan will provide members with a revised Notice. This obligation may be satisfied by mailing the Notice to subscribers rather than to each member individually.
2.5.2 Health Care Providers. Providers must post the revised Notice and make it available to persons who request it.

2.6 Kaiser Permanente Websites
The Notice must be prominently posted on, and electronically available through, Kaiser Permanente websites that provide information about customer services or benefits. Within 60 days after a significant revision of the Notice, the new Notice will be posted on the website.

HIPAA Privacy Notice

Note: The following privacy notice for the Northern California region is provided as an example. You can review it to become familiar with privacy notices, but you do not have to read every word. Each region has a version of this privacy notice customized with information specific to that region.

Notice of Privacy Practices (NCAL)
KAISER PERMANENTE - NORTHERN CALIFORNIA REGION

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION

In this notice we use the terms "we," "us" and "our" to describe Kaiser Permanente - Northern California Region. For more details, please refer to section IV. of this notice.

I. WHAT IS "PROTECTED HEALTH INFORMATION?"
Your protected health information (PHI) is health information that contains identifiers, such as your name, Social Security number, or other information that reveals who you are. For example, your medical record is PHI because it includes your name and other identifiers. If you are a Kaiser Foundation Health Plan member and also an employee of any Kaiser Permanente company, PHI does not include the health information in your employment records.

II. ABOUT OUR RESPONSIBILITY TO PROTECT YOUR PHI
By law, we must 1) protect the privacy of your PHI, 2) tell you about your rights and our legal duties with respect to your PHI, and 3) tell you about our privacy practices and follow our notice currently in effect. We take these responsibilities seriously and, as in the past, we will continue to take appropriate steps to safeguard the privacy of your PHI.

In the course of providing health care, we collect various types of PHI from members and patients and from other sources, including other health care providers. The medical information may be used, for example, to provide health care services and customer services, evaluate benefits and claims, administer health care coverage, measure performance (utilization review), detect fraud and abuse, review the competence or qualifications of health care professionals, and fulfill legal and regulatory requirements.

The types of PHI that we collect and maintain about members and patients include, for example:
Hospital, medical, mental health and substance abuse patient records, laboratory results, X-ray reports, pharmacy records and appointment records;
Information from members/patients, for example, through surveys, applications and other forms, and online communications; and
Information about your relationship with Kaiser Permanente, such as medical services received, claims history, and information from your benefits plan sponsor or employer about group health coverage you may have.

III. YOUR RIGHTS REGARDING YOUR PHI
This section tells you about your rights regarding your PHI, for example, your medical and billing records. It also describes how you can exercise these rights.

Your right to see and receive copies of your PHI
In general, you have a right to see and receive copies of your PHI in designated record sets such as your medical record or billing records. If you would like to see or receive a copy of such a record, please write us. When you know the Kaiser Permanente facility or medical office where you received your care, please write to us at that address. If you need that address, please call 1-800-464-4000 (TTY 1-800-777-1370). If you don't know where the record that you want is located, please write to us at the Regional Compliance and Privacy Office, 1950 Franklin Street, Oakland, CA 94612.

After we receive your written request, we will let you know when and how you can see or obtain a copy of your record. If you agree, we will give you a summary or explanation of your PHI instead of providing copies. We may charge you a fee for the copies, summary, or explanation. If we don't have the record you asked for but we know who does, we will tell you who to contact to request it. In limited situations, we may deny some or all of your request to see or receive copies of your records, but if we do, we will tell you why in writing and explain your right, if any, to have our denial reviewed.

Your right to choose how we send PHI to you
You may ask us to send your PHI to you at a different address (for example, your work address) or by different means (for example, fax instead of regular mail). When we can reasonably and lawfully agree to your request, we will. However, we are permitted to charge you for any additional cost of sending your PHI to different addresses or by different means.

