HIPAA:
Privacy Essentials for the Physician's Office
Welcome to the HIPAA: Privacy Essentials for the Physician's Office Web site, developed by OHIC Insurance Company and Ohio University College of Osteopathic Medicine in partnership with Ohio University Without Boundaries.
Welcome Message
Martha Simpson: Welcome to "HIPAA: Privacy Essentials for the Physician's Office." This site represents a partnership between the Ohio University College of Osteopathic Medicine and the OHIC Insurance Company. I'm Martha Simpson from Ohio University. And this is Paul Nagle and this is Carol Murray from OHIC.
Carol Murray: We developed the site specifically for physicians' offices. Working with our insureds, we found that many physicians' offices, particularly the smaller practices, had many concerns about HIPAA. And, while they had neither the resources nor the need to become HIPAA experts, they did need some basic compliance information.
Martha Simpson: Many of our alumni who are in private practice have the same concerns and needs.
Paul Nagle: There are many good resources on HIPAA and we did not want to reinvent the wheel. We do see a need, however, for an easy access source of basic information. In developing the site, we asked, "What are the privacy essentials the physician's office actually needs to know?" Thus the name of the site. The site is organized around a series of essential categories. We provide a checklist, basic resources, forms, and links to sites that have more detailed information. Finally, there is a test that you can take to make certain that you know the basics. We hope that the site is helpful for you.
What is HIPAA?
HIPAA, the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, was designed to improve the efficiency and effectiveness of the health care system. It included “Administrative Simplification” provisions that required the U.S. Department of Health and Human Services (HHS) to adopt national standards for electronic health care transactions. At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of federal privacy protections for individually identifiable health information.
What is the Impact of HIPAA’s Privacy Rule?
Health care providers have a strong tradition of safeguarding protected health information (PHI). In today’s world, however, with information broadly held and transmitted electronically, the Privacy Rule provides clear standards for the protection of PHI. The Rule requires certain activities to ensure this confidentiality. They include:
How to Use This Site
This Web site has been developed for use by practicing physicians in small office-based practices. It is not a substitute for legal advice. We have provided a basic starter kit of information, policies, forms, and resources. We do not cover special areas such as research, marketing, and fundraising, which have special rules that are not relevant to most practices.
We have formatted this Web site to provide maximal efficiency for you and your office staff. Question Categories provide answers to your most frequently asked questions about HIPAA and are the foundation for learning on this site. Answers cross-reference helpful Resources, such as links to relevant Web sites, examples of Daily Dilemmas you may face, and useful Documents to help you reach HIPAA compliance more quickly. You can also access all of the Resources, Daily Dilemmas, and Documents referenced throughout this site from the menu at the left of every page. An online Test is available to check how well you've absorbed the information.
What is a Privacy Notice?
It is really called the Notice of Privacy Practices (NPP). It is a formal document that explains, in simple terms, how, when, and why a patient’s medical information may be used and disclosed. This document is quite comprehensive, and all medical office personnel, including physicians, should read this Notice. It answers many questions regarding protected health information (PHI) and is your practice’s guide to handling your patients’ PHI.
What has to be in a Notice of Privacy Practices (NPP)?
It must contain specific language prescribed by the U.S. Department of Health and Human Services (HHS), prominently displayed at the beginning of the notice:
“THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU (AS A PATIENT OF THIS PRACTICE) MAY BE USED AND DISCLOSED, AND HOW YOU CAN GET ACCESS TO YOUR INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION. PLEASE REVIEW THIS NOTICE CAREFULLY.”
You must inform the patient of your practice’s obligations concerning the use and disclosure of his PHI.
A sample notice is provided below, but you must read and edit it to accurately reflect your medical practice style and needs.
Notice of Privacy Policy (Courtesy of Baker & Hostetler, LLP)
Related Resources and Documents:
Once I get this Privacy Notice written, what do I do with it?
What if I forget to give the Privacy Notice to a patient when he/she comes in?
You should mail the notice to the patient ON THE SAME DAY and document why it was not given to the patient at the time of service and that the notice was mailed.
Related Resources and Documents for Privacy Notice:
Final Standards for Privacy of Individually Identifiable Health Information. §164.520 Notice of Privacy Practices for Protected Health Information. (HIPAAdvisory)
http://www.hipaadvisory.com/regs/finalprivacy/520.htm
Notice of Privacy Policy (Courtesy of Baker & Hostetler, LLP)
Can a patient ask to have their health related communications handled in a confidential manner?
Yes. A patient has the right to request that he/she receive health information from your office by alternative means or at an alternative location, to maintain confidentiality. Typically, out of fear for personal safety, a patient may want his/her information sent to a different address or through a different method of contact. The patient should make this request to you in writing, but the regulations do not require a written request. The patient is not required to explain why the request is being made. Your office must accommodate reasonable requests.
Related Resources and Documents:
What is the requirement for an authorization?
Unless release of protected health information (PHI) is allowed by other provisions of the law (for example, for treatment, payment, and health care operations (TPO)), a valid authorization is required. There are additional requirements for authorizations covering the release of psychotherapy notes and most marketing uses.
Are there specific elements that must be in an authorization
to make it valid?
Yes, it must contain:
Is there a requirement about language?
It must be in plain (easily understood) language.
Can an authorization be verbal?
To be valid, authorizations must be in writing.
A fax of a signed, properly executed authorization is valid.
Can we accept a copy of an authorization instead of the original?
Copies are acceptable if they contain the required elements.
Is there a requirement to verify the identity of the individual signing the authorization?
Only if the individual signing is not the patient whose records are to be released. It is good practice, however, to verify the authenticity of the signature in every case. If a person presents whose identity is not known on sight, you should properly identify that person before acting on the authorization.
Are there any special requirements to revoke an authorization?
An individual may revoke an authorization at any time, provided the revocation is in writing, except to the extent the practice has already acted in reliance on the authorization (e.g., where it was a condition of obtaining insurance coverage).
Are there special requirements for authorization for research
purposes?
In addition to the core elements, the authorization must contain:
Is there any easier way to obtain authorization for research purposes?
An authorization can be a part of another document, such as a consent to participate in research, a consent to use or disclose protected health information (PHI) to carry out treatment, payment, and health care operations (TPO), or a Notice of Privacy Practices (NPP).
Related Resources and Documents: Office for Civil Rights Guidance Tool on HIPAA
http://www.hhs.gov/ocr/hipaa/privacy.html
Are there any exceptions to the requirement for an authorization for disclosure for marketing purposes?
ALL marketing communications require a written authorization from the patient, except when the communication is made face-to-face by your practice to an individual, or when the communication is a promotional gift of nominal value provided by your practice.
Related Resources and Documents for Authorization:
Final Standards for Privacy of Individually Identifiable Health Information. §164.528 Accounting of Disclosures of Protected Health Information. (HIPAAdvisory)
http://www.hipaadvisory.com/regs/finalprivacy/528.htm
Office for Civil Rights Guidance Tool on HIPAA
http://www.hhs.gov/ocr/hipaa/privacy.html
Authorization Form Sample (added 4/11/03)
Confidential Communications Form
Confidential Communications Policy
Under HIPAA, can patients change their medical records?
The privacy portion of HIPAA gives patients the right to request that their records be amended. An individual has the right to have a practice amend protected health information (PHI) or a record about the individual in a designated record set for as long as the information is maintained in that designated record set.
Can the practice deny the request to amend the record?
The request can be denied for one of the following reasons:
Related Resources and Documents:
Final Standards for Privacy of Individually Identifiable Health Information. § 164.524 Access of individuals to protected health information. (HIPAAdvisory)
http://www.hipaadvisory.com/regs/finalprivacy/524.htm
Is there any time limitation for response to a request to amend a record?
The practice must act on an individual’s request for an amendment no later than 60 days after the request is received.
Are there requirements if a request to amend a record is approved?
What happens next if the request to amend the record is denied by the practice?
Related Resources and Documents for Amendment:
Final Standards for Privacy of Individually Identifiable Health Information. § 164.524 Access of individuals to protected health information. (HIPAAdvisory)
http://www.hipaadvisory.com/regs/finalprivacy/524.htm
Medical Record Amendment Request Form
Medical Record Amendment Policy
4. Uses and Disclosures of PHI
Under what circumstances can I use and disclose protected health information (PHI)?
You are permitted to use or disclose PHI:
You are REQUIRED to disclose information:
When can protected health information (PHI) be disclosed without patient authorization (other than for treatment, payment, and health care operations (TPO))?
Information can be disclosed without patient authorization to public health authorities and the Food and Drug Administration (FDA). It may also be released to law enforcement officials, to the medical examiner or coroner after someone has died, and in other instances as noted in your Notice of Privacy Practices (NPP) and as authorized by state or federal law. This is referred to as a “non-authorized” disclosure.
Do I have to tell a patient that I have disclosed his/her protected health information (PHI) without authorization?
While you do not have to tell the patient, sometimes it is appropriate to do so. For instance, when you report a communicable disease to the authorities, you could inform the patient that you are doing so.
If you make a non-authorized disclosure of PHI, you MUST keep track of it and, on the patient’s written request, provide an accounting of such disclosures made in the six (6) years before the request. For each disclosure, record the date, to whom it was made, what was disclosed, and for what purpose. All disclosures outside the organization that are not for treatment, payment, and health care operations (TPO) and were made without patient authorization must be accounted for. The accounting does not cover any disclosure made before April 14, 2003.
Related Resources and Documents:
What if a patient asks for frequent accounts of disclosure?
The first request in a 12-month period is free of charge, but your practice may charge for additional requests. You should have this practice clearly stated in your Notice of Privacy Practices (NPP), and you should inform the patient of the approximate charge before completing any additional request.
Related Resources and Documents for Uses and Disclosures of PHI:
Final Standards for Privacy of Individually Identifiable Health Information. §164.528 Accounting of Disclosures of Protected Health Information. (HIPAAdvisory)
http://www.hipaadvisory.com/regs/finalprivacy/528.htm
Accounting of Non-Authorized Use or Disclosures Request Form
Non-Authorized Disclosures Policy
Can a patient restrict the use or disclosure of his/her protected health information (PHI)?
A patient has the right to REQUEST that the use and disclosure of his/her PHI be restricted for treatment, payment, and health care operations (TPO), as well as to request that disclosure be limited to certain people, such as certain family members only. YOU DO NOT HAVE TO AGREE TO THE PATIENT’S REQUEST. Your patient’s restriction request must be in writing, be specific as to what information is covered by the request, state whether it covers use, disclosure or both, and say to whom these limitations apply.
If your practice agrees to the request, it must honor the request except when overriding laws or emergencies apply.
Related Resources and Documents for Restriction of Use:
Final Standards for Privacy of Individually Identifiable Health Information §164.522 Rights to request privacy protection for protected health information. (HIPAAdvisory)
http://www.hipaadvisory.com/regs/finalprivacy/522.htm
Restriction of Use or Disclosure of PHI Form
Restriction of Use or Disclosure of PHI Policy
Do physicians have to allow patients to read their own charts?
Generally, yes. A patient has the right to inspect and obtain a copy of his/her own record; you may refuse the request only for the reasons listed below. You may also provide the patient with a chart summary instead of the actual chart if the patient agrees to that in advance. HIPAA contains specific provisions giving patients the right to inspect or obtain a copy of their medical record. In most states, this right is already in place under state law.
Are there any exceptions to the provisions allowing patients
to read their own charts?
Yes.
Can physicians deny patients access to their charts?
Yes, in certain circumstances, which are listed below.
Unreviewable denial:
Reviewable denial:
Related Resources and Documents:
HIPAA Privacy Joint Information Center (Bricker & Eckler LLP). Specific language from the Privacy law on unreviewable denial.
http://www.bricker.com/hipaa/
Does the patient have the right to appeal a denial?
Yes. The patient has the right to a review by another licensed health professional designated by the practice who was not a part of the original decision to deny access.
Are there exceptions to the right to appeal a denial?
Yes. There are several circumstances, including inmates of correctional facilities, information subject to the Clinical Laboratory Improvement Amendments (CLIA), and certain research situations, such as where access would reveal the identity of a person who provided information under a promise of confidentiality.
If access is denied, are there any other requirements to be met by the practice?
Yes. The individual must be informed of how to make a formal complaint to the practice and to the Secretary of Health and Human Services (HHS).
Can a summary of the information instead of the complete record be provided and meet the access requirement?
Yes, if you believe the information would be difficult to interpret (e.g., billing codes) and the requestor agrees in advance to receive a summary and to the charge for it.
Can I charge patients for copies of their medical record?
Yes, you can charge a reasonable, cost-based fee. The fee may only include the cost of copying (supplies and labor) and postage (if applicable); it may not include the cost of retrieving the record. Check your state statutes as well, since state law may set its own limits on charges for copies.
Can I provide access to information from another health care provider that is part of my medical record?
Yes, there is no exclusion.
Related Resources and Documents for Patient Access:
Final Standards for Privacy of Individually Identifiable Health Information. § 164.524 Access of individuals to protected health information. (HIPAAdvisory)
http://www.hipaadvisory.com/regs/finalprivacy/524.htm
Patient Access to Medical Record Request Form
Patient Access to Medical Record Policy
Are we required to have a formal complaint process related to privacy issues?
HIPAA mandates a process for individuals to complain to both the practice and the Secretary of Health and Human Services (HHS) about the practice’s privacy policies and procedures, the practice’s compliance with those policies and procedures, or its compliance with the requirements of the Rule.
Are there specific requirements about notification?
The final Rules stipulate that covered entities have a mechanism for receiving complaints, and this mechanism must be described in the Privacy Notice (specify a contact person or office phone number).
Do I have to keep a record of complaints?
Yes, you have to maintain a record of the complaints you receive and a brief description of the resolution, if there is a resolution.
Can the individual elect to complain to the Secretary of Health and Human Services (HHS) without first complaining to me, as the practice?
Yes. Individuals have the right to send their complaint directly to the Secretary of HHS.
Are there specific requirements for filing a complaint with the Secretary of Health and Human Services (HHS)?
Complaints must be in writing (either on paper or electronic), must name the practice and describe the act or omission believed to violate the Rule, and must be filed within 180 days of when the complainant knew or should have known of that act or omission.
What could happen if the Secretary of Health and Human Services (HHS) found the complaint to substantiate a violation?
Efforts would be made to settle the matter informally with the practice, and a compliance review of the practice might result. If the Secretary of HHS found no violation, the practice and the complainant would be notified. A practice that is found to have violated the Privacy Regulations may face civil penalties of up to $100 per violation (capped at $25,000 per calendar year for violations of an identical requirement) and/or criminal penalties if the practice knowingly violated the Privacy Regulations. Criminal penalties can include substantial fines as well as incarceration.
Related Resources and Documents for Complaints:
Final Standards for Privacy of Individually Identifiable Health Information. Subpart C - Compliance and Enforcement. (HIPAAdvisory)
http://www.hipaadvisory.com/regs/finalprivacy/160c.htm
HIPAAdvisory Knowledge Web Site sponsored by Phoenix Health Systems. (HIPAA newsletters with additional information on complaints.)
http://www.hipaadvisory.com/
What is the intent or purpose of the privacy officer?
The privacy officer is responsible for implementing and overseeing the privacy policies and procedures for the practice. He/she oversees all activities related to the development, implementation, maintenance of and adherence to the practice’s policies and procedures addressing privacy and access to protected health information (PHI). He/she assures compliance with HIPAA and all other federal and state rules and regulations pertaining to the use and release of PHI.
Small practices may assign this role to one or more persons, while larger group practices most likely will designate a specific person to oversee the integrity of PHI. The privacy officer has numerous roles, such as performing a risk assessment of the practice to determine where vulnerabilities lie with respect to PHI and ensuring that privacy and security measures and policies are implemented and adhered to by the practice. He or she serves as the designated contact person required by the final Rule to receive complaints and provide further information about the practice’s privacy policies and procedures.
What steps or activities should the privacy officer take to assure compliance?
Key activities are really basic risk management techniques. A privacy officer should carry out the following steps:
A. Identify the internal and external risks of disclosure of protected health
information (PHI).
B. Create a plan to reduce the risk of releasing PHI in those areas identified.
C. Implement the plans.
D. Train all personnel on the practice’s privacy and security of PHI.
E. Monitor the implementation and enforce appropriately any breaches of policy.
Identifying the risks of disclosure is the first step so policies and procedures can be created to address the use and release of PHI. A risk assessment should be conducted to ascertain where privacy and security threats may exist. Make a list of all activities that involve the use or disclosure of PHI and evaluate whether there are policies and procedures already in place to reduce the risk of release.
Once areas are identified, create a plan of action around those areas identified to reduce the risks. The plan development communicates to staff the importance to the practice of the safe and proper utilization of protected health information.
Policies and procedures should be modified or developed to integrate compliance into everyday activities. Implementation of the plan should consider the needs and ability of the staff to assimilate and follow the policies and procedures. It applies to the actual medical records as well as electronic or computerized records containing PHI.
During implementation, all personnel must be trained in the relevant areas that affect their interaction with PHI. Staff must understand what information is protected, when PHI may be released, and when PHI may be in jeopardy of improper release. Training should be integrated into the practice’s compliance plan, including documentation of the training that has occurred. The training should be specific to the responsibilities of the staff member. Changes in job descriptions or positions that allow greater access warrant additional training within a reasonable time frame following the change in responsibilities.
Monitoring is an important part of the privacy officer’s duties. This means actively checking to make sure the practice is adhering to its policies and procedures related to PHI. Consistently following your own rules not only reduces the opportunity for an error to occur but also limits the damage if an improper use or release is detected.
What if information is misused or improperly released?
HIPAA requires that medical practices provide a complaint process for individuals who feel the practice is not following its own policies and procedures. As privacy officer, you need to implement this process if it is not in place already. The complaint process allows individuals to resolve complaints at both a local and a federal level.
What qualifications and responsibilities should a privacy officer’s job description contain?
The Microsoft Word document attached below is a sample privacy officer job description developed by the American Health Information Management Association (AHIMA).
Sample (Chief) Privacy Officer Job Description
You may also view this sample privacy officer job description on the AHIMA Web site: Sample Privacy Officer Job Description
Related Resources and Documents for Privacy Officer:
Sample Privacy Officer Job Description (AHIMA)
http://www.ahima.org/infocenter/models/PrivacyOfficer2001.cfm
Sample (Chief) Privacy Officer Job Description
What is the intent of the minimum necessary requirement?
The purpose of this provision is to safeguard protected health information (PHI) so that, when PHI is used or released, only the minimum amount of information needed to satisfy the request or carry out the function is involved. You must make reasonable efforts to achieve this limitation.
The minimum necessary standard is intended to be consistent with, and not override, professional judgment and standards. Practices must implement policies and procedures based on their own assessment of what PHI is reasonably necessary for a particular purpose.
This standard is derived from confidentiality codes and is already in common use within medical practices: a sound practice would not use or disclose PHI that is not necessary to satisfy a request or effectively carry out a function. The privacy benefits of retaining the minimum necessary standard outweigh the burden of implementing it.
Are there exceptions to the minimum necessary requirement?
As with many rules, there are times when this requirement does not apply. They are:
A. Disclosures to or requests by a health care provider for treatment.
B. Uses or disclosures made to the individual, as permitted under paragraph
(a)(1)(i) of this section or as required by paragraph (a)(2)(i) of this section.
C. Uses or disclosures made pursuant to an authorization under §(Section)
164.508.
D. Disclosures made to the Secretary of Health and Human Services in accordance
with subpart C of part 160 of this subchapter.
E. Uses or disclosures that are required by law, as described by § 164.512(a).
F. Uses or disclosures that are required for compliance with applicable requirements
of this subchapter.
In plainer language, the minimum necessary requirement does not apply to disclosures required by law, disclosures made to the individual or made under an authorization, or requests by a health care provider for treatment purposes. It also does not apply to uses or disclosures required for compliance with the regulations implementing the other Administrative Simplification provisions of HIPAA, or to disclosures to the Secretary of Health and Human Services (HHS) for purposes of enforcing this Rule.
Related Resources and Documents:
What is the significance of an individual authorizing release of protected health information (PHI)?
While additional information on authorization is noted elsewhere on this Web site, it is significant that all uses and disclosures made pursuant to an authorization are exempt from the minimum necessary standard.
Can information be released for continuity of care concerns to another provider without an individual authorizing release of protected health information (PHI)?
Yes. It is appropriate to release PHI to a subsequent provider, and the Privacy Rule permits a practice to rely reasonably on another practice’s request for PHI as the minimum necessary for the intended disclosure. The practice that holds the information retains the discretion to make its own minimum necessary determination.
What about an individual authorizing release of protected health information (PHI) that includes psychotherapy notes?
The U.S. Department of Health and Human Services clarified that the final Rule does not require a practice to use or disclose PHI as a result of an authorization. If a practice is concerned that a request for an individual’s psychotherapy records is not warranted or is excessive, the practice may consult with the individual to determine whether or not the authorization is consistent with the individual’s wishes for releasing protected health information.
The Privacy Rule does not permit a health plan or health care provider to condition coverage or treatment on an authorization to use or disclose psychotherapy notes. HHS considers that these additional protections appropriately and effectively protect an individual’s privacy with respect to psychotherapy notes.
What should a practice do to implement HIPAA provisions?
Requirements for implementing this standard include developing and implementing appropriate policies and procedures that reasonably minimize the amount of protected health information (PHI) used, disclosed, and requested. These policies and procedures must identify the persons or classes of persons within the practice who need access to PHI to carry out their duties, the categories or types of PHI each needs, and the conditions under which that access is appropriate. For regular or recurring requests and disclosures, the policies and procedures may be standard protocols. Non-routine disclosures or requests for PHI must be reviewed on an individual basis.
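The policy elements just described (classes of persons, categories of PHI each may use, and standard protocols for routine requests versus individual review for non-routine ones) can be expressed as a small access check, and the same log can produce the accounting of non-authorized disclosures described earlier under Uses and Disclosures of PHI. The Python below is an added example, not code from the original site or its authors; the role names, PHI categories, purposes, compliance date handling and the sample disclosures it builds are assumptions constructed for illustration.

```python
# Added example (not from the original page): a minimal model of a practice's
# minimum-necessary policy plus the accounting of non-TPO disclosures.  Roles,
# PHI categories and purposes are hypothetical names chosen for illustration.
from dataclasses import dataclass, field
from datetime import date

# Which PHI categories each workforce class may use for routine purposes
# (the "persons or classes of persons" and "types of PHI" a policy identifies).
ROLE_CATEGORIES = {
    "physician":     {"demographics", "clinical", "billing", "psychotherapy_notes"},
    "nurse":         {"demographics", "clinical"},
    "billing_clerk": {"demographics", "billing"},
    "receptionist":  {"demographics"},
}
PROVIDER_ROLES = {"physician", "nurse"}
TPO_PURPOSES = {"treatment", "payment", "operations"}
# Purposes handled under a standard protocol; anything else is non-routine.
ROUTINE_PURPOSES = TPO_PURPOSES | {"public_health"}
COMPLIANCE_DATE = date(2003, 4, 14)   # disclosures before this need no accounting


def minimum_necessary(role, requested, purpose):
    """Return the subset of the requested PHI categories the role may receive.

    A provider's request for treatment is exempt from the standard and comes
    back unfiltered.  Other routine purposes are limited to the role's policy.
    A non-routine purpose raises so that a person reviews it individually
    instead of a standard protocol deciding it.
    """
    requested = set(requested)
    if purpose == "treatment" and role in PROVIDER_ROLES:
        return requested
    if purpose not in ROUTINE_PURPOSES:
        raise ValueError(f"non-routine purpose {purpose!r}: needs individual review")
    return requested & ROLE_CATEGORIES.get(role, set())


def _years_before(d, n):
    """Same calendar day n years earlier (29 February falls back to the 28th)."""
    try:
        return d.replace(year=d.year - n)
    except ValueError:
        return d.replace(year=d.year - n, day=28)


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    when: date
    recipient: str             # person or agency that received the PHI
    what: str                  # brief description of the PHI disclosed
    purpose: str
    authorized: bool = False   # True if made under the patient's signed authorization


@dataclass
class DisclosureLog:
    disclosures: list = field(default_factory=list)
    accounting_requests: dict = field(default_factory=dict)   # patient_id -> [date]

    def record(self, d):
        """Log every disclosure; exclusions are applied when the accounting is built."""
        self.disclosures.append(d)

    def accounting(self, patient_id, as_of):
        """Disclosures the patient is entitled to see listed: outside TPO, not
        made under an authorization, within the six years before the request,
        and on or after the compliance date."""
        start = max(COMPLIANCE_DATE, _years_before(as_of, 6))
        return [d for d in self.disclosures
                if d.patient_id == patient_id
                and d.purpose not in TPO_PURPOSES
                and not d.authorized
                and start <= d.when <= as_of]

    def accounting_is_chargeable(self, patient_id, request_date):
        """Record an accounting request and report whether a fee may apply:
        the first request in any 12-month period is free, later ones may be
        charged a reasonable, cost-based fee disclosed in advance."""
        prior = self.accounting_requests.setdefault(patient_id, [])
        window_start = _years_before(request_date, 1)
        chargeable = any(window_start < r <= request_date for r in prior)
        prior.append(request_date)
        return chargeable


def build_sample_log():
    """Constructed sample data (hypothetical patients and recipients)."""
    log = DisclosureLog()
    log.record(Disclosure("p1", date(2002, 6, 1), "county health dept", "lab result", "public_health"))
    log.record(Disclosure("p1", date(2004, 3, 2), "county health dept", "lab result", "public_health"))
    log.record(Disclosure("p1", date(2004, 3, 3), "insurer", "claim", "payment"))
    log.record(Disclosure("p1", date(2004, 3, 4), "employer", "fitness letter", "other", authorized=True))
    log.record(Disclosure("p2", date(2004, 3, 2), "FDA", "adverse event report", "public_health"))
    return log


if __name__ == "__main__":
    for d in build_sample_log().accounting("p1", date(2005, 1, 1)):
        print(d.when, d.recipient, d.what, d.purpose)
```

Logging every disclosure and filtering only when an accounting is requested is deliberate: the exclusions (TPO, authorized disclosures, the compliance date, the six-year window) live in one function that can be audited, rather than in each staff member's judgement at the moment of disclosure about whether an entry is needed.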
What about releasing protected health information (PHI) not made in a routine and recurring manner?
A practice must implement the minimum necessary standard by developing and implementing criteria designed to limit the request for PHI to the minimum necessary to accomplish the intended purpose.
Related Resources and Documents for Minimum Necessary:
Standards for Privacy of Individually Identifiable Health Information. B. Section 164.502—Uses and Disclosures of Protected Health Information: General Rules. 2. Minimum Necessary Standard. December 2000 Privacy Rule. (HIPAAdvisory)
http://www.hipaadvisory.com/regs/finalprivacymod/minimum.htm
Office for Civil Rights – HIPAA. Guidance Explaining Significant Aspects of the Privacy Rule – December 4, 2002
http://www.hhs.gov/ocr/hipaa/privacy.html
Minimum Necessary Disclosure Policy
What is the intent of business associate agreements?
One of the purposes of HIPAA is to safeguard protected health information (PHI). To the extent you have control of PHI, you must take appropriate steps to protect it. In a medical practice, many of the provisions of this rule apply to “business associates” who have contact with you and, therefore, access to PHI.
You cannot release or disclose PHI to a business associate unless both parties have a business associate agreement in place. The agreement must contain a confidentiality clause that holds the business associate accountable for protecting PHI, and the business associate cannot use or further disclose the information in any way that would violate the Privacy Rule.
When a relationship with a business associate ends, the business associate must return or destroy all PHI within a reasonable time frame.
Who qualifies as a business associate?
A business associate is any person to whom the practice discloses protected health information (PHI) so that the person can carry out, assist in the performance of, or perform for or on behalf of the practice a function or activity. This includes persons or contractors who receive PHI from your practice in the course of providing a service to you. You may only disclose PHI to a business associate once the associate has given satisfactory assurance, through a business associate agreement, that it will safeguard the information.
What types of functions do business associates typically perform?
Functions or activities that typically involve the use or disclosure of individually identifiable health information include claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing.
Who doesn’t qualify as a business associate?
The following do not qualify as business associates under the Privacy Rule.
A. Employees.
B. Contracted employees who perform a substantial portion of their work at
your practice, such as a physical therapist.
C. Some government oversight agencies.
D. Hospitals, unless the hospital performs billing services for staff providers.
What about when information is shared for treatment purposes?
Any practice or provider may share protected health information (PHI) with a health care provider for treatment purposes without a business associate agreement, so long as the information is used to treat the patient and not for other, unrelated purposes.
Do I need a business associate agreement for my cleaning service?
You are not required to enter into a business associate agreement with your janitorial service, because performing that service does not involve the use or disclosure of protected health information (PHI). In most cases a janitor has only incidental contact with PHI, and such incidental disclosure is permissible as long as reasonable safeguards are in place. Ideally, lock the records room or store records in lockable cabinets.
Since I already have an attorney-client relationship with counsel, do I need a business associate agreement?
The Privacy Rule is not intended to interfere with the attorney-client relationship, and in most cases counsel's access to protected health information (PHI) is limited. Nevertheless, an attorney who receives PHI from your practice in the course of providing legal services is a business associate, and it is appropriate to have your attorney sign a business associate agreement.
What about organizations that act merely as a conduit of protected health information (PHI)?
The rule does not require a business associate agreement with a person or organization that acts merely as a conduit of information, such as the U.S. Postal Service, certain private couriers, and their electronic equivalents. A conduit transports the information but does not access it other than on a random or infrequent basis as needed to perform the transport. Since no disclosure to the conduit is intended and the probability of incidental exposure is small, no agreement is necessary.
Financial institutions likewise are not business associates when they process consumer-conducted financial transactions by debit, credit, or other payment cards, checks, or electronic funds transfers. Covered entities that initiate such payment activities must still meet the minimum necessary disclosure requirements.
What is the requirement for the return or destruction of protected health information (PHI)?
The Privacy Rule requires the business associate agreement to provide for the return or destruction of all PHI at the termination of the contract, if feasible. When return or destruction is not feasible, the contract must state that the information will remain protected for as long as it is maintained and that any further use or disclosure of the information will be limited to those purposes that make return or destruction infeasible.
Related Resources and Documents for Business Associates:
Business Associates [45 CFR 164.502(e), 164.504(e), 164.532(d) and (e)] (HIPAAdvisory)
http://www.hipaadvisory.com/regs/finalprivacymod/gbusiness.htm
Sample Business Associate Agreement Contract Provisions. Additional information on business associate agreement contract language. (HIPAAdvisory)
http://www.hipaadvisory.com/regs/finalprivacymod/appendix.htm
Sample Business Associate Agreement
What are the requirements for training my staff and who needs to be trained?
The federal regulations set no curriculum or format for training. They do require that all members of your workforce, including professional staff such as physicians, be trained on your practice's privacy policies and procedures as they relate to each person's duties. For existing staff this training must take place before the compliance date, April 14, 2003. All new employees must receive HIPAA training within a reasonable period after they join, as part of their initial orientation to your practice, and staff must be retrained when a material change in your policies or procedures affects their work.
Privacy is very important in health care and training your staff to understand the regulations can help to avoid accidental disclosures of information and privacy complaints from patients. Annual privacy training is strongly advised for your practice.
Everyone who handles protected health information (PHI) should be trained in the HIPAA regulations. Everyone who works in your office should be trained about confidentiality.
What does my staff need to know about HIPAA?
They should understand the patient rights listed in the Notice of Privacy Practices (NPP) and how to handle any questions or requests from a patient. Having good policies and procedures in place, and having your staff familiar with them, is the best place to start. A HIPAA privacy training agenda is provided below to ensure that the basic information is covered; it may be modified to suit your practice's needs. All physicians, staff, employees, and contract personnel should sign a confidentiality agreement.
Everyone in your office should be trained about patient confidentiality including your cleaning service and maintenance people.
How do I prove training took place?
Use a sign-in sheet, keep an agenda of the issues covered, and document each staff member's training in his or her employment record. You and your staff may also take the online test on this site and print out a summary of your results and a certificate of completion; place the summary and certificate in the employee's file. If you prefer to administer a printed test, you may download the test, answer key, and customizable certificate of completion in Microsoft Word format. See the Test section for more information.
You should retain HIPAA training records for six (6) years. A HIPAA training agenda is provided below to help you deliver complete training.
Related Resources and Documents for Training:
Final Standards for Privacy of Individually Identifiable Health Information. §164.530 Administrative requirements. (HIPAAdvisory)
http://www.hipaadvisory.com/regs/finalprivacy/530.htm
The following are policies, forms, and checklists that you may download to use and modify for your own practice. Click on a document below to download or view the file.
HIPAA Readiness Checklist (revised 2/10/03)
Sample Business Associate Agreement
Sample (Chief) Privacy Officer Job Description
Notice of Privacy Practices (NPP) Policy
Non-Authorized Disclosures Policy (revised 2/10/03)
Accounting of Non-Authorized Use or Disclosures Request Form (revised 2/10/03)
Authorization Form Policy (revised 2/10/03)
Authorization Form Sample (added 4/11/03)
Medical Record Amendment Policy (revised 2/10/03)
Medical Record Amendment Request Form (revised 2/10/03)
Privacy Complaint Policy (revised 2/10/03)
Minimum Necessary Disclosure Policy (revised 2/10/03)
HIPAA Training Agenda (revised 2/10/03)
Confidentiality Policy (revised 2/10/03)
Patient Access to Medical Record Policy (revised 2/10/03)
Patient Access to Medical Record Request Form (revised 2/10/03)
Restriction of Use or Disclosure of PHI Form (revised 2/10/03)
Restriction of Use or Disclosure of PHI Policy (revised 2/10/03)
Notice of Privacy Policy (Courtesy of Baker & Hostetler, LLP) (added 2/10/03)
Authorization For Use And Disclosure Of Personal Health Information (Courtesy of Baker & Hostetler, LLP) (added 2/10/03)
Business Associate Addendum (Courtesy of Baker & Hostetler, LLP) (added 2/10/03)
Confidential Communications Request Form (added 2/10/03)
Confidential Communications Policy (updated 3/12/03)
Sample Privacy Officer Job Description (American Health Information Management Association)
http://www.ahima.org/infocenter/models/PrivacyOfficer2001.cfm
The following are resource links referenced throughout this Web site, as well as additional ones you may find helpful.
HIPAA Glossary (Ohio HIPAA Statewide Project)
http://www.state.oh.us/hipaa/glossary.htm
Ohio HIPAA Statewide Project
http://www.state.oh.us/hipaa/
Guide to the HIPAA Privacy Rule (Ohio HIPAA Statewide Project)
http://www.state.oh.us/hipaa/privacyrule/index.htm
American Health Information Management Association (AHIMA)
http://www.ahima.org
Sample Privacy Officer Job Description (AHIMA)
http://www.ahima.org/infocenter/models/PrivacyOfficer2001.cfm
Final Rule for Electronic Transaction and Code (AHIMA)
http://www.ahima.org/dc/hipaa.cfm
Administrative Simplification (U.S. Department of Health and Human Services)
http://aspe.os.dhhs.gov/admnsimp/index.shtml
Centers for Medicare & Medicaid Services—Latest HIPAA Administrative Simplification News
http://cms.hhs.gov/hipaa/hipaa2/default.asp
Centers for Medicare & Medicaid Services—HIPAA Insurance Reform
http://cms.hhs.gov./hipaa/hipaa1/default.asp
Office for Civil Rights – HIPAA. Guidance Explaining Significant Aspects of the Privacy Rule – December 4, 2002
http://www.hhs.gov/ocr/hipaa/privacy.html
Office for Civil Rights—Standards for Privacy of Individually Identifiable Health Information [45 CFR Parts 160 and 164]
http://www.hhs.gov/ocr/hipaa/finalmaster.html
Office for Civil Rights – HIPAA. What’s New
http://www.hhs.gov/ocr/hipaa/whatsnew.html
HIPAA Privacy Joint Information Center (Bricker & Eckler LLP)
http://www.bricker.com/hipaa/
Standards for Privacy of Individually Identifiable Health Information (Unofficial Version) [45 CFR Parts 160 and 164] Regulation Text, as amended (Bricker & Eckler LLP) (2.5MB)
http://www.bricker.com/attserv/practice/hcare/hipaa/combinedregtext.pdf
FindLaw—Health Hippo: HIPAA Page (News & Reports, Shalala Statement, HIPAA Law, HippoQuiz)
http://hippo.findlaw.com/hipaa.html
HIPAAdvisory Knowledge Web Site sponsored by Phoenix Health Systems
http://www.hipaadvisory.com/
HIPAA Final Standards for Privacy of Individually Identifiable Health Information. (HIPAAdvisory)
http://www.hipaadvisory.com/regs/finalprivacy/index.htm
§164.502. Uses and disclosures of protected health information: general rules.
http://www.hipaadvisory.com/regs/finalprivacy/502.htm
B. Section 164.502—Uses and Disclosures of Protected Health Information.
http://www.hipaadvisory.com/regs/finalprivacymod/minimum.htm
§ 164.504 Uses and Disclosures: Organizational Requirements.
http://www.hipaadvisory.com/regs/finalprivacy/504.htm
§ 164.520 Notice of Privacy Practices for Protected Health Information.
http://www.hipaadvisory.com/regs/finalprivacy/520.htm
§ 164.524 Access of individuals to protected health information.
http://www.hipaadvisory.com/regs/finalprivacy/524.htm
§ 164.528 Accounting of Disclosures of Protected Health Information.
http://www.hipaadvisory.com/regs/finalprivacy/528.htm
§ 164.530 Administrative requirements.
http://www.hipaadvisory.com/regs/finalprivacy/530.htm
Subpart A - General Provisions. §160.103. Definitions. (Definition of Business Associate.)
http://www.hipaadvisory.com/regs/finalprivacy/160a.htm
Business Associates [45 CFR 164.502(e), 164.504(e), 164.532(d) and (e)]
http://www.hipaadvisory.com/regs/finalprivacymod/gbusiness.htm
Sample Business Associate Agreement Contract Provisions
http://www.hipaadvisory.com/regs/finalprivacymod/appendix.htm
Subpart C - Compliance and Enforcement.
http://www.hipaadvisory.com/regs/finalprivacy/160c.htm
HIPAA Resource Links for Physicians (American Medical Association)
http://www.ama-assn.org/ama/pub/category/4234.html
American Osteopathic Association
http://www.aoa-net.org
HIPAA Checklist (ePractis)
http://www.epractis.com/HIPAA/todolist.htm
Baker & Hostetler
http://www.bakerlaw.com
We have developed a short test as an adjunct to your HIPAA training. The test has 22 questions and should take approximately 10-20 minutes to complete. It may be used in many ways:
As the employer, you may determine how, when, or if this test is to be used and the passing score. You may also use this test as a template upon which to develop your own practice-specific test. If you prefer to download the test, answer key, and certificate of completion in Microsoft Word format, click here.
E-mail us for questions and comments about this Web site.
The information, services, and products available to you on this Web site may contain errors and are subject to periods of interruption. While OHIC Insurance Company and the Ohio University College of Medicine do their best to maintain the information, services, and products offered on this Web site, they cannot be held responsible for any errors, defects, lost profits, or other damages arising from the use of this Web site.
Advice and information provided on this Web site are presented for general educational purposes and are not intended as legal advice. Site visitors seeking advice for specific HIPAA situations should consult their personal attorney.
Use of materials on this Web site is permitted for physician offices' purposes only. Materials may not be redistributed for any other purpose without the express written permission of Ohio University Without Boundaries. Requests for permission to use copyrighted material for any other purpose should be e-mailed to ouwb@ohio.edu.