HIPAA Compliance Program for Family Care Network, Inc.

This is our plan for adherence to federal and state laws, and federal and state health care program requirements.

Important Note: Nothing stated herein should be substituted for, or used in lieu of, competent legal advice where necessary.



HIPAA Table of Contents

Introduction to HIPAA ... 1

Definitions ... 2

HIPAA Compliance Training Outline ... 3
    Three Basic Goals
    Summary of the HIPAA Rule
    Compliance Requirements
    What Will Change?

10 Step Quick Reference HIPAA (Privacy) Guide ... 5

Implementing HIPAA ... 6

Our Practice Information ... 7

Duties of Privacy/Compliance Officer ... 8

Our Compliance Committee ... 10

Compliance Committee Responsibilities ... 11

Our HIPAA Compliance Manual ... 12

HIPAA: Schedules and Basic Guidelines ... 13
    Covered Entities
    Compliance Schedule

Understanding Our HIPAA Program – An Overview ... 15

Authorization/Notice of Privacy Practices ... 16

Using the “Minimum Necessary” ... 18
    What Does Using the Minimum Necessary Really Mean?
    Sign-In Sheets
    When is Too Much Information Too Much?
    Limit Use & Disclosure of Patient Information
    Medical Residents, Students, Assistants and Other Medical Trainees
    Third Parties
    Disclosures to Federal and State Agencies
    Disclosure of an Entire Medical Record
    Remember the Concept of Reasonable Efforts
    Minimum Necessary Disclosure and Transaction Standards

Oral Communications ... 22
    Oral Communication – What Does This Mean?
    Frequently Asked Questions
    Basic Rules for Oral Communications About Patient Health Records
    Talking to Other Providers and Patients
    Calling Out Patient Names
    Reporting Non-Compliance Concerns
    Patient Access to Oral Information
    We Do Not Have to Document ALL Oral Communications

Patient’s Right of Access ... 26
    Covered Entities (CE) Obligations
    The CE Accepts the Request...
    The CE Denies the Request, In Whole or In Part
    Review

Business Associates and Privacy ... 28

Parents and Minors ... 29
    State Laws
    Parents and Their Children’s Medical Records
    Parental Consent
    Emergency Medical Care Without a Parent’s Consent
    Frequently Asked Questions

Patient Billing and Payments ... 32
    What Does That Mean?
    The Claim Form
    Helpful Hints
    Consumer Credit Reporting Agencies
    Debt Collection Agencies
    Location Information Services of Collection Agencies and the Fair Debt Collection Practices Act

Evaluate Office Security Measures ... 34

Selecting HIPAA-Worthy Passwords ... 35

HIPAA Violations and Enforcement ... 36
    Civil Penalties
    Criminal Penalties
    Covered Entity and Specified Individuals
    Knowingly
    Exclusion
    Enforcing Agencies
    No Private Cause of Action

Breach of PHI ... 38
    HITECH Act of 2009
    Procedure to Report a Breach
    Assessing the Breach
    Breach Notification to Individual Whose PHI was Breached

HIPAA Compliance Associate Agreement ... 41

HIPAA Compliance Signature Form ... 43

HIPAA Quiz for All Employees ... 45


Introduction to HIPAA

Enacted by Congress in 1996, the HIPAA Act included a series of “administrative simplification” provisions that required the Department of Health and Human Services (HHS) to adopt national standards for electronic health care transactions.

How will this improve the efficiency and effectiveness of the health care system in the United States? By ensuring consistency throughout the industry, these national standards will make it easier for health plans, physicians, hospitals and other health care providers to process claims and other transactions electronically. This consistency is badly needed due to the countless variations in the way health care companies and individuals process patient records, claims, services, etc. It is particularly important because of the electronic processing age that we live in.

The other key component of HIPAA, requiring security and privacy standards, has been created in order to protect personal health information. HHS is issuing the following regulations; some have already been issued as final rules and others are still in development:

• Electronic health care transactions (final rule issued);

• Medical privacy (final rule issued);

• Security requirements (final rule issued);

• Unique identifier for employers (final rule issued);

• Unique identifier for providers (proposed rule issued; final rule in development);

• Unique identifier for health plans (proposed rule in development);

• Enforcement procedures (final rule issued).

As you can see, many of the HIPAA rules are in process and the guidelines and rules are changing as the government gets feedback from the industry. One of the main objectives of the privacy guidelines is to help ensure fair and equal health care. Privacy will help everyone attain fair insurance coverage and avoid discrimination in other areas of our lives. In addition, we feel strongly that protecting the privacy of our patients’ health records is an ethical obligation of our profession.

In addition, Congressional researchers have concluded that uniform national standards will save billions of dollars each year for health care businesses by lowering the costs of developing and maintaining software and reducing the time and expense needed to handle health care transactions.

While this is all very good, the initial planning and implementation of HIPAA rules will take time and resources, and may be a bit confusing in the initial stages. Once everyone is on board and the national standards are clear and in use, it makes sense that all phases of health care and our practice will benefit from these rules.

Definitions

In order to make sense of the HIPAA rules, first a few definitions are in order. In the sense that they are used in the HIPAA regulations, privacy and security are closely linked, so it’s important for you to understand the difference:

Privacy

The Department of Health and Human Services describes privacy as the patient’s right over the use and disclosure of his or her own protected health information. Privacy includes the right to determine when, how and to what extent personal information is shared with others. The HIPAA privacy rules grant new rights to patients to gain access to and control the use and disclosure of their personal health information. There are many reasons this new need for privacy has come about, but the core reason is that patient records are no longer tucked neatly away in a single family physician’s filing cabinet. This is closely related to the factors that have caused a need for additional security.

Security

Security guidelines refer to the specific measures a health care entity must take to secure protected health information from unauthorized breaches of privacy, such as might occur if information is stolen or sent to the wrong person in error. Security also includes measures taken to ensure against the loss of integrity of protected health information, such as might occur if patients’ records are lost or destroyed by accident. The HIPAA privacy rules require general security measures to be put in place. The proposed security rules prescribe a detailed and comprehensive set of activities to guard against unauthorized disclosure of protected health information, whether stored, transmitted electronically, or put on paper.

So as you can see, security and privacy are closely related, but we treat them separately. You will discover by studying this manual that we must keep our records not only secure, but private.

Protected Health Information (PHI)

There’s one more definition that will help you as you learn about HIPAA:

It is easy to fall into the trap of thinking that the ideas of security and privacy apply only to a written document. Throughout this manual, keep in mind that what you say to another person about a patient is just as protected as what you write or send electronically. This is a key HIPAA term: protected health information (PHI), which is the HIPAA term for health information in any form (i.e., paper, electronic or verbal) that personally identifies a patient.

HIPAA Compliance Training Outline

HIPAA IS: Health Insurance Portability and Accountability Act (effective April 14, 2003).

Three Basic Goals

1. Protect patients’ medical privacy.

2. Maintain patient information and billing processes in compliance with national standards.

3. Provide appropriate security of our patient records.

That’s it. These three principles are the heart and soul of HIPAA for our agency. If you as an employee will keep these three goals in mind as you carry out your duties, we will progressively achieve compliance with the HIPAA Act.

For the most part we already comply with the HIPAA requirements. We will add some new procedures to ensure confidentiality of PHI (Protected Health Information) as well as all confidential client and employee information. The changes will be most prominent in electronic storage and transfer of information and new required documentation with new forms and agreements.

Summary of the HIPAA Rule

1. Sets boundaries on the use and release of health records.

2. Establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of others.

3. Holds violators accountable with civil and criminal penalties if they violate patients’ privacy rights.

4. Strikes a balance when public responsibility requires disclosure of some forms of data (i.e.: to protect public health).

5. For patients - being able to make informed choices when seeking care and reimbursement for care based on how personal health information may be used.

6. Enables patients to find out how their information may be used and what disclosures of their information have been made.

7. Generally limits release of information to the minimum reasonably needed for the purpose of disclosure.

8. Gives patients the right to examine and obtain a copy of their own health records and request corrections.

Compliance Requirements

1. Choose a Compliance Officer - Jonathan Nibbio and Co-Officer Julianna White

2. Choose a Compliance Committee - Jim Roberts, Jonathan Nibbio, Bobbie Boyer

3. Distribute Compliance Manual to all employees and train employees

4. Have each employee sign the Employee Compliance Signature Form

5. Have each employee complete the HIPAA quiz and complete the training log

6. Post the 10 Step Quick Reference Guide

7. Begin using the Privacy Practices Forms Today (must be signed by each client’s personal representative – parent or county social worker)

8. Obtain a baseline audit of your privacy rules against HIPAA regulations


What Will Change?

Training: All employees will receive a Compliance Program manual and be required to read it, take a quiz, sign a Compliance form, and be required to comply with all regulations.

All Emails: Will only include confidential client information when reasonably necessary to perform required duties, using the “minimum necessary” benchmark when disclosing information.

Outside Emails: All outside e-mails, with or without PHI will have a disclaimer attachment automatically added to the e-mail.

Outside Emails containing confidential client information or PHI: Will need to be sent zipped and with password protection. Individual staff will be given this ability based on need.

Computers: New password criteria will be implemented, including limited access to client records.

Confidential Client Information: Will only be discussed in closed door settings and only with staff who have a need to know.

Notices: Will be posted in all client waiting areas (Promise of Privacy) and staff break areas (10 Step Guide).

Notice of Privacy Practices: All clients or their “Personal Representative” (parent or county social worker) will sign a Notice of Privacy Practices form before we provide services. This only needs to be completed once per client.

Resource Parents, Shelter and Respite Providers, Volunteers and Mentors: Will need to sign a Compliance Associate Agreement to be placed in their file. HIPAA requires one form per participant.

10 Step Quick Reference HIPAA (Privacy) Guide

1. Use lowered voice for all verbal communication that might disclose personal health information.

2. Never “call out” any information that might be considered as personal, e.g. tests required or taken, test results, medications, devices used, etc.

3. Do not allow computer screens to be viewed, intentionally or unintentionally, by unauthorized persons.

4. Exit all programs that might contain personal health information when leaving a computer workstation for a period of time.

5. Be certain that “sign-in” sheets do not require “reason for visit” information.

6. All chart holders must effectively obscure patient information.

7. All email, written, and faxed PHI must be clearly marked “confidential” and contain a privacy warning.

8. Never leave files or folders open or unattended. Filing cabinets, etc. containing PHI must be secured and locked.

9. Do not share computer passwords. Change them regularly.

10. Take every precaution to control personal health information.


Implementing HIPAA

Each FCNI employee carrying a case is responsible for the following:

Existing Clients

Notice of Privacy Practice

FFA/969/SHELTER/CALM/THPP – Notice of Privacy Practice needs to be signed by the client’s “Personal Representative”: The Personal Representative is the person who signed the client’s placement agreement, or for 3632 placements the Personal Representative is the parent or guardian. The Notice of Privacy Practice needs to be placed in the client file.

TBS/WRAP/IBS/IPC/ICD/OPC – Notice of Privacy Practice needs to be signed by the client’s “Personal Representative”: The Personal Representative is the client’s parent or legal guardian. The Notice of Privacy Practice needs to be placed in the client file.

HIPAA Compliance Associate Agreement

FFA/969/SHELTER/CALM/THPP: HIPAA Compliance Associate Agreement needs to be signed by the following:

• Resource Parents

• Shelter Parents

• Respite Providers

• THPP RA’s

HIPAA Compliance Signature Form

All FCNI employees, independent contractors, interns, mentors and volunteers need to be issued the following:

• HIPAA Compliance Manual

• HIPAA Compliance Signature Form

• HIPAA Compliance Quiz

The signature form and quiz need to be maintained in the individual’s file.


Our Practice Information

Name of Practice: Family Care Network, Inc.

Address: 1255 Kendall Road

City: San Luis Obispo State: California Zip: 93401

Phone: (805) 781-3535 Fax: (805) 503-6499 Email: [email protected]

Our Compliance Officer and Compliance “Hotline”

The Office of the Inspector General recognizes that it may not be financially feasible for a small physician’s office to maintain a telephone hotline dedicated to receiving calls solely on Compliance issues. These practices may explore alternative methods, such as contracting with an independent source to provide hotline services or establishing a written method of confidential disclosure. If a person has a complaint or question regarding their Medicare/Medicaid services or billing they should call the following phone number and ask for the following person (this is usually the Compliance Officer’s phone number in small practices):

Name and Title: Jonathan Nibbio (Lead Compliance Officer), Julianna White (Co-Compliance Officer)

Firm: Family Care Network, Inc.

Address: 1255 Kendall Road

City: San Luis Obispo State: California Zip: 93401

Phone: (805) 781-3535 Fax: (805) 503-6499 Email: [email protected]


Duties of Privacy/Compliance Officer

This person serves as the focal point for compliance activities with regard to planning, implementing, and monitoring our compliance program.

Compliance with HIPAA policies is one of the many responsibilities this person has in our office. Our Privacy/Compliance Officer has authority to direct supervised personnel in our office as to the proper procedures to enable Compliance with HIPAA policies. Our Compliance Officer has direct access to management.

Our Privacy/Compliance Officer is responsible for the following:

• Coordinates privacy/compliance activities, which include development, implementation, maintenance and adherence to policies and procedures on patient privacy, confidentiality and release of patient information

• Reviews new or revised laws and regulations pertaining to the privacy rules to determine if new policies or modifications of current policies are needed

• Conducts assessments and internal privacy audits

• Participates in the development, implementation, and ongoing compliance monitoring of all business associate agreements to ensure all privacy concerns, requirements, and responsibilities are addressed

• Ensures the practice has and maintains an updated privacy notice and utilizes the authorization form when necessary

• Establishes, with management and operations, a mechanism to track access to protected health information and to allow qualified individuals to review or receive a report on such activity within the purview of the Medical office and as required by law

• Ensures compliance with privacy practices and consistent application of sanctions for failure to comply with privacy policies for all individuals in the organization’s workforce

• Works with all practice personnel involved with any aspect of release of protected health information, to ensure full coordination and cooperation under the practice policies and procedures and legal requirements

• Cooperates with the Office of Civil Rights, other legal entities, and organization officers in any compliance reviews or investigations

• Establishes and administers a process for receiving, documenting, tracking, investigating, and taking action on all complaints concerning the organization’s privacy policies and procedures in coordination and collaboration with other similar functions and, when necessary, legal counsel

• Manages patient requests for amendments and requests for changes to their medical record

• Assists the clinic’s financial management in coordinating internal Compliance review and monitors activities, including annual or periodic reviews of the practice

• Independently investigates and acts on matters related to Compliance, including the flexibility to design and coordinate internal investigations (e.g. responding to reports of problems or suspected violations) and any resulting corrective action with all employees, providers and sub-providers, agents; and if appropriate, independent contractors

• Develops policies and programs that encourage managers and employees to report suspected improprieties without fear of retaliation.

Our Privacy/Compliance Officer has the authority to review all documents and other information that are relevant to Compliance activities, including, but not limited to, patient records, billing records, and records concerning the marketing efforts of our clinic and our clinic’s arrangements with other parties. This includes employees, professionals on staff, independent contractors, suppliers, agents, and clinic-based doctors, etc. This policy enables the Compliance Officer to review contracts and obligations (seeking the advice of our legal counsel, where appropriate) that may contain issues that could violate HIPAA provisions and other legal or regulatory requirements.


Our Compliance Committee

The Doctor(s)/Owner(s) etc. constitute a “Compliance Committee” (this can be a Committee of one) and will advise the Compliance Officer and assist in the implementation of the Compliance Program.

Name and Title: Jim Roberts, CEO

Firm: Family Care Network, Inc.

Address: 1255 Kendall Road

City: San Luis Obispo State: California Zip: 93401

Phone: (805) 781-3535 Fax: (805) 503-6499 Email: [email protected]

Name and Title: Jon Nibbio, COO

Firm: Family Care Network, Inc.

Address: 1255 Kendall Road

City: San Luis Obispo State: California Zip: 93401

Phone: (805) 781-3535 Fax: (805) 503-6499 Email: [email protected]

Name and Title: Bobbie Boyer, Director of Administrative and Financial Services

Firm: Family Care Network, Inc.

Address: 1255 Kendall Road

City: San Luis Obispo State: California Zip: 93401

Phone: (805) 781-3535 Fax: (805) 503-6499 Email: [email protected]

Compliance Committee Responsibilities

The physician(s)/owner(s) and certain outside counsel to our clinic constitute an informal “compliance review committee” (this can be a committee of one) and will advise the compliance officer and assist in the implementation of the compliance program.

The Committee’s functions include:

• Analyzing the clinic’s industry environment, the legal requirements with which it must comply, and specific risk areas

• Assessing existing policies and procedures that address these areas for possible incorporation into the Compliance Program

• Working with appropriate employees to develop standards of conduct and policies and procedures to promote Compliance with our clinic’s program

• Recommending and monitoring the development of internal systems and controls to carry out the organization’s standards, policies, and procedures as part of its daily operations

• Determining the appropriate strategy/approach to promote Compliance with the program and detection of any potential violations, such as through hotlines and other fraud reporting mechanisms

• Developing a system to solicit, evaluate and respond to complaints and problems

Our HIPAA Compliance Manual

A Plan to Help Our Employees Comply with the HIPAA Act

Warning: We are serious about following HIPAA rules. Not only because of our desire to comply in order to help patients and the industry, but also because HIPAA calls for severe civil and criminal penalties for noncompliance, including:

• fines up to $25K for multiple violations of the same standard in any calendar year

• fines up to $250K and/or imprisonment up to 10 years for knowing misuse of individually identifiable health information

Our Three Basic HIPAA Goals

The purpose of this manual is to teach our employees skills that will help them to comply with the Health Insurance Portability and Accountability Act of 1996. The name “Health Insurance Portability and Accountability Act (HIPAA)” does not completely describe what this act is about. In this manual we will try to simplify the key elements of HIPAA. Congress has stated that the goal of HIPAA is to improve the efficiency and effectiveness of the health care system in the United States.

While there are many facets of HIPAA, in reality all elements of the HIPAA Act revolve around three key sets of standards that will affect our practice. In summary here is our program for HIPAA compliance:

1. We strive to comply with HIPAA guidelines by learning to protect our patient’s medical privacy.

2. We strive to comply with HIPAA guidelines by appropriately maintaining our patient information and billing processes in compliance with national standards.

3. We strive to comply with HIPAA guidelines by providing appropriate security of our patient records.

That’s it! Those three principles are the heart and soul of HIPAA for our practice. If you as an employee will keep these three goals in mind as you carry out your duties, we will progressively achieve compliance with the HIPAA Act.

HIPAA: Schedules and Basic Guidelines

As a result of our free market health care system in the United States, medical plans, hospitals, pharmacies, dentists, doctors and other health care entities use a wide array of systems to process and track health care bills and other information. Doctors’ offices that treat patients with many different types of health insurance understand the vast time and money that is spent ensuring that each claim contains the format, codes and other details required by each insurer. Similarly, health plans spend time and money to ensure their systems can handle transactions from various health care providers, employers and other businesses or entities.

The goal of HIPAA is to provide a wide array of provisions designed to make health insurance more affordable and accessible. With support from health plans, hospitals and other health care businesses, Congress included provisions in HIPAA to require HHS to adopt national standards for certain electronic health care transactions and security. HIPAA also set a three-year deadline for Congress to enact comprehensive privacy legislation to protect medical records and other protected health information.

Although at times it may seem tedious for our office to comply with these guidelines, in the long run our interactions with other health care entities and insurance providers will benefit from this standardization. While the rules are still in a state of flux, and the entities involved and compliance schedules are changing, one rule is clear: It is important to be moving toward HIPAA compliance regarding our office plan in order to show good effort in that direction.

The Department of Health and Human Services has given the following guidelines regarding HIPAA.

Covered Entities

In HIPAA, Congress required health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions electronically (such as eligibility, referral authorizations and claims) to comply with each set of final standards. Other businesses may voluntarily adopt the standards, but the law does not require them to do so.

Compliance Schedule

Under the law, most covered entities have two years to comply with each set of HIPAA standards once the final regulation takes effect, and small health plans have an additional year to comply. For most covered entities, compliance is required by Oct. 16, 2002 (Oct. 16, 2003 if an extension is filed), for the electronic transaction rule, and by April 14, 2003, for the health information privacy rule and April 21, 2005 for the security rule. Congress set the schedule for compliance in the law itself. As described below, some of the dates described herein have been or will be changed by Congress as they obtain industry feedback.

As of August 14, 2002, the following modifications to the final rule were made:

• Consent: Now voluntary, not mandatory.

• Authorizations: The Privacy Rule requires patient authorization for non-TPO uses of Protected Health Information.

• Notice of Privacy Practices: Direct treatment providers are obligated to make a good faith attempt to obtain an individual’s written acknowledgement of receipt of the Notice of Privacy Practices (NPP). The NPP must be provided on or before the first delivery of service, except in emergency situations.

• Limited Data Sets: The limited data sets are used for the purpose of research, public health, or health care operations. They do not include direct identifiers such as name, street address, telephone, and social security number and may only be used or disclosed subject to the terms of a data use agreement.


• Marketing: The Privacy Rule limits the circumstances in which covered entities may use PHI for marketing purposes without prior authorization for such use and disclosure.

• Minimum Necessary: Covered entities can implement policies and procedures based upon their own assessment of what is reasonably necessary to be disclosed for any particular purpose.

• Incidental Disclosures: The Privacy Rule explicitly permits certain incidental uses and disclosures. Incidental uses and disclosures are permissible only to the extent that reasonable safeguards have been used and, where applicable, the minimum necessary standard has been implemented. Examples of incidental disclosures are when a patient or other person happens to see PHI of other patients on sign-in sheets in waiting rooms, patient charts at bedside, X-ray light boards or empty prescription vials.

• Hybrid Entities: A separate legal entity that performs both covered and non-covered entity functions with designated health care components.

• Employment Record: When an employee authorizes disclosure of PHI to his employer to substantiate sick leave, etc., those records then become part of the employment record and are no longer considered PHI.

• Unemancipated Minors: The Privacy Rule clarifies that providers should follow their own State Laws including statutes, regulations and case law.

• Research: The Privacy Rule simplifies the requirements for research authorizations and the criteria for waivers of authorizations. Less specificity is required with respect to the expiration date for the uses and disclosures in connection with research. “None” may be used as the expiration date in any research study.

• Security: The Department of Health and Human Services (HHS) has published the final Security Rule. Its effective date is April 21, 2003, and the compliance deadline is April 21, 2005. They state, “A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.”


Understanding Our HIPAA Program – An Overview

The Department of Health and Human Services has said that the training requirement for the HIPAA rule may be satisfied by a small medical practice providing each new member of the workforce with a copy of its privacy policies and documenting that new members have reviewed the policies, whereas a large health plan may provide training through live instruction, video presentations, or interactive software programs.

Summary of the HIPAA Rule

1. It sets boundaries on the use and release of health records.

2. It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.

3. It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights.

4. It strikes a balance when public responsibility requires disclosure of some forms of data – for example, to protect public health.

5. For patients - it means being able to make informed choices when seeking care and reimbursement for care based on how protected health information may be used.

6. It enables patients to find out how their information may be used and what disclosures of their information have been made.

7. It generally limits release of information to the minimum reasonably needed for the purpose of the disclosure.

8. It gives patients the right to examine and obtain a copy of their own health records and request corrections.

Our goal in reviewing and updating our privacy standards centers on these components of the final rule. In all that we do in connection with patient records we should keep in mind the above principles.

Authorization/Notice of Privacy Practices

An authorization is a customized document that gives covered entities permission to use specified PHI for specified purposes, which are generally other than TPO, or to disclose PHI to a third party specified by the individual. Covered entities may not condition treatment or coverage on the individual providing an authorization. An authorization is detailed. It covers only the uses and disclosures and only the PHI stipulated in the authorization; it has an expiration date; and, in some cases, it also states the purpose for which the information may be used or disclosed.

An authorization is required for use and disclosure of PHI not otherwise allowed by the rule. In general, this means an authorization is required for purposes that are not part of TPO and not described in detail in the Rule - 164.512 (uses and disclosures that require an opportunity for the individual to agree or to object) or in the Rule - 164.512 (uses and disclosures for which consent, authorization, or an opportunity to agree or to object is not required). Situations in which an authorization is required for TPO purposes are identified and discussed in the next section.

All covered entities, not just direct treatment providers, must obtain an authorization to use or disclose PHI for these purposes. For example, a covered entity would need an authorization from individuals to sell a patient mailing list, to disclose information to an employer for employment decisions, or to disclose information for eligibility for life insurance.

The Privacy Rule requires providers to obtain authorization to use or disclose PHI maintained in psychotherapy notes for treatment by persons other than the originator of the notes, for payment, or for health care operations purposes, except as specified in the Privacy Rule (45 CFR §164.508(a)(2)).

The Notice of Privacy Practices (NPP) is used in lieu of the consent form. Direct care providers are obligated to make a good faith attempt to obtain an individual’s written acknowledgement of receipt of the NPP. It must be provided on or before the first delivery of service, except in emergency situations. Even if the individual fails to return the acknowledgement to the provider, the provider will be deemed to have made the required “good faith” attempt to obtain the written acknowledgement. There are certain required elements that the NPP must contain. The patient must receive a complete version of the NPP. The provider must display the entire NPP in a prominent place in the practice office.

The Privacy Notice & Acknowledgment

This is the most important aspect of HIPAA compliance, yet you will see that there is a catch-22, and we will explain it to you!

What is a Notice of Privacy?

The Notice of Privacy Practices describes how we may use and disclose patients’ protected health information to carry out treatment, payment or health care operations and for other purposes that are permitted or required by law. It also describes the patient’s rights to access and control their protected health information. “Protected Health Information” or PHI is information about your patient, including demographic information, that may identify them and that relates to their past, present or future physical or mental health or condition and related health care services. We must provide this notice to them no later than the date of the first service delivery, including service delivered electronically.

Very Very Important!!

Please refer to the sample notice of privacy in the form section of your book. If you believe your office does something that is not covered in our notice of privacy, make sure you amend the sample provided for you.

Notices of Privacy Practices

You are required to abide by the terms of this Notice of Privacy Practices. We may change the terms of our notice at any time. The new notice will be effective for all protected health information that we maintain at that time. Upon the patient’s request, we will provide them with any revised Notice of Privacy Practices. The patient may request that a revised copy be sent to them in the mail or ask for one at the time of their next appointment. We must post the notice in our office in a clear and prominent location where it is reasonable to expect that any patients seeking service from us will be able to read the notice.

What does this really mean?

Hang your notice of privacy in a clearly marked place. The final Rule states, in Sec. 164.520(c)(2)(ii), the requirement (as originally proposed) that a covered provider with a direct treatment relationship with an individual make a good faith effort to obtain the individual’s written acknowledgment of receipt of the notice of privacy practices.

Using the “Minimum Necessary”

What Does “Using the Minimum Necessary” Really Mean?

When using PHI, you make a reasonable effort to limit the use and disclosure of PHI to the minimum necessary for TPO (treatment, payment or health care operations).

As a general rule, our practice feels that the term is self-explanatory. Whenever you are dealing with patient health care information always review and/or disclose the minimum necessary information in order for our patients to get the best health care possible.

HHS has declared that health care workers must take reasonable steps to limit the use or disclosure of, and requests for, protected health information (PHI) to the minimum necessary to accomplish the intended purpose. The minimum necessary provisions do not apply to the following:

• Disclosures to or requests by a health care provider for treatment purposes.

• Disclosures to the individual who is the subject of the information.

• Uses or disclosures made pursuant to an authorization requested by the individual.

• Uses or disclosures required for compliance with the standardized Health Insurance Portability and Accountability Act (HIPAA) transactions.

• Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the rule for enforcement purposes.

• Uses or disclosures that are required by other law.

If you ever have questions regarding your access to patient information please ask our HIPAA Compliance Officer.

Sign-In Sheets

HHS did not intend the Privacy Rule to prohibit the use of sign-in sheets in medical offices. Sign-in sheets are perfectly permissible as long as the only information listed on them is the patient’s name, appointment time, and the patient’s time of arrival for the appointment.

When is too much information too much?

What if you are in a situation where you believe that a request for patient information is seeking more than the minimum necessary PHI? If this occurs, the Privacy Rule requires you to limit the disclosure to the minimum necessary, using a reasonable effort to limit patient information while providing the best care for the patient. The rule actually does permit you to rely on the judgment of the person requesting the information. But it says that the reliance must be reasonable. It even says that despite your concerns you may make the disclosure as requested, again, if it is reasonable.

Keep in mind that nothing in the Privacy Rule prevents you from discussing your concerns with the person making the request, and negotiating an information exchange that meets the needs of both parties. If you have real concern about a request, contact our Compliance Officer.

The most difficult situations are when a non-routine disclosure is needed. As a general rule, these special situations should be discussed with our HIPAA Compliance Officer. In these cases we want to be especially vigilant that we determine and limit disclosure to only the minimum amount of PHI necessary to accomplish the purpose of the non-routine disclosure.

HHS has said that in certain circumstances, the Privacy Rule permits a covered entity to rely on the judgment of the party requesting the disclosure as to the minimum amount of information that is needed. Such reliance must be reasonable under the particular circumstances of the request. This reliance is permitted when the request is made by:

• A public official or agency for a disclosure permitted under §164.512 of the rule.

• Another covered entity.

•A professional who is a workforce member or business associate of the covered entity holding the information.

• A researcher with appropriate documentation from an Institutional Review Board (IRB) or Privacy Board.

The rule does not require such reliance, however, and the covered entity always retains discretion to make its own minimum necessary determination for disclosures to which the standard applies.

Limit Use & Disclosure of Patient Information

HHS has said that each health care entity must determine its own set of standards for minimum necessary use and disclosure of patient information. The Privacy Rule requires a covered entity to make reasonable efforts to limit use, disclosure of, and requests for PHI to the minimum necessary to accomplish the intended purpose. To allow covered entities the flexibility to address their unique circumstances, the rule requires covered entities to make their own assessment of what PHI is reasonably necessary for a particular purpose, given the characteristics of their business and workforce. This is not a strict standard and covered entities need not limit information uses or disclosures to those that are absolutely needed to serve the purpose. Rather, this is a reasonableness standard that calls for an approach consistent with the best practices and guidelines already used by many providers today. This will limit the unnecessary sharing of medical information.

We must evaluate our practice and enhance protections as needed to prevent unnecessary or inappropriate access to PHI. If you have any suggestions as to how we can better limit access to and disclosure of our patient information, please bring this information to our HIPAA Compliance Officer. The minimum necessary standard is intended to reflect and be consistent with, not override, professional judgment and standards. We want to appropriately limit access to protected health information without sacrificing the quality of health care that we offer.

There are some who worry that the minimum necessary restrictions impede the delivery of quality health care by preventing or hindering necessary exchanges of patient medical information among health care providers involved in treatment. We want to remind our employees that disclosures for treatment purposes (including requests for disclosures) between health care providers are explicitly exempted from the minimum necessary requirements. The Privacy Rule provides our practice with substantial discretion as to how to implement the minimum necessary standard, and appropriately and reasonably limit access to the use of the health information concerning our patients. The rule recognizes that we are in the best position to know and determine who in our workforce needs access to protected health information to perform their jobs.

Medical Residents, Students, Assistants and Other Medical Trainees

The minimum necessary requirements do not prohibit medical residents, students, assistants and other medical trainees from accessing patients’ medical information in the course of their training. The definition of “health care operations” in the rule provides for “conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers.”

Third Parties

The minimum necessary concept does not need to be applied to disclosures to third parties that are authorized by an individual, unless the authorization was requested by a covered entity for its own purposes. The Privacy Rule exempts from the minimum necessary requirements most uses or disclosures that are authorized by an individual. This includes authorizations covered entities may receive directly from third parties, such as life, disability, or casualty insurers pursuant to the patient’s application for or claim under an insurance policy. For example, if a covered health care provider receives an individual’s authorization to disclose health information to a life insurer for underwriting purposes, the provider is permitted to disclose the information requested on the authorization without making any minimum necessary determination. The authorization must meet the requirements of HIPAA and, again, minimum necessary does apply to authorizations requested by the covered entity for its own purposes.

Disclosures to Federal and State Agencies

We are not required to make a minimum necessary determination to disclose to federal or state agencies, such as the Social Security Administration (SSA) or its affiliated state agencies, or for individuals’ applications for federal or state benefits. These disclosures must be authorized by an individual and, therefore, are exempt from the minimum necessary requirements. HHS has said further that use of the provider’s own authorization form is not required. Providers can accept an agency’s authorization form as long as it meets the requirements of §164.508 of the rule. For example, disclosures to SSA (or its affiliated state agencies) for purposes of determining eligibility for disability benefits are currently made subject to an individual’s completed SSA authorization form. After the compliance date, the current process may continue subject only to modest changes in the SSA authorization form to conform to the requirements in the rule.

Disclosure of an Entire Medical Record

HHS has said that the Privacy Rule does not prohibit use, disclosure, or requests of an entire medical record. As with all of our policies, the balance is to keep the patient’s health care utmost in your mind while at the same time divulging the minimum information about the patient that is necessary for their best care. HHS has also said that a covered entity may use, disclose, or request an entire medical record without a case-by-case justification if the covered entity has documented in its policies and procedures that the entire medical record is the amount reasonably necessary for certain identified purposes. For this reason it is important that you are aware of those persons or classes of person in our workforce that need to see the entire medical record and the conditions, if any, that are appropriate for such access. Our HIPAA Compliance Officer can help identify our policies and procedures for routine disclosures and requests as well as the criteria used for non-routine disclosures that would identify the circumstances under which disclosing or requesting the entire medical record is reasonably necessary for particular purposes. Our compliance officer can clarify criteria to assist you in determining when to request the entire medical record. With this in mind, it is clear that the Privacy Rule does not require that a justification be provided with respect to each distinct medical record. Keep in mind that no justification is needed in instances where the minimum necessary standard does not apply, such as disclosures to or requests by the health care provider for treatment or disclosures to the individual.

Remember the Concept of Reasonable Efforts

When HHS was asked whether health care practices are required to completely restructure existing workflow systems, including redesigns of office space and upgrades of computer systems, in order to comply with the minimum necessary requirements, the answer was no. The Rule says that the basic standard for minimum necessary uses requires that covered entities make reasonable efforts to limit access to PHI to those in the workforce that need access based on their roles in the covered entity. The Department generally does not consider facility redesigns as necessary to meet the reasonableness standard for minimum necessary uses.

On the other hand, HHS has said that health care providers may need to make certain adjustments to their facilities to minimize access, such as isolating and locking file cabinets or records rooms, or providing additional security, such as passwords, on computers maintaining personal information. If you find any situations in our offices where you feel that our patient information is not secure, please contact your supervisor.

In this light, HHS has said that we should take into account our ability to configure our record systems to allow access to only certain fields, and the practicality of organizing systems to allow this capacity. HHS has said that it may not be reasonable for a small, solo practitioner with a largely paper-based records system to limit access to certain employees. Alternatively, a hospital with an electronic patient record system may reasonably implement such controls, and therefore, may choose to limit access in this manner to comply with the rule. This is what is meant by reasonable efforts.

Regarding patient medical charts in the operatory, empty prescription vials, and X-ray light boards, HHS has indicated that specific workplace practices need to remain as they have been developed over the years in order to maintain proper patient care and reasonable workflow. The minimum necessary standards do not prohibit us from maintaining patient medical charts in the operatory, nor do they require that we shred empty prescription vials, or require that X-ray light boards be isolated.

We must, in accordance with other provisions of the Privacy Rule, take reasonable precautions to prevent inadvertent or unnecessary disclosures. For example, while the Privacy Rule does not require that X-ray boards be totally isolated from all other functions, it does require us to take reasonable precautions to protect X-rays from being accessible to the public.

Minimum Necessary Disclosure and Transactions Standards

HHS has said that the minimum necessary standard does not conflict with the Transactions standards and that minimum necessary does not specifically apply to the standard transactions. This is because the Privacy Rule exempts from the minimum necessary standard any uses or disclosures that are required for compliance with the applicable requirements of the subchapter. This includes all data elements that are a situational requirement in the standard transactions. In a way, the Transactions standards guide you to give the right information. However, in many cases, covered entities have significant discretion as to the information included in these transactions. This standard does apply to those optional data elements.

Oral Communications

As mentioned earlier in this manual, HHS has stated that the Privacy Rule applies to individually identifiable health information in all forms, electronic, written, oral, and any other. Coverage of oral (spoken) information ensures that information retains protections when discussed or read aloud from a computer screen or a written document. This makes sense because if oral communications were not covered, any health information could be disclosed to any person, so long as the disclosure was spoken.

Oral Communication - What does this mean?

It is simple really!! You should always use the minimum necessary oral information for best health care and do it quietly.

In particular with oral communications, we require that employees be discreet when talking to or about patients. Be aware of who is in the area, and who could listen in. Because we discuss health care issues all day, it may be easy to assume a patient is not private about this information. Always assume the patient wants the minimum number of ears to hear the minimum necessary information about their health care.

Frequently Asked Questions

Q: How are Medical Offices expected to determine what is the minimum necessary information that can be used, disclosed, or requested for a particular purpose?

A: The Privacy Rule requires the doctor to make reasonable efforts to limit use, disclosure of, and requests for PHI to the minimum necessary to accomplish the intended purpose. To allow the doctor the flexibility to address their unique circumstances, the rule requires the doctor to make their own assessment of what PHI is reasonably necessary for a particular purpose, given the characteristics of their business and workforce, and to implement policies and procedures accordingly. This is not a strict standard and the doctor need not limit information uses or disclosures to those that are absolutely needed to serve the purpose. Rather, this is a reasonableness standard that calls for an approach consistent with the best practices and guidelines already used by many providers today to limit the unnecessary sharing of medical information.

The minimum necessary standard is intended to make the doctor evaluate their practices and enhance protections as needed to prevent unnecessary or inappropriate access to PHI. It is intended to reflect and be consistent with, not override, professional judgment and standards. Therefore, we expect that the doctor will utilize the input of prudent professionals involved in health care activities when developing policies and procedures that appropriately will limit access to personal health information without sacrificing the quality of health care.

Q: Won’t the minimum necessary restrictions impede the delivery of quality health care by preventing or hindering necessary exchanges of patient medical information among health care providers involved in treatment?

A: No. Disclosures for treatment purposes (including requests for disclosures) between health care providers are explicitly exempted from the minimum necessary requirements.

The Privacy Rule provides the provider with substantial discretion as to how to implement the minimum necessary standard, and appropriately and reasonably limit access to the use of identifiable health information within the covered entity. The rule recognizes that the provider is in the best position to know and determine who in its workforce needs access to personal health information to perform their jobs. Therefore, the provider can develop role-based access policies that allow its health care providers and other employees, as appropriate, access to patient information, including entire medical records, for treatment purposes.
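The role-based access policy described in this answer, and the field-level record configuration mentioned under “Remember the Concept of Reasonable Efforts,” can be expressed directly in a record system. The following Python is an added example and is not code or policy from Family Care Network or from HHS; the roles, purposes, field groupings, policy table and sample record are all constructed for illustration and would in practice be derived from the practice’s own written policies. It shows the treatment exemption (a physician’s treatment view is the whole record), the separate authorization needed for psychotherapy notes, a front-desk view limited to what a sign-in sheet may carry, fail-closed handling of any role/purpose pair the policy does not define, and a log that supports a patient’s request for an accounting of disclosures.

```python
"""Role- and purpose-based filtering of a patient record to the minimum
necessary fields, with an accounting-of-disclosures log.

Added example; not code from the Family Care Network manual. The roles,
purposes, field groupings and the sample record are constructed for
illustration and would come from a practice's own written policies.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Constructed field groupings for one patient record.
DEMOGRAPHIC = frozenset({"name", "dob", "address", "phone"})
SCHEDULING = frozenset({"appointment_time", "arrival_time"})
CLINICAL = frozenset({"diagnoses", "medications", "allergies", "progress_notes"})
BILLING = frozenset({"insurance_id", "balance", "procedure_codes"})
# Psychotherapy notes carry their own restriction (45 CFR 164.508(a)(2)):
# anyone other than the author needs an authorization to use them.
PSYCHOTHERAPY = frozenset({"psychotherapy_notes"})
ALL_FIELDS = DEMOGRAPHIC | SCHEDULING | CLINICAL | BILLING | PSYCHOTHERAPY

# Constructed policy: role -> purpose -> fields that role may see for that purpose.
# Treatment use by a provider is exempt from the minimum necessary standard, so
# the physician's treatment view is the whole record apart from psychotherapy notes.
ROLE_POLICY: Dict[str, Dict[str, FrozenSet[str]]] = {
    "physician": {
        "treatment": ALL_FIELDS - PSYCHOTHERAPY,
        "operations": DEMOGRAPHIC | CLINICAL,
    },
    "billing_clerk": {"payment": frozenset({"name", "dob"}) | BILLING},
    # Front desk sees only what a sign-in sheet may carry: name and times.
    "front_desk": {"operations": frozenset({"name"}) | SCHEDULING},
}


@dataclass
class DisclosureEntry:
    role: str
    purpose: str
    fields_released: FrozenSet[str]


@dataclass
class DisclosureLog:
    """What was released to whom; answers a patient's accounting request."""
    entries: List[DisclosureEntry] = field(default_factory=list)


def minimum_necessary(record: Dict[str, object], role: str, purpose: str,
                      log: DisclosureLog,
                      psychotherapy_authorization: bool = False) -> Dict[str, object]:
    """Return only the fields `role` may see for `purpose` and log the release.

    An undefined role/purpose pair fails closed (PermissionError) instead of
    falling back to the full record.
    """
    try:
        allowed = ROLE_POLICY[role][purpose]
    except KeyError:
        raise PermissionError(
            f"no minimum-necessary policy for {role!r}/{purpose!r}") from None
    if psychotherapy_authorization and role == "physician" and purpose == "treatment":
        allowed = allowed | PSYCHOTHERAPY
    released = {k: v for k, v in record.items() if k in allowed}
    log.entries.append(DisclosureEntry(role, purpose, frozenset(released)))
    return released


# Constructed sample record; not a real patient.
SAMPLE_RECORD: Dict[str, object] = {
    "name": "Pat Example", "dob": "1970-01-01", "address": "1 Example St",
    "phone": "555-0100", "appointment_time": "09:00", "arrival_time": "08:52",
    "diagnoses": ["J06.9"], "medications": ["ibuprofen"], "allergies": ["sulfa"],
    "progress_notes": "seen for URI", "psychotherapy_notes": "(restricted)",
    "insurance_id": "PLAN-0001", "balance": 40.0, "procedure_codes": ["99213"],
}


if __name__ == "__main__":
    log = DisclosureLog()
    print(sorted(minimum_necessary(SAMPLE_RECORD, "front_desk", "operations", log)))
    print(sorted(minimum_necessary(SAMPLE_RECORD, "billing_clerk", "payment", log)))
    print(len(log.entries), "disclosures logged")
```

The policy table is the part a practice would write down in its own words: which workforce classes may see which fields for which purpose. Keeping the lookup fail-closed matters more than the exact groupings, since a role or purpose the policy forgot should surface as a question for the compliance officer rather than silently return the whole chart.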


Q: Doesn’t the minimum necessary standard conflict with the Transactions standards? Does minimum necessary apply to the standard transactions?

A: No, because the Privacy Rule exempts from the minimum necessary standard any uses or disclosures that are required for compliance with the applicable requirements of the subchapter. This includes all data elements that are required or situationally required in the standard transactions. However, in many cases, covered entities have significant discretion as to the information included in these transactions. This standard does apply to those optional data elements.

Q: Does the rule strictly prohibit use, disclosure, or requests of an entire medical record? Does the rule prevent use, disclosure, or requests of entire medical records without case-by-case justification?

A: No. The Privacy Rule does not prohibit use, disclosure, or requests of an entire medical record. A provider may use, disclose, or request an entire medical record, without a case-by-case justification, if the provider has documented in its policies and procedures that the entire medical record is the amount reasonably necessary for certain identified purposes. For uses, the policies and procedures would identify those persons or classes of person in the workforce that need to see the entire medical record and the conditions, if any, that are appropriate for such access. Policies and procedures for routine disclosures and requests and the criteria used for non-routine disclosures would identify the circumstances under which disclosing or requesting the entire medical record is reasonably necessary for particular purposes. In making non-routine requests, the covered entity may also establish and utilize criteria to assist in determining when to request the entire medical record.

The Privacy Rule does not require that a justification be provided with respect to each distinct medical record. Finally, no justification is needed in those instances where the minimum necessary standard does not apply, such as disclosures to or requests by a provider for treatment or disclosures to the individual.

Q: A medical office customarily places patient charts in the plastic box outside an exam room. It does not want the record left unattended with the patient, and doctors want the record close by for fast review right before they see the patient. Will the Privacy Rule allow the office to continue this practice?

A: Yes, the HIPAA Privacy Rule permits this practice as long as the office takes reasonable and appropriate measures to protect the patient’s privacy. The doctor or other health care professionals use the patient charts for treatment purposes. Incidental disclosures to others that might occur as a result of the charts being left in the box are permitted, if the minimum necessary and reasonable safeguards requirements are met. As the purpose of leaving the chart in the box is to provide the provider with access to the medical information relevant to the examination, the minimum necessary requirement would be satisfied. Examples of measures that could be reasonable and appropriate to safeguard the patient chart in such a situation would be limiting access to certain areas, ensuring that the area is supervised, escorting non-employees in the area, or placing the patient chart in the box with the front cover facing the wall rather than having protected health information about the patient visible to anyone who walks by. Each covered entity must evaluate what measures are reasonable and appropriate in its environment. Covered entities may tailor measures to their particular circumstances.

Q: Does the Privacy Rule require medical offices to be retrofitted, to provide private rooms, and sound-proof walls to avoid any possibility that a conversation is overheard?

A: No, the Privacy Rule does not require these types of structural changes be made to facilities. Doctors must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. “Reasonable safeguards” mean that doctors must make reasonable efforts to prevent uses and disclosures not permitted by the rule. The Department does not consider facility restructuring to be a requirement under this standard. In determining what is reasonable, the Department will take into account the concerns of covered entities regarding potential effects on patient care and financial burden.

For example, the Privacy Rule does not require the following types of structural or systems changes:

• Private rooms.

• Soundproofing of rooms.

• Encryption of wireless or other emergency medical radio communications, which can be intercepted by scanners.

• Encryption of telephone system.

Doctors must provide reasonable safeguards to avoid prohibited disclosures. The rule does not require that all risk be eliminated to satisfy this standard. Doctors must review their own practices and determine what steps are reasonable to safeguard their patient information.

Examples of the types of adjustments or modifications to facilities or systems that may constitute reasonable safeguards are:

• You could ask patients to stand a few feet back from a counter used for patient counseling.

• The provider could add curtains or screens to areas where oral communications often occur between doctors and patients or among dentists treating the patient.

• In an area where multiple patient-staff communications routinely occur, use of cubicles, dividers, shields, or similar barriers may constitute a reasonable safeguard. For example, a large clinic intake area may reasonably use cubicles or shield-type dividers, rather than separate rooms.

In assessing what is “reasonable,” providers may consider the viewpoint of prudent professionals.

Basic Rules for Oral Communications About Patient Health Records

We are required to reasonably safeguard protected health information (PHI) - including oral information - from any intentional or unintentional use or disclosure that is in violation of the Privacy Rule. The rules of oral communication basically are the same as those of written communication. You should always use the minimum necessary information for best health care.

In particular, with oral communications, we require that our employees be discreet when talking to or about patients. Be aware of who is in the area, and who could listen in. Because we discuss health care issues all day, it may be easy to assume a patient is not private about this information. Always assume the patient wants the minimum number of ears to hear the minimum necessary information about their health care. Again, the minimum necessary standard does not apply to disclosures, including oral disclosures, among providers for treatment purposes.

“Reasonablysafeguard”meansthatyoumustmakereasonableeffortstopreventusesanddisclosuresnotpermitted by the rule. However, HHS does not expect reasonable safeguards to guarantee the privacy of PHI from any and all potential risks. HHS has said that in determining whether a covered entity has provided reasonable safeguards, the Department will take into account all the circumstances, including the potential effectsonpatientcareandthefinancialandadministrativeburdenofanysafeguards.Remember,balanceprivacy with patient care.

It is important that all our employees interacting with patients speak quietly when discussing a patient’s condition with family members in a waiting room or other public area, and avoid using patients’ names in public hallways and elevators. Protection of patient confidentiality is an important part of our practice.

If the patient or others have difficulty hearing or exhibit other communication problems, take them to a private area when discussing health information. There is nothing more embarrassing to a patient than to be walking out of a crowded waiting room and have the medical assistant talking about their treatment or medications. It is not only embarrassing, but now it is illegal.

Talking to Other Providers and Patients

The Privacy Rule is not intended to prohibit providers from talking to each other and to their patients. The rule only requires covered entities to implement reasonable (there’s that word again) safeguards that reflect their particular circumstances, and exempting treatment disclosures from certain requirements is intended to ensure that providers’ primary consideration is the appropriate treatment of their patients.

HHS has also said that they understand that overheard communications are unavoidable. For example, in a busy emergency room, it may be necessary for providers to speak loudly in order to ensure appropriate treatment. The Privacy Rule is not intended to prevent this appropriate behavior. HHS would consider the following practices to be permissible, if reasonable precautions are taken to minimize the chance of inadvertent disclosures to others who may be nearby (such as using lowered voices, as described earlier):

• Medical staff may orally coordinate services with the treatment facilities.

• Medical assistants or other health care professionals may discuss a patient’s condition over the phone with the patient, a provider, or a family member.

• Medical professionals may discuss a patient’s condition during training rounds in an academic or training institution.

Calling Out Patient Names

Calling out the patient’s name in the waiting room is not disclosing PHI, but do not call out any other direct identifiers, such as street address, telephone number, social security number, reason for visit, etc.

Reporting Non-Compliance Concerns

If you overhear an employee improperly orally divulging private patient information, speak to our Compliance Officer, or if more appropriate, kindly remind the employee. Our policy is that all our employees regard these reminders as a protection for them and our practice. Please thank the person if and when they inform you of this problem.

Patient Access to Oral Information

HHS has said that covered entities do not need to provide patients access to oral information. The Privacy Rule requires covered entities to provide individuals with access to PHI about themselves that is contained in their “designated record sets.” The term “record” in the term “designated record set” does not include oral information; rather, it connotes information that has been recorded in some manner.

The rule does not require you to tape or digitally record oral communications, nor to retain digitally or tape recorded information after transcription. However, if such records are maintained and used to make decisions about the individual, they may meet the definition of “designated record set.” For example, a health plan is not required to provide a member access to tapes of a telephone “advice line” interaction if the tape is only maintained for customer service review and not to make decisions about the member.

We Do Not Have to Document ALL Oral Communications

If the oral communications you are giving are relevant to any disclosures signed by the patient, or if they have anything to do with following the Privacy Rule, or if they can be used for best practices in patient care, we recommend that you document this in the patient’s records. Once again we strive to provide the best patient care without wasting time documenting events or actions that will not help the patient. The Privacy Rule does not require us to document all information, including oral information, that is used or disclosed for treatment, payment or health care operations (TPO). The rule includes, however, documentation requirements for some information disclosures for other purposes. For example, some disclosures must be documented in order to meet the standard for providing a disclosure history to an individual upon request. Where a documentation requirement exists in the rule, it applies to all relevant communications. For example, if a covered provider discloses health information to a public health authority as permitted by the rule in §164.512, then he or she must maintain a record of that disclosure regardless of whether the disclosure was made orally by phone or in writing.


Patient’s Right of Access

HIPAA provides all individuals with the right to access their protected health information (PHI) maintained in a designated record set by health plans, covered health care providers, and health care clearinghouses, also referred to as “Covered Entities” (CE), which create or receive an individual’s PHI, not including business associates of another covered entity. The right must be provided for as long as PHI is maintained in a designated record set.

A “designated record set” is one containing information utilized and maintained for the purpose of making decisions about an individual’s healthcare. The idea is that individuals have a right to PHI used to make decisions about them, including, for example, information upon which health care decisions are based and information used to determine payment on insurance claims. Information maintained, but not utilized to make decisions about the individual, falls outside the designated record set and is exempt from access.

CE Obligations

CEs must permit an individual to request access to inspect/obtain a copy of PHI maintained in the individual’s designated record set. The CE may require that requests be in writing, if it informs individuals of that requirement.

Timeliness Requirements: A CE must act on a request for access within 30 days of receipt if the information is accessible on site, and within 60 days of receipt if the information is not accessible or maintained on site. If the CE is unable to act on the request within the applicable time limits, it may have one (and only one) 30-day extension by providing the individual with a written explanation of the reasons for the delay and the date the CE will complete its action on the request.

Implementation Tip: The CE has up to 60 days to provide information located on site, and up to 90 days for information located off-site. Notice of an extension must be provided to the individual within the standard deadline.

The CE Accepts the Request…

If access is granted, in whole or in part, the CE must inform the individual of acceptance and provide the access requested within the required time frame at a convenient time and place for the individual to inspect and copy the PHI, or mail a copy of the PHI if the individual requests.

Fees: If the individual requests copies, or agrees to a summary or explanation, the CE may impose a reasonable, cost-based fee that includes only the cost of copying (including supplies and labor), postage, and/or the cost to prepare a summary or explanation.

Providing a Summary: The CE may provide a summary or an explanation of the PHI requested, in lieu of access to the PHI, if the individual agrees.

The CE Denies the Request, in Whole or in Part

The CE must provide the individual with a timely, written denial in plain language.

The CE must provide the individual (if possible) with access to any other PHI requested, after excluding that to which access is being denied. If the CE doesn’t maintain the PHI requested, but knows where it is maintained, the CE must inform the individual of where to request it.

Implementation Tip: A CE must document the designated record sets subject to access by individuals and the titles of persons or offices responsible for receiving and processing requests for access, and must retain such documentation as required.

Implementation Tip: A licensed healthcare professional must make the determination based on the standards of harm to apply.

Review

If a CE denies a request for which review is available, the individual has the right to have the denial reviewed by a licensed healthcare professional designated by the CE to act as reviewing official (and who did not participate in the original decision to deny). The CE must then provide or deny access in accordance with the reviewing official’s decision. The procedure for review is:

1. The CE promptly refers the request to the designated reviewing official;

2. The official determines, within a reasonable period of time, whether or not to deny access based on the allowed reviewable grounds; and

3. The CE promptly provides written notice to the individual of the official’s determination and takes other appropriate action required to carry out the determination.


Business Associates and Privacy

HHS’ Definition of a Business Associate

• A business associate is a person or entity who provides certain functions, activities, or services for or to a covered entity, involving the use and/or disclosure of PHI.

• A business associate is not a member of the medical/health care provider, medical/health plan, or other covered entity’s workforce.

• A health care provider, health plan, or other covered entity can also be a business associate to another covered entity.

• The rule includes exceptions. The business associate requirements do not apply to covered entities who disclose PHI to providers for treatment purposes – for example, information exchanges between a pharmacy and doctor for pain relief.

In allowing providers and plans to give protected health information (PHI) to “business associates,” the Privacy Rule conditions such disclosures on the provider or plan obtaining, typically by contract, satisfactory assurances that the business associate will:

1. Use the information only for the purposes for which it was engaged by the covered entity.

2. Safeguard the information from misuse.

3. Help the covered entity comply with the covered entity’s duties to provide individuals with access to health information about them and a history of certain disclosures (e.g., if the business associate maintains the only copy of information, it must promise to cooperate with the covered entity to provide individuals access to information upon request).

HHS has stressed that PHI may be disclosed to a business associate only to help the providers and plans carry out their health care functions—not for independent use by the business associate. If you have any questions about whether a particular business associate of ours is properly contracted under the HIPAA rules, please contact the Compliance Officer. We have a “Business Associates PHI Privacy Agreement” that should be used in situations where required.


Parents and Minors

It is our policy to work closely and cooperatively with our patients to ensure that they understand their health conditions at all times. We encourage questions and give answers that are clear and understandable to our patients. The Privacy Rule provides individuals with certain rights with respect to their protected health information, including the right to obtain access to and to request amendment of health information about themselves. These rights rest with that individual, or with the “personal representative” of that individual. In general, a person’s right to control protected health information (PHI) is based on that person’s right (under state or other applicable law, e.g., tribal or military law) to control the health care itself.

The concepts below will give you excellent guidance regarding confidential relationships and parents or guardians. If you find yourself in a situation where you are not sure what PHI you should divulge to a parent, guardian or child, please check with our Compliance Officer.

Because a parent usually has authority to make health care decisions about his or her minor child, a parent is generally a “personal representative” of his or her minor child under the Privacy Rule and has the right to obtain access to health information about his or her minor child. This would also be true in the case of a guardian or other person acting in loco parentis of a minor.

There are exceptions in which a parent might not be the “personal representative” with respect to certain health information about a minor child. In the following situations, the Privacy Rule defers to determinations under other law that the parent does not control the minor’s medical/health care decisions and, thus, does not control the PHI related to that care.

• When state or other law does not require consent of a parent or other person before a minor can obtain a particular health care service, and the minor consents to the medical/health care service, the parent is not the minor’s personal representative under the Privacy Rule. For example, when a state law provides an adolescent the right to consent to mental health treatment without the consent of his or her parent, and the adolescent obtains such treatment without the consent of the parent, the parent is not the personal representative under the Privacy Rule for that treatment. The minor may choose to involve a parent in these health care decisions without giving up his or her right to control the related health information. Of course, the minor may always have the parent continue to be his or her personal representative even in these situations.

• When a court determines or other law authorizes someone other than the parent to make treatment decisions for a minor, the parent is not the personal representative of the minor for the relevant services. For example, courts may grant authority to make health care decisions for the minor to an adult other than the parent, or to the minor, or the court may make the decision(s) itself. In order not to undermine these court decisions, the parent is not the personal representative under the Privacy Rule in these circumstances.

In the following situations, the Privacy Rule reflects current professional practice in determining that the parent is not the minor’s personal representative with respect to the relevant PHI:

• When a parent agrees to a confidential relationship between the minor and the dentist, the parent does not have access to the health information related to that conversation or relationship. For example, if a dentist asks the parent of a 16-year-old if the dentist can talk with the child confidentially about a medical condition and the parent agrees, the parent would not control the PHI that was discussed during that confidential conference.

• When a doctor (or other covered entity) reasonably believes in his or her professional judgment that the child has been or may be subjected to abuse or neglect, then the dentist may choose not to treat the parent as the personal representative of the child.


State Laws

In addition to the provisions (described above) tying the right to control information to the right to control treatment, the Privacy Rule also states that it does not preempt state laws that specifically address disclosure of health information about a minor to a parent (§160.202). This is true whether the state law authorizes or prohibits such disclosure. Thus, if a provider believes that disclosure of information about a minor would endanger that minor, but a state law requires disclosure to a parent, the dentist may comply with the state law without violating the Privacy Rule. Similarly, a provider may comply with a state law that requires disclosure to a parent and would not have to accommodate a request for confidential communications that would be contrary to state law.

Parents and Their Children’s Medical Records

HHS has said that the Privacy Rule generally allows parents, as their minor children’s personal representatives, to have access to information about the health and well-being of their children when state or other underlying law allows parents to make treatment decisions for the child.

There are two exceptions to the above statement:

1. When the parent agrees that the minor and the health care provider may have a confidential relationship, the provider is allowed to withhold information from the parent to the extent of that agreement. If a parent agrees to this, the person giving the care should make an easily identifiable record of this agreement in the patient chart.

2. The provider is permitted not to treat the parent as the child’s personal representative when there is reason to believe that the child has been or may be subjected to abuse or neglect, or when treating the parent as the personal representative could endanger the child.

Parental Consent

The Privacy Rule addresses access to health information, not the underlying treatment. The Rule does not address consent to treatment, nor does it preempt or change state or other laws that address consent to treatment.

Emergency Medical Care Without a Parent’s Consent

Even though a parent does not provide consent to treatment in an emergency medical situation, under the Privacy Rule, the parent would still be the child’s personal representative. This would not be so only when the minor provided consent (and no other consent is required) or the treating physician suspects abuse or neglect or reasonably believes that releasing the information to the parent will endanger the child.

Frequently Asked Questions

Q: Does the Privacy Rule provide rights for children to be treated without parental consent?

A: No. The Privacy Rule does not address consent to treatment, nor does it change state or other laws that address consent to treatment. The Rule addresses access to health information, not the underlying treatment.

Q: If a child receives emergency medical care without a parent’s consent can the parent get all information about the child’s treatment and condition?

A: Generally, yes, even though the parent did not provide consent to the treatment in this situation, under the Privacy Rule, the parent would still be the child’s personal representative. This would not be so only when the minor provided consent (and no other consent is required) or the treating provider suspects abuse or neglect or reasonably believes that releasing the information to the parent will endanger the child.

Q: Does the rule require my doctor to send my medical records to the government?

A: No. The rule does not require a doctor or any other covered entity to send medical information to the government for a government database or similar operation. This rule does not require or allow any new government access to medical information, with one exception: the rule does give OCR the authority to investigate complaints and to otherwise ensure that covered entities comply with the rule.

OCR has been assigned the responsibility of enforcing the Privacy Rule. As is typical in many enforcement settings, OCR may need to look at how a covered entity handled medical records and other protected health information. The Privacy Rule limits disclosure to OCR to information that is “pertinent to ascertaining compliance.” OCR will maintain stringent controls to safeguard any individually identifiable health information that it receives. If covered entities could avoid or ignore enforcement requests, consumers would not have a way to ensure an independent review of their concerns about privacy violations under the rule.

Q: Why would a Privacy Rule require covered entities to turn over anybody’s protected health information as part of a government enforcement process?

A: An important ingredient in ensuring compliance with the Privacy Rule is the Department’s responsibility to investigate complaints that the rule has been violated and to follow up on other information regarding noncompliance. At times, this responsibility entails seeing protected health information, such as when an individual indicates to the Department that they believe a covered entity has not properly handled their medical records.

What information would be needed depends on the circumstances and the alleged violations. The Privacy Rule limits OCR’s access to information that is “pertinent to ascertaining compliance.” In some cases, no protected health information would be needed. For instance, OCR may need to review only a business contract to determine whether a health plan included appropriate language to protect privacy when it hired an outside company to help process claims.

Examples of investigations that may require OCR to have access to protected health information (PHI) include: allegations that a covered entity refused to note a request for correction in a patient’s medical record, or did not provide complete access to a patient’s medical records.

The Privacy Rule has specific guidelines in regard to research activities and PHI. These rules are outlined below directly as they were given by the Department of Health and Human Services. If you are involved with research, you should familiarize yourself with these rules and follow them closely.


Patient Billing and Payments

In order to understand the Privacy Rule as it pertains to patient payments, we first must give the HHS definition of payment. “Payment” is a defined term that encompasses the various activities of medical/health care providers to obtain payment or be reimbursed for their services, and of a health plan to obtain premiums, to fulfill its coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care. In addition to the general definition, the Privacy Rule provides examples of common payment activities, which include, but are not limited to:

• Determining eligibility or coverage under a plan and adjudicating claims;

• Risk adjustments;

• Billing and collection activities;

• Reviewing health care services for medical necessity, coverage, justification of charges, and the like;

• Utilization review activities; and

• Disclosures to consumer reporting agencies (limited to specified identifying information about the individual, his or her payment history, and identifying information about the covered entity).

HHS has said that as provided for by the Privacy Rule, our practice may use and disclose protected health information (PHI) for payment purposes.

One of the main goals of HIPAA and the standards for electronic transactions is the prevention of health care fraud! The best way to guarantee your practice will not break the privacy and security standards of HIPAA is to self-audit your records on a random basis.

What Does That Mean?

The provider (whose name is on the bottom of the claim form?) should randomly select a group of records from a past week or month. This procedure should be done every few months. Then take the billing audit form provided and perform a self billing audit, not only to check for HIPAA violations but also for the possibility of billing mistakes that would result in the practice receiving fines or decreased revenue from billing errors.

The Claim Form

Simple mistakes like incorrect codes, blanks on the claim form or incorrect information about the patient, such as an incorrect birthday, could possibly put your office under suspicion. This suspicion could lead to your office being placed on an insurance company’s focus list, leading to possibly:

• Delayed payment

• Criminal investigation

• Audit

• Not being paid at all

Helpful Hints

If you bill incorrectly, you will be in violation of the HIPAA law.

Discounts

If you give a discount to anybody with medical insurance or forgive a co-payment and do not inform the insurance company on the claim form, you have committed billing fraud.


Do you give discounts only to patients that do not have medical insurance? The law states you cannot discriminate between insured and noninsured patients.

Accidents

If a patient is in an accident you must fill out that section of the claim form correctly, even if you do not want to deal with lawyers.

More Than One Office

If you have more than one office, always make sure the section that asks where treatment was performed is filled out correctly. All UCR and fee profiles are figured on the zip code of the address where treatment was performed, not where the check is mailed.

The bottom line is never lie on a claim form!

Consumer Credit Reporting Agencies

The Privacy Rule’s definition of “payment” includes disclosures to consumer reporting agencies. These disclosures, however, are limited to the following PHI about the individual: name and address; date of birth; social security number; payment history; and account number.

In addition, disclosure of the name and address of the health care provider or health plan making the report is allowed. The Privacy Rule allows us to perform this payment activity directly or we may carry out this function through a third party, such as a collection agency, under a business associate arrangement.

Debt Collection Agencies

The Privacy Rule permits our practice to use the services of debt collection agencies. Debt collection is recognized as a payment activity within the “payment” definition. Disclosures to collection agencies under a business associate agreement are governed by other provisions of the rule, including consent (where consent is required) and the minimum necessary requirements.

Location Information Services of Collection Agencies and the Fair Debt Collection Practices Act

As described above, “payment” is broadly defined as activities by health plans or health care providers to obtain premiums or obtain or provide reimbursements for the provision of medical/health care. The activities specified are by way of example and are not intended to be an exclusive listing. Billing, claims management, collection activities, and related data processing are expressly included in the definition of “payment.”

HHS has stated that obtaining information about the location of the individual is a routine activity to facilitate the collection of amounts owed and the management of accounts receivable. Therefore, it would constitute a payment activity. We would still have to comply with any limitations placed on location information services by the Fair Debt Collection Practices Act.


Evaluate Office Security Measures

Appropriate safeguards must be in place that provide security for protected health information from an administrative, technical and physical standpoint, 45 CFR §164.530 Medical Office (I). The office must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of the standard.

You are required to take reasonable safeguards with respect to documents containing protected health information by shredding them prior to disposal and limiting access to medical records.

Recommended Physical Security Measures Checklist

o Disposal of Protected Health Information
  · Not placed in ordinary trash stream
  · Recycle process controlled
  · Computer records (disks, CDs, hard drives) are destroyed properly
  · Shredding is used

o Storage of Protected Health Information
  · Locked filing cabinets
  · Unlocked filing cabinets
  · Work stations
  · Locked storage room on open shelves
  · Employee desks
  · Unlocked storage room on open shelves
  · Provider desk/office
  · Access to record storage after hours
  · Off-site storage facility

o Protected Health Information Use
  · Files are put away or turned over to avoid easy viewing
  · Original records are not removed from premises
  · Ensure that conversations held with patients are private
  · Use discretion when discussing PHI within hearing of others
  · Answering machine or phone messages reviewed in private
  · Caution during fax of PHI is exercised to assure the proper address is used, the information is received by an attended person/office, and a disclaimer is used

o Computer screen accessibility by patients and visitors

o Computer screens timed out

o Computer security administration procedures, including access authorization (password protected)

o Access control procedures when employees are terminated or leave

o Policy and enforcement of signing off computers

o Computer floppy disks and CDs stored in a secure manner

o Backup systems are in place for computer records


Selecting HIPAA-Worthy Passwords

Protect Personal Medical Information—An unprotected computer workstation is the weakest link!

We all know that HIPAA requires strong passwords, along with effective password training. Here’s how to select strong passwords that are easy to remember and fun to create.

Does your password training currently go something like this?

· Select a password that is easy to remember, but hard to guess.

· Do not use your name, your children’s, animal’s, or parent’s names

· Do not use a word found in the dictionary

· Include alpha and numeric characters

· Password minimum is 7 characters

· Do not write your password down

· Do not share your password with anyone

Not bad. These are all valid, common rules you may have seen for choosing passwords. However, selecting quality, easy-to-remember passwords requires a little more effort — and can be a whole lot more fun!

Remember your favorite song.

Is it “The Wheels On The Bus Go Round and Round” or “In a Gadda Da Vida”? Use either song (or any other favorite) to create a password that is more difficult to crack.

Take the first letter of each word and then add a special character or number and you will have a good password. “The Wheels On the Bus Go Round And Round” becomes TWOTBOS. “In a Gadda Da Vida” becomes IAG8DV.

If you and music don’t mix, consider something about you, your friends or family. “My Daughter Attends Trinity Presbyterian School.” That becomes MDATPS.

Or, add a special character or number and statistically it gets even stronger: MD@TPS. “I Took My Son To See Shrek” becomes ITMS2SS.

Above all, make it unique and unusual and change it often.

Use words that aren’t in a dictionary or easily guessed. You can also combine words to create new words. Examples would include Party Animal, which becomes PARANI%. Happy New Year becomes HAPNEWY*.

No password is perfect, and even the best system can be broken with enough time, money and computing power. But by using creative techniques like these, you will create better passwords. This will strengthen security and help ensure patient confidentiality.
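As an added example (not part of this manual), here is a small Python checker that applies the password rules listed in the training outline above and builds first-letter mnemonics the way the manual describes; the sample dictionary, the sample name list and the word-to-symbol substitutions ("To" to "2", "Attends" to "@") are assumptions. Running the manual's own sample passwords through its own rules shows which of them meet the 7-character and alpha-plus-numeric requirements.

```python
"""Password-policy check for the rules this manual lists (added example).

Assumptions, not taken from the manual: the dictionary and name lists are
small constructed samples, and the word-to-symbol substitutions are one
reading of the manual's "To" -> "2" and "Attends" -> "@" examples.
"""
import re
from typing import Dict, List

MIN_LENGTH = 7  # "Password minimum is 7 characters"

# Constructed sample standing in for "a word found in the dictionary".
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "medical", "party", "animal"}
# Constructed sample of names (your own, children's, pets', parents') not to use.
SAMPLE_NAMES = {"john", "mary", "fido", "trinity"}
# Assumed homophone substitutions applied when substitute=True in mnemonic().
SUBSTITUTIONS = {"to": "2", "too": "2", "two": "2", "for": "4", "four": "4",
                 "at": "@", "attends": "@", "and": "&", "ate": "8"}


def check_password(password: str) -> List[str]:
    """Return the manual's rules that the password breaks (empty means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_alpha = re.search(r"[A-Za-z]", password) is not None
    has_digit = re.search(r"[0-9]", password) is not None
    if not (has_alpha and has_digit):
        problems.append("must include both alpha and numeric characters")
    lowered = password.lower()
    if lowered in SAMPLE_DICTIONARY:
        problems.append("is a dictionary word")
    if lowered in SAMPLE_NAMES:
        problems.append("is a name")
    return problems


def mnemonic(phrase: str, substitute: bool = False, suffix: str = "") -> str:
    """Build a password as the manual suggests: the first letter of each word
    of a memorable phrase; with substitute=True a word such as "To" becomes a
    digit or symbol; suffix appends a trailing special character or number."""
    parts = []
    for raw in phrase.split():
        word = re.sub(r"[^A-Za-z0-9]", "", raw).lower()  # drop punctuation
        if not word:
            continue
        initial = word[0].upper()
        parts.append(SUBSTITUTIONS.get(word, initial) if substitute else initial)
    return "".join(parts) + suffix


def audit(candidates: List[str]) -> Dict[str, List[str]]:
    """Run check_password over several candidates, e.g. the examples in a
    training handout, and map each one to the rules it breaks."""
    return {pw: check_password(pw) for pw in candidates}


if __name__ == "__main__":
    # The manual's own sample passwords run through the manual's own rules.
    handout = ["TWOTBOS", "IAG8DV", "MDATPS", "MD@TPS", "ITMS2SS", "PARANI%", "HAPNEWY*"]
    for pw, problems in audit(handout).items():
        print(f"{pw:10} {'OK' if not problems else '; '.join(problems)}")
    # A phrase plus a trailing digit satisfies every listed rule.
    print(mnemonic("My Daughter Attends Trinity Presbyterian School", suffix="7"))
```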


HIPAA Violations and Enforcement

Failure to comply with HIPAA can result in civil and criminal penalties (42 USC § 1320d-5).

Civil Penalties

The “American Recovery and Reinvestment Act of 2009” (ARRA), signed into law on February 17, 2009, established a tiered civil penalty structure for HIPAA violations (see below). The Secretary of the Department of Health and Human Services (HHS) still has discretion in determining the amount of the penalty based on the nature and extent of the violation and the nature and extent of the harm resulting from the violation. The Secretary is still prohibited from imposing civil penalties (except in cases of willful neglect) if the violation is corrected within 30 days (this time period may be extended).

Civil penalty tiers (HIPAA Violation, Minimum Penalty, Maximum Penalty):

1. Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA
Minimum Penalty: $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation)
Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million

2. HIPAA violation due to reasonable cause and not due to willful neglect
Minimum Penalty: $1,000 per violation, with an annual maximum of $100,000 for repeat violations
Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million

3. HIPAA violation due to willful neglect but violation is corrected within the required time period
Minimum Penalty: $10,000 per violation, with an annual maximum of $250,000 for repeat violations
Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million

4. HIPAA violation due to willful neglect and is not corrected
Minimum Penalty: $50,000 per violation, with an annual maximum of $1.5 million for repeat violations
Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million

Criminal Penalties

In June 2005, the U.S. Department of Justice (DOJ) clarified who can be held criminally liable under HIPAA. Covered entities and specified individuals, as explained below, who “knowingly” obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment of up to one year. Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000, and imprisonment for up to ten years.


Covered Entity and Specified Individuals

The DOJ concluded that the criminal penalties for a violation of HIPAA are directly applicable to covered entities, including health plans, health care clearinghouses, health care providers who transmit claims in electronic form, and Medicare prescription drug card sponsors. Individuals such as directors, employees, or officers of the covered entity, where the covered entity is not an individual, may also be directly criminally liable under HIPAA in accordance with principles of “corporate criminal liability.” Where an individual of a covered entity is not directly liable under HIPAA, they can still be charged with conspiracy or aiding and abetting.

Knowingly

The DOJ interpreted the “knowingly” element of the HIPAA statute for criminal liability as requiring only knowledge of the actions that constitute an offense. Specific knowledge of an action being in violation of the HIPAA statute is not required.

Exclusion

The Department of Health and Human Services (DHHS) has the authority to exclude from participation in Medicare any covered entity that was not compliant with the transaction and code set standards by October 16, 2003 (where an extension was obtained and the covered entity is not small) (68 FR 48805).

Enforcing Agencies

The DHHS Office of Civil Rights (OCR) enforces the privacy standards, while the Centers for Medicare & Medicaid (CMS) enforces both the transaction and code set standards and the security standards (65 FR 18895). Enforcement of the civil monetary provisions has not yet been tasked to an agency.

Please refer to the AMA’s FAQs on the privacy regulations for additional information on enforcement of the privacy standards.

No Private Cause of Action

While HIPAA protects the health information of individuals, it does not create a private cause of action for those aggrieved (65 FR 82566). State law, however, may provide other theories of liability.


Breach of PHI

FCNI’s Procedure for Breach Reporting as Mandated in the HITECH Act of 2009

I. HITECH Act of 2009

A. The HITECH Act of 2009 made a number of significant changes to HIPAA. HITECH has expanded HIPAA to state that a Covered Entity (FCNI is defined as a CE, “Covered Entity,” under HIPAA) must report breaches of Protected Health Information (PHI).

B. As part of FCNI’s HIPAA policy, we have adopted the following procedure in order to comply with the mandatory reporting requirements of breaches to Protected Health Information.

II. Procedure to Report a Breach

A. Any FCNI staff (paid or unpaid), agent, contractor, business associate or other person or entity working on behalf of Family Care Network, Inc. who suspects that there may have been an acquisition, access, use or disclosure of “unsecured” PHI in a manner not permitted by the Privacy Rule immediately notifies their supervisor and/or the FCNI HIPAA Compliance Officer. A supervisor who is notified of the possible reportable breach must immediately notify the FCNI HIPAA Compliance Officer.

III. Assessing the Breach

A. The FCNI HIPAA Compliance Officer will:

1. Assess the Breach

a. An assessment is done in the case of every potential reportable breach to determine whether it meets one of the three exceptions listed below. The following are NOT breaches:

1. Unintentional acquisition, access, or use of PHI by a staff member or person acting under the authority of FCNI (Covered Entity- CE) or a contractor of FCNI (business associate- BA) if the acquisition, access or use was made in good faith and within the course and scope of the authority and does not result in further use or disclosure in a manner not permitted by the Privacy Rule.

2. Any inadvertent disclosure by a person who is authorized to access PHI at FCNI or BA to another person authorized to access PHI at FCNI or BA, or organized health care arrangement (OHCA) in which FCNI participates, and the information received is not further used or disclosed in a manner not permitted by the Privacy Rule.

3. A disclosure of PHI where a covered entity or a business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information, for example, sending PHI in the mail to the wrong address where the mail is returned unopened to the post office as undeliverable, or where a nurse mistakenly hands discharge papers to the wrong patient, quickly realizes the mistake, and recovers the PHI before the patient has time to read it.

b. If it is determined that it meets an exception, the FCNI HIPAA Compliance Officer or designee prepares written documentation of that determination and will retain it for at least six (6) years. Patient notification and reporting to the DHHS is not required in the case of an exception.


2. Risk Assessment for Harm

a. If it is determined that there is no exception, and that a breach has occurred, the FCNI HIPAA Compliance Officer does a risk assessment to determine whether the breach compromises the security or privacy of the PHI in such a way that it poses a significant risk of financial, reputational or other harm to the patient. When doing the risk assessment, the following issues are addressed:

1. Who used or received the PHI in violation of the Privacy Rule? (For example, if the recipient also must comply with federal privacy laws because it is a federal agency or is itself a CE, there may be less risk of harm than if others received the PHI.)

2. Were immediate steps taken to mitigate the harm? (For example, did the recipient provide satisfactory assurances that the PHI will not be further disclosed, was not read, and has been destroyed?)

3. What type of PHI was involved? (For example, if only a patient’s first initial and last name was released, with no other information, it is possible that there was no significant risk of harm; conversely, if in addition to the patient’s first initial and last name there is reference to a specific treatment program, that would likely be different.)

4. Was a limited data set used or disclosed?

b. If it is determined that there is no potential risk of harm to the individual, notification and reporting is not required. However, the risk assessment and determination that there is no potential for harm must be documented in writing and retained for at least six (6) years.

c. If it is determined that there is a potential risk for harm, the patient must be notified and the breach must be reported to the DHHS.

IV. Breach Notification to Individual Whose PHI Was Breached

A. Time Frame of Notification: Notification must be made without reasonable delay and no later than sixty (60) days after discovery. A breach is deemed discovered when a staff member, officer, or other agent of FCNI or business associate, other than the individual committing the breach, knew or should reasonably have known about the breach.

1. Law Enforcement Exception: If law enforcement asks to delay notification/reporting because it would impede a criminal investigation or cause damage to national security, then notification/reporting should be delayed until the investigation is completed. If the request is made orally, it needs to be documented, identifying the law enforcement agency or official making the statement, and notification or reporting is temporarily withheld, but for no longer than 30 days, unless a written statement is submitted during that time.

B. Method of Notification: Notification is done by the FCNI HIPAA Compliance Officer or designee by first class mail to the individual’s last known address, unless the individual has specified a preference for email or other means. If the patient lacks capacity, notify the personal representative (for example, the parent of a minor). If the patient is deceased, notify the next of kin.

If notification is urgent because of possible imminent misuse of the unsecured PHI, notification is done by phone or other means as appropriate. Additionally, written notification is still required.

Breach involving 10 or more patients who cannot be reached: If there are ten or more individuals for whom there is insufficient or out-of-date contact information, then one of the following is required:

1. A conspicuous posting on the FCNI’s home page of our website, OR

2. Notice in major print or broadcast media (including major media where individuals likely reside.)

Either method requires a minimum posting of 90 days and a toll free number that an individual can call to find out if his/her unsecured PHI was included in the breach.


C. Content of Notice: When notifying individuals by any method, the following information needs to be included in the notice that is provided:

1. Brief description of what happened

2. Date of the breach, if known

3. Date of the discovery of the breach

4. Description of types of information involved such as full name, date of birth, home address, account number, disability code, etc.

5. Steps the individual should take to protect him/herself from potential harm resulting from the breach

6. Brief description of what FCNI is doing to investigate the breach, mitigate losses, and protect against further breaches

7. Contact procedures for individuals who have questions, which must include a toll-free number, email address, website or postal address

D. Large Breaches (500 plus): If there is a breach of unsecured PHI of 500 or more residents of a state or jurisdiction, notice must also be provided to prominent media outlets serving the state or jurisdiction, in addition to written notice to each individual.

E. Documentation of Notification: FCNI must be able to demonstrate that all notifications were made as required (or that a use or disclosure did not constitute a breach because there was no potential risk of harm), so it is essential that written documentation be retained for six (6) years.

F. Mandatory Reporting to DHHS: The FCNI HIPAA Compliance Officer notifies the Secretary of the DHHS of all reportable breaches. In situations where 500 or more individuals are involved in a single breach, the notice must be provided immediately. If fewer than 500 individuals are involved, FCNI will maintain a log or other documentation which must be submitted annually to the DHHS. This log or other documentation must be provided within 60 days after the end of the calendar year (March 1st for most years and February 29th in leap years). The breach can be reported on the DHHS website at the following link: http://transparency.cit.nih.gov/breach/index.cfm

G. Breaches by Business Associates of FCNI: Upon discovery of a reportable breach by a Business Associate-Contractor (BA) of FCNI, the BA must notify FCNI as soon as possible but no more than 5 working days after the breach by submitting a report to the FCNI HIPAA Compliance Officer and fulfilling the mandated reporting requirements.

Note: FCNI or its BAs are not responsible for a breach by a third party to whom it permissibly disclosed PHI, unless the third party is an agent of FCNI or a BA.


This HIPAA Compliance Business Associate Contract, effective on ___________________ , 20_____ is entered into by and between ____________________________________ (the “Associate”) and Family Care Network, Inc. (the “Covered Entity”).

I. Definitions

What is a “Business Associate?”

A “business associate” is a person or entity, other than a member of the workforce of a covered entity (FCNI), who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. This includes resource parents, respite workers, independent contractors, and other similar persons/entities. A “business associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate. The HIPAA Rules generally require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information.

The business associate contract also serves to clarify and limit, as appropriate, the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate. A business associate may use or disclose protected health information only as permitted or required by its business associate contract or as required by law. A business associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of protected health information that are not authorized by its contract or required by law. A business associate also is directly liable and subject to civil penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule.

Terms used, but not otherwise defined, in this Agreement shall have the same meaning given those terms under HIPAA.

1.1 Agreement. “Agreement” means the administrative services agreement entered into between Business Associate and Covered Entity pursuant to which Business Associate provides services to the Plan.

1.2 Breach. “Breach” shall have the same meaning as the term “breach” in 45 CFR § 164.402.

1.3 Business Associate. “Business Associate” means the person or entity other than FCNI in this agreement.

1.4 Covered Entity. “Covered Entity” means Family Care Network, Inc.

1.5 Electronic Protected Health Information. “Electronic Protected Health Information” shall have the same meaning as the term “electronic protected health information” in 45 CFR § 160.103.

1.6 Electronic Transaction Rule. “Electronic Transaction Rule” means the final regulations issued by HHS concerning standard transactions and code sets under 45 CFR Parts 160 and 162.

1.7 HHS. “HHS” means the United States Department of Health and Human Services.

1.8 HIPAA. “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, as amended, and the accompanying regulations.

1.9 Individual. “Individual” shall have the same meaning as the term “individual” in 45 CFR § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).

1.10 Privacy Rule. “Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.

HIPAA Compliance Business Associate Contract

Revised: 5/22/14

1.11 Protected Health Information. “Protected Health Information” shall have the same meaning as the term “protected health information” in 45 CFR § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.

1.12 Required By Law. “Required By Law” shall have the same meaning as the term “required by law” in 45 CFR § 164.103.

1.13 Secretary. “Secretary” means the Secretary of the Department of Health and Human Services or his designee.

1.14 Security Rule. “Security Rule” means the Security Standards and Implementation Specifications at 45 CFR §§ 164.306, 164.308, 164.310, 164.312, and 164.316.

1.15 Security Incident. “Security Incident” shall have the same meaning as the term “security incident” in 45 CFR § 164.304.

1.16 Unsecured Protected Health Information. “Unsecured Protected Health Information” shall have the same meaning as the term “unsecured protected health information” in 45 CFR § 164.402.

II. Obligations and Activities of Business Associate

2.1 Business Associate agrees not to use or disclose Protected Health Information other than as permitted or required by this Contract or as Required by Law.

2.2 Business Associate agrees to develop, implement, maintain and use appropriate administrative, technical and physical safeguards to prevent use or disclosure of the Protected Health Information, other than as provided for by this Contract.

2.3 Business Associate will develop, implement, maintain and use administrative, technical and physical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic Protected Health Information that Business Associate creates, receives, maintains or transmits on Covered Entity’s behalf as required by the Security Rule.

2.4 Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Contract.

2.5 Business Associate agrees to report to Covered Entity any use or disclosure of Protected Health Information, including Electronic Protected Health Information, not provided for by this Contract of which it becomes aware and/or any Security Incident of which it becomes aware.

2.6 Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information and/or Electronic Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this Contract to Business Associate with respect to such information. Moreover, Business Associate shall ensure that any such subcontractor or agent agrees to implement reasonable and appropriate safeguards to protect Covered Entity’s Protected Health Information.

2.7 As of the effective date specified by HHS in final regulations to be issued on this topic, Business Associate shall not directly or indirectly receive remuneration in exchange for any Protected Health Information of an individual unless the Covered Entity or Business Associate obtains from the individual, in accordance with 45 CFR § 164.508, a valid authorization that includes a specification of whether the Protected Health Information can be further exchanged for remuneration by the entity receiving Protected Health Information of that individual, except as otherwise allowed under HIPAA.


2.8 To the extent it maintains a Designated Record Set, Business Associate agrees to provide access, at the request of Covered Entity, as soon as administratively practical and in no event later than 30 days following the Covered Entity’s request, to Protected Health Information in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR § 164.524.

2.9 To the extent it maintains a Designated Record Set, Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR § 164.526 at the request of Covered Entity or an Individual, as soon as administratively practicable.

2.10 Business Associate agrees to make internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary, in a time and manner designated by the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule.

2.11 Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528.

2.12 Business Associate agrees to provide to Covered Entity or an Individual, within 30 days following Covered Entity’s request, information collected in accordance with the Agreement and/or this BA Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528.

2.13 If Business Associate conducts in whole or in part electronic transactions on behalf of Covered Entity for which HHS has established standards, Business Associate will comply, and will require any subcontractor to comply, with each applicable requirement of the Electronic Transaction Rule. Business Associate shall also comply with the National Provider Identifier requirements, if and to the extent applicable.

2.14 Business Associate acknowledges that it is subject to civil and criminal enforcement for failure to comply with the Privacy Rule and Security Rule.

III. Permitted Uses and Disclosures by Business Associate

3.1 General Use and Disclosure Provisions.

(a) Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information to perform functions, activities or services for, or on behalf of, Covered Entity as specified in the Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity or the minimum necessary policies and procedures of the Covered Entity.

(b) Business Associate will, in its performance of the functions, activities, services and operations specified above, make reasonable efforts to use, to disclose and to request only the minimum amount of Covered Entity’s Protected Health Information reasonably necessary to accomplish the intended purpose of the use, disclosure or request, except that Business Associate will not be obligated to comply with this minimum necessary limitation if neither Business Associate nor Covered Entity is required to limit its use, disclosure or request to the minimum necessary. Business Associate and Covered Entity acknowledge that the phrase “minimum necessary” shall be interpreted in accordance with the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and government guidance on the definition.

3.2 Specific Use and Disclosure Provisions.

(a) Except as otherwise limited in this Contract, Business Associate may use Protected Health Information for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.

(b) Except as otherwise limited in this Contract, Business Associate may disclose Protected Health Information for the proper management and administration of Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

(c) Except as otherwise limited in this Contract, Business Associate may use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B).

(d) Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR § 164.502(j)(1).

IV. Obligations of Covered Entity

4.1 Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions.

(a) Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 CFR § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of Protected Health Information.

(b) Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of Protected Health Information.

(c) Covered Entity shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of Protected Health Information. Covered Entity shall not agree to any restrictions without the written consent of Business Associate except with respect to a restriction where (1) the disclosure is to a health plan for purposes of carrying out payment or health care operations, and (2) the Protected Health Information pertains solely to a health care item or service for which the health care provider involved has been paid in full out of pocket.

4.2 Permissible Requests by Covered Entity.

Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Covered Entity, except that Business Associate may use or disclose Protected Health Information for purposes of data aggregation.

V. Breaches and Security Incidents

5.1 Privacy or Security Breach. Business Associate will report to Covered Entity any use or disclosure of Covered Entity’s Protected Health Information not permitted by this Contract along with any Breach of Covered Entity’s Unsecured Protected Health Information. Business Associate will treat the Breach as being discovered in accordance with 45 CFR § 164.410. Business Associate will make the report to Covered Entity’s Privacy Official or other corporate contact as soon as possible and no later than 30 calendar days after Business Associate learns of such non-permitted use or disclosure. If a delay is requested by a law-enforcement official in accordance with 45 CFR § 164.412, Business Associate may delay notifying Covered Entity for the applicable time period. Business Associate’s report will at least:

(a) Identify the nature of the breach or other non-permitted use or disclosure, which will include a brief description of what happened, including the date of any Breach and the date of the discovery of any Breach;

(b) Identify Covered Entity’s Protected Health Information that was subject to the non-permitted use or disclosure or Breach (such as whether full name, social security number, date of birth, home address, account number or other information were involved) on an individual basis;

(c) Identify who made the non-permitted use or disclosure and who received the non-permitted disclosure;

(d) Identify what corrective or investigational action Business Associate took or will take to prevent further non-permitted uses or disclosures, to mitigate harmful effects and to protect against any further Breaches;

(e) Identify what steps the individuals who were subject to a Breach should take to protect themselves;

(f) Provide such other information, including a written report, as Covered Entity may reasonably request.

5.2 Security Incidents. Business Associate will report to Covered Entity any successful (A) unauthorized access, use, disclosure, modification, or destruction of Covered Entity’s Electronic Protected Health Information or (B) interference with Business Associate’s system operations in Business Associate’s information systems, of which Business Associate becomes aware. Business Associate will make this report monthly, except that if any such Security Incident resulted in a disclosure not permitted by this BA Contract or Breach of Covered Entity’s Unsecured Protected Health Information, Business Associate will make the report in accordance with the provisions set forth in the paragraph above.

VI. Term and Termination

6.1 Term. The Term of this BA Contract shall be effective as of Effective Date, and shall terminate when all of the Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this Section.

6.2 Termination for Cause. Upon Covered Entity’s knowledge of a material breach by Business Associate, Covered Entity shall either:

(a) Provide an opportunity for Business Associate to cure the breach or end the violation and terminate the Agreement and/or this BA Contract if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity;

(b) Immediately terminate the Agreement and/or this BA Contract if Business Associate has breached a material term of this BA Contract and cure is not possible; or

(c) If neither termination nor cure is feasible, Covered Entity shall report the violation to the Secretary.

6.3 Effect of Termination.

(a) Except as provided in paragraph (b) of this section, upon termination of this BA Contract, for any reason, Business Associate shall return or destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the Protected Health Information.

(b) In the event that Business Associate determines that returning or destroying the Protected Health Information is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon notifying Covered Entity that return or destruction of Protected Health Information is infeasible, Business Associate shall extend the protections of this BA Contract to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information.

VII. Miscellaneous

7.1 Regulatory References. A reference in this Contract to a section in the Privacy Rule or the Security Rule means the section as in effect or as amended.

7.2 Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity and/or Business Associate to comply with the requirements of the Privacy Rule, the Security Rule and any other provision of HIPAA.

7.3 Survival. The respective rights and obligations of Business Associate under Section 6.3 of this Contract shall survive the termination of this Contract.

7.4 Interpretation. Any ambiguity in this Contract shall be resolved to permit Covered Entity and/or Business Associate to comply with HIPAA.

IN WITNESS WHEREOF, the parties have duly executed this Business Associate Contract effective as of the later date signed below.

Associate Name Signature Date

Witness Signature Title Date

Covered Entity Name Signature, Title Date

Witness Signature, Title Date

Family Care Network, Inc.


HIPAA Compliance Signature Form

Our policy is a simple yet powerful four-step process: keep up-to-date in our knowledge of the newest HIPAA regulations, educate, comply, and audit/correct.

a. We seek to maintain up-to-date knowledge about federal and state law pertaining to protection of our patients’ Protected Health Information.

b. We educate our employees, independent contractors, interns, volunteers and mentors and keep them up-to-date about federal and state law as it applies to Protected Health Information.

c. Our policy is to comply with all federal and state law governing Protected Health Information.

We desire that all our employees, independent contractors, interns, volunteers and mentors are particularly cognizant of the fact that protected health information must be treated with utmost attention, accuracy, honesty, and integrity. We seek to educate and carry out these policies with all our employees, managers, clinicians, interns, volunteers, mentors, independent contractors and other agents.

I have received our office’s FCNI HIPAA Compliance manual. I agree to review it and I agree to do all I can, within my area of responsibility, to maintain up-to-date knowledge about federal and state laws and program requirements. I will comply with these requirements to the best of my ability, and I will immediately let the FCNI Compliance Officer know if there is any area where I feel our office is not in compliance with these laws and program requirements.

I agree with our policy and will do all I can to comply with all regulatory laws pertaining to personal health information. I understand that our office has an open door policy and that I may discuss with my supervisor or other supervisors any problems I feel may occur with PHI, without fear of reprisal.

Please check one: Employee Intern Independent Contractor Volunteer Mentor

Name Date

Signature Compliance Officer Signature


HIPAA Quiz for All Employees

Name Date

1. HIPAA is an abbreviation for what act?

2. Who is the HIPAA Compliance Officer for your practice/facility?

3. What are the HIPAA regulations trying to protect?

4. What does the “minimum necessary” standard mean and when does it apply?

5. You call a patient to confirm an appointment, but there is no answer. Can you leave a message on their answering machine? Explain.

6. What is TPO?

7. What is PHI?