Your right to correct or update your PHI
If you believe there is a mistake in your PHI or that important information is missing, you may request that we correct or add to the record. Please write to us and tell us what you are asking for and why we should make the correction or addition. When you know the Kaiser Permanente facility or medical office where you received your care, please write to us at that address. If you need that address, please call 1-800-464-4000 (TTY 1-800-777-1370). If you don't know where the record that you want is located, please write to us at the Regional Compliance and Privacy Office, 1950 Franklin Street, Oakland, CA 94612. We will respond in writing after receiving your request. If we approve your request, we will make the correction or addition to your PHI. If we deny your request, we will tell you.

Minimum Necessary

1. Policy Statement
When using or disclosing protected health information (PHI), or requesting PHI from another health plan or health care provider, Kaiser Permanente shall make reasonable efforts to limit the use, disclosure, or request to the minimum necessary for its intended purpose.

2. Provisions of this Policy

2.1 Application of the Minimum Necessary Standard
The minimum necessary requirement applies to:
2.1.1 KP uses and disclosures of PHI.
2.1.2 KP requests to health care providers, health plans, or health care clearinghouses for PHI for any purpose other than treatment.
2.1.3 Incidental uses and disclosures, including unintended access to or communication of PHI that may occur as a by-product of permitted uses and disclosures (e.g., provider communications with a patient in a shared hospital room, at pharmacy consultation windows, or in waiting areas; PHI included on whiteboards or pharmacy display boards; PHI viewable on computer screens, printers, or fax machines).

2.2 Exceptions to the Application of the Minimum Necessary Standard
The minimum necessary requirement does not apply to:
2.2.1 Treatment By Third Party Provider. Disclosures to, or requests by, an external health care provider for treatment.
2.2.2 Member/Patient Own PHI. Communications to members/patients of their own PHI.
2.2.3 Authorization. Uses or disclosures for which an authorization was obtained.
2.2.4 Secretary of HHS. Disclosures made to the Secretary of HHS for purposes of compliance and enforcement related to the HIPAA Privacy Rule.
2.2.5 Required by Law. Uses or disclosures that are required by law, consistent with the limitations, if any, in the law on what PHI may be disclosed.
2.2.6 Compliance with HIPAA. Any other uses or disclosures required to comply with any HIPAA rule or regulation, including the Privacy Rule, the Transactions Rules and the Security Rule.

2.3 Use of PHI
With respect to the use of PHI, KP must:
2.3.1 Identify the persons or classes of persons in KP's workforce who need access to PHI to carry out their duties;
2.3.2 Identify the categories of PHI to which access is needed and the conditions under which individuals or classes of individuals may access PHI specific to their responsibilities; and
2.3.3 Establish processes to restrict unauthorized access to PHI, through physical security policies and procedures and monitoring.

2.4 Disclosures of PHI
To meet the minimum necessary requirement for disclosures of PHI, KP must do the following:
2.4.1 Routine Disclosures. For any type of disclosure made on a routine and recurring basis, the PHI disclosed must be limited to the amount reasonably necessary to allow the person needing the information to use it.
2.4.1.1 Disclosures to a KP business associate must be made in accord with the terms of the business associate agreement, in which permitted disclosures should be clearly described.
2.4.2 Non-Routine Disclosures of PHI. For non-routine disclosures of PHI, KP must review requests for disclosure on an individual basis in accordance with criteria designed to limit the PHI disclosed to the information reasonably necessary to accomplish the purpose for which disclosure is sought. (See Appendix for regional/departmental list of criteria.)
2.4.3 Reliance Upon Requests by Others. A request for disclosure of PHI may be considered to be the minimum necessary for the stated purpose when:
2.4.3.1 A public official who is requesting a disclosure of PHI permitted by the HIPAA Privacy Rule represents that the information requested is the minimum necessary amount for the stated purpose.
2.4.3.2 Another health care provider or health plan is requesting the PHI.
2.4.3.3 A professional (e.g., attorney, accountant) who is a member of KP's workforce or a KP business associate requests PHI for the purpose of providing professional services, and the requester represents that the information requested is the minimum necessary for the stated purpose.

2.5 Requests for PHI
When requesting PHI, KP must do the following:
2.5.1 Routine Requests. For routine and recurring requests for PHI, request only that PHI necessary for the purpose to be accomplished.
2.5.2 Non-Routine Requests for PHI. For non-routine requests for PHI, KP will follow criteria to limit the PHI requested to that which is reasonably necessary to accomplish the purpose of the request. (See Appendix for regional/departmental list of criteria.)

2.6 Entire Medical Record As Minimum Necessary
KP may not use, disclose, or request an entire medical record, except when specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request. KP shall:
2.6.1 For uses, identify those persons who need access to the entire medical record to carry out their duties.
2.6.2 For disclosures and requests, follow as applicable the rules for routine disclosures and requests, non-routine disclosures and requests, and reliance on requests by others.

Complaints About Privacy Practices

1. Policy Statement
Kaiser Permanente (KP) acknowledges the right of members/patients and other persons under the HIPAA Privacy Rule to lodge a complaint with KP or the Secretary of Health and Human Services about KP's privacy practices or compliance with the Rule. KP will handle these complaints through existing internal processes for reviewing and responding to other types of complaints, or establish new processes for this purpose.

2. Provisions of this Policy

2.1 Complaints By Members/Patients. Members/patients may file complaints with Kaiser Permanente or with the Secretary of the U.S. Department of Health & Human Services claiming that KP:
2.1.1 Interfered with or failed to 1) allow access to PHI; 2) provide copies of PHI; 3) review requests for amendments of PHI; 4) provide disclosure accountings; and/or 5) allow the individual to exercise other rights under the HIPAA Privacy Rule; and/or 6) is otherwise violating the HIPAA Privacy Rule.

2.2 Complaints by Personal Representatives, Employees and Others. Employees, physicians, other workforce members, associations, health plans, providers, health oversight agencies or advocacy groups, as well as members/patients and personal representatives, may also file a complaint with the Secretary of the U.S. Department of Health & Human Services claiming that KP is violating the HIPAA Privacy Rule.

2.3 Process for Handling Complaints
2.3.1 Complaint Process Required. There must be a process for individuals to make complaints about KP's privacy policies and procedures or KP's compliance with the HIPAA Privacy Rule.
2.3.2 Responsibility for Receipt of Complaints. KP will designate a contact person (by title) or office that is responsible for receiving complaints concerning privacy practices and for providing contact information for the Secretary of the U.S. Department of Health & Human Services.
2.3.2.1 Contact Information. Regional and local policies shall include, at a minimum, the contact information that is in the section of the Notice of Privacy Practices that informs members and patients how to contact KP for the purpose of lodging a complaint about KP's privacy practices.

2.4 Investigations by the Secretary of HHS. The Secretary of HHS may investigate complaints submitted to the Secretary. Kaiser Permanente must cooperate with any investigation conducted by the Secretary pursuant to its authority for HIPAA Administrative Simplification.

3. KP-IT Procedures
3.1 Workforce members who wish to file a complaint regarding KP's privacy practices or failure to comply with the Rule should contact Marcella Jordan, National Privacy Officer, (301) 816-7178, or the Kaiser Permanente Compliance Connection Hotline, 888-774-9100. The hotline is a toll-free telephone line, available 24 hours a day, 365 days a year. It provides an anonymous, confidential way to report suspicious or illegal activity. Complaints may also be filed with the Secretary of the U.S. Department of Health & Human Services.
3.2 Filing a Complaint (Non-Workforce Members). If a non-workforce member approaches a KP-IT workforce member to file a complaint regarding KP's privacy practices, the KP-IT workforce member should refer the non-workforce member to:
CO - Customer Service
GA - Member Services
HI - Customer Service
MAS - Member Services

NCA - Member Services
NW - Membership Services
OH - Customer Relations
SCA - Member Services

Intimidation or Retaliation Prohibited

1. Policy Statement
Kaiser Permanente will not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against members/patients, physicians, employees, or any other person for exercising their rights established under the HIPAA Privacy Rule.

2. Provisions of this Policy

2.1 Filing of Complaints By Members/Patients About Kaiser Permanente Privacy Practices. Members/patients may file complaints with Kaiser Permanente or with the Secretary of the U.S. Department of Health & Human Services.

2.2 Permissible Activities By Members/Patients, Personal Representatives and Others. In addition to the right to file a complaint, employees, physicians, other workforce members, associations, health plans, providers, health oversight agencies or advocacy groups, as well as members/patients and personal representatives, may:
2.2.1 Testify, assist or participate in an investigation, compliance review, proceeding or hearing related to the HIPAA Privacy Rule requirements;
2.2.2 Oppose any act or practice for which he or she:
2.2.2.1 Has a good faith belief that the practice is unlawful; and
2.2.2.2 Expresses that opposition in a reasonable manner; and
2.2.2.3 Does not disclose protected health information (PHI) in violation of the HIPAA Privacy Rule in making that opposition known.

2.3 Disclosures of PHI by Whistleblowers
A "whistleblower" (who may be a physician, employee or other member of the Kaiser Permanente workforce, or a business associate) may disclose PHI if he or she:
2.3.1 Holds a good faith belief that Kaiser Permanente has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by Kaiser Permanente potentially endanger one or more patients, workers, or the public; and
2.3.2 Makes the disclosure to:
2.3.2.1 A health oversight agency or public health authority authorized by law to investigate or oversee Kaiser Permanente conduct;
2.3.2.2 A health care accreditation organization to report the failure to meet professional standards; or
2.3.2.3 An attorney retained by or on behalf of the workforce member to determine the legal options of the workforce member with regard to the unlawful conduct.

2.4 No Retaliation
Kaiser Permanente cannot interfere with the lawful exercise of rights afforded to any member/patient, physician, employee, other member of the Kaiser Permanente workforce or any other person. Kaiser Permanente must not intimidate, threaten, coerce, discriminate against, or take any retaliatory action against any such person who lawfully exercises his or her rights under HIPAA.

2.5 Disciplinary Action
However, Kaiser Permanente can take disciplinary action, up to and including dismissal, or other legal or administrative action, against any employee, physician or other member of the Kaiser Permanente workforce or a business associate who discloses PHI in violation of the HIPAA Privacy Rule.

2.6 Other Permissible Actions by Kaiser Permanente
In addition, Kaiser Permanente can take appropriate action against any person who makes an unlawful disclosure of PHI, even if done when opposing a claimed improper privacy practice or violation. An unlawful disclosure would include disclosing PHI to the media, family, or friends, rather than to the Department of Health and Human Services.

3. KP-IT Procedure
Refer to KP-IT HR for assistance.

Sanctions by KP Against Workforce Members Who Fail to Comply

1. Policy Statement
Kaiser Permanente will impose appropriate sanctions against employees, physicians, and other members of its workforce who fail to comply with its privacy policies and procedures or the requirements of the HIPAA Privacy Rule.

2. Provisions of this Policy

2.1 Workforce Sanctions for Violation of Rule or Policy
2.1.1 Sanctions. KP will apply appropriate sanctions, up to and including dismissal, against employees, physicians, and other members of the workforce who fail to comply with the requirements of the HIPAA Privacy Rule or KP's privacy policies and procedures.
2.1.2 Factors Affecting Discipline. Some of the factors that may affect the discipline imposed include, as applicable:
2.1.2.1 Severity of the violation;
2.1.2.2 Whether the violation was intentional or unintentional;
2.1.2.3 Whether the violation was part of a pattern or practice of improper use or disclosure of PHI;
2.1.2.4 Nature of the violation;
2.1.2.5 The individual's past performance;
2.1.2.6 Knowledge of rules/warnings;
2.1.2.7 Consistent application of rules, including alleged discriminatory treatment;
2.1.2.8 Whether there was a full investigation and/or an opportunity for the individual to be heard;
2.1.2.9 Length of service; and
2.1.2.10 Other relevant circumstances, including relevant mitigating or exacerbating factors.

2.2 Circumstances When Sanctions May Not Be Imposed
KP will not discipline a "whistleblower" who acts in accordance with the "whistleblower" requirements under the HIPAA Privacy Rule.

2.3 Victims of Crimes
Workforce members may disclose a limited amount of PHI if they are victims of crimes and a member/patient is the suspected perpetrator.
2.3.1 However, such workforce members are not allowed access to PHI they are not otherwise entitled to see as part of their jobs.
2.3.2 In addition, the disclosure must be made to a law enforcement officer, and only about the suspected perpetrator of the crime. The victim may only disclose:
2.3.2.1 Name and address;
2.3.2.2 Date and place of birth;
2.3.2.3 Social Security Number;
2.3.2.4 Blood type (limited to A, B, AB, or O) and Rh factor;
2.3.2.5 Type of injury;
2.3.2.6 Date and time of treatment;
2.3.2.7 Date and time of death, if applicable; and
2.3.2.8 Description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or moustache), scars, and tattoos.
2.3.3 If the employee, physician, or other workforce member who is a victim of a crime discloses more than the above information or accesses PHI that they are not entitled to see, they may be subject to discipline.

2.4 Other Exceptions
Kaiser Permanente will not discipline any employee, physician, or other member of its workforce for properly filing a complaint with the Secretary of HHS or exercising other rights under the HIPAA Privacy Rule with respect to alleged unlawful activity by KP.

3. KP-IT Procedure
Refer to KP-IT HR for assistance.

Incident Reporting Procedure

How to Identify and Manage Incidents
There are four kinds of security incidents:
1. General emergency incidents
2. Behavioral security incidents
3. Electronic/computer security incidents
4. Physical security incidents

Identifying General Emergency Incidents
These incidents do not necessarily involve PHI and might occur at any time in any Kaiser facility. Examples of general emergencies are an armed intruder, fire, heart attack, chemical spill, etc.

Identifying Behavioral Security Incidents
These incidents are the result of actions on the part of workforce or non-workforce personnel that compromise data security or integrity. Examples of behavioral security violations include inappropriate use of electronic information, writing down or sharing passwords, not securing (locking or logging off) an unattended workstation, etc.

Identifying Electronic Security Incidents
These include any attempt, whether successful or not, to obtain unauthorized access to PHI or any other confidential information, to alter or damage the security of a computer or computing device, or to disrupt or negatively impact the ability of KP or one of its subsidiaries to conduct business electronically. Examples of electronic/computer security incidents include a computer virus, unauthorized access, inappropriate use of electronic information, etc.

Identifying Physical Security Incidents
A physical security incident is any attempt, whether successful or not, to obtain unauthorized physical access to PHI or any other confidential information, to alter or damage the physical security of a computer or computing device, or to disrupt or negatively impact the ability of Kaiser or one of its subsidiaries to conduct business physically. Examples of physical security incidents include a secured room left unsecured, medical records left unattended in an unsecured area, unsupervised maintenance, fire or water hazard, etc.

Reporting Procedures
To report a general emergency, first call 911, then notify your manager, if it is safe to do so.
To report a behavioral security incident, KP-IT personnel can notify their managers. Alternatively, call the Compliance Hotline number, 888-774-9100, and make an anonymous report.
To report an electronic security incident, call the National Help Desk (888-457-4872).
To report a physical security incident, call building security at your location.

What to do while you wait
Electronic Security Incident: do not log off or shut down the computer until the help desk authorizes you to do so. Logging off or powering down discards volatile evidence (running processes, open network connections, memory contents) that investigators may need.
Physical Security Incident: attempt to secure the area, if it is safe to do so. Do not allow anyone to move, alter or disturb any of the physical evidence at the incident site.