HIPAA Essentials

Table of Contents

Disclaimer
HIPAA – Six Years Later
Implementation
- Sample Job Descriptions – HIPAA Privacy Official and Contact Person and HIPAA Security Official
- HIPAA Self-Assessment Worksheet – Part 1: Data Gathering
- HIPAA Self-Assessment Worksheet – Part 2: Analyze the Data
- HIPAA Self-Assessment Worksheet – Part 3: Action Plan (blank)
- HIPAA Self-Assessment Worksheet – Part 3: Action Plan (filled in)
- Identify Your Business Associates
- Business Associate Agreement Checklist
- Sample Business Associate Contract Provisions
Policies, Procedures, and Sample Forms
- HIPAA Privacy Rule – Policies, Procedures, and Documents
- Instructions to Assist in Implementing Sample Forms and Policies and Procedures
- Notice of Privacy Practices (Policy & Procedures)
- Notice of Privacy Practices
- Notice of Privacy Practices Acknowledgment
- Authorization to Use or Disclose Protected Health Information (Policy & Procedures)
- Authorization to Use or Disclose Protected Health Information
- Revocation of Authorization to Use or Disclose Protected Health Information (Policy & Procedures)
- Revocation of Authorization to Use or Disclose Protected Health Information
- Responding to Requests to Access and/or Copy Protected Health Information (Policy & Procedures)
- Denying Request to Access Protected Health Information
- Request to Correct or Amend Protected Health Information (Policy & Procedures)
- Request to Correct or Amend Protected Health Information
- Denying Request to Correct or Amend Protected Health Information
- Response to Defective Subpoena or Incomplete Request to Disclose Protected Health Information
- Responding to Request for Restrictions on the Use or Disclosure of Protected Health Information (Policy & Procedures)
- Response to Request for Restrictions on the Use or Disclosure of Protected Health Information
- Minimum Necessary Requirements for the Use and Disclosure of Protected Health Information (Policy & Procedures)
- Documenting of and Accounting for Disclosures of Protected Health Information (Policy & Procedures)
- Accounting Log for Protected Health Information Disclosures
- Notification of Breach of Unsecured Protected Health Information (Policy & Procedures)
- Breach Notification Checklist
- Accounting Log for Notification of Breach of Unsecured Protected Health Information
- Complaints and Grievances Relating to the Use or Disclosure of Protected Health Information (Policy & Procedures)
- Complaint / Grievance Resolution Letter
Training
- HIPAA Privacy and Security Training (Policy & Procedures)
- HIPAA Privacy and Security Training Checklist
- HIPAA Privacy Rule: A Questionnaire for Nonclinical Staff
- HIPAA Privacy Rule: A Questionnaire for Nonclinical Staff – Answer Key
- HIPAA Privacy Rule: A Questionnaire for Clinical Staff
- HIPAA Privacy Rule: A Questionnaire for Clinical Staff – Answer Key
- Treatment of Minors and the Handling of Their Protected Health Information
- Kinship Caregivers Informed Consent Declaration for Minors
- Employee Confidentiality and HIPAA Training Acknowledgment Statement
- Nonemployee Confidentiality and HIPAA Training Acknowledgment Statement
- HIPAA Help – A Resource List
Security
- Updates to the July 2004 HIPAA Model Security Policies and Procedures
- July 2004 HIPAA Model Security Policies and Procedures

November 2009

Disclaimer

Physicians Insurance has produced the following materials to assist practices in their efforts to comply with the Privacy and Security Rule promulgated under the Health Insurance Portability & Accountability Act (HIPAA) of 1996, and new federal legislation, the Health Information Technology for Economic and Clinical Health (HITECH) Act, which is part of the American Recovery and Reinvestment Act (ARRA) that was signed into law on February 17, 2009. The HITECH Act strengthens and expands HIPAA’s current privacy and security requirements. These materials are current as of November 2009.
While we have made every effort to prepare these materials accurately and completely, the complexity of these issues makes it impossible to guarantee their accuracy and completeness. These materials are provided as general guidance and do not constitute legal advice. Given the scope and complexity of the HIPAA Privacy and Security Rule and HITECH Act requirements and the difficulty of identifying and incorporating all state requirements that are more “stringent” than these rules, practices are well advised to consult with private legal counsel concerning compliance issues. The information in these materials is intended as risk management advice. It does not constitute a legal opinion nor is it a substitute for legal advice. Legal inquiries about topics covered in these materials should be directed to your attorney.

HIPAA – Six Years Later

The Health Insurance Portability and Accountability Act of 1996, or HIPAA, as it has become widely known, was enacted by the federal government to help workers maintain their health insurance coverage during a time of job change, to establish privacy and security rules for protected health information, to set standards for electronic billing of health care services, and to develop a national provider identifier system. The HIPAA Privacy Rule compliance date was April 14, 2003. Since that time, other aspects of the act have come into effect and many states, including Washington, have passed or revised state privacy regulations.

On February 17, 2009, the American Recovery and Reinvestment Act (ARRA), also known as the Stimulus Bill, was signed into law. Enacted as part of this new federal legislation is the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act strengthens and expands HIPAA’s current privacy and security requirements. This new legislation will require you to review and revise your current practices relating to the use and disclosure of protected health information.

To this end, this article is intended to provide you with a checklist of items currently required under the HIPAA Privacy and Security Rules and Washington state privacy regulations, and to outline new regulations that will affect these rules. Physicians Insurance has updated our HIPAA-related sample policies and procedures, forms, and training materials to address these new federal requirements. In addition, we have identified a number of helpful resources to assist you in meeting these new regulations. This information is available to all policyholders and their staff on our Web site at www.phyins.com.

Current HIPAA Privacy Rule requirements

(The articles and sample documents listed under each item below are available on our Web site at www.phyins.com.)

Designate a privacy/security official for your practice.
You must designate a “HIPAA Privacy Official” to assume responsibilities for the development, implementation, and ongoing management and review of policies and procedures to protect the privacy of protected health information (PHI). HIPAA also requires that you designate a “HIPAA Security Official” who is responsible for the development of policies and procedures to comply with requirements for the security of electronic protected health information.
- Sample Job Descriptions – HIPAA Privacy Official and Contact Person and HIPAA Security Official

Develop, implement, and conduct ongoing reviews of your HIPAA privacy program.
Document the minutes of all meetings, administrative memos, or notes. Develop an annual evaluation schedule for reviewing your privacy program.
- HIPAA Self-Assessment Worksheet – Part 1: Data Gathering
- HIPAA Self-Assessment Worksheet – Part 2: Analyze the Data
- HIPAA Self-Assessment Worksheet – Part 3: Action Plan – BLANK
- HIPAA Self-Assessment Worksheet – Part 3: Action Plan – FILLED IN
- Identify Your Business Associates
- Business Associate Agreement Checklist
- Sample Business Associate Contract Provisions

Develop policies and procedures to comply with the HIPAA Privacy Rule.
The HIPAA Privacy Rule requires each covered entity to adopt written policies and procedures with respect to protected health information. Develop an annual evaluation schedule for reviewing your privacy program policies and procedures.
- HIPAA Privacy Rule – Policies, Procedures, and Documents
- Instructions to Assist in Implementing Sample Forms and Policies and Procedures
- Notice of Privacy Practices (Policy & Procedures)
- Notice of Privacy Practices
- Notice of Privacy Practices Acknowledgment
- Authorization to Use or Disclose Protected Health Information (Policy & Procedures)
- Authorization to Use or Disclose Protected Health Information
- Revocation of Authorization to Use or Disclose Protected Health Information (Policy & Procedures)
- Revocation of Authorization to Use or Disclose Protected Health Information
- Responding to Requests to Access and/or Copy Protected Health Information (Policy & Procedures)
- Denying Request to Access Protected Health Information
- Request to Correct or Amend Protected Health Information (Policy & Procedures)
- Request to Correct or Amend Protected Health Information
- Denying Request to Correct or Amend Protected Health Information
- Response to Defective Subpoena or Incomplete Request to Disclose Protected Health Information
- Responding to Request for Restrictions on the Use or Disclosure of Protected Health Information (Policy & Procedures)
- Response to Request for Restrictions on the Use or Disclosure of Protected Health Information
- Minimum Necessary Requirements for the Use and Disclosure of Protected Health Information (Policy & Procedures)
- Documenting of and Accounting for Disclosures of Protected Health Information (Policy & Procedures)
- Accounting Log for Protected Health Information Disclosures
- Notification of Breach of Unsecured Protected Health Information (Policy & Procedures)
- Breach Notification Checklist
- Accounting Log for Notification of Breach of Unsecured Protected Health Information

Designate a contact person to address patient privacy complaints.
You must designate a contact person or office responsible for receiving complaints under the HIPAA Privacy Rules and providing further information about matters covered under the Notice of Privacy Practices (NPP).
- Complaints and Grievances Relating to the Use or Disclosure of Protected Health Information (Policy & Procedures)
- Complaint / Grievance Resolution Letter

Develop a HIPAA privacy training program.
The HIPAA Privacy Rule requires each member of the workforce to receive privacy training as necessary and appropriate for the member to carry out his or her job responsibilities. New members of the workforce should receive privacy training during their orientation period. Additional privacy training should be provided to the workforce within a reasonable time period after implementation of organizational policies and procedures that have undergone material changes. Develop a schedule for ongoing retraining of the workforce.
- HIPAA Privacy and Security Training (Policy & Procedures)
- HIPAA Privacy and Security Training Checklist
- HIPAA Privacy Rule: A Questionnaire for Nonclinical Staff
- HIPAA Privacy Rule: A Questionnaire for Nonclinical Staff – Answer Key
- HIPAA Privacy Rule: A Questionnaire for Clinical Staff
- HIPAA Privacy Rule: A Questionnaire for Clinical Staff – Answer Key
- Treatment of Minors and the Handling of Their Protected Health Information
- Kinship Caregivers Informed Consent Declaration for Minors
- Employee Confidentiality and HIPAA Training Acknowledgment Statement
- Nonemployee Confidentiality and HIPAA Training Acknowledgment Statement
- HIPAA Help – A Resource List

Ongoing assessment of HIPAA security policies and procedures.
Ongoing assessment of HIPAA security policies and procedures is required in order to comply with the HIPAA Security Rule. The Security Rule specifies that “[s]ecurity measures implemented to comply with standards and implementation specifications…must be reviewed and modified as needed to continue provision of reasonable and appropriate protection of electronic protected health information.”
- Updates to the July 2004 HIPAA Model Security Policies and Procedures
- July 2004 HIPAA Model Security Policies and Procedures

New provisions affecting HIPAA Privacy and Security Rules

Business associates required to comply.
Effective February 17, 2010, business associates (BAs) will be subject to the same requirements as covered entities (CEs) for implementing administrative, physical, and technical safeguards for protected health information (PHI). BAs will also be required to have written policies and procedures covering these requirements, and will be subject to the same civil and criminal penalties as CEs. Prior to this change, HIPAA regulations were limited to health plans, health care clearinghouses, and health care providers. Health information exchanges are considered business associates.
An organization that provides data transmission of PHI to a CE (or its BA) and that requires access to PHI in order to do so, such as a health information exchange or a regional health information organization, is considered a BA of the participating CEs. This provision also applies to vendors who provide personal health records functionality to CEs as a part of an electronic health records system. CEs will need to maintain business associate agreements with these organizations.

PHI breach notification rules.
Beginning September 23, 2009, HIPAA CEs are required to notify individuals if they discover a “breach” of “unsecured PHI.” “Breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI, meaning it poses a significant risk of financial, reputational, or other harm to the individual. “Unsecured PHI” means PHI that is not secured through a technology or methodology that HHS considers as being capable of rendering the PHI unusable, unreadable, or indecipherable to unauthorized individuals.

Written notification must be provided to individuals via first-class mail. If the CE does not have sufficient contact information for 10 or more affected individuals, notification must also be made on the CE’s Web site home page or in major print or broadcast media. If the breach involved more than 500 individuals, notification must also be made to prominent media outlets. Notification must be made without unreasonable delay and in no case later than 60 days following discovery of the breach and must contain a brief description of what happened; the date of the breach, if known; the date of discovery; and a description of the types of unsecured PHI involved in the breach. The notice must include steps affected individuals should take to protect themselves from potential harm resulting from the breach.
The CE must also include a brief description of what the CE has done and is planning to do to investigate the breach, to mitigate losses, and to protect against further breaches. The notice must be in plain language and include contact information for individuals to ask questions or learn more.

Business associates must notify CEs of any breach of unsecured PHI. Notification must include the identity of each affected individual.

The CE must notify the Department of Health and Human Services (HHS) of all breaches of unsecured PHI. Notification must occur immediately if the breach involves 500 or more individuals. The CE can maintain a log of breaches affecting fewer than 500 individuals and submit the log annually to HHS.

On April 17, 2009, the Secretary of HHS issued guidance which states that PHI that is secured through encryption or destruction in accordance with specified standards would not be considered “unsecured PHI.” A CE would not have to comply with the breach notification rules if the CE utilizes the technologies and methodologies that HHS prescribes.

On August 24, 2009, interim final regulations were published in the Federal Register implementing the HITECH breach notification provisions. These regulations clarify important exclusions from the breach notification requirements. A breach excludes:
• Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a CE or BA that is made in good faith and within the person’s scope of authority and does not result in further use or disclosure in a manner not permitted under the Privacy Rule.
• Any inadvertent disclosure by a person who is authorized to access PHI at a CE or BA to another person authorized to access PHI at the same CE or BA, or organized health care arrangement (OHCA) in which the CE participates, where the PHI received is not further used or disclosed in a manner not permitted under the Privacy Rule.
• A disclosure of PHI where the CE or BA has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

CEs need to address the issue of unsecured PHI and develop policies and procedures to provide for notification of breaches.

Patient access to electronic health records.
Patients will have the right to receive a copy of their PHI maintained in the electronic health record in an electronic format. A CE may charge a fee that is no greater than the labor costs incurred to respond to the request. (In Washington, the labor costs are subject to the limit on handling fees under WAC 246-08-400 which, until June 30, 2011, is $23.)

Accounting for disclosures of PHI for treatment, payment, and health care operations.
At present, HIPAA and Washington State privacy rules exempt a CE from the obligation to provide individuals with an accounting of disclosures of their PHI if the disclosure was for treatment, payment, or health care operations. Under the HITECH Act, this exception would no longer be available to CEs that use electronic health records (EHRs). The period for which an accounting is required will be limited to 3 years, not the 6-year period currently required. This provision is delayed until January 1, 2014, for CEs that acquired EHRs as of January 1, 2009. For entities that acquire EHRs after January 1, 2009, the provision will be effective on January 1, 2011, or the date upon which the entity acquires the EHR, whichever date is later. HHS is permitted to delay both of these effective dates for up to two years. More guidance is expected from HHS before these effective dates.

Minimum necessary standard.
Under the current HIPAA Privacy Rule, a CE that uses, discloses, or requests PHI must make reasonable efforts to limit the PHI to the “minimum necessary” to accomplish the intended purpose.
The HIPAA Privacy Rule does not define “minimum necessary.” Under the HITECH Act, when using, disclosing, or requesting PHI, CEs are required to limit “to the extent practicable” disclosure of PHI to a “limited data set,” or, if more information is needed, to the minimum necessary “to accomplish the intended purpose of such use, disclosure, or request.” The Privacy Rule defines a “limited data set” as PHI from which all direct patient identifiers have been removed. These identifiers include name, postal address (other than city, state, and zip code), telephone and fax numbers, e-mail address, social security and medical record numbers, and other identifiers. Additionally, while the current Privacy Rule permits CEs to rely on a request by other CEs and their business associates as being the minimum necessary for a particular disclosure, the HITECH Act requires the CE to make the determination of the minimum necessary for disclosure, rather than relying on others to make that decision. HHS has until August 16, 2010, to publish guidance on what constitutes “minimum necessary” under the Privacy Rule.

Nondisclosure of self-pay services.
Currently under the HIPAA Privacy Rule, an individual has a right to request special privacy protections for the use and disclosure of PHI for treatment, payment, and health care operations. A CE is not required to grant that request, although the individual’s request is retained in the record. Under the HITECH Act, a CE will be required to honor a patient’s request that information regarding a particular service not be disclosed to the patient’s health plan or insurance if the patient pays for that service in full out of pocket. Failure to comply with the request will be considered a violation and subject to HIPAA penalties.

Sale of records prohibited.
On or before February 17, 2011, CEs and BAs will be prohibited from directly or indirectly receiving payment in exchange for any PHI, unless the individual specifically authorizes, in writing, that the PHI can be exchanged for payment. Exceptions to this rule include exchanges for treatment purposes; for purposes of a sale, transfer, merger, or consolidation of CEs; for public health activities; and for certain activities of BAs. Exceptions to this rule also apply for research purposes, as long as the price reflects only the costs of preparation and transmittal of the data.

Marketing communications.
Effective February 17, 2010, CEs may no longer use PHI to inform an individual about the CE’s own health care products or services without the individual’s written authorization if the CE receives payment from another party for doing so. These marketing communications would be allowed if the communication describes only a drug or biologic that is currently being prescribed for the patient and the payment the CE receives is reasonable; the CE makes the communication itself and obtains a written patient authorization; or a BA of the CE makes the communication, and the communication is consistent with the business associate agreement between the CE and the BA.

Fund-raising communications.
Effective February 17, 2010, all fund-raising communications that are considered health care operations must clearly provide individuals with an opportunity to opt out of any future fund-raising solicitations.

Increased monetary penalties.
Effective immediately is a new tiered civil monetary penalty (CMP) system that imposes monetary penalties based upon the nature of the improper conduct. In situations where the CE did not know (or by exercising reasonable diligence would not have known) it violated HIPAA, a penalty of $100 per violation, up to $25K per year, for each type of violation is applicable.
If the violation is due to “reasonable cause,” the maximum penalty rises to $1K per violation, up to $100K per year. If the violation is due to “willful neglect,” depending on whether or not the violation is corrected, the maximum penalty ranges from $10K to $50K per violation, up to $250,000 to $1.5M per year. Beginning February 17, 2011, HHS is required to impose civil penalties on a CE if the violation is determined to be due to “willful neglect.”

State attorneys general can bring actions.
Effective immediately, state attorneys general have the authority to bring civil actions to enforce HIPAA.

Criminal penalties for individuals.
Effective immediately is a provision that criminal penalties may be imposed under HIPAA on any individual or entity that wrongly obtains or discloses PHI maintained by a CE. This provision clarifies an ongoing debate as to whether criminal penalties under HIPAA can only be imposed upon a CE.

Authority to audit.
Under the HITECH Act, HHS has the authority to audit CEs and BAs to ensure compliance with the privacy portion of the HITECH Act and current HIPAA privacy and security regulations.

To view the HITECH Act in its entirety, please go to: http://snipr.com/fexbr and see Division A, Title XIII and Division B, Title IV.

Conclusion.
HIPAA rules, regulations, and standards have been and will continue to be a moving target under the direction of the federal government. It is important that your practice’s policies and procedures are periodically reviewed and updated as necessary to reflect these changes. Initial training of new staff members and ongoing retraining of existing staff is required under the HIPAA regulations. In addition to the resources available on our Web site at www.phyins.com, the Department of Health and Human Services Office for Civil Rights (OCR) is another valuable source of information for meeting the various HIPAA requirements. The OCR Web site is available at http://www.hhs.gov/ocr/privacy.
You can find an extensive list of HIPAA-related questions and answers at http://www.hhs.gov/hipaafaq. HIPAA Security Rule information can be found at http://www.cms.hhs.gov/securitystandard/.

We’re here to help you. Contact your Physicians Insurance risk management representative for more information about the new legislation affecting the HIPAA Privacy and Security Rules and Washington State privacy laws. Call our Seattle office at (206) 343-7300 or 1-800-962-1399, or call our Spokane office at (509) 456-5868 or 1-800-962-1398. E-mail our experts at [email protected].

Sample Job Descriptions – HIPAA Privacy Official and Contact Person and HIPAA Security Official

According to the Privacy Rule, a health care provider must designate a “HIPAA Privacy Official” to assume responsibilities for the development and implementation of policies and procedures to protect the privacy of PHI, and must also designate a contact person or office responsible for receiving complaints under the HIPAA Privacy Regulations and providing further information about matters covered in the Notice of Privacy Practices.1 The Security Rule requires each health care provider to designate a “HIPAA Security Official” who is responsible for the development of policies and procedures to comply with requirements for the security of electronic protected health information.2

HIPAA responsibilities may be incorporated into the job duties of an existing member or members of your staff. For smaller health care providers in particular, it is not necessary to designate an individual whose sole role is HIPAA compliance. The same person may serve as your designated HIPAA Privacy Official and contact person and your designated HIPAA Security Official, or, depending on organizational responsibility for electronic protected health information, it may be more appropriate to have different individuals perform these roles.
The following are samples of responsibilities for inclusion on the job description for your designated HIPAA Privacy Official and contact person:

a. Oversees the development, implementation, and maintenance of appropriate privacy policies and procedures.
   (i) Reviews new or revised laws and regulations pertaining to patient privacy to determine if all policies required by law have been developed in writing and if revisions of current policies are needed. Writes or revises policies as necessary.
b. Identifies noncompliance with privacy practices to allow for consistent application of sanctions for failure to comply with privacy policies for all individuals in the organization’s workforce.
c. Establishes and administers a process for receiving, documenting, tracking, investigating, and taking action on all complaints concerning the organization’s privacy policies and procedures in coordination and collaboration with other similar functions and, when necessary, legal counsel.
d. Conducts assessments and internal privacy audits to determine organizational compliance, including reports of compliance activities.
e. Oversees, in cooperation with the Security Official, the development, delivery, and documentation of HIPAA Privacy and Security Rule training and awareness for all staff, including the orientation of new employees and retraining of employees when material changes have been made in policies and procedures or when otherwise necessary.
f. Participates in the development, implementation, and ongoing compliance monitoring of all business associate agreements, to ensure all privacy concerns and requirements are addressed.
g. Maintains appropriate authorization forms, privacy notices, and other materials reflecting current privacy practices and requirements.
h. Coordinates visits and cooperates with the Office for Civil Rights, other legal entities, and organization officers in any compliance reviews or investigations.
i. Manages patient requests for amendments and requests for changes to their medical records.
j. Manages the release of patient records in accordance with established policies and procedures.
k. Manages patient requests regarding limiting disclosures to health plans when the patient has paid in full out of pocket for the services that are the subject of the disclosure.
l. Serves as the designated contact person to receive questions, comments, and complaints, and provide resources for patients and staff on the HIPAA privacy regulations.
m. Receives reports of potential breaches of unsecured PHI and works with the Security Official to investigate, make determinations, and provide notification if necessary.

While the above job duties may be delegated and shared among employees, it is recommended that duties a, b, and c be assumed by your designated “HIPAA Privacy Official.”

The following are samples of responsibilities for inclusion on the job description for your designated HIPAA Security Official:

a. Performs initial and periodic written risk assessment related to security of electronic protected health information (electronic PHI).
b. Implements, oversees, and monitors risk management measures to address security risks and vulnerabilities identified by risk assessments.
c. Oversees the development, implementation, and maintenance of appropriate systems and/or processes for the security of electronic PHI, including security policies and procedures.
d. Implements measures to protect against reasonably anticipated threats or hazards to the security or integrity of electronic PHI and reasonably anticipated unauthorized uses or disclosures.
e. Identifies noncompliance with security policies and procedures to allow for consistent application of sanctions for failure to comply with security policies for all individuals in the organization’s workforce.
f. Establishes and administers a process for regularly reviewing records of computer or information system activity related to electronic PHI, such as audit logs, access reports, and security incident tracking reports.
g. Develops and implements procedures for authorization and supervision of access to electronic PHI by workforce members and termination of access.
h. Develops and implements access authorization policies for stored electronic PHI.
i. Oversees the development, implementation, and maintenance of appropriate security policies and procedures, including those for physical and technical safeguards.
   (i) Reviews new or revised laws and regulations pertaining to the security of patients’ electronic PHI to determine if all policies required by law have been developed in writing and if revisions of current policies are needed. Writes or revises policies as necessary.
j. Oversees, in cooperation with the Privacy Official, the development, delivery, and documentation of HIPAA Privacy and Security Rule training and awareness for all staff, including the orientation of new employees and retraining of employees when material changes have been made in policies and procedures or when otherwise necessary.
k. Participates in the development, implementation, and ongoing compliance monitoring of all business associate agreements, to ensure all security concerns and requirements are addressed.
l. Coordinates visits and cooperates with the Office for Civil Rights, other legal entities, and organization officers in any compliance reviews or investigations.
m. Investigates and resolves security breaches involving electronic PHI, including breaches reported by business associates, providing appropriate notifications as required by state and federal law, after consulting as necessary with legal counsel.
n. Receives reports of potential breaches of unsecured PHI and works with the Privacy Official to investigate, make determinations, and provide notification if necessary.
¹ 45 CFR § 164.530(a)(1)
² 45 CFR § 164.308(a)(2)

Policy effective date: ____/____/____
Revision date(s): ____/____/____

HIPAA Self-Assessment Worksheet
PART 1: Data Gathering

Organization Name: ______________________________________________

One of the first tasks in becoming HIPAA compliant is to conduct an assessment of your current operations. Part 1 of the HIPAA Self-Assessment Worksheet has been designed to assist you with this process. Attach additional sheets if necessary. Part 2 of the HIPAA Self-Assessment Worksheet assists you in identifying additional issues and analyzing the data you collect.

Keeping a record of your work is documentation of your compliance efforts and could be used to defend your actions in the event of a claim, complaint investigation, or survey by the Office for Civil Rights (OCR), etc. Part 3 of the HIPAA Self-Assessment Worksheet assists you in this effort. It is recommended that these items be kept in a binder or folder with tabs to indicate the various sections.

SECTION 1: Administration

Section 1 of your compliance records should include the following:
• The minutes of all meetings of your HIPAA compliance group, if applicable,
• Any administrative memos or notes relevant to your HIPAA compliance project, and
• Any budget information relevant to your HIPAA compliance project.

1. Individual in charge of HIPAA compliance:
   Name ______________________________________________
   Contact information ______________________________________________
2. Other individuals in your HIPAA compliance work group:
   a. Name ______________________________________________
      Contact information ______________________________________________
   b. Name ______________________________________________
      Contact information ______________________________________________
3. Compliance record keeper: ______________________________________________
4. Compliance budget: ______________________________________________
5. Meeting schedule: ______________________________________________
6. Meeting location(s): ______________________________________________

SECTION 2: Record Keeping

Section 2 of your files should include all information and materials relevant to the locations where patient information is kept.

7. How are paper medical records kept? (Note all that apply.)
   a. Open shelves accessible to all: ______________________
   b. Open shelves accessible to staff only: ______________________
   c. Open shelves in locked room: ______________________
   d. Filing cabinets with no locks: ______________________
   e. Shelves/filing cabinets with locks: ______________________
   f. Off-site storage, no security: ______________________
   g. Off-site secure storage: ______________________
   h. On a separate sheet, list all sites where paper medical records are kept.
8. How are paper claims and billing information kept? (Note all that apply.)
   a. Open shelves accessible to all: ______________________
   b. Open shelves accessible to staff only: ______________________
   c. Open shelves in locked room: ______________________
   d. Filing cabinets with no locks: ______________________
   e. Shelves/filing cabinets with locks: ______________________
   f. Off-site storage, no security: ______________________
   g. Off-site secure storage: ______________________
   h. On a separate sheet, list all sites where paper claims or billing information are kept.
9. How is other patient information on paper kept? (Note all that apply.)
   a. Open shelves accessible to all: ______________________
   b. Open shelves accessible to staff only: ______________________
   c. Open shelves in locked room: ______________________
   d. Filing cabinets with no locks: ______________________
   e. Shelves/filing cabinets with locks: ______________________
   f. Off-site storage, no security: ______________________
   g. Off-site secure storage: ______________________
   h. On a separate sheet, list all sites where other patient information on paper is kept.
10. How is patient information kept? (Note all that apply.)
   a. Not applicable: ______________________
   b. Personal computer(s), no network connections: ______________________
   c. Personal computers, internal network: ______________________
   d. Personal computers, Internet connection: ______________________
   e. Off-site personal computers/laptops permitted remote access (dial-in, Internet, etc.): ______________________
   f. CDs/DVDs/backup tapes: ______________________
   g. Handheld devices (BlackBerry, iPhone, etc.): ______________________
   h. On a separate sheet, list all equipment on which patient information is kept in electronic form.
   i. Microfilm/microfiche: ______________________
   j. Videotape: ______________________
   k. Other form(s) of media: ______________________
11. How is access to patient information controlled?
   Be prepared to document policies related to administrative restrictions, physical access, and electronic access (e.g., log-ons, passwords, authentication, automatic time-outs) to equipment and systems containing patient information.
12. Copy and attach all policies concerning:
   a. Access to files containing patient information
   b. Access to rooms, shelves, and filing cabinets where patient records are kept
   c. Access to or use of electronic equipment on which patient information is stored

SECTION 3: Personnel/Workforce

Section 3 should include all information and materials relevant to those individuals in your organization who are allowed to have access to, use, or disclose patient information. You should include not only employees, but also trainees and volunteers who are under your organization’s control.

13. List all individuals who work in your organization. For each individual, state:
   a. Job title and description
   b. Whether he/she is permitted access to:
      I. Patient clinical information
      II. Patient billing and claims information
      III. Other patient information
   c. Whether he/she has signed a confidentiality agreement
   d. Whether his/her employment agreement has confidentiality provisions
14. Copy and attach all policies concerning:
   a. Confidentiality of and access to patient information
   b. Use and disclosure of patient information by staff
   c. Disciplinary procedures for breach of patient confidentiality

SECTION 4: Patient Relations

Section 4 should contain all relevant materials concerning the way your organization permits patients to have access to, copy, or otherwise exercise some degree of control over the records that pertain to them.

15. Copy and attach all forms, notices, and other material you give patients that affect the use or disclosure of patient health information:
   a. Standard or customary patient release of information forms
   b. Any notice of information or privacy practices published or available to patients
   c. Any patient brochures you may distribute related to records access
   d. Any “patients’ rights” notices you may provide
   e. Consents
   f. Other(s) not listed
16. Copy and attach all policies concerning:
   a. Patient review and copying of records
   b. Patient requests to amend records
   c. Accounting to patients for disclosures of patient information
   d. Use or disclosure of patient information for marketing or general contact purposes
17. List all individuals and organizations to which you regularly disclose:
   a. Patient clinical information
   b. Patient billings and/or claims information
   c. Any other patient information

SECTION 5: Business Associates

Section 5 should include an inventory of the individuals and organizations with which you exchange, from which you receive, or to which you disclose patient information, not including the patients themselves. You should include copies of all your existing contracts or agreements with such individuals or organizations.

18. List all individuals and organizations with which you exchange:
   a. Patient clinical information
   b. Patient billings and/or claims information
   c. Any other patient information
19. Attach copies of all contracts or agreements currently in effect with individuals and organizations to or from which you regularly disclose or receive patient information.

CHOICE HIPAA Consultation Pilot – Initial Task List
© 2002 CHOICE Regional Health Network – Consent to reproduce for non-profit distribution

This information is intended as advisory in nature and should not be considered as legal advice nor is it a substitute for legal advice. This information does not constitute technical information system/security advice. It is designed to assist you in your own risk management activities. It is not intended to be exclusively relied upon or used as a substitute for your own loss-control program. Accuracy and completeness are not guaranteed.
HIPAA Self-Assessment Worksheet
Part 2: Analyze the Data

Parts 1 and 2 of the HIPAA Self-Assessment Worksheet were created to help you identify areas where action might be needed to comply with HIPAA. The questions in this document may help you further analyze the data collected in Part 1.

DATE COMPLETED: ______________________________
COMPLETED BY: ______________________________

YES / NO / COMMENTS

1) Steps have been taken to minimize the likelihood that patients and visitors can easily see or access computer screens/monitors and other records containing PHI. For example:
   • Computer screens time out.
   • Files are put away or turned over to avoid easy viewing.
   • PDAs (hand-held computer devices) are kept in a secure manner by the authorized individual.
   • Records, including CDs and DVDs, are stored in a secure manner.
   • Other: ______________________________
2) Medical, financial, and other records containing PHI are secure and accessible only to those people employed by or doing work on behalf of the practice who have a legitimate—job-related—need to know; e.g., maintained in locked file cabinets or locked medical record rooms.
3) Computers are password protected—each user has a unique identifier—and passwords are changed on a regular basis.
4) Access controls (e.g., passwords, computer accounts, combinations, keys) to computers, filing cabinets, and the building are terminated or changed when employees or contract workers end their relationship with the practice.
5) Electronic equipment and other records containing PHI are stored in a secure location to prevent theft or vandalism—using both physical security (e.g., alarms and locks) and electronic security (access controls, firewalls, and virus checks, all for which you should consider seeking technical expertise).
6) Documents or records that contain patients’ personal, financial, and health information—and are no longer needed—are destroyed.
   • Shredded or incinerated.
   • Information is kept showing how, why, and by whom medical records were destroyed.
   • Medical records are retained at least:
     • 6 years from the date of the patient’s death.
     • 10 years from the date of the patient’s last medical service.
     • 21 years from the date of a child’s birth for pediatric records and for the obstetric patient’s prenatal records, or 10 years after the minor patient’s last medical service, whichever period is longer.
   • Patient management systems data (financial, etc.) is retained for 10 years.
   • Prior to sale or disposal of computer equipment that stores PHI, the hardware is completely erased by reformatting the hard drive. (Technical knowledge needed.)
   • Other: ______________________________
7) Computer systems containing PHI have systems to protect data integrity and to prevent data loss, for example:
   • Backup systems are used to prevent loss of data due to power outage, hackers, etc.
   • Audit trail systems are periodically audited.
8) Procedures address handling of medical, financial, or other records containing PHI—for example:
   • Original records are handled correctly (e.g., not removed from premises and charted appropriately, including corrections).
   • Patient requests for copying of and amendment to records are handled correctly.
   • Patient requests for an accounting of disclosures of PHI are handled quickly and correctly.
   • Message boards, daily patient schedules, etc., that allow viewing of patient financial or health information are maintained in areas restricted to employees who have a legitimate job-related need to know.
   • Measures are taken to ensure that conversations held with patients concerning financial and health information maintain privacy. For example:
     • Exam room doors are closed.
     • Background music is used in waiting/reception areas to minimize the likelihood of overhearing PHI.
     • Solid core doors are used to minimize sound travel.
     • Phone messages are listened to in private.
   • Steps are taken to reduce the likelihood that facsimile transmissions may be sent to an incorrect telephone number. For example:
     • A confidentiality disclaimer is used on facsimile or electronic transmissions.
     • Transmissions of private health information are limited to urgent/emergent needs.
     • Infrequently used fax numbers are verified prior to transmission.
   • Cell phone conversations about patients that require the release of Individually Identifiable Health Information are conducted only to ensure continuity of care.
   • Steps are taken to protect the privacy and security of information if e-mail or another electronic form of communication is used to communicate personal health information.
9) Staff—including volunteers—are trained in privacy and in maintaining the security of health information. Education is documented and includes:
   • Appropriate handling of personal health information, including specific policies.
   • Use of discretion when discussing personal health information within hearing of others.
   • Use of discretion when leaving telephone and electronic messages for patients.
   • Software password-security procedures.
   • Signed confidentiality statements.
   • Staff accountability for following procedures and applicable laws to protect the privacy and security of PHI.
10) Criminal security/background checks are conducted prior to hiring employees.
11) Board members understand, and are trained in, maintaining the privacy and security of any PHI that they may have a legitimate need to know. And, they:
   • Sign confidentiality agreements.
12) Policies address appropriate handling of patient concerns—including concerns related to the privacy and security of PHI.
13) Forms and documents that affect the use and disclosure of patient health information (e.g., IRB authorization) have been identified, reviewed for compliance with HIPAA, and modified as needed. Using the following list of forms, determine which forms you currently use that you will no longer need:
   a. Employee Confidentiality and HIPAA Training Acknowledgment Statement
   b. Revocation of Authorization to Use or Disclose Protected Health Information
   c. Request to Correct or Amend Protected Health Information
   d. Authorization to Use or Disclose Protected Health Information
   e. Notice of Privacy Practices
   Assess the remaining forms for HIPAA compliance.
14) Business associates are expected to use reasonable measures to handle PHI in a private and secure manner.
   • If written agreements exist, consult legal counsel to ensure HIPAA provisions are met.
   • If written agreements do not exist, work with legal counsel to draft the “Business Associate Agreements” required by HIPAA.
   • Business associates, as appropriate, are educated about pertinent practices/policies pertaining to privacy and security when they have reason to perform any job-related functions on premises.
15) List other areas pertaining to your operations affected by HIPAA and not listed in this document.
   a. ______________________________________________
   b. ______________________________________________
   c. ______________________________________________

If you responded with a “NO” to any item, further action may be necessary to provide reasonable protection for PHI. You may want to use the HIPAA Self-Assessment Worksheet Part 3: Action Plan to document your actions, the rationale behind your plan, and your follow-up.

HIPAA Self-Assessment Worksheet
Part 3: Action Plan

Using Parts 1 and 2 of the HIPAA Self-Assessment Worksheet, identify each issue that might require further action to comply with HIPAA. Then use this or a similar form to develop an action plan by documenting each issue, its action plan, the reason for your decision, your follow-up, and the responsible individual.
The form has five columns: ISSUE, ACTION PLAN, REASON FOR DECISION, FOLLOW-UP, and RESPONSIBLE PARTY. Each row carries the following fields (the blank form repeats this row three times):

ISSUE: ______________________________________________

ACTION PLAN (Circle all changes that you plan to implement, and attach estimated costs):
   System/equipment change
   New policy/policy change
   New form/form change
   Job description change
   Education
   Facility upgrade
   Other: ______________________________

REASON FOR DECISION (Check all that apply):
   Options selected provide reasonable protections of PHI.
   Options not feasible at this time: ______________________________
   Other: ______________________________

FOLLOW-UP:
   Date Completed: ____/____/____
   Monitor
   Budget for: _______________ in _______________ (budget year)

RESPONSIBLE PARTY: ______________________________
HIPAA Self-Assessment Worksheet
Part 3: Action Plan (filled in)

Using Parts 1 and 2 of the HIPAA Self-Assessment Worksheet, identify each issue that might require further action to comply with HIPAA. Then use this or a similar form to develop an action plan by documenting each issue, its action plan, the reason for your decision, your follow-up, and the responsible individual.

ISSUE 1.) Information overheard in waiting room
   ACTION PLAN: System/equipment change – background music; stereo system
   REASON FOR DECISION: Options not feasible at this time: upgrade on hold – budget
   FOLLOW-UP: Monitor; Budget for: $2000.00 stereo in 2010 (budget year); Date Completed: ____/____/____
   RESPONSIBLE PARTY: Cathy

ISSUE 2.) Disposal of confidential information
   ACTION PLAN: Education – completed 8/1/09; completed 9/1/09
   REASON FOR DECISION: Options selected provide reasonable protections of PHI.
   FOLLOW-UP: Monitor; Date Completed: 10/1/09
   RESPONSIBLE PARTY: Pat

ISSUE 3.) Sensitive information discussed on phone – possibility of being overheard
   ACTION PLAN: Education (see issue #1 action plan) – scheduled 10/1/09
   REASON FOR DECISION: Options selected provide reasonable protections of PHI.
   FOLLOW-UP: Monitor; Date Completed: ____/____/____
   RESPONSIBLE PARTY: Cathy

ISSUE 4.) PHI left on the counter – accessible to unauthorized persons
   ACTION PLAN: New policy/policy change; Education – move information to restricted area ASAP
   REASON FOR DECISION: Options selected provide reasonable protections of PHI.
   FOLLOW-UP: Monitor; Date Completed: 10/1/09
   RESPONSIBLE PARTY: Kathy

ISSUE 5.) Files with PHI accessible to unauthorized persons
   ACTION PLAN: Education – of policy changes
   REASON FOR DECISION: Options selected provide reasonable protections of PHI.
   FOLLOW-UP: Monitor; Date Completed: 10/1/09
   RESPONSIBLE PARTY: Dave

ISSUE 6.) a) Computer screens visible to patients; b) patients may access network
   ACTION PLAN: System/equipment change – program for passwords and add screen savers; New policy/policy change; Other: assess computer system – possible upgrade
   REASON FOR DECISION: Options not feasible at this time: assessment of computer on hold due to budget
   FOLLOW-UP: Monitor; Budget for: assessment upgrade in 2010 (budget year); Date Completed: ____/____/____
   RESPONSIBLE PARTY: Kim

ISSUE 7.) Need business associate agreements:
   • Transcription
   • Accountant
   • Collection agency
   ACTION PLAN: New policy/policy change; New form/form change; Other: obtain sample business assoc. agreements
   REASON FOR DECISION: Options selected provide reasonable protections of PHI.
   FOLLOW-UP: Legal review; Budget for: _______________ in 2010 (budget year); Date Completed: ____/____/____
   RESPONSIBLE PARTY: Dennis

(The remaining rows of the sample are blank.)
Identifying Your Business Associates

The HIPAA Privacy regulation allows you to share patient information with your Business Associates in order to conduct health care operations, but only if you have a Business Associate Agreement with them. The regulation defines Business Associates as persons outside of your workforce who:
• On your behalf, perform or assist in the performance of a function or activity involving the use or disclosure of individually identifiable health information (e.g., claims processing, data analysis, quality assurance, billing, practice management); or
• Provide legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services, where the service involves the disclosure of individually identifiable health information.

Some examples of your Business Associates may be:
• Accountants
• Attorneys
• Billing companies
• Clearinghouses
• Consultants
• Collection agencies
• Transcription services
• Data analysis or aggregation services
• Information technology service providers
• Temporary staffing agencies
• Copy services
• Document storage and destruction vendors
• Professional liability insurers
• Insurance agents and brokers
• Health Information Exchanges (“HIEs”)
• Regional Health Information Organizations (“RHIOs”)
• E-prescribing gateways
• Vendors that allow you to offer a personal health record to patients as part of your electronic health record

This list is not exhaustive. Think broadly when you are identifying your Business Associates. Ask yourself:
• Who are your Business Associates?
• What function do they serve?
• What information is disclosed to them?
• Do you currently have some form of contract with them?
• If so, when is the contract due to be renewed or renegotiated?

The sample form, Business Associate Agreement Checklist, will help you identify what needs to be included in your Business Associate Agreement.
November 2009 Effective February 17, 2010, as a result of the ARRA, Business Associates will become accountable to the federal and state authorities for failure to comply with the Privacy Rule provisions applicable to them by their Business Associate Agreements and will be required to directly comply with most provisions of the HIPAA Security Rule, including compliance with administrative safeguards, technical safeguards, physical safeguards, and policies, procedures, and documentation requirements applicable to Covered Entities. This means that Business Associates will be required to undertake a security risk analysis, appoint a security official, and maintain written security policies and procedures, as well as comply with other requirements of the HIPAA Security Rule. The Secretary of Health and Human Services is required to promulgate regulations to implement these requirements. November 2009 Business Associate Agreement Checklist HIPAA Privacy and Security regulations establish the following requirements for the Business Associate Agreement: Business Associate Agreement must: Be in writing. State permitted and required uses and disclosures. Prohibit uses and disclosures not allowed in the Business Associate Agreement or by law or that would be a violation of the Privacy Regulations if done by the Covered Entity (CE). Require Business Associate (BA) to use appropriate safeguards to prevent any unauthorized use or disclosure. Require BA to report to the CE any unauthorized use or disclosure of which BA becomes aware. 
• Require that any agents, including a subcontractor, to whom BA provides protected health information received from the CE, or created or received by BA on behalf of the CE, agree to the same restrictions and conditions that apply to the BA with respect to such protected health information unless disclosures are required by law or unless disclosures are for BA’s proper management or administration and BA obtains the “reasonable assurances” described below from such downstream user.
• Require BA to make available protected health information to the Individual in the Designated Record Set in accordance with 45 C.F.R. §164.524. (While these provisions must be in the Business Associate Agreement, actual access is not required if Business Associate does not possess protected health information in the original Designated Record Set.)
• Require BA to make available and to incorporate any amendment to protected health information in the Designated Record Set in accordance with 45 C.F.R. §164.526. (While these provisions must be in the Business Associate Agreement, actual amendment is not required if Business Associate does not possess protected health information in the original Designated Record Set.)
• When requested by CE, require BA to make available to CE the information required to allow the CE to provide an accounting of disclosures in accordance with 45 C.F.R. §164.528.
• Require BA to make its internal practices, books, and records available to the Department of Health and Human Services Office for Civil Rights for purposes of determining the CE’s compliance with the Privacy Rule to the extent related to the uses and disclosure of protected health information received from, or created or received by, the BA on behalf of the CE.
• Require return or destruction of protected health information at end of contract, if feasible; but, if return or destruction is not feasible, extend the protection of the Business Associate Agreement to the information and limit further uses and disclosures to the purposes listed in the Business Associate Agreement.
• Authorize termination of Agreement if BA violates material term of Business Associate Agreement.
• Require BA to implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic PHI.
• Require BA to report any security incident of which it becomes aware.
• Require BA to ensure that any agent or subcontractor implement reasonable and appropriate safeguards to protect electronic PHI.

(Provisions for compliance with the HITECH Act of the ARRA after February 17, 2010)

• Require BA to comply with the requirements of Title XII, Subtitle D of the Health Information Technology for Economic and Clinical Health (HITECH) Act, codified at 42 U.S.C. §§17921-17954 and regulations issued by the Department of Health and Human Services to implement these statutes as of the date by which business associates are required to comply.
• Require BA to comply with Section 13402 of Title XII, Subtitle D of the Health Information Technology for Economic and Clinical Health (HITECH) Act, codified at 42 U.S.C. §17932 and regulations issued by the Department of Health and Human Services to implement this statute as of the date by which business associates are required to comply by, among other things, reporting to CE within five business days of BA’s discovery of any breach¹ of unsecured protected health information.²
• Require BA to indemnify CE for any reasonable expenses CE incurs in notifying individuals of a breach of unsecured protected health information caused by BA or its subcontractors or agents.
Optional terms

The Business Associate Agreement may permit the BA to use PHI for the proper management and administration of the BA or to carry out its legal responsibilities.

The Business Associate Agreement may permit the BA to disclose protected health information if needed for the proper management and administration of the BA or to carry out the legal responsibilities of the BA if:

1. The disclosure is required by law; or
2. The BA obtains reasonable assurances from the person to whom PHI is disclosed that the PHI will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person agrees to notify the BA of any instances of which it is aware in which the confidentiality of the PHI has been breached.

The Business Associate Agreement may allow BA to provide Data Aggregation Services relating to CE’s health care operations.

The Business Associate Agreement may include defined terms by either referencing the Privacy Rule or including examples of specific definitions. If specific definitions are included, the Business Associate Agreement may define: Protected Health Information; Electronic Protected Health Information; Designated Record Set; De-identify; and Security Rule.

The Business Associate Agreement may permit the BA to use PHI to create a Limited Data Set and to use the Limited Data Set pursuant to a Data Use Agreement.³

The Business Associate Agreement may permit the BA to de-identify the PHI.

¹ “Breach” is defined in Section 13400 of the HITECH Act as:

(a) In general.—The term “breach” means the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.
(b) Exceptions.—The term “breach” does not include—
(i) any unintentional acquisition, access, or use of protected health information by an employee or individual acting under the authority of a covered entity or business associate if—
(I) such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee or individual, respectively, with the covered entity or business associate; and
(II) such information is not further acquired, accessed, used, or disclosed by any person; or
(ii) any inadvertent disclosure from an individual who is otherwise authorized to access protected health information at a facility operated by a covered entity or business associate to another similarly situated individual at the same facility; and
(iii) any such information received as a result of such disclosure is not further acquired, accessed, used, or disclosed without authorization by any person.

² “Unsecured protected health information” has been defined by guidance issued by the Department of Health and Human Services on April 17, 2009, as PHI that is not encrypted or destroyed according to National Institute of Standards and Technology (“NIST”) standards. 74 Fed. Reg. 19006 (published April 27, 2009).
The specific description is:

“Protected health information (PHI) is rendered unusable, unreadable, or indecipherable to unauthorized individuals only if one or more of the following applies:

(a) Electronic PHI has been encrypted as specified in the HIPAA Security Rule by ‘the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key’ and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt. The encryption processes identified below have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard.

(i) Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.
(ii) Valid encryption processes for data in motion are those which comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140-2 validated.

(b) The media on which the PHI is stored or recorded has been destroyed in one of the following ways:

(i) Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed.
(ii) Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.”

³ A "Data Use Agreement" is a written agreement between a covered entity and the recipient of a limited data set that meets the requirements of 45 CFR 164.514(e)(4) and governs the recipient's use and disclosure of the limited data set. A business associate agreement may permit the BA to use the PHI to create a limited data set and use the limited data set pursuant to a Data Use Agreement provided that the BA uses the limited data set only for the purposes of research, public health, or health care operations. A "limited data set" is PHI that excludes certain direct identifiers of the individual, or of relatives, employers, or household members of the individual listed in 45 CFR 164.514(e)(2).

Sample Business Associate Contract Provisions¹
(Published in FR 67 No. 157 pg. 53182, 53264 [August 14, 2002])

(The following Sample Business Associate Contract Provisions were prepared by the Department of Health and Human Services and are available on their Web site. They were last updated June 12, 2006. We have added in brackets comments and suggestions for additional revisions as a result of the Security Rule and the ARRA HITECH Act.)

Statement of Intent

The Department provides these sample business associate contract provisions in response to numerous requests for guidance. This is only sample language. These provisions are designed to help covered entities more easily comply with the business associate contract requirements of the Privacy Rule. However, use of these sample provisions is not required for compliance with the Privacy Rule. The language may be amended to more accurately reflect business arrangements between the covered entity and the business associate.
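The HHS guidance quoted in footnote 2 above treats encrypted electronic PHI as secured only while the confidential process or key that could decrypt it has not itself been breached, and it recommends keeping the decryption tools separate from the data they protect. The Go program below is an added illustration of that property; it is not code from this document, from HHS, or from NIST. The type and function names (EncryptedRecord, NewKey, Encrypt, Decrypt, CheckSecuredAtRest), the binding of a record ID to the ciphertext, and the sample record are all assumptions constructed for the example. It seals a constructed PHI record with AES-256-GCM, keeps the key outside the stored record, and checks that the stored bytes are useless without that key and cannot be altered unnoticed:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedRecord is the form in which a PHI record sits at rest. It carries
// no key material: whether it counts as "secured" under the guidance depends
// on the key, held elsewhere, not having been breached.
type EncryptedRecord struct {
	RecordID   string // non-sensitive locator, authenticated with the ciphertext
	Nonce      []byte // 96-bit GCM nonce, fresh for every encryption
	Ciphertext []byte // AES-256-GCM output, including the 16-byte authentication tag
}

// NewKey generates a 256-bit AES key. Assumption for this example: in a real
// deployment the key comes from, and stays in, a key manager or HSM that is
// separate from the storage holding the records.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds the AEAD and rejects anything that is not an AES-256 key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals one record. The record ID is authenticated but not encrypted,
// so a ciphertext cannot be silently re-attached to a different record.
func Encrypt(key []byte, recordID string, plaintext []byte) (*EncryptedRecord, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(recordID))
	return &EncryptedRecord{RecordID: recordID, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt opens a record. It fails closed on a wrong key, a modified
// ciphertext or tag, or a record ID that differs from the one sealed with it.
func Decrypt(key []byte, rec *EncryptedRecord) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.RecordID))
}

// CheckSecuredAtRest exercises the properties a reviewer looks for: the stored
// bytes do not expose the plaintext, the separately held key recovers it
// exactly, and both a different key and a tampered ciphertext are rejected.
func CheckSecuredAtRest(plaintext []byte) (bool, error) {
	key, err := NewKey()
	if err != nil {
		return false, err
	}
	rec, err := Encrypt(key, "rec-0001", plaintext)
	if err != nil {
		return false, err
	}
	if len(plaintext) > 0 && bytes.Contains(rec.Ciphertext, plaintext) {
		return false, errors.New("plaintext visible in stored bytes")
	}
	got, err := Decrypt(key, rec)
	if err != nil || !bytes.Equal(got, plaintext) {
		return false, errors.New("decryption with the correct key failed")
	}
	otherKey, err := NewKey()
	if err != nil {
		return false, err
	}
	if _, err := Decrypt(otherKey, rec); err == nil {
		return false, errors.New("wrong key was accepted")
	}
	tampered := *rec
	tampered.Ciphertext = append([]byte(nil), rec.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01 // flip one bit of the stored ciphertext
	if _, err := Decrypt(key, &tampered); err == nil {
		return false, errors.New("tampered ciphertext was accepted")
	}
	return true, nil
}

func main() {
	// Constructed sample record; not real patient data.
	phi := []byte("MRN 0000123 | DOB 1970-01-01 | Dx: hypertension")
	ok, err := CheckSecuredAtRest(phi)
	fmt.Println("secured at rest:", ok, err)
}
```

Two design points follow from the guidance. First, the key never appears in EncryptedRecord, so a copy of the storage alone is the "low probability of assigning meaning" case the guidance describes; what remains to protect is the key store. Second, GCM's authentication tag means a record that has been altered, or re-labelled with another patient's record ID, fails to open rather than decrypting to wrong data. Note that the standard Go build is not itself a FIPS 140-2 validated module; the example demonstrates the encrypt-and-separate-the-key property, not the validation status that the guidance's "or others which are FIPS 140-2 validated" clause refers to.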
These or similar provisions may be incorporated into an agreement for the provision of services between the entities or they may be incorporated into a separate business associate agreement. These provisions only address concepts and requirements set forth in the Privacy Rule and alone are not sufficient to result in a binding contract under State law. They do not include many formalities and substantive provisions that are required or typically included in a valid contract. Reliance on this sample is not sufficient for compliance with State law and does not replace consultation with a lawyer or negotiations between the parties to the contract.

Furthermore, a covered entity may want to include other provisions that are related to the Privacy Rule but that are not required by the Privacy Rule. For example, a covered entity may want to add provisions in a business associate contract in order for the covered entity to be able to rely on the business associate to help the covered entity meet its obligations under the Privacy Rule. In addition, there may be permissible uses or disclosures by a business associate that are not specifically addressed in these sample provisions, for example having a business associate create a limited data set. These and other types of issues will need to be worked out between the parties.

Sample Business Associate Contract Provisions²

Definitions (alternative approaches)

Catch-all definition: Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the Privacy Rule.

Examples of specific definitions:

a. Business Associate. "Business Associate" shall mean [Insert Name of Business Associate].
b. Covered Entity. "Covered Entity" shall mean [Insert Name of Covered Entity].
c. Individual. "Individual" shall have the same meaning as the term "individual" in 45 CFR § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
d. Privacy Rule. "Privacy Rule" shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.
e. Protected Health Information. "Protected Health Information" shall have the same meaning as the term "protected health information" in 45 CFR § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
f. Required By Law. "Required By Law" shall have the same meaning as the term "required by law" in 45 CFR § 164.103.
g. Secretary. "Secretary" shall mean the Secretary of the Department of Health and Human Services or his designee.

[Additional definitions might include:

To more precisely define the roles and responsibilities of the covered entity and the business associate:
• “De-identify” or “De-identified” means to remove, encode, encrypt, or otherwise eliminate or conceal data which identifies an Individual, or modify information so that there is no reasonable basis to believe that the information can be used to identify an Individual.
• “Designated Record Set” shall have the same meaning as the term “designated record set” in 45 CFR § 164.501.

To implement the Security Rule requirements:
• “Electronic Protected Health Information” shall have the same meaning as the term “electronic protected health information” in 45 CFR § 160.103.
• “Security Incident” shall have the same meaning as the term “security incident” in 45 CFR § 164.304.
• “Security Rule” shall mean the Security Standards and Implementation Specifications at 45 CFR Part 160 and Part 164, subpart C.

To implement the HITECH Act requirements:
• “Breach” shall have the same meaning as the term “breach” in 45 CFR 164.402.
• “Unsecured Protected Health Information” shall have the same meaning as the term “unsecured protected health information” in 45 CFR 164.402.]

Obligations and Activities of Business Associate

a. Business Associate agrees to not use or disclose Protected Health Information other than as permitted or required by the Agreement or as Required By Law.
b. Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement.

[To implement the Security Rule requirements, include:
• Business Associate further agrees to implement administrative, physical, and technical safeguards (including written policies and procedures) to reasonably and appropriately protect the confidentiality, integrity, and availability of electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Covered Entity as required by the Security Rule.

More specific requirements can also be included as follows:
• Administrative Safeguards. Business Associate agrees to implement policies and procedures to prevent, detect, contain, and correct security violations.
• Physical Safeguards. Business Associate agrees to implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
• Technical Safeguards. Business Associate agrees to implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights.

To provide for compliance with the HITECH Act of the ARRA after February 17, 2010, include:
• Business Associate agrees to comply with the requirements of Title XII, Subtitle D of the Health Information Technology for Economic and Clinical Health (HITECH) Act, codified at 42 USC §§17921-17954 and regulations issued by the Department of Health and Human Services to implement these statutes as of the date by which business associates are required to comply.]

c. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement. [This provision may be included if it is appropriate for the Covered Entity to pass on its duty to mitigate damages to a Business Associate.]
d. Business Associate agrees to report to Covered Entity any use or disclosure of the Protected Health Information not provided for by this Agreement of which it becomes aware.

[To provide for compliance with the Security Rule, include:
• Business Associate agrees to report to Covered Entity any Security Incident of which it becomes aware that results in unauthorized access, use, disclosure, modification, or destruction of information or interference with systems operations. Business Associate shall report such Security Incidents that do not result in unauthorized access, use, disclosure, modification, or destruction of information or interference with systems operations in aggregate numbers and only as frequently as mutually agreed by the parties.

To provide for compliance with the HITECH Act of ARRA after February 17, 2010, include:
• Business Associate agrees to comply with Section 13402 of Title XII, Subtitle D of the Health Information Technology for Economic and Clinical Health (HITECH) Act, codified at 42 USC §17932 and regulations issued by the Department of Health and Human Services to implement this statute as of the date by which business associates are required to comply by, among other things, reporting to Covered Entity within five business days of Business Associate’s discovery of any breach of unsecured protected health information.]

e. Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.

[To implement the Security Rule, include:
• Business Associate shall ensure that any such agent or subcontractor agrees to implement reasonable and appropriate safeguards to protect Covered Entity’s Protected Health Information.]

f. Business Associate agrees to provide access, at the request of Covered Entity, and in the time and manner [insert negotiated terms], to Protected Health Information in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR § 164.524. [Not necessary if business associate does not have protected health information in a designated record set.]
g. Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR § 164.526 at the request of Covered Entity or an Individual, and in the time and manner [insert negotiated terms]. [Not necessary if business associate does not have protected health information in a designated record set.]
h. Business Associate agrees to make internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available [to the Covered Entity, or] to the Secretary, in a time and manner [insert negotiated terms] or designated by the Secretary, for purposes of the Secretary determining Covered Entity's compliance with the Privacy Rule.
i. Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528.
j. Business Associate agrees to provide to Covered Entity or an Individual, in time and manner [insert negotiated terms], information collected in accordance with Section [insert section number in contract where provision (i) appears] of this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528.

Permitted Uses and Disclosures by Business Associate

General Use and Disclosure Provisions [(a) and (b) are alternative approaches]

a. Specify purposes: Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information on behalf of, or to provide services to, Covered Entity for the following purposes, if such use or disclosure of Protected Health Information would not violate the Privacy Rule if done by Covered Entity or the minimum necessary policies and procedures of the Covered Entity: [List purposes]
b. Refer to underlying services agreement: Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in [insert name of services agreement], provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity or the minimum necessary policies and procedures of the Covered Entity.

Specific Use and Disclosure Provisions [Only necessary if parties wish to allow Business Associate to engage in such activities.]

a. Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
b. Except as otherwise limited in this Agreement, Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
c. Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B).
d. Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with § 164.502(j)(1).

[If the business associate is to be permitted to de-identify the data or create a limited data set, include:
• De-Identification. Business Associate may De-identify any and all Protected Health Information created or received by Business Associate under the Agreement; provided, however, that the De-identification conforms to the requirements of the Privacy Rule. Such resulting De-identified information would not be subject to the terms of this Addendum.
• Creating Limited Data Set. Business Associate may create a Limited Data Set as defined in the Privacy Rule, and use such Limited Data Set pursuant to a data use agreement that meets the requirements of the Privacy Rule.]
Obligations of Covered Entity

Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions [Provisions dependent on business arrangement.]

a. Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 CFR § 164.520, to the extent that such limitation may affect Business Associate's use or disclosure of Protected Health Information.
b. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate's use or disclosure of Protected Health Information.
c. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of Protected Health Information.

Permissible Requests by Covered Entity

Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Covered Entity. [Include an exception if the Business Associate will use or disclose protected health information for, and the contract includes provisions for, data aggregation or management and administrative activities of Business Associate.]

Term and Termination

a. Term. The Term of this Agreement shall be effective as of [insert effective date], and shall terminate when all of the Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this Section. [Term may differ.]

b. Termination for Cause. Upon Covered Entity's knowledge of a material breach by Business Associate, Covered Entity shall either:
1. Provide an opportunity for Business Associate to cure the breach or end the violation and terminate this Agreement [and the _________ Agreement/ sections ____ of the ______________ Agreement] if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity;
2. Immediately terminate this Agreement [and the _________ Agreement/ sections ____ of the ______________ Agreement] if Business Associate has breached a material term of this Agreement and cure is not possible; or
3. If neither termination nor cure are feasible, Covered Entity shall report the violation to the Secretary.
[Bracketed language in this provision may be necessary if there is an underlying services agreement. Also, opportunity to cure is permitted, but not required by the Privacy Rule.]

c. Effect of Termination.
1. Except as provided in paragraph (2) of this section, upon termination of this Agreement, for any reason, Business Associate shall return or destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the Protected Health Information.
2. In the event that Business Associate determines that returning or destroying the Protected Health Information is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon [insert negotiated terms] that return or destruction of Protected Health Information is infeasible, Business Associate shall extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information.

Miscellaneous

a. Regulatory References. A reference in this Agreement to a section in the Privacy Rule means the section as in effect or as amended.
b. Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of the Privacy Rule and the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191.
c. Survival. The respective rights and obligations of Business Associate under Section [insert section number related to "Effect of Termination"] of this Agreement shall survive the termination of this Agreement.
d. Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the Privacy Rule.

[To avoid creating third party beneficiaries of Business Associate Agreement, include:
• No Third Party Beneficiaries. Nothing in this Agreement shall confer upon any person other than the Parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.
To address the potential costs of notice for breaches of unsecured protected health information caused by the Business Associate or its subcontractors or agents, include an indemnification provision:
• Indemnification: Business Associate will indemnify Covered Entity for any reasonable expenses Covered Entity incurs in notifying individuals of a breach of unsecured protected health information caused by Business Associate or its subcontractors or agents.]

¹ This Web site version of Sample Business Associate Contract Provisions was revised June 12, 2006, to amend the regulatory cites to the following terms: "individual"; "protected health information"; and "required by law."

² Words or phrases contained in brackets are intended as either optional language or as instructions to the users of these sample provisions and are not intended to be included in the contractual provisions.

HIPAA Privacy Rule – Policies, Procedures, and Documents

The HIPAA Privacy Rule requires each covered entity to adopt written policies and procedures with respect to protected health information designed to comply with the standards and other requirements of the Rule. (See Section 164.530[i-j].) Every organization must develop or revise policies and procedures—in formats that work best for the organization. Some prefer a limited number of policies, with each policy addressing many issues. Others prefer separate, shorter policies addressing only one issue each.

The following tool is provided to help you address the necessary HIPAA Privacy Rule elements. It includes each element and the relevant citation to the section of the HIPAA Privacy Rule that needs to be addressed in policies and procedures if it applies to your organization. We have identified which sections we have addressed and where we have addressed them (in italics)—in whole or in part—in template forms, policies and procedures, and documents.
Because of the unique needs of each practice/health care facility, you need to review these documents to determine what, if any, additional policies and procedures you may need to be HIPAA-compliant. Policies and procedures are also included to address certain HIPAA privacy and security requirements expanded by the HITECH Act.

• Overview of Types of Permission Needed for Use and Disclosure of PHI (45 CFR § 164.502): Notice of Privacy Practices; Authorization to Use or Disclose Protected Health Information (Policy & Procedures)
• Required Disclosures (45 CFR § 164.502): Notice of Privacy Practices
• Handling of Deceased Individuals (45 CFR § 164.502): Authorization to Use or Disclose Protected Health Information (Policy & Procedures)
• Un-Emancipated Minors (45 CFR § 164.502): Treatment of Minors and the Handling of Their Protected Health Information
• Handling of Personal Representatives (45 CFR § 164.502): Authorization to Use or Disclose Protected Health Information (Policy & Procedures)
• Business Associates (45 CFR §§ 164.502, 164.504): Identifying Your Business Associates; Business Associate Agreement Checklist
• Organizational Documentation, i.e., Hybrid Organization, Affiliated Covered Entity, Organized Health Care Arrangement, Multiple Covered Functions (45 CFR § 164.504): not applicable in most practices
• Uses and Disclosures Without Authorization for Treatment, Payment, and Health Care Operations (45 CFR § 164.506): Notice of Privacy Practices; Authorization to Use or Disclose Protected Health Information (Policy & Procedures)
• Authorization (45 CFR § 164.508): Authorization to Use or Disclose Protected Health Information (Policy & Procedures)
• Research (45 CFR § 164.508): Notice of Privacy Practices; Authorization to Use or Disclose Protected Health Information (Policy & Procedures)
• Marketing (45 CFR § 164.508): Notice of Privacy Practices; Authorization to Use or Disclose Protected Health Information (Policy & Procedures)
• Opportunity to Agree or Object (45 CFR § 164.510): Notice of Privacy Practices
  • Facility Directory: Notice of Privacy Practices (this is not applicable in most practices)
  • Persons Involved in Care or Payment: Notice of Privacy Practices
  • Disaster Relief: Notice of Privacy Practices
• Public Policy Disclosures Without Authorization (45 CFR § 164.512): Notice of Privacy Practices; Authorization to Use or Disclose Protected Health Information (Policy & Procedures); Minimum Necessary Requirements for the Use and Disclosure of Protected Health Information (Policy & Procedures)
• Minimum Necessary (45 CFR §§ 164.502, 164.514; HITECH Act Section 13405, codified at 42 U.S.C. § 17935): Minimum Necessary Requirements for the Use and Disclosure of Protected Health Information (Policy & Procedures)
• Fund-raising (45 CFR § 164.514): Notice of Privacy Practices
• De-Identification (45 CFR §§ 164.502 and 164.514): this is not applicable in most practices
• Limited Data Set (45 CFR § 164.514; HITECH Act Section 13405, codified at 42 U.S.C. § 17935): Minimum Necessary Requirements for the Use and Disclosure of Protected Health Information (Policy & Procedures)
• Verification of Identity and Authority (45 CFR § 164.514): All policies and procedures pertaining to the use or disclosure of protected health information to an individual or entity address this subject
• Notice of Privacy Practices (45 CFR § 164.520): Notice of Privacy Practices
• Requests for Confidential Communications (45 CFR § 164.522): Notice of Privacy Practices
• Request for Restrictions on Uses and Disclosures (45 CFR § 164.522; HITECH Act Section 13405(a)): Notice of Privacy Practices; Responding to Requests for Restrictions on the Use or Disclosure of Protected Health Information (Policies & Procedures)
• Patient Access to Records (45 CFR § 164.524): Responding to Requests to Access and/or Copy Protected Health Information (Policy & Procedures); Notice of Privacy Practices
• Amendment of Patient Records (45 CFR § 164.526): Requests to Correct or Amend Protected Health Information (Policy & Procedures); Notice of Privacy Practices
• Accounting of Disclosures (45 CFR § 164.528): Documenting of and Accounting for Disclosures of Protected Health Information (Policy & Procedures); Notice of Privacy Practices
• Privacy Official (45 CFR § 164.530): Sample Job Descriptions – HIPAA Privacy Official and Contact Person and HIPAA Security Official
• Complaint Process (45 CFR § 164.530): Notice of Privacy Practices; Complaints and Grievances Relating to the Use or Disclosure of Protected Health Information (Policy & Procedures)
• No Retaliation for Pursuing Privacy Rights or “Whistleblowing” (45 CFR § 164.530): Notice of Privacy Practices; Complaints and Grievances Relating to the Use or Disclosure of Protected Health Information (Policy & Procedures)
• Mitigation of Damages From Breach of Privacy (45 CFR § 164.530): Complaints and Grievances Relating to the Use or Disclosure of Protected Health Information (Policy & Procedures)
• Prohibition on Asking Patients to Waive Privacy Rights (45 CFR § 164.530): Complaints and Grievances Relating to the Use or Disclosure of Protected Health Information (Policy & Procedures)
• Training (45 CFR § 164.530): HIPAA Privacy and Security Training (Policy & Procedures); HIPAA Privacy and Security Training Checklist; HIPAA Privacy Rule: A Questionnaire for Nonclinical Staff; HIPAA Privacy Rule: A Questionnaire for Nonclinical Staff – Answer Key; HIPAA Privacy Rule: A Questionnaire for Clinical Staff; HIPAA Privacy Rule: A Questionnaire for Clinical Staff – Answer Key; Treatment of Minors and the Handling of Their Protected Health Information; Kinship Caregivers Informed Consent Declaration for Minors; Employee Confidentiality and HIPAA Training Acknowledgment Statement; Nonemployee Confidentiality and HIPAA Training Acknowledgment Statement; HIPAA Help – A Resource List
• Safeguards (45 CFR § 164.530): All forms/policies and procedures, Employee and Nonemployee Confidentiality and HIPAA Training Acknowledgment Statements, and any safeguards that you utilize or put in place [as identified in your work plan]
• Discipline/Sanctions (45 CFR § 164.530): Employee Confidentiality and HIPAA Training Acknowledgment Statement; Nonemployee Confidentiality and HIPAA Training Acknowledgment Statement
• Document Retention (45 CFR § 164.530): To comply with HIPAA, organizations need a retention policy that reflects that documents are maintained for a period of six years from the date of the patient’s last medical service. From a risk management perspective, however, you may want to retain documents for at least 10 years following the date of the patient’s last medical service.
• Notification of Breach of Unsecured Protected Health Information (HITECH Act Section 13402, codified at 42 U.S.C. § 17935; 45 CFR §§ 164.400 et seq.): Notification of Breach of Unsecured Protected Health Information (Policy & Procedures); Accounting Log for Notification of Breach of Unsecured Protected Health Information

Organizations may access the HIPAA Privacy Rule by going to the US Department of Health and Human Services Office for Civil Rights - HIPAA Web site at: http://www.hhs.gov/ocr/privacy/. It is important to remember that more restrictive or more protective state and federal laws may preempt the HIPAA Privacy Rule. Also, be sure to consider any privacy and security standards established by accrediting bodies.

Instructions for Implementing Sample HIPAA Forms and Policies and Procedures

• Review the document titled HIPAA Privacy Rule - Policies, Procedures, and Documents. Identify any additional forms, policies, and procedures that you may need to develop to comply with the HIPAA Privacy Rule—we have indicated on the HIPAA Privacy Rule Policies, Procedures, and Documents checklist which sample forms and policies and procedures we have provided.
• Review all forms, policies and procedures, and other sample documents.
• Identify areas that will require customization to your health care operations. To assist you in this process, we have indicated the areas that must be personalized (e.g., [insert practice/health care facility], [insert name of contact person and phone number here]). If the issue is required by state or federal law, it must remain in the form and policy and procedures document. If the issue is not a requirement of state or federal laws, evaluate the issue for any liability concerns.
• Make any necessary adjustments to the forms, policies and procedures, and sample documents (sample documents can be downloaded from our Web site at www.phyins.com).
• Provide staff training on new forms, policies and procedures, and documents.
• Implement your HIPAA and state law-compliant policies only when you are able to fully comply with such policies. If you implement policies and procedures that you cannot fully comply with, you are potentially increasing your liability exposure.
• Monitor the applicable federal and state laws for changes and modify forms, policies, and procedures accordingly.
• Retain forms, policies and procedures, and documents—including those that have been superseded—in accordance with your record-retention policy.

We recommend that any new or revised forms, policies and procedures, and documents be reviewed by legal counsel knowledgeable with applicable federal and state laws.

Notice of Privacy Practices (Policy & Procedures)

Purpose: To provide patients and other interested persons with a defined opportunity to receive adequate notice of 1) the uses and disclosures of protected health information (PHI) that may be made by the provider; 2) patient rights concerning PHI; and 3) the provider’s legal duties pertaining to PHI.

Policy:

1. Reasonable effort shall be made to provide patients or their legally authorized representative the current Notice of Privacy Practices (NPP) on the date of the first service delivery following April 14, 2003, except where the first service delivery involves emergency medical treatment; in such cases, the NPP shall be provided as soon as it is reasonably practicable to do so.
2. Except in emergencies, reasonable effort shall be made to obtain a signed acknowledgment of receipt of the current NPP from the patient or the legally authorized representative.[1]
3. Document reasonable attempts to provide the current NPP by filing the signed acknowledgment of receipt in the medical record. Refusals to sign the acknowledgment, or refusals to accept the NPP, shall also be documented.
4. A current NPP will be posted in a prominent location where it is reasonable to expect that patients will see and have an opportunity to read the document. At any time, a patient or the patient’s legally authorized representative may request and receive a copy of the current NPP.
5. The Notice of Information Practices required by Washington State law will be placed in a conspicuous place or provided to the patient in another notice. The Notice of Privacy Practices Acknowledgment may contain this required Notice of Information Practices.[2]
6. The NPP shall describe actual privacy practices and examples of all uses and disclosures of PHI.[3] Any change to actual privacy practices shall be reflected in the NPP. Subsequent to any revision, a copy of the “old” NPP shall be retained for 6 years from the date it was last effective.[4]
7. Any person, not only a patient, having questions about the NPP, or privacy/confidentiality practices, shall be directed to the Privacy Official for further information if necessary.
8. Any member of the general public (who is not a patient or a patient’s legally authorized representative) requesting the NPP shall be provided the current NPP as promptly as circumstances permit. The documentation requirements do not apply.[5]

Primary Responsible Party: Privacy Official and Admitting/Front Office Staff
Other Responsible Party: All staff should have general knowledge and be able to direct questions and concerns appropriately.

Procedure:

1. Patients or their legally authorized representative must be provided the current Notice of Privacy Practices (NPP) no later than the date of the first service delivery following April 14, 2003.[6]
   a) Ask the individual to sign the written acknowledgment form attached to the NPP.[7] The signed document shall be filed and maintained in the patient record.
   b) If the individual refuses the offered NPP or declines to sign the acknowledgment form:
      • Document the refusal on the acknowledgment form, and
      • File it in the medical record. For example: “Mr. Smith declined to accept NPP” or “Mr. Smith accepted NPP, but refused to sign the acknowledgment form when requested.”
      • Sign and date the notation.
2. There is no requirement to provide the current NPP, or attempt to do so, where the first patient encounter involves emergency medical treatment, making the provision of notice and related documentation requirements impractical or inappropriate.
   a) The documentation in the medical record should corroborate that the patient required and received emergency medical treatment. In such cases, the current NPP shall be provided as soon as it is reasonably practicable to do so. This may be when the patient has stabilized, at the next scheduled appointment, via mail if it appears the patient may not return for another appointment, or by any other means reasonable and appropriate under the specific circumstances.
   b) When provision of the current NPP at the first service is not accomplished due to the emergency exception, written acknowledgment of subsequent provision [is/is not] required. [Select the option that works best for your practice/facility—the HIPAA Privacy Regulations do not require acknowledgment in this case—but it is strongly recommended from a risk management perspective.]
3. Copies of the current NPP shall be maintained and available to give to any patient, legally authorized representative, or other person so requesting.[8]
4. The NPP shall be revised any time there are material changes to the uses and disclosures of PHI, patient rights, provider duties, or other privacy practices referenced in the NPP.
5. Patients receiving the NPP who have questions or desire further information should be directed to the practice/health care facility Privacy Official as necessary. Every effort should be made to help interested patients understand the information contained in the NPP.

Policies and Procedures Specific to Electronic Notices of Privacy Practices and/or Electronic Service Delivery:

1. The current NPP will be prominently posted on the Web site and made readily available electronically through our Web site. [This section is mandatory and applies if you provide information on a Web site about your services.]
2. The current NPP may be provided by e-mail if the patient or individual agrees. However, the patient or individual retains the right to obtain a paper copy of the NPP upon request.
3. If the first service is delivered electronically, the patient shall be provided the current NPP automatically and contemporaneously in response to the first request for service. The required “written acknowledgment” should be captured electronically, by whatever means technologically feasible.[9]

References:
RCW 70.02.120
45 CFR Subtitle A, Subchapter C, § 164.520

[1] It is strongly recommended that such acknowledgments also be obtained from patients receiving the NPP after a first-service delivery that involves emergency medical treatment.
[2] While the cover sheet for the NPP may contain the required Washington State language, it is still advisable to post it in a prominent location since patients do not have to sign the acknowledgment.
[3] If you contact patients to remind them about appointments, or give them information about treatment alternatives or other health-related benefits and services or fund-raising activities, you must make mention of these examples of uses or disclosures of PHI in the section pertaining to health care operations in the NPP. The NPP need not mention the required offer to opt out of fund-raising that must accompany fund-raising solicitations.
[4] The NPP must contain a statement reserving the right to make modifications to the practice/health care facility’s practices regarding the PHI maintained.
[5] Since the documentation requirements do not apply in these circumstances, it would be necessary to provide and document the provision of the NPP if and when the individual becomes a patient at the practice/health care facility.
[6] Providers and health care facilities may want to work together on a system to enable compliance with this requirement when the first-service delivery is at the health care facilities in a nonemergency situation.
[7] A copy of the notice must be distributed to the patient without any express or implied request to return it. It is permissible to have a “recycle” basket with a sign stating, “You have a right to keep the Notice of Privacy Practices. If you do not wish to keep it, please place it in this basket.”
[8] A charge for a copy of the NPP is not permissible under HIPAA.
[9] If it is not feasible (patient does not have e-mail or facsimile machine) to deliver the NPP as required by the rule, we recommend that you inform the patient that you will mail the NPP and the acknowledgment form (for the patient to complete and return) and document your actions.

Policy effective date: ___/____/____ Revision date(s): ____/____/____

Notice of Privacy Practices

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED, AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

[Insert name of practice or facility] respects your privacy. We understand that your personal health information is very sensitive. The law protects the privacy of the health information we create and obtain in providing care and services to you. Your protected health information includes your symptoms, test results, diagnoses, treatment, health information from other providers, and billing and payment information relating to these services. We will not use or disclose your health information to others without your authorization, except as described in this Notice, or as required by law.

Your health information rights

The health and billing records we create and store are the property of [insert name of practice or facility]. The protected health information in it, however, generally belongs to you. You have a right to:
• Receive, read, and ask questions about this Notice.
• Ask us to restrict certain uses and disclosures. You must deliver this request in writing to us. We are not required to grant the request unless the request is to restrict disclosure of your protected health information to a health plan for payment or health care operations and the protected health information is about a service or treatment for which you paid directly.
• Request and receive from us a paper copy of the most current Notice of Privacy Practices (“Notice”).
• Request that you be allowed to see and get a copy of your protected health information. You may make this request in writing. We have a form available for this type of request.
• Have us review a denial of access to your health information—except in certain circumstances.
• Ask us to change your health information. You may give us this request in writing. You may write a statement of disagreement if your request is denied. It will be stored in your medical record, and included with any release of your records.
• When you request, we will give you a list of certain disclosures of your health information. The list will not include disclosures for treatment, payment, or health care operations. You may receive this information without charge once every 12 months. We will notify you of the cost involved if you request this information more than once in 12 months.
• Ask that your health information be given to you by another means or at another location. Please sign, date, and give us your request in writing.
• Cancel prior authorizations to use or disclose health information by giving us a written revocation. Your revocation does not affect information that has already been released. It also does not affect any action taken before we have it. Sometimes, you cannot cancel an authorization if its purpose was to obtain insurance.

For help with these rights during normal business hours, please contact:
[Insert name or title of designated staff member]
[Insert phone number or address]

Our responsibilities

We are required to:
• Keep your protected health information private.
• Give you this Notice.
• Follow the terms of this Notice.

We have the right to change our practices regarding the protected health information we maintain. If we make changes, we will update this Notice. You may receive the most recent copy of this Notice by calling and asking for it or by visiting our [office/medical records department] to pick one up.

To ask for help or complain
If you have questions, want more information, or want to report a problem about the handling of your protected health information, you may contact:
[Insert name or title of designated staff member]
[Insert phone number or address]

If you believe your privacy rights have been violated, you may discuss your concerns with any staff member. You may also deliver a written complaint to [insert name or title of person] at [insert name of practice or facility]. You may also file a complaint with the Department of Health and Human Services Office for Civil Rights (OCR). We respect your right to file a complaint with us or with the OCR. If you complain, we will not retaliate against you.

How we may use and disclose your protected health information

Under the law, we may use or disclose your protected health information under certain circumstances without your permission. The following categories describe the different ways we may use and disclose your protected health information. For each category, we will explain what we mean and give some examples. Not every use or disclosure in a category will be listed. However, all of the ways we are permitted to use and disclose health information will fall within one of the categories.

Examples of uses and disclosures of protected health information for treatment, payment, and health care operations:

For treatment:
• Information obtained by a nurse, physician, or other member of our health care team will be recorded in your medical record and used by members of our health care team to help decide what care may be right for you.
• We may also provide information to health care providers outside our practice who are providing you care or for a referral. This will help them stay informed about your care.

For payment:
• We request payment from your health insurance plan. Health plans need information from us about your medical care. Information provided to health plans may include your diagnoses, procedures performed, or recommended care.
• We bill you or the person you tell us is responsible for paying for your care if it is not covered by your health insurance plan.

For health care operations:
• We may use your medical records to assess quality and improve services.
• We may use and disclose medical records to review the qualifications and performance of our health care providers and to train our staff.
• We may use and disclose your information to conduct or arrange for services, including:
  • Medical quality review by your health plan;
  • Accounting, legal, risk management, and insurance services; and
  • Audit functions, including fraud and abuse detection and compliance programs.

Statements about certain uses and disclosures:
• We may contact you to remind you about appointments.
• We may use and disclose your health information to give you information about treatment alternatives or other health-related benefits and services.
• We may contact you to raise funds. If we contact you for fund-raising, we will also provide you with a way to opt out of receiving fund-raising requests in the future.

Some of the other ways that we may use or disclose your protected health information without your authorization are as follows:
• Required by law: We must make any disclosure required by state, federal, or local law.
• Business Associates: We contract with individuals and entities to perform jobs for us or to provide certain types of services that may require them to create, maintain, use, and/or disclose your health information. We may disclose your health information to a business associate, but only after they agree in writing to safeguard your health information. Examples include billing services, accountants, and others who perform health care operations for us.
• Notification of family and others: Unless you object, we may release health information about you to a friend or family member who is involved in your medical care. We may also give information to someone who helps pay for your care. We may tell your family or friends your condition and that you are in a hospital.
• Public health and safety purposes: As permitted or required by law, we may disclose protected health information:
  • To prevent or reduce a serious, immediate threat to the health or safety of a person or the public.
  • To public health or legal authorities:
    • To protect public health and safety.
    • To prevent or control disease, injury, or disability.
    • To report vital statistics such as births or deaths.
    • To report suspected abuse or neglect to public authorities.
• Research: We may disclose protected health information to researchers if the research has been approved by an institutional review board or a privacy board and there are policies to protect the privacy of your health information. We may also share information with medical researchers preparing to conduct a research project.
• Coroners, medical examiners, and funeral directors: We may disclose protected health information to funeral directors and coroners consistent with applicable law to allow them to carry out their duties.
• Organ-procurement organizations: Consistent with applicable law, we may disclose protected health information to organ-procurement organizations (tissue donation and transplant) or persons who obtain, store, or transplant organs.
• Food and Drug Administration (FDA): For problems with food, supplements, and products, we may disclose protected health information to the FDA or entities subject to the jurisdiction of the FDA.
• Workplace injury or illness: Washington State law requires the disclosure of protected health information to the Department of Labor and Industries, the employer, and the payer (including a self-insured payer) for workers’ compensation and for crime victims’ claims. We also may disclose protected health information for work-related conditions that could affect employee health; for example, an employer may ask us to assess health risks on a job site.
• Correctional institutions: If you are in jail or prison, we may disclose your protected health information as necessary for your health and the health and safety of others.
• Law enforcement: We may disclose protected health information to law enforcement officials as required by law, such as reports of certain types of injuries or victims of a crime, or when we receive a warrant, subpoena, court order, or other legal process.
• Government health and safety oversight activities: We may disclose protected health information to an oversight agency that may be conducting an investigation. For example, we may share health information with the Department of Health.
• Disaster relief: We may share protected health information with disaster relief agencies to assist in notification of your condition to family or others.
• Military, Veteran, and Department of State: We may disclose protected health information to the military authorities of U.S. and foreign military personnel; for example, the law may require us to provide information necessary to a military mission.
• Lawsuits and disputes: We are permitted to disclose protected health information in the course of judicial/administrative proceedings at your request, or as directed by a subpoena or court order.
• National Security: We are permitted to release protected health information to federal officials for national security purposes authorized by law.
• De-identifying information: We may use your protected health information by removing any information that could be used to identify you.

Web site
• We have a Web site that provides information about us. For your benefit, this Notice is on the Web site at the following address: [Insert Web site address].

Effective date
[Insert effective date of the Notice]

Notice of Privacy Practices Acknowledgment

We keep a record of the health care services we provide you. You may ask to see and copy that record. You may also ask to correct that record. We will not disclose your record to others unless you direct us to do so or unless the law authorizes or compels us to do so. You may see your record or get more information about it by contacting [insert name or title of Privacy Official]. Our Notice of Privacy Practices describes in more detail how your health information may be used and disclosed, and how you can access your information.

By my signature below I acknowledge receipt of the Notice of Privacy Practices.

_____________________________________________________________________________________
Patient or legally authorized individual signature          Date          Time

_____________________________________________________________________________________
Printed name if signed on behalf of the patient          Relationship (parent, legal guardian, personal representative)

(Notation, if any, by staff)

This form will be retained in your medical record.

Authorization to Use or Disclose Protected Health Information (Policy & Procedures)

Purpose: To provide a procedure for obtaining patient authorization for the use or disclosure of protected health information (PHI) when required by law.

Policy:

1. In general, patient health care information should be released pursuant to a valid patient authorization.
Examples of when a valid patient authorization is needed include the use or disclosure of:
   • PHI to the individual to whom the PHI pertains
   • PHI for marketing[1]
   • Psychotherapy notes[2]
   • Some research purposes[3]
   • Legal requests
   • Life insurance requests
   • PHI to others not involved in patient care
2. An authorization is not required for uses or disclosures of PHI for:
   • Treatment,
   • Payment,
   • Health care operations, and
   • When permitted or required by law.[4]
3. In general, a valid authorization must be honored as written.[5]
4. Authorizations and the fulfillment of the disclosure/use request will be appropriately recorded and become part of the patient medical record. [See Documenting of and Accounting for Disclosures of Protected Health Information (Policy & Procedures).]

Primary Responsible Party: Privacy Official, Medical Records Clerk, and Front Office Staff.
Other Responsible Party: All staff should have general knowledge and be able to direct questions/concerns appropriately.

Procedure:

1. When a request is made to disclose PHI:
   a. Determine if an authorization is needed to release the PHI. See Policy Statements 1 and 2 above.
   b. If an authorization is required, ask the patient or legally authorized representative to complete and sign the Authorization to Use or Disclose Protected Health Information form. If the authorization is from an outside entity, see step 2 in this procedure to determine its validity.
      (i) Generally, for an adult (18 years or older), a legally authorized representative is one of the following in order of priority:
         1. Legal guardian
         2. Durable power of attorney for health care
         3. Spouse
         4. Children of the patient who are at least eighteen years of age
         5. Birth or adoptive parent
         6. Adult siblings (all must agree.)
      (ii) For a minor (under 18 years of age), a legally authorized representative is one of the following in order of priority:
         1. Appointed guardian or legal custodian
         2. A person authorized by the court to consent to medical care for a child in or out of home placement pursuant to RCW 13.32A or 13.34
         3. Parents
         4. An individual to whom the minor's parent has given a signed authorization to make health care decisions for the minor patient
         5. A competent adult representing himself or herself to be a relative responsible for the health care of the minor or a competent adult who has signed and dated a declaration under penalty of perjury pursuant to RCW 9A.72.085 stating that the adult person is a relative responsible for the health care of the minor.[6]
      (iii) For deceased patients, an executor of the estate has priority over other legally authorized representatives.
   c. Ask for verification of the identity and the authority of the individual if warranted (if the identity or the authority of the individual is not known to the practice/health care facility).
   d. Advise when the request will be processed. Written, valid authorizations must be honored no later than 15 working days from the date received.[7]
   e. Provide a copy of the completed and signed authorization form to the patient if:
      (i) The patient requests, or
      (ii) The practice/health care facility is asking the patient to sign the authorization.
2. Review the authorization for validity. A copy of a valid authorization is as binding as the original. The following elements must be present and be honored:
   a. A description of the information to be used or disclosed.[8]
   b. The name of the entity authorized to release the information (e.g., the name of the practice/health care facility).
   c. The name (or title) and institutional affiliation (if any) of the recipient(s).
   d. A description of each purpose for the disclosure/use (e.g., patient request, research, or marketing). The authorization must mention remuneration, if any, for marketing purposes.
   e. One of the following must be specified: an expiration date (a specific date—e.g., January 1, 2012) OR when a specific event relating to the patient or the purpose of the use or disclosure occurs (e.g., “when adoption of our child is final”).[9] For research, the expiration may be “end of research study.”
   f. Signature and date (time is optional but may be beneficial in dealing with revocations of authorizations). (See 1[b][i] and 1[b][ii] in this procedure for a list of legally authorized representatives able to sign on behalf of the patient.)[10]
   g. A statement regarding the individual’s right to revoke the authorization, the exceptions to their right to revoke the authorization, and how they may revoke the authorization.[11]
   h. A statement regarding the ability or inability to condition health care treatment, payment, enrollment, or eligibility for benefits on the authorization.[12]
   i. A statement that the information may be subject to re-disclosure and may no longer be protected by federal or state privacy laws.
   j. The form must be in plain language.
   k. A description of the representative’s authority to act for the individual and/or relationship to the individual if signed by a representative.
   l. The authorization may not be combined with any other document that would create a compound authorization.[13]
3. Process the request.[14]
   a. Honor the request as written. Information pertaining to HIV (AIDS virus), STDs, psychiatric disorders, mental health, drug use, or alcohol use may not be disclosed or used unless specified by the patient or legally authorized representative on the form.
   b. The request may not be processed if:
      (i) All required elements are not present,
      (ii) The authorization has expired,
      (iii) There is knowledge that the authorization has been revoked (see Revocation of Authorization to Use or Disclose Protected Health Information form and policy & procedures),
      (iv) There is knowledge that material information on the authorization is false, or
      (v) The individual making the request is not authorized.
   c. Make copies and redact any PHI not authorized in the disclosure/use request from the photocopies (e.g., HIV, AIDS virus, and STDs). You may wish to include a copy of the following language: “We have enclosed all the information we are permitted by law to disclose to you pursuant to the patient’s or legally authorized representative’s valid authorization.”
   d. Prepare a statement for PHI copy fees.[15]
   e. Record on the authorization and the Accounting Log for Protected Health Information Disclosures form [see Documenting of and Accounting for Disclosures of Protected Health Information (Policy & Procedures)] the appropriate elements showing that the request was fulfilled.
Internal References: Documenting of and Accounting for Disclosures of Protected Health Information (Policy & Procedures) Revocation of Authorization to Use or Disclose Protected Health Information (Policy & Procedures) Minimum Necessary Requirements for the Use and Disclosure of Protected Health Information (Policy & Procedures) Responding to Requests to Access and/or Copy Protected Health Information (Policy & Procedures) External References: RCW 70.02 RCW 70.02.010(12) and WAC 246-08-400—Reasonable fee 45 CFR § 164.506, 164.508, 164.512 and 164.524 November 2009 1 45 CFR § 164.508(a)(3): An authorization for the practice/health care facility to even use PHI for marketing purposes is required except if the communication is in the form of a face-to-face communication with the patient or if the communication is in the form of a promotional gift of nominal value to the patient. 2 45 CFR §§ 164.501 & 164.508(a)(2): Psychotherapy notes are notes recorded by a mental health professional documenting or analyzing the contents of conversation during a counseling session—that are separated from the rest of the individual’s medical record. A specific authorization to use or disclose psychotherapy notes is required except if the notes are used or disclosed: by the originator of the notes for treatment; to a person or persons reasonably able to prevent or lessen the threat (including the target of the threat), if there is a good faith belief that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; if the notes are to be used in the course of training students, trainees, or practitioners in mental health; to defend a legal action or any other legal proceeding brought by the patient; when used by a medical examiner or coroner; for health oversight activities of the originator; or when required by law. 
3 45 CFR §164.512(i): An authorization is required except if the covered entity can document affirmatively that a valid waiver of the authorization has been approved by an IRB or a Privacy Committee. 4 45 CFR §§ 164.506, 164.512 & RCW 70.02.050: Authorizations are not required for any treatment or payment purposes. Authorizations are also not required for the health care operations of the covered entity (e.g., administrative, legal, financial, or actuarial services) or, under certain circumstances, for the health care operations of another covered entity (e.g., requests for credentialing and quality-improvement purposes). Further, authorizations are not required when the use or disclosure is permitted or required by law. 5 45 CFR §164.524, RCW 70.02.030 and 70.02.090: There are a few rare exceptions. [See Responding to Requests to Access and/or Copy Protected Health Information (Policy and Procedures.)] 6 Such declaration shall be effective for up to six months from the date of the declaration. 7 RCW 70.02.080: If the practice/health care facility is not able to honor the request for access because the information is in use or unusual circumstances have delayed the handling of the request, the patient must be informed in writing of the reasons for the delay and the earliest date, not later than 21 working days after receiving the request, when the information will be available. 8 45 CFR § 164.508(b)(3)(ii): (See also footnote 4) A valid authorization for psychotherapy notes must specifically identify that psychotherapy notes are the subject of disclosure/use and the authorization for psychotherapy notes may not specify any other records to disclose/use. You may utilize the Authorization to Use or Disclose Protected Health Information form; however, you must not combine the request with any other request for record use or disclosure. 
Simply check “other” and indicate “psychotherapy notes” in the section labeled “You may use or disclose the following health care information.” 9 If the authorization is for a disclosure to a financial institution or an employer of the patient for purposes other than payment, the authorization expires 90 days after signing unless the authorization is renewed by the patient. RCW 70.02.030(6). Additional requirements for authorizations for disclosures to researchers and third party payors are established under RCW 70.02.030(4), but apply only if disclosure without authorization is not permitted under RCW 70.02.050 and HIPAA, which is almost never the case. 10 Electronic signatures on authorization may be accepted by practices. 11 If the authorization form does not contain this element, to be valid the entity must include this information in its Notice of Privacy Practices AND they must refer to their “Notice of Privacy Practices” in their “Authorization to Use or Disclose Protected Health Information” form. See also the Revocation of Authorization to Use or Disclose Protected Health Information form and policy and procedures. 12 45 CFR §164.508 (b)(4)(iii): You may condition the provision of health care on the signing of an authorization when the health care is solely for the purpose of creating PHI for disclosure to a third party (e.g., an Independent Medical Exam, an exam to obtain life insurance) or as a condition of taking part in a research study. 13 45 CFR §164.508 (b)(3)(i): However, an authorization for purposes of a research study may be combined with any other type of written permission for the same research study (e.g., informed consent to participate in research or research protocols). 14 If there is a concern about honoring an authorization, consult the practice/health care facility’s legal counsel and/or malpractice carrier. 
15 45 CFR § 164.524(c)(4) & RCW 70.02.010(12) & WAC 246-08-400: HIPAA and Washington State law limit the amount that may be charged for duplication and searching services to a reasonable cost-based fee. A clerical searching and handling fee may be charged under state law, but federal law prohibits charging this fee to the patient or to someone authorized to make health care decisions on behalf of the patient. When editing of the record is required by statute and is done by the provider personally, Washington State law allows the provider to charge the usual and customary charge for a basic office visit—as a result of the HIPAA Privacy Rule, individuals must agree to these charges in advance. Washington State Department of Health discourages charging a fee in cases of financial hardship. Refusing to provide copies of records for treatment purposes is unethical. Policy effective date: ____/____/____ Revision date(s): ____/____/____ November 2009 Authorization to Use or Disclose Protected Health Information Patient name: ___________________________________ Date of birth: _______________________________ Previous name: _________________________________________________________________________________ I. 
My Authorization You may use or disclose the following health care information (check all that apply): All health care information in my medical record Health care information in my medical record relating to the following treatment or condition: ______________________________________________________________________________________ Health care information in my medical record for the date(s): ______________________________________ Other (e.g., X-rays, bills), specify date(s): _____________________________________________________ You may use or disclose health care information regarding testing, diagnosis, and treatment for (check all that apply): HIV (AIDS virus) Sexually transmitted diseases Psychiatric disorders/mental health Drug and/or alcohol use You may disclose this health care information to: Name (or title) and organization or class of persons: _______________________________________________ Address (optional): __________________________________ City: ________________ State: ___ Zip: ______ Reason(s) for this authorization (check all that apply): at my request check only if [insert name of practice or facility] requests the authorization for marketing purposes other (specify) check only if [insert name of practice or facility] will be paid or get something of value ___________ for providing health information for marketing purposes This authorization ends: on (date): ___________ when the following event occurs: _________________________________ in 90 days from the date signed (if disclosure is to a financial institution or an employer of the patient for purposes other than payment) II. My Rights I understand I do not have to sign this authorization in order to get health care benefits (treatment, payment, or enrollment). However, I do have to sign an authorization form: • To take part in a research study or • To receive health care when the purpose is to create health care information for a third party. I may revoke this authorization in writing. 
If I did, it would not affect any actions already taken by [insert name of practice or facility] based upon this authorization. I may not be able to revoke this authorization if its purpose was to obtain insurance. Two ways to revoke this authorization are: • Fill out a revocation form. A form is available from [insert name of practice or facility], or • Write a letter to [insert name of practice or facility]. Once health care information is disclosed, the person or organization that receives it may re-disclose it. Privacy laws may no longer protect it. _____________________________________________________________________________________ Patient or legally authorized individual signature Date Time _____________________________________________________________________________________ Printed name if signed on behalf of the patient Relationship (parent, legal guardian, personal representative) November 2009 Revocation of Authorization to Use or Disclose Protected Health Information (Policy & Procedures) Purpose: To provide a procedure to address an individual’s right to revoke an authorization to use or disclose health care information as permitted by law. Policy: 1. With few exceptions, individuals may revoke, in writing, an authorization to use or disclose PHI at any time. 2. The revocation of an authorization to use or disclose PHI must become part of the patient record and the information maintained according to the medical record retention schedule—but no less than six years. Responsible Party: Medical Records staff Other Responsible Party: All staff must have sufficient understanding of the right to revoke an authorization to use or disclose PHI to know where to refer a patient or the legally authorized representative. Procedure: 1. When a request is made to revoke an authorization: a. 
Ask for verification of the identity and the authority of the individual if warranted—if the identity or the authority of the individual is not known to the practice/health care facility. b. Ask the patient or legally authorized representative to submit the revocation in writing. The revocation may be submitted in one of the following manners:1 i. Sign, date, and time the Revocation of Authorization to Use or Disclose Protected Health Information form; or ii. Write, sign, and date a letter to [insert name of practice or facility] to cancel the authorization; or iii. Write “Revoked” or “Cancelled” on the original or a copy of the Authorization to Use or Disclose Protected Health Information form. These notations should be signed, dated, and timed by the individual requesting the revocation.2 iv. If it is not feasible or practicable to obtain the individual’s written revocation: 1. Document the individual’s oral revocation on the affected Authorization to Use or Disclose Protected Health Information form. 2. Document the date and time and whether the revocation was done in person or over the phone. 3. If feasible, the oral revocation shall be witnessed and documented by a second staff member. c. Inform the individual that: i. A valid request to revoke the authorization will be honored; and ii. Any uses or disclosures already made based upon the original request will not be affected; and iii. Sometimes the practice/health care facility is allowed or required by law to use or disclose information without patient permission; and November 2009 iv. (if applicable) If the authorization form indicates that the original purpose of the form was to obtain insurance—it is possible that the authorization may not be revocable. 2. Honor the request to the extent required by law (see 1[c][i-iv]). 3. If the revocation is not documented on the affected authorization, then link the affected authorization with the documented revocation. 
Internal References: Authorization to Use or Disclose Protected Health Information (Policy & Procedures) Documenting of and Accounting for Disclosures of Protected Health Information (Policy & Procedures) External References: RCW 70.02.040 45 CFR § 164.508(b) and (c) 1 These suggested elements are risk management recommendations designed to provide privacy safeguards. Federal and Washington State laws require only that the revocation request be made by the patient or authorized individual in writing. 2 This option is available even though it may not be mentioned on the authorization form. Policy effective date: ____/____/____ Revision date(s): ____/____/____ November 2009 Revocation of Authorization to Use or Disclose Protected Health Information Patient name: Date of birth: Previous name: Revoke my authorization dated: Disclose no more information to: Name (or title) and organization: Address: City: State: Zip: I understand that this request does not apply to any uses or disclosures: • Before [insert name of practice or facility] gets this revocation, or • Allowed or required by law. __________________________________________________________________________________ Patient or legally authorized individual signature Date Time __________________________________________________________________________________ Printed name if other than patient Relationship (parent, legal guardian, representative) November 2009 Responding to Requests to Access and/or Copy Protected Health Information (Policy & Procedures) Purpose: To provide a process for handling requests by patients or their legally authorized representatives to access and/or copy the patient’s protected health information (PHI) consistent with federal and state laws. Policy: 1. Subject to certain exceptions, a patient or the patient’s legally authorized representative has a right to inspect and/or obtain a copy of the patient’s PHI maintained by the practice/health care facility.1 2. 
Requests must be approved or denied—in whole or in part—in a timely fashion. 3. Requests will be reviewed by the appropriate party(ies). 4. Requests and their disposition shall be documented, and any denial—in whole or in part—shall be in writing. 5. Where applicable, the patient or the legally authorized representative shall be informed of the right to request a review of a denial. 6. A reasonable, cost-based fee may be charged for copies or summaries of the PHI. 7. The medical records and other PHI subject to a request for patient access, e.g., the designated record sets, are maintained [insert description of all places where medical and billing information is maintained].2 Primary Responsible Party: [Insert the title(s) of the persons or offices responsible for receiving and processing requests for access (e.g., Privacy Official, medical records personnel)]. Other Responsible Party: All staff must have sufficient understanding of the patient’s rights and the practice/health care facility’s obligation to approve or deny requests—in whole or in part—according to pertinent laws. Procedure: 1. When an individual makes a request to access and/or copy PHI: a) Ask for verification of the identity and the authority of the individual if warranted (if the identity or the authority of the individual is not known to the practice/health care facility). b) File any written request in the medical record—the Authorization to Use or Disclose Health Care Information form may be used for this purpose. c) Document the date any written or verbal request was received. d) Inform the individual either when the record (or copy) will be available or that you will be getting back to them. 2. 
Access to the record (and any copy request) shall be granted or denied in whole or in part within 15 working days after receipt of the request.3 If there is a delay due to unusual circumstances (e.g., if the record is in use), specify in writing, within the 15 working days, to the individual: a) The reason for the delay. b) The date the record will be available—but no later than 21 working days from the date the request was received.4 3. If the request is denied in whole or in part, inform the individual in writing of the reason for the denial. Permissible reasons are: November 2009 a) The record does not exist or cannot be found.5 b) [Insert name of practice or facility] does not maintain the record, and if known, give the individual the name and address of the health care provider who does maintain the record.6 c) Due to federal and state laws, the requested record is not available to the individual. These include:7 i. Psychotherapy notes; ii. Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; iii. PHI where access is prohibited by or exempt from Clinical Laboratory Improvements Amendments of 1988, 42 U.S.C. 263a (CLIA); iv. PHI contained in records subject to the Privacy Act, 5 U.S.C. 552a, if the denial of access under the Privacy Act would meet the requirements of that law; v. PHI maintained by a correctional institution, or a provider acting under the direction of a correctional institution, if access would jeopardize the health, safety, security, custody, or rehabilitation of the patient or other inmates, or the safety of persons at the institution or those responsible for transporting the inmate; vi. 
PHI created or obtained by a covered health care provider in the course of research—that includes treatment—and the access is temporarily suspended for as long as the research is in progress, provided that the individual has agreed to the denial of access when consenting to participate in the research that includes treatment, and the covered health care provider has informed the individual that the right of access will be reinstated upon completion of the research; vii. PHI obtained from someone other than a health care provider under a promise of confidentiality, and the access requested would be reasonably likely to reveal the source of the information; viii. A licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the patient or another person; ix. The PHI makes reference to another person (unless such other person is a health care provider) and a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to such other person; or x. The request is made by the patient’s personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the patient or another person. xi. The information requested is not part of the medical record, was not compiled for purposes of making decisions about patient treatment or payment, or was compiled and is used solely for litigation, quality assurance, peer review, or administrative purposes. Grounds viii-x are reviewable upon request by the individual as described in section 5 (c) below. 4. 
Provision of access a) If access is granted, permit an inspection and/or copying as requested, although if the record is maintained at more than one site, it only has to be produced once. b) It is permissible to discuss the scope, format, and other aspects of the request for access with the individual to facilitate timely access, but any access must be within the time limits described above. November 2009 c) The information shall be provided in the form or format requested if it is readily producible in such form or format, but if not, it shall be produced in readable hard copy or in any other form agreed to by the individual, provided that if the information is in an electronic health record maintained or used by the practice/facility, then the individual has the right to have the information in an electronic format. d) If the individual agrees in advance, it is permissible to produce a summary of the record in lieu of allowing access. Any fees must also be agreed upon in advance. e) Upon request, the practice/health care facility shall provide an explanation of any code or abbreviation used in the record. The practice/health care facility may provide an explanation of any other part of the record that has been produced if the individual agrees to it and agrees to any associated fees in advance. f) Assess a reasonable, cost-based fee for copies and for summaries and for explanations of the record. Such fees cannot exceed actual costs and, by Washington State law, cannot exceed the handling and copying fees described in WAC 246-08-400, which is modified every two years. Until June 30, 2011, the maximum handling fee is $23, and the maximum fee for copying is $1.02 per page for the first 30 pages and $0.78 per page for all subsequent pages. A clerical searching and handling fee may be charged under state law, but federal law prohibits charging this fee to the patient or someone authorized to make health care decisions on behalf of the patient. 
Federal law also limits fees for information from an electronic health record used or maintained by the practice/health care facility provided in electronic format to no more than the labor costs incurred to respond to the request. These labor costs would be limited to the maximum handling fee under state law. The individual must agree in advance to any fee for explanations or summaries of the record. A basic office visit fee may be assessed whenever the physician/health care provider is required by statute to personally edit confidential information from the record. 5. Denial of access a) If access is denied in whole or in part, then, to the extent possible, allow access to all other parts of the record requested after excluding the portion to which access is denied. b) Within the time limits described above, provide a written denial in plain language containing the reason for the denial, a description of the individual’s right to a review of the denial, if any, and a description of how to complain to the practice/health care facility or to the OCR. The description must include the name, or title, and telephone number of the person or office designated to receive complaints at the practice/health care facility. (See sample letter Denying Request to Access Protected Health Information.) c) The individual has a right to request a review of the denial if the reason for denying access is one of the grounds described in section 3(c)(viii - x) above. When those grounds apply, the denial letter shall: i. offer the individual the option to request that access and a copy of the denied record be made available to another health care professional, licensed to care for the patient’s condition, and chosen by the individual;8 and ii. offer the option for review by a licensed health care professional chosen by the practice/health care facility who did not directly participate in the original decision to deny. 
When this latter option is chosen, the reviewer shall determine within a reasonable time whether to provide access, and the practice/health care facility shall promptly provide the individual with written notice of the reviewer’s decision and shall comply with that decision.9 November 2009 References: 45 CFR § 160.306, 164.524 RCW 70.02.080 RCW 70.02.090 WAC 246-08-400 1 The practice/health care facility may require a request to inspect and/or copy PHI to be in writing, provided the practice/health care facility informs the patient or the legally authorized representative of this requirement and mentions this requirement in its “Notice of Privacy Practices.” (45 CFR § 164.524 [b][1] and RCW 70.02.080 (1).) 2 45 CFR § 164.524 (e) 3 RCW 70.02.080 (1) 4 RCW 70.02.080 (1)(d) 5 RCW 70.020.080 (1) (b) 6 RCW 70.020.080 (1)(c) 7 45 CFR § 164.524 (a) (1-3), RCW 70.02.090 (1). These are examples of federal and state laws that permit denial of access —these details (in i-xi) do not have to be disclosed to the individual. However, sometimes it may be advisable to give the individual the more specific reason for the denial. 8 RCW 70.020.090 (3). While state law would require the patient to arrange for any compensation of the other provider, HIPAA does not address this issue. 9 45 CFR § 164.524 (a)(4) and (d)(4) Policy effective date: ____/____/____ Revision date(s): ____/____/____ November 2009 Denying Request to Access Protected Health Information Dear ________________________: We have received and reviewed your request to access your health information record. Unfortunately, we cannot honor your request at this time because: We do not maintain this information. Contact [insert name and address of the health care provider who does maintain the information]. Due to federal and state laws, this health information is not available. The record no longer exists or cannot be found. 
You may contact [insert name or title of internal contact person] at [insert telephone number and address], if you: • Have questions. • Want more information. • Want to report a problem about the handling of your information. You have the right to have this decision reviewed by another licensed health care professional. If you wish to make this request: Sign and date here __________________________________________________________________ and Select one of the following: Please have the following licensed health care professional review the decision: ___________________________________________________________________________ Name Specialty Please find a licensed health care professional to review the decision. This would be someone not involved in the original decision. Return this form to us. If you believe your privacy rights have been violated, you may contact [insert name or title of person] at our office by calling [insert telephone number]. We respect your right to file a complaint with us or with the Department of Health and Human Services Office for Civil Rights. Sincerely, November 2009 Request to Correct or Amend Protected Health Information (Policy & Procedures) Purpose: To provide a process for handling requests by patients or their legally authorized representatives to correct or amend protected health information (PHI) consistent with federal and state laws. Policy: 1. In general, patients or their legally authorized representatives have a right to request to amend or correct PHI maintained by the facility. 2. Verbal requests shall be reviewed in a timely fashion by an appropriate person1 and, if granted, the correction shall be noted in the appropriate record. 3. Written requests must be approved or denied—in whole or in part—in a timely fashion. 4. The appropriate person shall review written requests. 5. Written requests and their disposition shall be documented, and any denial of a written request, in whole or in part, shall be in writing. 6. 
Where applicable, the disposition of the request will be disclosed to others who need it.

Primary Responsible Party: [Insert the title(s) of the persons or offices responsible for receiving and processing requests for amendments (e.g., Privacy Official, medical records personnel)].

Other Responsible Party: All staff must have sufficient understanding of the patient’s rights and the practice/health care facility’s obligation to approve/deny requests—in whole or in part—according to pertinent laws.

Procedure:

Verbal Requests

1. When an individual makes a verbal request to correct or amend PHI, ask for verification of the identity and the authority of the individual if warranted (if the identity or the authority of the individual is not known to the practice/health care facility).
2. The appropriate person shall approve or deny the request.[2]
3. If the request is granted, see procedure 3 under Written Requests.
4. If a verbal request is denied, offer the individual the opportunity to make the request in writing by completing and signing the Request to Correct or Amend Protected Health Information form.
5. If the individual chooses not to make a written request, then no additional procedures are required. In some circumstances, it may be advisable to offer the patient the opportunity to have a statement of disagreement included in their record (see procedures 5 and 6 under Written Requests).

Written Requests

1. Written requests must be handled within 10 calendar days.[3] If there is a delay due to unusual circumstances (e.g., if the record is in use), specify in writing, within the 10 calendar days, to the individual:
   a. The reason for the delay
   b. The date the request will be answered—but no later than 21 calendar days from the date the request was received.[4]

November 2009

2. Written requests should be reviewed, and approved or denied, by the health care provider or other person who completed the entry in question.[5] It may be appropriate to first discuss the matter with the patient or the legally authorized representative.
3. If the request is approved:
   a. The correction or amendment shall be made in the appropriate record.
   b. Mark the record affected by the change as corrected/amended at patient’s request.
   c. Draw a single line through any information to be modified, and date and sign or initial it.
   d. The affected record shall be attached or linked or shall otherwise indicate where in the record the corrected or amended information is located.
   e. In the next available space, document “correction or amendment to chart note dated (insert date of entry being corrected or amended)”, enter the new information, and date and sign the entry.
   f. Inform the individual in a timely manner that the amendment is accepted.
   g. Send a copy of the correction or amendment to any third-party payor or insurer that previously received the changed PHI.
   h. Obtain and document the individual’s identification of any persons the individual wants notified of the correction or amendment, and take reasonable steps to notify such persons of the change within a reasonable time.[6]
   i. Notify others that the practice/health care facility knows have the PHI that is the subject of the correction or amendment and could rely on the un-amended information to the patient’s detriment.[7] Take reasonable steps to notify such persons of the change within a reasonable time.
   j. Document the disclosures to the extent required [see Documenting of and Accounting for Disclosures of Protected Health Information (Policy & Procedures)].
4. The following permissible reasons to deny any part of an individual’s request are noted on the Request to Correct or Amend Protected Health Information form and on the sample letter Denying Request to Correct or Amend Protected Health Information.
   a. The existing health information is accurate and complete.[8]
   b. Due to federal and state laws, the individual does not have access to the information (and therefore it is not available for correction or amendment). Examples of when this reason could be used include:[9]
      i. Psychotherapy notes;
      ii. Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding;
      iii. PHI where access is prohibited by or exempt from the Clinical Laboratory Improvements Amendments of 1988, 42 U.S.C. § 263a (CLIA);
      iv. PHI contained in records subject to the Privacy Act, 5 U.S.C. § 552a, if the denial of access under the Privacy Act would meet the requirements of that law;
      v. PHI maintained by a correctional institution, or a provider acting under the direction of a correctional institution, if access would jeopardize the health, safety, security, custody, or rehabilitation of the patient or other inmates, or the safety of persons at the institution or those responsible for transporting the inmate;
      vi. PHI created or obtained by a covered health care provider in the course of research—that includes treatment—and the access is temporarily suspended for as long as the research is in progress, provided that the individual has agreed to the denial of access when consenting to participate in the research that includes treatment, and the covered health care provider has informed the individual that the right of access will be reinstated upon completion of the research;
      vii. PHI obtained from someone other than a health care provider under a promise of confidentiality, and the access requested would be reasonably likely to reveal the source of the information;
      viii. A licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the patient or another person;
      ix. The PHI makes reference to another person (unless such other person is a health care provider) and a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to such other person;
      x. The request is made by the patient’s personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the patient or another person; or
      xi. The information requested is not part of the medical record, was not compiled for the purposes of making decisions about patient treatment or payment, or was compiled and is used solely for litigation, quality assurance, peer review, or administrative purposes.
   c. The record no longer exists or cannot be found.
   d. The request pertains to information that is not PHI, i.e., it does not pertain to the patient’s medical and financial records and the information requested was not compiled or used to make decisions about payment or treatment.[10]
   e. The requested information was not created by [insert name of practice or facility]. Caution—if there is reason to believe the originator of the information is not available, then this ground cannot be used.[11]
   f. [Insert name of practice or facility] does not maintain the record. If known, give the individual the name and address of the health care provider who does maintain the record.[12]
5. Individuals must be informed of the disposition of the written request. If the request is denied—in whole or in part—they shall be informed in writing (see sample letter Denying Request to Correct or Amend Protected Health Information). If the written request is denied:
   a. Send the individual the denial letter and include the reason for denial and information about the individual’s option to file a statement of disagreement.[13]
   b. Document the reason for denial on the Request to Correct or Amend Protected Health Information form.
   c. Add the Request to Correct or Amend Protected Health Information form, any statement of disagreement, and a copy of the denial letter to the medical and/or financial record.
   d. Mark the challenged entry to indicate that the patient claims the entry is inaccurate or incomplete and indicate where the request for amendment and any statement of disagreement is located in the record.[14]
   e. Send any statement of disagreement to any third-party payor or insurer that previously received the disputed PHI.[15]
   f. Document the disclosure to the extent required [see Documenting of and Accounting for Disclosures of Protected Health Information (Policy & Procedures)].
6. Future disclosures must include the written request, the denial and any statement of disagreement.[16] However, if no statement of disagreement is filed, the written request and the denial can be included in future disclosures ONLY upon request by the patient or authorized individual. The denial letter may provide an opportunity for the patient to make this request (see sample letter Denying Request to Correct or Amend Protected Health Information).
7. If notified by another health care entity that an amendment or correction has been made to a patient’s PHI, then:
   a. The correction or amendment shall be filed in the appropriate record; and,
   b. As necessary, the record affected by the change shall be marked as corrected or amended; and
   c. The affected record shall be attached or linked or otherwise indicate where in the record the corrected or amended information is located.

Internal References:
Responding to Requests to Access and/or Copy Protected Health Information (Policy & Procedures)
Documenting of and Accounting for Disclosures of Protected Health Information (Policy & Procedures)

External References:
45 CFR § 164.524 (Access)
45 CFR § 164.526 (Amendment)
RCW 70.02.080-.110

[1] As a risk management recommendation, the appropriate person should be the health care provider or other person who completed the entry in question. See Procedure 2 under Written Requests and the related footnote.
[2] See Procedure 2 under Written Requests.
[3] RCW 70.02.100(2)
[4] RCW 70.02.100(2)(d)
[5] This is a risk management recommendation. The practice/health care facility may have another process in place for who makes the final determination (e.g., medical director). For requests to amend medical information, if the individual is no longer available, consider having the current provider or medical director review the request to correct or amend to determine whether or not the information in the challenged entry is accurate and complete. At times, it may be appropriate to discuss the matter with the patient. If the information is indisputably incorrect (e.g., a typo), it is appropriate to make the correction.
[6] You may want the patient to sign an authorization form if the disclosure would ordinarily require the use of that form. See footnote 8.
[7] 45 CFR § 164.526(c)(3). State law neither requires these disclosures nor forbids them. State law only requires disclosure to third-party payors and insurers. RCW 70.02.110(3). It is therefore unclear whether state law is more stringent here. However, to the extent that prior recipients are those to which disclosures are permitted without authorization, this step seems appropriate. You may want to obtain the patient’s written authorization, not just his permission, to disclose the change if the prior disclosure was made pursuant to a signed authorization.
[8] 45 CFR § 164.526(a)(2)(iv)
[9] 45 CFR § 164.526(a)(2)(iii).
These are examples of federal and state laws that permit denial—these details in (i-x) do not have to be disclosed to the patient. However, sometimes it may be advisable to give the patient the more specific reason for the denial.
[10] 45 CFR § 164.526(a)(2)(ii). An example of when this reason could be used is when the information requested is not PHI because it was compiled and used solely for quality improvement or peer review records or for the practice’s attorney or malpractice insurer.
[11] 45 CFR § 164.526(a)(2)(i)
[12] RCW 70.02.100(2)(b) and (c)
[13] See sample letter Denying Request to Correct or Amend Protected Health Information for other required information.
[14] The practice/health care facility may, but need not, prepare and file in the medical record a written rebuttal to a statement of disagreement and must provide the individual with a copy of any rebuttal. Generally, we recommend not preparing such a statement.
[15] RCW 70.02.110(3)
[16] While HIPAA would allow the practice/health care facility to summarize the disagreement in lieu of sending copies, it is unclear whether state law permits that option. From a risk management perspective, we recommend not preparing a summary.

Policy effective date: ____/____/____
Revision date(s): ____/____/____

Request to Correct or Amend Protected Health Information

Patient name: _______________________________________________ Date of birth: ________________
Previous name: ________________________________________________________________________
Patient mailing address: __________________________________________________________________

I request a change to my records. Please explain what the information in your record should say to be more accurate or complete. If you need additional space, please include a separate page.

Date of entry in record: ________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________

_____________________________________________________________________________________
Patient’s or legally authorized individual’s signature                                   Date

_____________________________________________________________________________________
Relationship to patient if signed on patient’s behalf (parent, legal guardian, personal representative)

We will review your request and respond within ten (10) days of receiving your request. A copy of your request will be added to your record. If we grant your request, we will send changes to anyone you identify and to anyone who received the information in the past and who needs to know about the change.

To be completed by the practice/health care facility:

Date received: _____________________

Correction/Amendment has been: _____ accepted _____ denied

_____ The review of this request for correction/amendment has been delayed. Your request will be processed by the following date: _______________ (not later than 21 days after the request).

If denied, check reason for denial:
_____ The existing health information is accurate and complete.
_____ This request does not pertain to the patient’s medical and financial records.
_____ Due to federal and state laws, this health information is not available and therefore cannot be amended or corrected.
_____ This health information was not created by this organization.
_____ The record no longer exists or cannot be found.
_____ The record is not maintained by this organization.

_____________________________________________________________________________________
Name of reviewing department or position                                                 Date

Denying Request to Correct or Amend Protected Health Information

Dear ___________________________:

We have received and reviewed your request to correct or amend your health information record. Unfortunately, we cannot honor your request at this time because:
_____ The existing health information is accurate and complete.
_____ Your request does not pertain to your medical and financial records.
_____ Due to federal and state laws, this health information is not available and therefore cannot be amended or corrected.
_____ This health information was not created by this organization.
_____ The record no longer exists or cannot be found.
_____ The record is not maintained by this organization.

You may contact [insert name or title of internal contact person] at [insert telephone number and address] if you:
• Have questions.
• Want more information.
• Want to report a problem about the handling of your health information.
• Want to write a brief statement of disagreement to be added to your medical record. This is your right. It may include:
  • The reason(s) you believe the health information should be corrected or amended.
  • Why you disagree with any decision to deny your request.

If you do not submit a statement of disagreement, you may request that in future disclosures we include a copy of:
• Your original request to correct or amend the health information.
• This letter.

If you wish to make this request:
• Sign and date here ____________________________________________________________ and
• Return this form to us.

If you believe your privacy rights have been violated, you may contact [insert name or title of person] at our office. We respect your right to file a complaint with us or with the Department of Health and Human Services Office for Civil Rights.

Sincerely,

Response to Defective Subpoena or Incomplete Request to Disclose Protected Health Information

[This document is a sample only. Please customize this form to meet the specific needs of your practice. Please also note that information presented in italics and brackets needs to be replaced with the appropriate, specific information.]

[Place on letterhead of health care provider]

DATE: [Insert today’s date]

TO: [Insert name of party issuing subpoena or request]
    [Insert address of party issuing subpoena or request]

FROM: [(Insert name of records custodian), Records Custodian for (insert name of health care provider)]
      [insert phone number]

RE: [Subpoena/Request] for Medical Records of [insert name of patient] Dated [insert date subpoena issued or date of request for disclosure of information]

It is our intention to comply with your [subpoena/request] for medical records to the extent allowed by law. However, we are not able to process your request at this time due to:

_____ Your request does not conform to the requirements of the UHCIA (RCW 70.02) and/or HIPAA (45 CFR 160, 162 & 164).
_____ Your subpoena or discovery request does not conform to the requirements of RCW 70.02.060 and/or 45 CFR 164.512(e).
_____ We do not find authorization in our files allowing us to release any patient information to you.
_____ Your request is not signed by an authorized party noted in our files.
_____ We have documentation in our files which prohibits us from releasing the information to you at this time.
_____ Information is not being released at this time as requested by authorities pursuant to further investigation.
_____ We need additional information: _________________________________________________
_____ We do not find this patient in our records. Please advise us if you have another name or additional information which would facilitate a further search.
_____ We do not provide the services you have listed.
_____ We do not possess the information you have requested.
_____ Other: _____________________________________________________________________

Responding to Requests for Restrictions on the Use or Disclosure of Protected Health Information (Policy & Procedures)

Purpose: To provide a process for handling requests by patients or their legally authorized representatives to restrict the use or disclosure of the patient’s protected health information (PHI) consistent with federal law.

Policy:
1. A patient or the patient’s legally authorized representative has a right to request that certain uses or disclosures of the patient’s protected health information by [insert name of practice or facility] be restricted.[1]
2. Requests must be approved or denied—in whole or in part—in a timely fashion.
3. Requests will be reviewed by the appropriate party(ies).
4. Requests to restrict the use or disclosure of a patient’s protected health information to a health plan for purposes of carrying out payment or health care operations (but not for purposes of carrying out treatment) when the protected health information pertains solely to a health care item or service for which [insert name of practice or facility] has been paid out of pocket in full by the patient must be approved. Such restrictions may be terminated at any time by the patient.
5. Requests and their disposition shall be documented, and any denial—in whole or in part—shall be in writing.
6. Restrictions, except restrictions on uses or disclosures to a health plan described in paragraph 4, may be terminated at any time by either the patient or [insert name of practice or facility].
7. Restrictions on uses or disclosures do not apply to: protected health information that must be used or disclosed to provide emergency treatment to the patient; uses or disclosures to the Secretary of Health and Human Services to investigate [insert name of practice or facility]’s compliance with the Privacy Rule; or uses or disclosures that are otherwise required by law.

Primary Responsible Party: [Insert the title(s) of the persons or offices responsible for receiving and processing requests for restrictions (e.g., Privacy Official, medical records personnel)].

Other Responsible Party: All staff must have sufficient understanding of the patient’s rights and the practice/health care facility’s obligation to approve or deny requests—in whole or in part—according to pertinent laws.

Procedure:
1. When an individual makes a request to restrict use or disclosure of protected health information:
   a) Ask for verification of the identity and the authority of the individual if warranted (if the identity or the authority of the individual is not known to the practice/health care facility).
   b) File any written request in the medical record.
   c) Document the date any written or verbal request was received.
   d) Inform the individual when to expect a response to the request.
2. Approve the request if it is to restrict the use or disclosure of a patient’s protected health information to a health plan for purposes of carrying out payment or health care operations when the protected health information pertains solely to a health care item or service for which [insert name of practice or facility] has been paid out of pocket in full by the patient, and document the approval.
3. For such approved requests, flag the information in the patient’s record related to any care that the patient has paid for in full out of pocket to assure that the information is not used or disclosed to a health plan for health care operations or payment.
4. Approve or deny other requests, and notify the patient or the patient’s legal representative. (See sample letter Response to Request for Restrictions on the Use or Disclosure of Protected Health Information.) Document any approved requests and flag the restricted information in the patient’s record so restricted information is not disclosed.
5. Terminate approved restrictions if:
   a) The patient agrees to or requests the termination in writing;
   b) The patient orally agrees to the termination and the oral agreement is documented; or
   c) Except as to restrictions approved under paragraph 2, [insert name of practice or facility] informs the patient in writing it is terminating its agreement, effective with protected health information created or received after [insert name of practice or facility] informs the patient.

References:
45 CFR § 164.522
HITECH Act § 13405(a)

[1] Uses and disclosures that may be restricted are: (i) to carry out treatment, payment, or health care operations; and (ii) to family members, other relatives, or close personal friends identified by the patient, for involvement with the patient’s care or payment related to the care. 45 CFR § 164.522.

Policy effective date: ____/____/____
Revision date(s): ____/____/____

Response to Request for Restrictions on the Use or Disclosure of Protected Health Information

Dear ___________________________:

We received your request for restrictions on the use or disclosure of your health information record on [insert date].

[Include one of the following:]

We have approved your request to restrict the use and disclosure of your health information regarding [insert description of care or services that patient paid for in full out of pocket] to [insert name of health plan] for the purposes of carrying out payment or health care operations (but not for the purpose of carrying out treatment). This restriction will be effective as of the date of this letter. The restriction is not effective to prevent uses or disclosures required by the Secretary of the Department of Health and Human Services to investigate [insert name of practice or facility]’s compliance with the HIPAA Privacy Rule or uses or disclosures otherwise required by law.

or

We have approved your request to restrict the use and disclosure of the following health information [insert description] in the following manner and/or to not disclose your health information to [insert names of individuals or entities]. This approval is subject to the following conditions and exceptions:
• Either you or [insert name of practice or facility] may terminate this restriction at any time. If we inform you that we are terminating our agreement to this restriction, the termination of the restriction is only effective with respect to health information created or received after we inform you of the termination.
• If restricted health information must be used or disclosed to provide emergency treatment for you, then this restriction is void.
• The restriction is not effective to prevent uses or disclosures required by the Secretary of the Department of Health and Human Services to investigate [insert name of practice or facility]’s compliance with the Privacy Rule or uses or disclosures otherwise required by law.
• If a restriction is not specifically listed above, it will not be effective.

or

Your request to restrict the use or disclosure of your health information has been denied. See our Notice of Privacy Practices for more information about your rights. For a copy, contact [insert name and phone number of contact person].

If you believe your privacy rights have been violated, you may contact [insert name or title of person] at our office. We respect your right to file a complaint with us or with the Department of Health and Human Services Office for Civil Rights.
Sincerely,

Minimum Necessary[1] Requirements for the Use and Disclosure of Protected Health Information (Policy & Procedures)

Purpose: To provide a procedure ensuring that, when using or disclosing protected health information (PHI) or when requesting PHI from other entities, information is limited to the extent practicable to a limited data set,[2] or, if more information is needed, to the minimum amount necessary to accomplish the intended purpose of the use, disclosure, or request in accordance with applicable laws.

Policy:
1. For disclosures made or requested on a routine and recurring basis, PHI released from or requested by the organization will be limited to either a limited data set or the minimum amount reasonably necessary to achieve the purpose of the disclosure or request.
2. For disclosures made or requested on a nonroutine basis, PHI will be reviewed on an individual basis and released or requested in accordance with procedures to limit the PHI to the extent practicable to a limited data set, or if more information is needed, to the minimum amount reasonably necessary to accomplish the purpose for which the disclosure or request is made.
3. These minimum necessary requirements do not apply to:
   a. Disclosures to or requests by a health care provider for purposes of treatment, provided disclosures are limited to the extent the recipient needs to know the information,[3]
   b. Uses or disclosures made to the individual,[4]
   c. Uses or disclosures made pursuant to a valid authorization,[5]
   d. Disclosures made to the Department of Health and Human Services Office for Civil Rights to ascertain compliance and enforcement of applicable requirements,[6]
   e. Uses or disclosures that are required by law,[7]
   f. Uses or disclosures that are required for compliance with applicable requirements of the HIPAA privacy regulations.
4. Requests of PHI received from other covered entities and business associates—that have a legitimate need of the information—will be reviewed to determine whether it is practicable to fulfill the request with a limited data set or whether more information is needed, in which case the amount of PHI provided shall be the minimum necessary information, determined by [insert name of practice or facility] to be needed to accomplish the purpose for which the disclosure is sought.[8]
5. To the extent practicable, disclosures made in response to requests for PHI from the following shall be limited to a limited data set, and if not practicable, [insert name of practice or facility] shall determine the minimum necessary information to accomplish the purpose for which the request is made:
   a. Public officials,[9]
   b. Professional staff at [insert name of practice or facility],
   c. Researchers.[10]
6. Employees will access PHI in accordance with their specific job position within the organization and the purposes for which the PHI is accessed.
7. Whenever the minimum necessary requirements apply, an entire medical record will not be released unless accompanied by a request that specifies the reason for which the entire record is necessary.

Procedures:

Note: the following are samples of the types of disclosures an organization may make or request; you will need to evaluate, establish, and individualize procedures for your routine and nonroutine disclosures and requests of PHI. You will undoubtedly have numerous routine and nonroutine situations for which you will need to establish procedures or protocols.

1. Routine and Recurring Disclosures or Requests:
   a. Release of information for treatment purposes is excluded from the minimum necessary rules. Any health care provider who is treating the patient may receive PHI, to the extent they need to know the information, with the following exceptions:
      i. Any restrictions that [insert name of practice or facility] has agreed to.
      ii. Psychotherapy notes—which require an authorization.
   b. The following PHI is accessible for use by staff when they are involved in the care and treatment of a patient, for securing payment for services rendered and for health care operations:

      Job Position                    Accessible PHI[11]
      MD, ARNP, PA, RN, LPN, MA       All PHI
      Receptionist                    Health history, Billing information
      Transcriptionist                Progress notes/H & P
      Medical Records Clerk           All PHI
      Volunteer                       Directory
      (Include other staff)

   c. Patient Requests: Refer to Authorization to Use or Disclose Protected Health Information (Policy & Procedures)
   d. [Add any other routine disclosures or requests]
2. Nonroutine Disclosures or Requests: The following are examples of disclosures or requests of PHI that your organization may encounter on a nonroutine basis:
   a. Subpoenas and/or court orders
   b. Investigations by law enforcement
   c. Abuse, neglect, or domestic violence investigations
   d. Workers’ compensation
   e. Regulatory or professional licensure reviews
   f. See other types of disclosures in the Notice of Privacy Practices and those in RCW 70.02.050(1)(b-n), and RCW 70.02.050(2).

   For each type of nonroutine disclosure or request described in your procedures, consider including the following elements and issues:
   a. Review the request to determine if patient authorization or a subpoena or court order is required.[12]
   b. In the case of a state court subpoena, determine whether the 14-day advance notice requirement was satisfied.
   c. Verify the identity of the requestor or investigator and their authority—including whether state and federal law permit access—by requesting official documents, e.g., ID badge, other form of official identification, and statutory authority.
   d. Prior to disclosure, review the requested PHI to determine whether a limited data set will satisfy the request, and if not, whether the information requested is the minimum necessary for the purpose of the disclosure.
   e. Contact your legal counsel or insurer for unusual circumstances.
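The limited data set that the procedures above ask staff to consider before each disclosure (footnote 2 defines it as PHI with the listed direct identifiers removed) can be produced mechanically, and the release can fail closed when an identifier has leaked into a free-text note. The Python below is an added example, not part of this sample policy; the record field names, the category labels and the sample record are its own assumptions.

```python
"""Added example: build a limited data set by removing the direct identifiers that
footnote 2 lists, then refuse release if identifier-like values remain in free text."""
from __future__ import annotations

import re
from typing import Any, Iterator

# Fields holding the direct identifiers a limited data set removes (footnote 2).
# The field names are an assumed schema for this example, not a standard.
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "first_name", "last_name", "previous_name",            # names
    "phone", "fax", "email",                                        # telephone/fax/e-mail
    "ssn", "medical_record_number", "health_plan_beneficiary_number",
    "account_number", "certificate_number", "license_number",
    "vehicle_identifier", "vin", "license_plate",                   # vehicle identifiers
    "device_identifier", "device_serial",                           # device identifiers
    "url", "ip_address",
    "biometric_identifier", "fingerprint", "photo",                 # biometrics, face images
})
ADDRESS_FIELDS = frozenset({"address", "postal_address", "mailing_address"})
ADDRESS_KEEP = frozenset({"city", "state", "zip"})   # address parts footnote 2 lets remain

# Patterns suggesting a direct identifier survived inside free text (notes, comments).
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "url": re.compile(r"https?://\S+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
}


def make_limited_data_set(obj: Any) -> Any:
    """Recursively drop direct-identifier fields. Nested blocks (an emergency contact,
    an employer) are scrubbed as well, since relatives' and employers' identifiers
    must also be removed. Dates and diagnosis codes are not on the list and stay."""
    if isinstance(obj, dict):
        out: dict = {}
        for key, value in obj.items():
            k = key.lower()
            if k in DIRECT_IDENTIFIER_FIELDS:
                continue
            if k in ADDRESS_FIELDS:
                # Keep only city/state/zip from a structured address; a free-text
                # address string cannot be trimmed safely, so it is dropped whole.
                if isinstance(value, dict):
                    out[key] = {a: b for a, b in value.items() if a.lower() in ADDRESS_KEEP}
                continue
            out[key] = make_limited_data_set(value)
        return out
    if isinstance(obj, list):
        return [make_limited_data_set(item) for item in obj]
    return obj


def _walk(obj: Any, path: str = "") -> Iterator[tuple[str, str]]:
    """Yield (path, text) for every string value in a nested record."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _walk(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            yield from _walk(item, f"{path}[{i}]")
    elif isinstance(obj, str):
        yield path, obj


def residual_identifier_findings(obj: Any) -> list[tuple[str, str]]:
    """(path, pattern_name) for each string value that still looks like an identifier."""
    findings = []
    for path, text in _walk(obj):
        for name, pattern in RESIDUAL_PATTERNS.items():
            if pattern.search(text):
                findings.append((path, name))
    return findings


def release_limited_data_set(record: dict) -> dict:
    """Scrub, then refuse release while free text still carries identifiers, so a
    reviewer has to redact the note instead of the tool passing it through silently."""
    lds = make_limited_data_set(record)
    findings = residual_identifier_findings(lds)
    if findings:
        raise ValueError(f"direct identifiers remain in free text: {findings}")
    return lds


# Constructed sample record with fictitious values, not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "date_of_birth": "1970-04-12",
    "ssn": "000-12-3456",
    "medical_record_number": "MRN-000001",
    "address": {"street": "1 Example St", "city": "Seattle", "state": "WA", "zip": "98101"},
    "phone": "206-555-0100",
    "email": "jane@example.invalid",
    "emergency_contact": {"name": "John Example", "phone": "206-555-0101", "relationship": "spouse"},
    "encounters": [
        {"date": "2009-10-02", "diagnosis_code": "J06.9",
         "note": "Follow-up call placed to 206-555-0100."},   # identifier leaked into a note
    ],
}

if __name__ == "__main__":
    scrubbed = make_limited_data_set(SAMPLE_RECORD)
    print(scrubbed)
    print(residual_identifier_findings(scrubbed))
```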
Resources:
RCW 70.02.050
45 CFR § 164.502(b), 164.512, 164.514(d)

[1] Section 13405 of the HITECH Act of the ARRA, codified at 42 U.S.C. § 17935, changed the “minimum necessary” standard under the privacy regulations to provide that the minimum necessary is “to the extent practicable” a limited data set, or the “minimum necessary to accomplish the intended purpose of such use, disclosure, or request.” HHS is to issue guidance regarding these changes by August 16, 2010.
[2] A limited data set is partially de-identified information that removes the following direct identifiers from the PHI: names; postal addresses (other than city, state, and zip code); telephone and fax numbers; e-mail addresses; social security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers and serial numbers; device identifiers and serial numbers; URLs; IP address numbers; biometric identifiers; and full face photographic images.
[3] Washington State law has a minimum necessary requirement for this type of disclosure. It allows disclosure of health information about a patient, without the patient’s authorization, to a person who the provider reasonably believes is providing health care to the patient, but only to the extent the recipient needs to know the information. RCW 70.02.050(1)(a).
[4] Under certain circumstances, you can deny the individual access to PHI. See Responding to Requests to Access and/or Copy Protected Health Information (Policy & Procedures).
[5] See Authorization to Use or Disclose Protected Health Information (Policy & Procedures) and Revocation of Authorization to Use or Disclose Protected Health Information (Policy & Procedures).
[6] In accordance with 45 CFR §§ 160.300-160.312.
[7] As described in 45 CFR § 164.512(a).
[8] Section 13405(b)(1) of the HITECH Act, codified at 42 U.S.C. § 17935(b). The “to the extent the recipient needs to know the information” provision of RCW 70.02.050(1)(a) should be taken into consideration as well.
[9] Disclosures to public officials must comply with 45 CFR § 164.512, which specifies the uses and disclosures for which an authorization, or opportunity to agree or object, is not required.
[10] Documentation or representations that comply with the applicable requirements of 45 CFR § 164.512(i), which addresses uses and disclosures for research purposes, must be provided by the researcher.
[11] These limitations are examples only. Each practice/health care facility should determine the appropriate access level for its staff.
[12] RCW 70.02.050 and 45 CFR § 164.512.

Policy effective date: ____/____/____
Revision date(s): ____/____/____

Documenting of and Accounting for Disclosures of Protected Health Information (Policy & Procedures)

(For all organizations until at least 1/1/2011; thereafter, organizations that use electronic health records will need a revised policy.[1] Visit our Web site, www.phyins.com, in 2010 for a sample revised policy.)

Purpose: To provide a procedure for documenting of and accounting for the disclosure of protected health information (PHI) in accordance with federal and state laws.

Policy:
1. Disclosures of PHI will be recorded and included in the patient’s medical record except disclosures:
   (a) To carry out treatment, payment, and health care operations;
   (b) To the patient of health care information about him or her;
   (c) Incident to a use or disclosure that is otherwise permitted or required;
   (d) Pursuant to an authorization where the patient authorized the disclosure of health care information about himself or herself;
   (e) Of directory information;
   (f) To persons involved in the patient's care;
   (g) For national security or intelligence purposes if an accounting of disclosures is not permitted by law;
   (h) To correctional institutions or law enforcement officials if an accounting of disclosures is not permitted by law; and
   (i) Of a limited data set that excludes direct identifiers of the patient or of relatives, employers, or household members of the patient.
2. A patient has a right to receive an accounting of the disclosures of their protected health information in the six (6) years prior to the date on which the accounting is requested, with the exception of the disclosures listed in 1(a)-(i) and of circumstances under which disclosure of health information may be denied.[2]
3. Information to be recorded for the accounting of PHI disclosures shall include: date of request, brief description of information released, name and address (if known) of the recipient of the information, a brief statement of the purpose of the disclosure, date of disclosure, and name of individual releasing PHI.[3] (See Accounting Log for Protected Health Information Disclosures.)
4. A separate research accounting log for all research studies involving 50 or more patients will be maintained. The list shall include the name of the research study; a description of the study; a brief description of the type of PHI that was disclosed; date or period of time during which disclosures occurred, including the last disclosure; the name, address, and telephone number of the entity sponsoring the research and of the researcher to whom the information was disclosed; and a statement that the individual’s PHI may or may not have been disclosed for a particular research activity.[4]
5. The medical records office will handle PHI disclosure accounting requests and the processing of requests.

Responsible Party: Medical Records staff

Procedures:
1. To document disclosures of PHI:
   a. If a patient authorization for the release of PHI form has been signed, place the signed authorization form in the patient’s medical record.
   b. If an authorization for the release of PHI has not been obtained, record the disclosures for which an accounting is required in the patient’s medical record.
2. When a request is made for an accounting of PHI disclosures:
   a. Verify the identity and authority of the individual if not known.
   b. Advise the patient if a fee is required.[5]
   c. Review the patient record for the documented disclosures and record those disclosures on the accounting log.
   d. If multiple disclosures have been made to the same individual or entity for a single purpose during the accounting period requested, the accounting may, with respect to these disclosures, be summarized, e.g., list the initial disclosure; the frequency, periodicity, or number of disclosures made; and the date of the last disclosure.
   e. The accounting to the patient shall include:
      i. A copy of the accounting log, and
      ii. A copy of the research accounting log, if applicable.
   f. Accounting disclosures shall be provided within 60 days of receipt of a disclosure accounting request. This time period may be extended to 90 days with written notification to the patient, within this initial 60 days, of the reasons for a delay and the expected date of providing the accounting.
   g. A copy of the written accounting that is provided will be maintained as part of the patient medical record.

References:
45 CFR § 164.528
RCW 70.02.020

[1] Electronic Health Record or “EHR” is defined as “an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.” For organizations with EHRs as of January 1, 2009, expanded accounting requirements will apply to disclosure of PHI made from those EHRs on and after January 1, 2014. For organizations with EHRs acquired after January 1, 2009, expanded accounting requirements will apply to disclosure of PHI made from those EHRs on or after January 1, 2011. Under the expanded accounting requirements, disclosures to carry out treatment, payment, and health care operations made through an electronic health record will be subject to accounting, although the right to accounting only applies to three years prior to the date on which the accounting is requested rather than the current six years. HITECH Act, Section 13405(c)(1), codified at 42 U.S.C. §17935(b).
[2] HIPAA regulations, 45 CFR § 164.524(a) and RCW 70.02.090, specify circumstances in which a patient’s request to access, examine, and/or copy their records may be denied.
[3] The date of request and the name of the individual releasing PHI are not required by 45 CFR § 164.528(2), but they are recommended for purposes of auditing compliance with HIPAA time limits.
[4] If an accounting is made of research disclosures and it is reasonably likely the individual’s PHI was disclosed for research purposes, upon request, the individual shall be assisted in contacting the research sponsor and the researcher. 45 CFR § 164.528(b)(4)(ii).
5 45 CFR §164.528 (c)(2) specifies that the first disclosure accounting within a 12-month period must be provided without charge; thereafter, a reasonable, cost-based fee may be charged for an accounting requested by the same individual within the 12-month period provided that the individual is advised and allowed to modify the request if desired. Policy effective date: ____/____/____ Revision date(s): ____/____/____ November 2009 Accounting Log for Protected Health Information Disclosures Note: in accordance with 45 CFR § 164.258(4)(i), track PHI disclosures for research purposes on a separate research accounting log. Patient’s Name: _______________________________________ Date of Request Brief Description of PHI Released To Whom Disclosed (Name and Address) DOB/Medical Record Number: __________________________ Purpose of Disclosure Date of Disclosure Information Released By (Name of Staff) November 2009 Notification of Breach of Unsecured Protected Health Information (Policy & Procedures) Purpose: To provide a process for notifying individuals of a breach of unsecured PHI as required by law. Policy: 1. Individuals must be notified when their unsecured PHI is acquired, accessed, used, or disclosed in a manner not permitted under the Privacy Rule that poses a significant risk of financial, reputational, or other harm to the individuals (“breach”). 2. Notice will be provided without unreasonable delay, but in any case not later than 60 calendar days from the date of discovery of the breach. 3. The notice will be sent to the last known address of each individual by first class mail unless the individual agrees to electronic notice, in which case notice may be provided by e-mail. If it is known that the individual is deceased, the notice shall be sent to the next of kin or personal representative if that person’s address is known. 4. 
Alternative forms of substitute notice may be provided depending on the number of individuals to be notified and whether the unsecured PHI includes “personal information” as defined by Washington law.
   • If the unsecured PHI does not include the first name or initial and last name of the individual and one of the following: the individual’s social security number; driver’s license number or Washington identification card number; or account number or credit or debit card number in combination with any required security code, access code, or password (“personal information”), then if there is insufficient or out-of-date contact information preventing written notice by first class mail to 10 or fewer individuals, notice may be provided by an alternative form of notice such as telephone. If there is insufficient or out-of-date contact information for more than 10 individuals, substitute notice will be provided by either posting notice on [insert name of practice or facility]’s Web site for 90 days or by notice in a major print or broadcast media, with a toll-free number active for at least 90 days for a person to call to learn whether his or her unsecured PHI was included in the breach.
   • If the unsecured PHI includes personal information, then if there is insufficient or out-of-date contact information, notice may be provided by doing all of the following: e-mailing the notice if an e-mail address is available; posting the notice on [insert name of practice or facility]’s Web site for 90 days; and notification to major statewide media, with a toll-free number active for at least 90 days.

5. If the breach involves more than 500 individuals, notice must be provided by prominent media outlets in [insert state where practice or facility is located], and to the Secretary of Health and Human Services. A log will be maintained of all other breaches and notice provided to the Secretary of HHS annually.

6. Business Associates of [insert name of practice or facility] are required to notify [insert name of practice or facility] of any breach without unreasonable delay and, to the extent possible, to identify the individuals whose unsecured PHI is involved.

7. Notification may be delayed if a law enforcement official states to [insert name of practice or facility] that notification would impede a criminal investigation.

Responsible Party: Privacy Official and Security Official or designees

Other Responsible Party: All staff must have sufficient understanding of the Privacy Rule, “unsecured PHI,” and “breach” to report potential situations in which unsecured PHI is acquired, accessed, used, or disclosed in a manner not permitted under the Privacy Rule.

Procedure

1. Identify “unsecured PHI” to which notification of breach may apply. “Unsecured PHI” is PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary of HHS.1 Encrypted PHI is not unsecured PHI. However, “unsecured PHI” may be in any form or medium, including paper or oral, neither of which may be encrypted. The remaining steps in the procedure apply only to “unsecured PHI.”

2. Promptly report to [insert name of practice or facility]’s Privacy and/or Security Official if unsecured PHI is acquired, accessed, used, or disclosed in a manner not permitted under the Privacy Rule.
   • HIPAA Privacy and Security Training will include this policy and training regarding timely reporting of breaches of unsecured PHI.

3. Investigate the report to determine whether there has been a breach of unsecured PHI that requires notification under HIPAA.2
   • Violation of the Security Rule does not in itself constitute a potential breach.
   • A breach does not include:
      • Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of [insert name of practice or facility] or [insert name of practice or facility]’s BA made in good faith and within the person’s scope of authority that does not result in further use or disclosure in a manner not permitted under the Privacy Rule.
      • Any inadvertent disclosure by a person who is authorized to access PHI at [insert name of practice or facility] or [insert name of practice or facility]’s BA to another person authorized to access PHI at [insert name of practice or facility] or [insert name of practice or facility]’s BA, or organized health care arrangement (OHCA) in which [insert name of practice or facility] participates, where the PHI received is not further used or disclosed in a manner not permitted under the Privacy Rule.
      • A disclosure of PHI where [insert name of practice or facility] or [insert name of practice or facility]’s BA has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
   • There is a breach only if there is a significant risk of financial, reputational, or other harm to an individual as a result of a breach.
   • If the PHI was a limited data set and did not include date of birth and zip code, there is no significant risk of financial, reputational, or other harm to an individual as a result of a breach.

4. Document the determination as to whether there has been a breach, including the determination about whether there is a significant risk of financial, reputational, or other harm to an individual as a result of a breach of unsecured PHI.

5. If there has been a breach of unsecured PHI, prepare a notice in plain language. The notice shall include:
   • A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.
   • A description of the types of unsecured PHI that were involved in the breach (such as whether full name, social security number, date of birth, etc., were involved), but do not include the actual PHI.
   • Any steps the individuals should take to protect themselves from potential harm resulting from the breach.3
   • A brief description of what [insert name of practice or facility] is doing to investigate the breach, mitigate the harm to individuals, and protect against further breaches.
   • Contact information if the individuals have questions or want to learn more—either a toll-free telephone number, an e-mail address, Web site, or postal address.

6. Send the notice via first class mail to the last known address of individuals whose unsecured PHI was accessed, acquired, used, or disclosed in a manner not permissible under the Privacy Rule without unreasonable delay, but no later than 60 days following its discovery. The notice may be sent by electronic mail if the individual agrees to electronic notice and such agreement has not been withdrawn. If an individual is deceased, mail the notice to the individual’s next of kin or personal representative, if that person’s address is known.

7. If the contact information is insufficient or out-of-date, determine whether the PHI includes the first name or initial and last name of the individual and one of the following: the individual’s social security number; driver’s license number or Washington identification card number; or account number or credit or debit card number in combination with any required security code, access code, or password.
   • If the PHI does not include such information:
      • For fewer than 10 individuals involved, provide the notice by telephone or other means.
      • For 10 or more individuals, provide the notice by either:
         • Conspicuously posting the notice for 90 days on the home page of [insert name of practice or facility]’s Web site; or
         • Providing notice in major print or broadcast media where the individuals reside and including a toll-free phone number that remains active for at least 90 days, so individuals can call to learn whether their unsecured PHI was involved in the breach.
   • If the PHI includes the first name or initial and last name of the individual and one of the following: the individual’s social security number; driver’s license number or Washington identification card number; or account number or credit or debit card number in combination with any required security code, access code, or password, then:
      • E-mail notice if an e-mail address is available;
      • Conspicuously post the notice on the home page of [insert name of practice or facility]’s Web site for 90 days; and
      • Post the notice in major print or broadcast media where the individuals reside and include a toll-free phone number that remains active for at least 90 days.

8. If the breach involves more than 500 individuals, provide the notice to prominent media outlets and to the Secretary of HHS in the manner specified on the HHS Web site. The HHS Office for Civil Rights has posted a form for covered entities to use to provide notice to the Secretary of HHS of a breach of unsecured protected health information. This form can be found at http://transparency.cit.nih.gov/breach/index.cfm.

9. For breaches that involve fewer than 500 individuals, record the breach in the Accounting Log for Breaches of Unsecured Protected Health Information, attach a copy of the notice, and provide notification annually to the Secretary of HHS.

References:
45 CFR Section 164, subpart D
RCW 19.255.010

1 “Unsecured protected health information” has been defined by guidance issued by the Department of Health and Human Services on April 17, 2009, as PHI that is not encrypted or destroyed according to National Institute of Standards and Technology (“NIST”) standards. 74 Fed. Reg. 19006 (published April 27, 2009). Guidance will be available at the HHS Web site at http://www.hhs.gov/ocr/privacy/. The specific description is:

“Protected health information (PHI) is rendered unusable, unreadable, or indecipherable to unauthorized individuals only if one or more of the following applies:

(a) Electronic PHI has been encrypted as specified in the HIPAA Security Rule by ‘the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key and such confidential process or key that might enable decryption has not been breached.’ To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt. The encryption processes identified below have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard.
   (i) Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.
   (ii) Valid encryption processes for data in motion are those which comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140-2 validated.

(b) The media on which the PHI is stored or recorded has been destroyed in one of the following ways:
   (i) Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed.
   (ii) Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.”

2 Washington law requires businesses to promptly notify individuals whose computerized personal information (an individual’s first name or initial, last name and SSN, driver’s license number, State ID card number, or account or bank card number) is reasonably believed to have been obtained by an unauthorized person. RCW 19.255.010.

3 The Federal Trade Commission Web site provides information on how to protect against identity theft and can be found at: http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/defend.html

Policy Effective Date: ____/____/____    Policy Revision Date: ____/____/____

Breach Notification Checklist

HIPAA Privacy and Security regulations require individuals be notified when a covered entity knows or should have known that a breach of unsecured protected health information (PHI) that poses a significant risk of harm to the individuals has occurred. Notice must be provided without unreasonable delay and in no case later than 60 calendar days after discovery of the breach unless a law enforcement official requests a delay. The following is a checklist to use to confirm that the necessary steps have been taken to respond to a breach of unsecured PHI.

Discovery of or reasonable belief of an impermissible use or disclosure of PHI that compromises the security or privacy of PHI (a breach).
   • PHI was acquired, accessed, used, or disclosed in a manner not permitted under the Privacy Rule.
   • Applies to PHI in any medium—oral, paper, electronic.
Assess whether the PHI was “unsecured PHI.”
   • PHI was not encrypted in accordance with the Security Rule, or
   • PHI was not destroyed.

If PHI was secured, then no further action is required.

If PHI was unsecured, then:

Report the breach to [insert name of practice or facility]’s Privacy and/or Security Official.

Conduct a risk assessment.
   • Investigate to determine whether the impermissible use or disclosure of PHI poses a significant risk of financial, reputational, or other harm to the individual(s).
   • Make a fact-based evaluation of: the nature of the PHI, the number of identifiers contained within the PHI, the recipient of the PHI, and any mitigation possible to lessen potential harm.
   • If the PHI was a limited data set and did not include date of birth and zip code, there is no significant risk of financial, reputational, or other harm to the individual(s) as a result of the breach.
   • If PHI was mistakenly disclosed to the wrong covered entity, since a covered entity must comply with the Privacy and Security Rules, there is low risk of harm to the individual(s).
   • If an unencrypted laptop containing PHI is lost, but upon recovery it can be confirmed that the PHI has not been accessed, the breach does not pose a risk of harm.

Document the results of the risk assessment.

If there is no significant risk of financial, reputational, or other harm to the individual(s), no further action is required.

If there is a significant risk of harm, then:

Determine if the incident falls under any exceptions to the definition of breach.
   • Unintentional access or use by workforce member or business associate (BA). Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of [insert name of practice or facility] or [insert name of practice or facility]’s BA made in good faith and within the person’s scope of authority that does not result in further use or disclosure in a manner not permitted under the Privacy Rule.
   • Inadvertent disclosure. Any inadvertent disclosure by a person who is authorized to access PHI at [insert name of practice or facility] or [insert name of practice or facility]’s BA to another person authorized to access PHI at [insert name of practice or facility] or [insert name of practice or facility]’s BA, or organized health care arrangement (OHCA) in which [insert name of practice or facility] participates, where the PHI received is not further used or disclosed in a manner not permitted under the Privacy Rule.
   • Good faith belief that PHI was not retained. A disclosure of PHI where [insert name of practice or facility] or [insert name of practice or facility]’s BA has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

Document the determination as to whether the breach falls under an exception.

If the breach falls under an exception, no further action is required.

If no exception applies:

Prepare a notice of the breach in plain language that includes:
   • A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.
   • A description of the types of unsecured PHI that were involved in the breach (such as whether full name, social security number, date of birth, etc., were involved), but do not include the actual PHI.
   • Any steps the individuals should take to protect themselves from potential harm resulting from the breach.1
   • A brief description of what [insert name of practice or facility] is doing to investigate the breach, mitigate the harm to individuals, and protect against further breaches.
   • Contact information if the individuals have questions or want to learn more—either a toll-free telephone number, an e-mail address, Web site, or postal address.

Delay sending the notice if a law enforcement official determines that the notice would impede a criminal investigation or damage national security.

If no delay of the notice is required by law enforcement:

Send the notice: (i) via first class mail to the last known address of each individual whose PHI was breached; or (ii) via electronic mail if the individual whose PHI was breached has agreed to electronic notice and such agreement has not been withdrawn.
   • If an individual is deceased, mail the notice to the individual’s next of kin or personal representative, if that person’s address is known.

Send the notice without unreasonable delay, but no later than 60 calendar days following discovery of the breach.

If the contact information is insufficient or out-of-date, provide substitute notice as follows:

Determine the content of the PHI and the number of individuals affected.2

   If the PHI is not in electronic format or, if in electronic format, does not include the first name or initial and last name of the individual and one of the following: the individual’s social security number; driver’s license number or Washington identification card number; or account number or credit or debit card number in combination with any required security code, access code, or password, then:
      If fewer than 10 individuals are affected, provide notice by alternative written notice, telephone, or other means.
      If more than 10 individuals are affected, provide notice by either: (i) conspicuously posting the notice for 90 days on the home page of [insert name of practice or facility]’s Web site; or (ii) conspicuous notice in major print or broadcast media where the individuals reside.
      • Notice must include a toll-free phone number that remains active for at least 90 days, so individuals can call to learn whether their unsecured PHI was involved in the breach.

   If the PHI is in electronic format and includes the first name or initial and last name of the individual and one of the following: the individual’s social security number; driver’s license number or Washington identification card number; or account number or credit or debit card number in combination with any required security code, access code, or password, then:
      E-mail notice if an e-mail address is available;
      Conspicuously post the notice on the home page of [insert name of practice or facility]’s Web site for 90 days;
      Post the notice in major print or broadcast media where the individuals reside; and
      Include a toll-free phone number that remains active for at least 90 days.

If the breach involves fewer than 500 individuals:
   Record the breach in the Accounting Log for Notification of Breach of Unsecured Protected Health Information.
   Attach a copy of the notice to the Accounting Log for Notification of Breach of Unsecured Protected Health Information.
   Provide notification annually to the Secretary of Health and Human Services.

If the breach involves more than 500 individuals:
   Provide the notice to prominent media outlets;
   Provide the notice simultaneously to the Secretary of HHS in the manner specified on the HHS Web site. The HHS Office for Civil Rights has posted a form for covered entities to use to provide notice to the Secretary of HHS of a breach of unsecured protected health information. This form can be found at http://transparency.cit.nih.gov/breach/index.cfm.

1 The Federal Trade Commission Web site provides information on how to protect against identity theft and can be found at: www.ftc.gov/bcp/edu/microsites/idtheft/consumers/defend.html

2 Complies with breach notification requirements under RCW 19.255.010.

Accounting Log for Breaches of Unsecured Protected Health Information

Log columns: Date of Breach | Date of Discovery of Breach | Nature of Breach (What happened) | Types of Unsecured PHI | Date of Notice to Individuals | Copy of Notice Attached

Complaints and Grievances Relating to the Use or Disclosure of Protected Health Information (Policy & Procedures)

Purpose: To support our mission to continually improve the quality of the services we provide and to provide a process for handling complaints and grievances related to the use or disclosure of protected health information (PHI).

Definitions:
Complaint: an oral concern about our compliance with health-information privacy laws and regulations
Grievance: a written concern about our compliance with health-information privacy laws and regulations

Policy:

1. Complaints and grievances about PHI shall be investigated and managed in a timely and respectful manner.

2. Complaints and grievances concerning PHI and their disposition or resolution must be documented.

3. To the extent practicable, any known harmful effect of a use or disclosure of PHI in violation of our policies and procedures and the requirements of applicable laws by [insert name of practice or facility] or our business associates must be mitigated.

4. [Insert name of practice or facility] will not retaliate in any way (e.g., intimidation, threatening behavior, coercion, and discrimination) against an individual lodging a complaint or grievance, or for testifying, assisting, or participating in any investigation or administrative action.
Nor will any individual be asked to waive the rights permitted to him or her under state or federal privacy laws as a condition of treatment, payment, enrollment, or eligibility for benefits.

Responsible Party: All Staff

Procedure for responding to a complaint:

1. Listen—communication considerations:
   • Actively listen. Take steps to minimize interruptions by others and avoid interrupting the individual.
   • Restate your understanding of the nature of the issue.

2. Address the individual’s concern if authorized and able to do so, or advise the individual that you would be happy to report the problem or that he or she may report the problem to [insert name of internal contact person and telephone number]. Consider the following:
   a. Remember confidentiality concerns (e.g., if a relative informed you of the concerns, do you have the authority to discuss the patient’s health care information with the relative—or do you need a signed authorization form?).
   b. An individual has the right to request to file a written complaint to [insert name of internal contact person and telephone number].
   c. If the individual expresses a desire to complain to the Department of Health and Human Services Office for Civil Rights, advise the individual that “we also respect your right to file a complaint and that [insert name of practice or facility] will not retaliate against you.”

3. Write down concerns.1 This document should be routed to the individual responsible for oversight of complaints involving PHI. The complaint disposition or resolution should be noted on this document as well.

4. Follow up as needed (e.g., if it was indicated that the privacy official would call the individual within the week, contact the privacy official to ensure follow-up).

Responsible party: Internal Contact Person (this may be the Privacy Official or the designee)—responsible for overseeing the management and documentation requirements related to complaints and grievances regarding the use or disclosure of PHI. This individual also reviews and responds to complaints or grievances concerning PHI as needed.

Procedure for responding to a grievance or a complaint that cannot be resolved by anyone other than the Privacy Official or the designee:

1. Respond to grievances in writing. Reply to complaints verbally—unless the individual requests otherwise or it is deemed more appropriate to respond in writing.

2. Consider confidentiality concerns (e.g., if a relative informed you of the concerns, do you have the authority to discuss the patient’s health care information with the relative—or do you need a signed authorization form?).

3. Notify or consult with the appropriate insurance carrier and/or legal counsel on issues involving liability and litigation potential.

4. Respond in a timely fashion (e.g., if enough information is not available to make an immediate determination, the initial response could simply be “We will investigate and inform you of the final decision”). A letter with the final resolution or disposition shall be sent to the individual (see Complaint / Grievance Resolution Letter).

5. Notify the appropriate individual to address any pertinent employment issues (e.g., investigation, counseling, disciplinary action, or termination) according to applicable policies/procedures and state and federal laws.

6. Work to mitigate, to the extent practicable, any known harmful effect of a use or disclosure of protected health information in violation of [insert name of practice or facility] policies and procedures or the requirements of applicable laws by [insert name of practice or facility] or business associates. If the complaint involves a breach of unsecured PHI,2 refer to Notification of Breach of Unsecured Protected Health Information (Policy & Procedures).

7. Take steps to ensure that [insert name of practice or facility] will not retaliate in any way (e.g., intimidation, threatening behavior, coercion, and discrimination) against an individual lodging a complaint or grievance.

8. Document the resolution or disposition of the grievance and maintain the information in a file labeled “In anticipation of litigation.”3

1 If applicable, consider using your existing quality improvement/incident reporting system for this purpose.

2 Unsecured PHI is defined as PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary of HHS.

3 If applicable, consider using your existing quality improvement/incident reporting system for this purpose.

Policy effective date: ____/____/____    Revision date(s): ____/____/____

Complaint / Grievance Resolution Letter

Date:

Address:

Dear [insert name of individual]:

I am writing to respond to the concerns that you documented in your letter dated [insert date]. You expressed concerns regarding the [handling/use/disclosure] of [insert patient name]’s protected health information. We respect your right to file a concern. We are very sorry that you are upset.

(Option 1—If a complaint is made by the patient or the patient’s legally authorized representative.)
Based on your concerns, we completed an investigation on [insert date]. We [insert steps taken to investigate the complaint - interviewed staff, reviewed our policies, etc.]. We found that [insert brief summary of the facts of the investigation].

(Option 2—If a complaint is made by someone other than a patient or the patient’s legally authorized representative, and patient permission has not been granted to authorize disclosure.)
Based on your concerns, we completed an investigation on [insert date]. We [insert steps taken to investigate the complaint - contacted the patient, interviewed staff, reviewed policies, etc.]. Due to privacy and security laws, we cannot tell you any details of our investigation or findings. However, we would be happy to give you information if the patient permits us to do so.

Thank you for bringing your concerns to our attention. We try hard to protect all of the health information that we handle. You have given us an opportunity to review our practices and to make improvements. If you have additional questions, please contact [insert name] at [insert phone number].

Sincerely,

Privacy Official or Designee

HIPAA Privacy and Security Training (Policy & Procedures)

Purpose: To provide a procedure for educating the workforce on privacy and security of protected health information (PHI) policies and procedures as required by law.

Policy:

1. Each member of the workforce will receive training on the privacy and security of PHI as necessary and appropriate for the member to carry out his or her job responsibilities. New members of the workforce shall receive privacy and security training during their orientation period.

2. Additional privacy and security training will be provided to the workforce within a reasonable time period after implementation of organizational policies and procedures that have undergone material changes.

3. Training will be documented for each member of the workforce.

4. Each workforce member will sign an Employee Confidentiality and Acknowledgment of HIPAA Training Statement acknowledging the confidentiality of PHI and that he or she has been trained and understands [insert name of practice or facility]’s policies and procedures regarding PHI.

5. Training records will be maintained for at least six years.

6. Periodic retraining will be conducted as needed and appropriate, or at least once a year.

Responsible Party: Privacy Official or the designee

Procedure (here is one example of how you may structure your training program):

1. All members of the workforce shall review the following materials:
   a. Notice of Privacy Practices
   b. Complaints and Grievances Relating to the Use or Disclosure of Protected Health Information (Policy & Procedures)
   c. Minimum Necessary Requirements for the Use and Disclosure of Protected Health Information (Policy & Procedures)
   d. Administrative Safeguards—Physical Controls for Visitor Access
   e. Physical Safeguards—Access Control
   f. Technical Safeguards—Personal or “Entity” Authentication
   g. Notification of Breach of Unsecured Protected Health Information (Policy & Procedures)
   h. Job-specific and other newly developed HIPAA privacy policies and procedures

2. Each member of the workforce shall review job-specific privacy and security practices and complete the HIPAA Privacy Rule: A Questionnaire for Nonclinical Staff or the HIPAA Privacy Rule: A Questionnaire for Clinical Staff.

3. Each member’s training shall be documented, e.g., written confidentiality and acknowledgment of training statement, personnel files, continuing education records.

Policy effective date: ____/____/____    Revision date(s): ____/____/____

HIPAA Privacy and Security Training Checklist

[This checklist contains a listing of suggested training materials to help document the job-specific training required by the HIPAA Privacy and Security Rules. It should be personalized to meet the needs of your organization and each job position.]

For each area, place a check in the box as each item is completed:
   Read your Notice of Privacy Practices.
   Read your Complaints and Grievances Relating to the Use or Disclosure of Protected Health Information (Policy & Procedure).
   Read your Minimum Necessary Requirements for the Use and Disclosure of Protected Health Information (Policy & Procedure).
   Read your Administrative Safeguards—Physical Controls for Visitor Access.
   Read your Physical Safeguards—Access Control.
   Read your Technical Safeguards—Personal or “Entity” Authentication.
Read your Notification of Breach of Unsecured Protected Health Information (Policy & Procedures. Read your job-specific HIPAA privacy and security policies and procedures. As applicable, understand other newly developed privacy and security policies and procedures and your role in implementation: (List p & p: _____________________________________) (List p & p: _____________________________________) (List p & p: _____________________________________) (Other specific training materials: ___________________) (Other specific training materials: ___________________) (Other specific training materials: ___________________) Read, complete, and submit HIPAA Privacy Rule Questionnaire. Sign Employee Confidentiality and Acknowledgment of HIPAA Training Statement. ____________________________________________________________________________ Signature and Title of Employee Date Completed ____________________________________________________________________________ Reviewing Supervisor Date Reviewed November 2009 HIPAA Privacy Rule: A Questionnaire for Nonclinical Staff This questionnaire is designed to address common privacy issues encountered in a variety of clinical settings. Please read and answer each question. General Privacy Issues 1. What does PHI stand for? a. Protected Health Information b. Personal Health Information c. Private Health Information d. Presidential Health Information Telephone Messages 2. You are calling to confirm a patient’s appointment with her doctor. You dial and get an answering machine. Can you leave a message? If so, what should you say? General Privacy Issues 3. A well-known high school athlete, Gary, goes to the doctor for treatment of a sexually transmitted disease (STD). Jane, an employee at the clinic, happens to have a daughter, Sue, who attends high school with Lisa. Lisa is dating the athlete, Gary. a. Jane is concerned about Lisa, whom she believes is sexually active with the boy. 
She is good friends with Lisa’s mother and tells you—her coworker—that she is considering advising Linda—Lisa’s mother—“in confidence,” of course, that Gary was seen at the clinic for treatment of an STD. Jane says she believes she has an obligation to do this to prevent Lisa from contracting an STD. What, if any, privacy concerns do you see? b. What do you say to Jane? Release of Information 4. True or false? You can comply with a request by a school nurse to fax over a student’s immunization record because the student’s mother has not submitted the required records. November 2009 Privacy and Minors 5. A parent demands to see her daughter’s medical record. The daughter is 12 years old. The record has information from the patient about her sexual activity, provided in confidence. What do you do? Privacy Practices 6. You overhear a discussion between a patient and a visitor regarding the new federal privacy laws. The visitor asks you, “What are your office’s privacy practices?” What will you do? General Privacy Issues 7. True or false? A surgeon requests portions of his patient’s medical record relating to his surgical care. You are able to provide these copies without patient authorization. 8. A family member of a patient comes to you quite upset. He just overheard two employees discussing his relative’s health status in the cafeteria over lunch. He wants to file a complaint. How would you assist him in this process? You: a. Refer him to the individual your facility has designated to handle privacy complaints. b. Advise him to contact the Department of Health and Human Services Office for Civil Rights and provide the telephone number. c. Document the complaint in the medical record and complete an incident report. d. Listen to the complaint and advise him that you will take care of the problem. 9. What do you do if a patient asks you for a list of the individuals that have received copies of his or her medical record? 10. True or false? 
A nurse and a physician may discuss a patient’s medical condition in the hall outside a patient’s room. November 2009 HIPAA Privacy Rule: A Questionnaire for Nonclinical Staff (Answer Key) We have provided these responses to address common privacy issues encountered in a variety of clinical settings. While a case study may focus on a particular setting (e.g., a clinic or hospital), the privacy principles apply to everyone. Some answers may depend upon your facility’s policies and procedures and should be modified to meet your operational needs. 1. a. Protected Health Information. 2. Yes, you may leave a limited message. Be sure to be discreet when doing so, as others may be present when the individual replays the message—or another person may pick up the message. An appropriate message for an appointment of a general nature might be: “Hello. This is Lynne from Dr. Olson’s office calling to remind Susan of her appointment at 3:00 tomorrow afternoon. Please have her call me at 206-111-2222 if there are any questions.” Never leave information about a diagnosis, medical condition, or laboratory or test result on an answering machine—even if the result is good news—unless the patient has requested you to do so. Be sure to document the patient’s request in the medical record. 3. The privacy concern in this scenario is that Jane is considering an unauthorized disclosure of PHI. In general, disclosures of PHI for any purpose other than treatment, payment, or health care operations require the patient to sign an authorization. Releasing such information violates state and federal laws and may also subject the individual and facility to criminal or civil fines and penalties. Further, it would violate the organization’s privacy policies and subject Jane to disciplinary action that may include termination from her job. How to handle this situation: Advise Jane that Gary’s health information is protected by law. Jane could share her concerns with the doctor. 
The doctor may then take whatever action is clinically appropriate. Jane should not share information with anyone else unless the disclosure is in the performance of her job-related duties to facilitate treatment, payment, or health care operations.
4. True, if the request is for purposes of treating the student/patient. The Washington State Department of Health has advised that sharing immunization records with the nurse or a designee—regardless of purpose—is acceptable. However, we are not aware of any provision in the HIPAA Privacy Rule or Washington State laws that would allow sharing this information for any purposes other than treatment. Therefore, we recommend that if the request is for school administrative purposes, the parent’s permission be obtained prior to sending the records to the school. A signed authorization is preferred (though a facsimile is acceptable). However, authorization could be obtained from the parent over the phone. The oral permission should be documented, along with the date and time, and signed by the staff. Be sure to use reasonable precautions to protect the privacy of information sent via facsimile (e.g., double-check the number before sending and use a facsimile cover sheet with a disclaimer).
5. An individual trained and familiar with handling issues relating to treatment of minors should deal with this issue (e.g., a clinician, a manager, or medical records personnel). Appropriate answers might include:
   a. Refer to a manager, or
   b. Refer to medical records staff.
   Appropriately trained staff should consider the following when responding to the mother:
   • Minors may consent independently at any age for treatment related to pregnancy—provided they have the capacity to understand the nature of the treatment and the risks associated with the treatment.
   • Minors may consent independently at age 14 for treatment related to sexually transmitted diseases (STDs) provided they have the capacity to understand the nature of the treatment and the risks associated with the treatment.
   • Emancipated minors may consent for treatment of any condition independently. Emancipation may be determined by the courts or for medical treatment purposes by the physician.
   • The health care information may be released to the mother if the highly sensitive areas that require the minor’s permission for release are redacted from the copy of the record.
   Consultation with the treating provider may be necessary to determine whether providing the mother with access is permissible. You might inform the mother that patient privacy laws protect the information in the medical record. Urge the mother to discuss the reason for the visit with her daughter. When in doubt, it is advisable to obtain the minor’s permission prior to releasing the information.
6. Provide the current Notice of Privacy Practices (NPP) to the visitor or direct the visitor to the appropriate individual or department to obtain a copy of the current NPP. Patients must be given a copy of the NPP at their first contact with the facility. Reasonable attempts must be made to obtain a signed acknowledgment of receipt of the NPP. The regulations also require the facility to provide a copy to ANY individual upon his or her request—and this does not need to be documented.
7. True. Trained and authorized staff may provide the copy to the surgeon because it is for treatment purposes.
8. Appropriate responses may be a, c, or d, depending upon the job position, circumstances, or the organization’s policies and procedures. HIPAA requires that organizations have a policy in place to address complaints pertaining to the handling of PHI—which must be followed.
9. Patients have a right to obtain a list of the individuals that have received copies of their PHI in certain circumstances when the disclosure has not been made for treatment, payment, or health care operations and the patient has not authorized the disclosure. This should be referred to an appropriately trained and authorized individual to handle according to the organization’s Documenting of and Accounting for Disclosures of Protected Health Information (Policy and Procedures). The trained and authorized individual should be able to provide details about how to handle the request—as outlined in your policy.
10. True—if the disclosure is necessary for continuity of care. Discretion (e.g., reasonable and appropriate safeguards) should be used as appropriate.

HIPAA Privacy Rule: A Questionnaire for Clinical Staff

This questionnaire is designed to address common privacy issues encountered in a variety of clinical settings. Please read and answer each question.

Telephone Messages
1. You are a nurse calling on behalf of a physician at an OB/GYN clinic to advise a patient about her pregnancy-test results. You dial and get an answering machine. Can you leave a message? If so, what should you say?

General Privacy Issues
2. What does PHI stand for?
   a. Protected Health Information
   b. Personal Health Information
   c. Private Health Information
   d. Presidential Health Information
3. A well-known high school athlete, Gary, goes to the doctor for treatment of a sexually transmitted disease (STD). Jane, an employee at the clinic, has a daughter, Sue, who attends high school with Lisa. Lisa is dating the athlete, Gary.
   a. Jane is concerned about Lisa, whom she believes is sexually active with the boy. She is good friends with Lisa’s mother and tells you—her coworker—that she is considering advising Linda—Lisa’s mother—“in confidence,” of course, that Gary was seen at the clinic for treatment of an STD. Jane says she believes she has an obligation to do this to prevent Lisa from contracting an STD. What, if any, privacy concerns do you see?
   b. What do you say to Jane?

Information Release
4. True or false? You can comply with a request by a school nurse to fax over a student’s immunization record because the student’s mother has not submitted the required records.

Record Amendment Request
5. You approach Sally Jones, your patient, and see that she has been reading her medical record. She disagrees with an entry in the record that the nurse made about her “being very demanding and requesting multiple prescriptions for Percodan.” She demands that the entry be stricken from the record. How do you handle Sally’s request?

General Privacy Issues
6. You find Dr. Rota reviewing medical records at the nurses’ station. You notice he is reviewing the record of another physician’s patient—Dr. Rota is not involved in that patient’s care. How do you handle the situation?
7. What do you do if a patient asks for a list of the individuals who have received copies of his or her medical record?
8. True or false? A nurse and a physician may discuss a patient’s medical condition in the hall outside a patient’s room.

Privacy Practices
9. You overhear a discussion between a patient and a visitor regarding the federal privacy laws. The visitor asks you, “What are your office’s privacy practices?” What will you do?

Complaint Management
10. A family member of a patient comes to you quite upset. He just overheard two employees discussing his relative’s health status in the cafeteria over lunch. He wants to file a formal complaint. How would you assist him in this process? You:
   a. Refer him to the individual your facility has designated to handle privacy complaints.
   b. Advise him to contact the Department of Health and Human Services Office for Civil Rights and provide the telephone number.
   c. Document the complaint in the medical record and complete an incident report.
   d. Listen to the complaint and advise him you will take care of the problem.

Privacy and Minors
11. True or false? You may discuss the health information of a child with the child’s stepparent.
12. A parent demands information about why her daughter was seen at the clinic. The daughter is 12 years old. The record has a discussion documented about the patient’s sexual activity and a request for birth control pills, provided in confidence. How do you handle the situation?

HIPAA Privacy Rule: A Questionnaire for Clinical Staff (Answer Key)

We have provided these responses to address common privacy issues encountered in a variety of clinical settings. Some answers may depend upon your facility’s policies and procedures and should be modified to meet your operational needs.

1. Yes, you may leave a limited message. Be sure to be discreet when doing so, as others may be present when the individual replays the message—or another person may pick up the message. For an appointment involving highly sensitive PHI (e.g., pregnancy, mental health, STDs, or substance abuse), an appropriate message might be limited to: “Hello, this is Lynne calling for Susan. Please have her call me at 206-111-2222.” Never leave information about a diagnosis, medical condition, or laboratory or test result on an answering machine—even if the result is good news—unless the patient has requested you to do so. Be sure to document the patient’s request in the medical record.
2. a. Protected Health Information
3. The privacy concern in this scenario is that Jane is considering an unauthorized disclosure of PHI. In general, disclosures of PHI for any purpose other than treatment, payment, or health care operations require the patient to sign an authorization. Releasing such information violates state and federal laws and may also subject the individual and facility to criminal or civil fines and penalties. Further, it would violate the organization’s privacy policies and subject Jane to disciplinary action that may include termination from her job. How to handle this situation: Advise Jane that Gary’s health information is protected by law. Jane could share her concerns with the doctor. The doctor may then take whatever action is clinically appropriate. Jane should not share information with anyone else unless the disclosure is in the performance of her job-related duties to facilitate treatment, payment, or health care operations.
4. True, if the request is for purposes of treating the student/patient. The Washington State Department of Health has advised that sharing immunization records with the nurse or a designee—regardless of purpose—is acceptable. However, we are not aware of any provision in the HIPAA Privacy Rule or Washington State laws that would allow sharing this information for any purposes other than treatment. Therefore, we recommend that if the request is for school administrative purposes, the parent’s permission be obtained prior to sending the records to the school. A signed authorization is preferred (though a facsimile is acceptable). However, authorization could be obtained over the phone from the parent. The oral permission should be documented, dated, timed, and signed by the staff. Be sure to use reasonable precautions to protect the privacy of information sent via facsimile (e.g., double-check the number before sending and use a facsimile cover sheet with a disclaimer).
5. The patient has a right to request a correction or amendment to her PHI. Initially, you may wish to discuss her request with her. If this was a note that you authored, then you could review the note and approve or deny the request. If the note was made by someone else, refer Sally to the appropriate individual according to your organization’s Request to Correct or Amend Protected Health Information (Policy & Procedures).
6. State and federal privacy laws permit access to PHI by those involved in treatment, payment, or health care operations without a patient authorization. In this case it does not appear that Dr. Rota has a legitimate need to know the information—as he is not directly involved in the patient’s care (i.e., he is not the attending or a consulting physician for this patient). Unless Dr. Rota was performing some other health care operation for the organization, such as a quality improvement review, access to this patient’s information is not appropriate. In such a case you might inquire about the reason for Dr. Rota’s need for the information. If the reason given does not coincide with patient privacy laws, you might: 1) ask for the patient’s chart and indicate that due to patient privacy laws he is not permitted to access this patient’s information or 2) go up the chain of command.
7. Patients have a right to obtain a list of the individuals that have received copies of their PHI in certain circumstances when the disclosure has not been made for treatment, payment, or health care operations and the patient has not authorized the disclosure. This should be referred to an appropriately trained and authorized individual to handle according to the organization’s Documenting of and Accounting for Disclosures of Protected Health Information (Policy & Procedures). The trained and authorized individual should be able to provide details about how to handle the request—as outlined in your policy.
8. True—if the disclosure is necessary for continuity of care. Discretion (e.g., reasonable and appropriate safeguards) should be used as appropriate.
9. Provide the current Notice of Privacy Practices (NPP) to the visitor or direct the visitor to the appropriate individual or department to obtain a copy of the current NPP. Patients must be given a copy of the NPP at their first contact with the facility.
Reasonable attempts must be made to obtain a signed acknowledgment of receipt of the NPP. The regulations also require the facility to provide a copy to ANY individual upon his or her request - and this does not need to be documented. 10. Appropriate responses may be a, c, or d, depending upon the job position, circumstances, or the organization’s policies and procedures. HIPAA requires that organizations have a policy in place to address complaints pertaining to the handling of PHI—which must be followed. 11. False---unless it is an emergency, the stepparent has adopted the child, the stepparent is representing himself or herself to be a relative responsible for the health care of this minor patient, or the stepparent has obtained permission from one of the birth parents. From a risk management perspective, it is suggested that the stepparent complete a Kinship Caregivers Informed Consent Declaration for Minors form if he or she is representing himself or herself to be a relative responsible for the health care of this minor patient. If the stepparent obtains permission from the birth parent, it should be in writing and a copy should be filed in the medical record. Authorization from the birth parent can also be obtained over the phone. The oral permission should be documented, along with the date and time, and signed by the staff. 12. As a general rule, the right to consent for care is a companion right to release of information. When responding to the mother, clinical staff should consider the following: November 2009 • • • • Minors may consent independently at any age for treatment related to pregnancy and reproductive care—provided the provider determines the minor has the capacity to understand the nature of the treatment and the risks associated with the treatment. 
Minors may consent independently at age 14 for treatment related to sexually transmitted diseases (STDs) provided they have the capacity to understand the nature of the treatment and the risks associated with the treatment. Since the minor is 12 in this scenario, this would not apply. Emancipated minors may consent for treatment of any condition independently. Emancipation may be determined by the courts or for medical treatment purposes by the physician. The health care information may be released to the mother if the highly sensitive areas that require the minor’s permission for release are redacted from the copy of the record. Consultation with the treating provider may be necessary to determine whether providing the mother with access is permissible. You might inform the mother that patient privacy laws protect the information in the medical record. Urge the mother to discuss the reason for the visit with her daughter. When in doubt, it is advisable to obtain the minor’s permission prior to releasing the information. November 2009 Treatment of Minors and the Handling of Their Protected Health Information State law allows minors under the age of 18 to consent to medical care and treatment under certain conditions that are described below. State law allows minors to make decisions about the handling of their protected health information (PHI) when the law allows them to consent for their own treatment. In Washington a person under the age of 18 cannot consent to medical care unless one or more of the following exceptions apply: • If the minor is emancipated (legally independent) or married to someone at or above age 18 (RCW 26.28.020). • In the event emergency care is necessary (when impractical to get parental consent first). • For birth control and pregnancy-related care at any age (see State v. Koome). • For outpatient drug- and alcohol-abuse treatment beginning at age 13 (RCW 70.96A.095). 
• For mental health treatment beginning at age 13 (RCW 71.34.500 and 71.34.530). • For sexually transmitted diseases, including HIV/AIDS, beginning at age 14 (RCW 70.24.110). In Oregon minors have the right to consent to certain health care without a parent or guardian’s consent. A minor may consent to medical care: • At age 15 or above for most types of medical treatment (ORS 109.640). • In the event emergency care is necessary (ORS 418.307). • For birth control and pregnancy-related care at any age (ORS 109.610 and ORS 109.640). • For outpatient chemical dependency (excluding methadone maintenance), and outpatient mental health diagnosis and treatment beginning at age 14. Parents or guardians must be involved at some time prior to the end of treatment except under special circumstances (ORS 109.675). • For sexually transmitted diseases at any age (ORS 109.610 and ORS 109.640). • For HIV testing and treatment at any age. Additionally, HIV test results and details regarding treatment of HIV/AIDS may not be disclosed to anyone without the express consent of the minor (ORS 433.045). November 2009 In Idaho a person under the age of 18 cannot consent to medical care unless one or more of the following exceptions apply (these exceptions are much more limited in Idaho): • If the minor is emancipated (economic self-sufficiency, Ireland v. Ireland 123 Idaho 955(1993). • If the minor is or has been married (Idaho Code 32-101). • For treatment of infectious, contagious, or communicable disease, beginning at age 14, if the disease or condition is one required by law or regulation to be reported to the local health officer (Idaho Code 39-3801). Other treatment of minor issues in Idaho law are not easily summarized and we recommend you contact a risk management consultant or attorney if you have questions. Documentation The underlying facts for the application of any of these exceptions should be documented in the medical record at the time of treatment. 
When consent forms are applicable to these exceptions, such as pregnancy termination, the minor may sign these forms. Due to the minor patient’s relative immaturity and lack of sophistication, adequate time needs to be spent concerning these consent issues. Emancipation A person under the age of 18 who is either emancipated or married (Idaho) to a spouse 18 years of age or older (Washington) can consent to his or her own medical care. An emancipated minor is an individual who is free from parental control and is selfsupporting. Emergencies Washington State law provides that no clinician or hospital is liable for failing to secure consent when rendering emergency medical, surgical, hospital, or health services to any individual, regardless of age, where the patient is unable to provide consent for any reason and where there is no other person reasonably available who is legally authorized to give such consent. In Washington, Oregon, and Idaho, though not specifically addressed in Idaho, emergency care should not be unduly delayed pending attempts to obtain any such consent. If the child’s condition could deteriorate, treatment should begin at once and permission to treat should be sought concurrently. Although “emergency” can be defined either broadly or narrowly, we believe the interpretation should be considered as broader than “life-threatening.” For example, in the instance of an upper respiratory infection in a child, we believe that treatment should be started even if consent is not readily available. Although it could be argued that in most cases a delay in treatment of an upper respiratory infection will not cause sequelae, clearly a delay in treatment increases a child’s suffering, and we can’t conceive of an instance where a parent would refuse this care and a court would support such a decision. As in most cases, the issue of determining when to treat without parental or guardian consent requires good judgment and common sense. 
November 2009 In cases involving minors, clinicians or hospital personnel should thoroughly chart their efforts to contact the parent or guardian for consent for emergency care. If parental consent is obtained by phone, document it in the chart. Sexual activity, substance abuse, and mental health Some courts and legislatures have granted minors the right to consent to medical care in a number of situations where forced consultation would most likely deter the minor from seeking needed treatment. In Washington and Oregon a minor may consent to medical care relating to birth control, medical conditions relating to pregnancy, and pregnancy terminations. In Washington persons 14 years of age or older may give their own consent for medical care relating to HIV/AIDS or sexually transmitted diseases. In Idaho, beginning at age 14, minors can consent to treatment of some STDs as described by Statute 39-3801 as quoted above. Persons 13 years of age or older (14 in Oregon) may give their own consent for outpatient mental health care or the outpatient treatment of substance abuse. However, minors cannot be admitted for inpatient treatment of substance abuse or mental health without parental consent or a commitment order. Cost of care For other than emergency care, parents or guardians are not liable for the cost of care provided without their consent when the minor has the right to consent without consulting the parents. In these instances, each minor needs to be informed that he or she will be responsible for paying for services, and appropriate arrangements should be made. Divorced or separated parents For health care of a minor that does require parental consent, the parent or guardian who brings the child to the medical office can provide consent for the child’s care. A parent or guardian can provide consent for the treatment of a minor child regardless of whether the parents are married, unmarried, or separated at the time of the treatment. 
This applies whether the parent is the custodial parent or not, and would only be impacted by a court order limiting the parent’s parental rights, including the right to direct medical care. You may treat a minor when one parent provides consent to care even if the other parent demands you not treat the minor, although there may be occasional circumstances where, in your judgment, you choose not to provide care when the parents disagree.

6.3 Conclusion

The law concerning treatment of minors has numerous exceptions and nuances, and this article attempts to focus on the most common issues. It does not address the more case-specific problems related to extremely immature minors who may lack mental competence to consent, the court-ordered treatment of minors, or the right of minors to refuse medical care. If health care providers use their common sense and their best judgment, with an emphasis on what is best for the patient, the liability risk will be minimized. Whenever difficult case-specific consent issues arise, Physicians Insurance members can call the Risk Management Department at (206) 343-7300 or 1-800-962-1399 (Western Washington) or (509) 456-5868 or 1-800-962-1398 (Eastern Washington).

Kinship Caregivers Informed Consent Declaration for Minors

Persons authorized to provide informed consent to health care on behalf of a child under the age of 18 must be a member of one of the following classes of persons in the following order of priority (RCW 7.70.065):

1. A guardian or legal custodian appointed by the court;
2. A person authorized by the court to consent to medical care for a child in out-of-home placement pursuant to the dependency and termination of parental rights statutes;
3. Parents of the minor patient;
4. A person to whom the minor’s parent has given a signed authorization to make health care decisions for the minor patient; and
5. A competent adult representing himself or herself to be a relative responsible for the health care of such minor patient or a competent adult who has signed and dated a declaration under penalty of perjury stating that the adult person is a relative who is responsible for the health care of the minor patient.

The following declaration applies to a person in category 5 listed above:

I ________________________________ am a relative of ______________________________;
  (print name)                                     (print name of minor patient)
and am responsible for his or her health care.

I declare under penalty of perjury under the laws of the state of Washington that the foregoing is true and correct.

Signed at ____________________________________________________________________
          (place)                                          (date)

____________________________________________________________________________
Signature                                        Relationship to minor patient

This declaration is effective for no more than six (6) months from the date on which it is signed.

Employee Confidentiality and Acknowledgment of HIPAA Training Statement

All patient protected health information (PHI – which includes patient medical and financial information), employee records, financial and operating data of [insert name of practice or facility], and any other information of a private or sensitive nature are considered confidential. Confidential information should not be read or discussed by any employee unless pertaining to his or her specific job requirements.

Examples of inappropriate disclosures include:

• Employees discussing or revealing PHI or other confidential information to friends or family members.
• Employees discussing or revealing PHI or other confidential information to other employees without a legitimate need to know.
• The disclosure of a patient’s presence in the office, hospital, or other medical facility, without the patient’s consent, to an unauthorized party without a legitimate need to know, and that may indicate the nature of the illness and jeopardize confidentiality.
• Using patient information for marketing purposes without express permission from [insert name of practice or facility] and patient.

The unauthorized disclosure of PHI or other confidential information by employees can subject each individual employee and the practice to civil and criminal liability. Disclosure of PHI or other confidential information to unauthorized persons, or unauthorized access to, or misuse, theft, destruction, alteration, or sabotage of such information, is grounds for immediate disciplinary action up to and including termination.

Employee confidentiality agreement

I hereby acknowledge, by my signature below, that I understand that the PHI, other confidential records, and data which I learn or have access to in the course of my employment with [insert name of practice or facility] is to be kept confidential, private, and secure, and that maintaining confidentiality, privacy, and security of PHI and other confidential records and data is a condition of my employment. Such information shall not be disclosed to anyone under any circumstances, except to the extent necessary to fulfill my job requirements. I understand that my duty to maintain confidentiality, privacy, and security continues even after I am no longer employed.

I have been trained in the Health Insurance Portability and Accountability Act (HIPAA) privacy and security policies and procedures of [insert name of practice or facility] and am familiar with the guidelines in place at [insert name of practice or facility] pertaining to the use and disclosure of patient PHI or other confidential information.
Approval should first be obtained before any disclosure of PHI or other confidential information not addressed in the guidelines and policies and procedures of [insert name of practice or facility] is made. I also understand that the unauthorized use or disclosure of patient PHI and other confidential or proprietary information of [insert name of practice or facility] is grounds for disciplinary action, up to and including immediate dismissal.

Print employee name: _____________________  Employee signature: ____________________  Date: ____________

Print supervisor name: ____________________  Supervisor signature: ____________________  Date: ____________

Nonemployee Confidentiality and Acknowledgment of HIPAA Training Statement

All patient protected health information (PHI—which includes patient medical and financial information), employee records, and financial and operating data of [insert name of practice or facility], and any other information of a private or sensitive nature, is considered confidential. Confidential information shall not be used or disclosed unless specific permission to do so has been obtained and granted by the privacy official or designee. Applicable federal and state laws shall be followed to seek patient permission for any use or disclosure of PHI.

Examples of inappropriate disclosures include:

• Discussing or revealing confidential information to friends or family members.
• Discussing or revealing confidential information to other coworkers or employees without a legitimate need to know.
• The disclosure of a patient’s presence in the office, hospital, or other medical facility, without the patient’s consent, to an unauthorized party without a legitimate need to know and that may indicate the nature of the illness and jeopardize confidentiality.
• Using patient information for marketing purposes without express permission from [insert name of practice or facility] and patient.
The unauthorized disclosure of PHI and other confidential information can subject an individual to civil and criminal liability. Disclosure of confidential information to unauthorized persons, or unauthorized access to, or misuse, theft, destruction, alteration, or sabotage of, such information, may result in your immediate removal from the premises and/or revocation of current and future visiting/working privileges of the individual and/or company, and may lead to legal action and/or a duty for you to mitigate damages.

Confidentiality agreement

I hereby acknowledge, by my signature below, that I understand that the PHI and other confidential records and data which I may see or hear or otherwise gain knowledge of in the course of my visit/work with [insert name of practice or facility] is to be kept confidential, private, and secure and that maintaining confidentiality, privacy, and security of PHI and other confidential records and data is a condition of my privilege to visit/work with [insert name of practice or facility]. Such information shall not be used or disclosed to anyone at any time, now or in the future, unless specifically authorized by [insert name of practice or facility]. The unauthorized use or disclosure of patient PHI is possible grounds for: immediate removal from the premises; revocation of all future visiting/working privileges; legal action; and/or a duty to mitigate damages.

I have been trained in the Health Insurance Portability and Accountability Act (HIPAA) privacy and security policies and procedures of [insert name of practice or facility] and am familiar with the guidelines in place at [insert name of practice or facility] pertaining to the use and disclosure of patient PHI or other confidential information.
Printed name: _________________________  Signature: _________________________  Date: _________________

Company: _______________________________________  Position: ______________________________________

HIPAA Help – A Resource List

Government Sites:

U.S. Department of Health & Human Services Office for Civil Rights (OCR) – Administrative Simplification
http://www.hhs.gov/ocr/privacy/hipaa/administrative/
Read the Health Insurance Portability and Accountability Act of 1996. Review the Privacy Rule, the Transactions and Code Sets Standards, the Security Rule, and the National Provider Identifier Standard.

U.S. Department of Health & Human Services Office for Civil Rights (OCR) – Privacy Rule
http://www.hhs.gov/ocr/privacy/
Learn about the Privacy Rule’s protection of the privacy of individually identifiable health information, the rights granted to individuals, OCR’s enforcement activities, and how to file a complaint with OCR.

U.S. Department of Health & Human Services Office for Civil Rights (OCR) – Frequently Asked Questions
http://www.hhs.gov/ocr/privacy/hipaa/faq/index.html
Read about frequently asked questions that affect your patients and your practice.

U.S. Department of Health & Human Services Office for Civil Rights (OCR) – Privacy Complaints
http://www.hhs.gov/ocr/privacy/hipaa/complaints/hipcomplaintpackage.pdf
Download instructions and documents for filing a privacy complaint with the Office for Civil Rights.

U.S. Department of Health & Human Services Centers for Medicare and Medicaid Services (CMS) – Overview Security Standard
http://www.cms.hhs.gov/securitystandard/
Read about the Security Standard and obtain links to other information about the Security Standard, including a pdf of HIPAA Security Guidance for Remote Use of and Access to Protected Health Information.

U.S. Department of Health & Human Services Centers for Medicare and Medicaid Services (CMS) – Security Materials Education Series
http://www.cms.hhs.gov/educationmaterials/04_securitymaterials.asp
Obtain links to HIPAA Security Rule education materials designed to provide assistance with implementation of the security standards, including “Security Standards Implementation for Small Providers.”

U.S. Department of Commerce National Institute of Standards and Technology
http://www.nist.gov/index.html
Find publications regarding standards for encryption or destruction of electronic PHI, as well as information regarding seminars, presentations, and other educational opportunities regarding HIPAA.

National Professional Organizations:

American Health Information Management Association (AHIMA)
http://ahima.org/
Find practice briefs, position statements, resolutions, sample forms, and policies to help users comply with the HIPAA Privacy Regulations. Users may also access the standards and regulations. This site also contains access to education opportunities.

American Health Lawyers Association
http://www.healthlawyers.org/pages/default.aspx
Publications and educational opportunities, primarily for lawyers. HITECH Act Resource Guide is available for purchase.

The American Hospital Association (AHA)
http://www.aha.org/aha_app/issues/HIPAA/index.jsp
Includes news, frequently asked questions, and articles. Members can access miscellaneous HIPAA tools.

The American Medical Association (AMA)
http://www.ama-assn.org/ama/pub/advocacy.shtml
Find out about AMA advocacy efforts. Learn about additional resources to help you cope with HIPAA.

American Society for Healthcare Risk Management (ASHRM)
http://www.ashrm.org
This organization provides updates on hot risk management topics in health care, including HIPAA. Educational opportunities and resource links are also available.
Healthcare Information and Management Systems Society (HIMSS)
http://www.himss.org/asp/topics_hipaa.asp
Includes current HIPAA news, implementation tools, and additional resources.

Medical Group Management Association (MGMA)
http://www.mgma.com
Find audiocassettes for purchase, and for members, access articles about various HIPAA issues.

Workgroup on Electronic Data Interchange (WEDI)
http://www.wedi.org/
Learn about WEDI, a national health care industry collaboration to promote electronic data interchange. Find news, events, industry updates, legislative news, and links to other HIPAA-related sites.

State Professional Organizations:

Community Health Information Technology Alliance (CHITA)
http://www.chita.org/
Find out how this alliance of health care technology businesses and organizations provides leadership on e-business in health care.

Oregon Medical Association (OMA)
www.theoma.org
Locate news and information to help Oregon physicians and clinics manage HIPAA.

Washington State Medical Association (WSMA)
http://www.wsma.org
Find learning opportunities and resources to help Washington State physicians and clinics.

Washington State Hospital Association (WSHA)
http://www.wsha.org
Locate news and information concerning HIPAA. Find resources to assist hospitals with HIPAA compliance efforts.

Washington State Health Information Management Association (WSHIMA)
www.wshima.org/
The Washington State Health Information Management Association is a nonprofit association of professionals engaged in health information management providing support to members and strengthening the industry and profession.

Other Resources to Consider:

HIPAAdvisory
http://www.phoenixhealth.com/hipaadvisory
On the Web site of Phoenix Health Systems, find current HIPAA news, resources, and consulting services.

HCPro’s himinfo.com
http://www.hcpro.com/health-information-management
Read the latest in electronic health records, HIPAA, and CPT coding.
Subscribe to a free e-newsletter or join an audioconference on a variety of HIPAA-related topics.

Center for Democracy & Technology (CDT)
http://www.cdt.org/healthprivacy/
Access information on current health privacy issues. Review health privacy stories and myths and facts about HIPAA.

We compiled this list as a tool for health care professionals. It is not an endorsement of the sites or of the materials accessible through these Web sites. Since HIPAA is multifaceted (including electronic billing requirements, technical information, security compliance, etc.), one resource will not likely provide all the answers. We cannot vouch for the completeness or accuracy of the information provided by each organization, nor is this a complete list of resources available. Remember that state law and accreditation standards will also affect your HIPAA compliance efforts and should be taken into consideration.

Updates to the July 2004 HIPAA Model Security Policies and Procedures

Ongoing assessment of HIPAA Security Policies and Procedures is required in order to comply with the HIPAA Security Rule. The Security Rule specifies that “[s]ecurity measures implemented to comply with standards and implementation specifications…must be reviewed and modified as needed to continue provision of reasonable and appropriate protection of electronic protected health information.” Additionally, periodically reviewing and updating security policies and procedures as needed, in response to environmental or operational changes affecting the security of the electronic protected health information, is a required implementation specification under the Security Rule.
This update identifies a number of developments and changes since the Health Insurance Portability and Accountability Act Model Security Policies and Procedures were published in July 2004 that should be taken into consideration by practices as a part of their ongoing Security Rule compliance risk analysis and risk management. It includes both state and federal laws and regulations that pertain to references in the Model Security Policies and Procedures or changes in Security Rule compliance requirements.

HIPAA breach notification requirements. On February 17, 2009, the American Recovery and Reinvestment Act (ARRA), also known as the Stimulus Bill, was signed into law. Enacted as part of this new federal legislation is the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act strengthens and expands HIPAA’s current privacy and security requirements. There are two provisions in the HITECH Act that impact HIPAA’s security requirements: (1) the Secretary of Health and Human Services (HHS) is required to annually issue security guidance; and (2) covered entities are required to provide specific notification to individuals if they discover a breach of unsecured protected health information. HHS has only issued guidance to date in connection with breach notification requirements. Effective September 23, 2009, HIPAA covered entities (CEs) are required to notify individuals if they discover a breach of “unsecured PHI,” although HHS has discretion not to begin enforcement of this new requirement until February 22, 2010.
This new obligation has significant implications for practices and will require at a minimum that they:

• Identify when PHI is unsecured (and determine whether more PHI should be secured)
• Determine what methods will be used to discover a breach
• Adopt a policy and procedure addressing breach notification
• Provide additional workforce training regarding breach discovery and notification
• Consider modifications to business associate (BA) agreements to address breach notification

Breach determination. Not all breaches of PHI are subject to the new notification requirement. The rule applies to the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI (“breach”). The phrase “compromises the security or privacy of the PHI” means it poses a significant risk of financial, reputational, or other harm to the individual. As a result, the rule establishes a “significant risk harm” threshold for determining whether there has been a breach that requires notification. A CE has the burden of demonstrating that a use or disclosure of PHI in a manner not permitted under the Privacy Rule does not pose a “significant risk” of harm to an individual. The analysis and conclusion that there is not a significant risk of harm should be documented.

Interim regulations issued by HHS on August 24, 2009, clarify three important exceptions to the breach notification requirements. A breach has not occurred if:

• A workforce member or person acting under the authority of a CE or BA unintentionally acquires, accesses, or uses PHI, provided the acquisition, access, or use was in good faith, within the person’s scope of authority, and does not result in further use or disclosure in a manner not permitted under the Privacy Rule.
• A person who is authorized to access PHI at a CE or BA inadvertently discloses PHI to another person authorized to access PHI at the same CE or BA, or organized health care arrangement (OHCA) in which the CE participates, provided the PHI received is not further used or disclosed in a manner not permitted under the Privacy Rule.
• A CE or BA discloses PHI to an unauthorized person, provided the CE or BA has a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

Unsecured PHI. In addition to determining whether a “breach” has occurred, a CE must determine whether the breach involves “unsecured PHI.” “Unsecured PHI” means PHI that is not secured through a technology or methodology that HHS considers as being capable of rendering the PHI unusable, unreadable, or indecipherable to unauthorized individuals. PHI is rendered unusable, unreadable, or indecipherable to unauthorized individuals according to HHS if it is:

• Encrypted as specified in the Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key and such confidential process or key that might enable decryption has not been breached.” Certain National Institute of Standards and Technology (NIST) standards meet the standard.
  • Data at rest: NIST Special Publication 800-111 (Encryption)
  • Data in motion: NIST Special Publication 800-52 (Transport Layer Security); NIST Special Publication 800-77 and 800-113 (VPNs); and Federal Information Processing Standards (FIPS) 140-2 validated.
• Destroyed by:
  • Shredding or destroying the paper, film, or other hard copy media holding the PHI such that the PHI cannot be read or otherwise cannot be reconstructed.
  • Media sanitization through clearing, purging, or destroying consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.

The breach notification rules are not applicable if the CE utilizes these technologies and methodologies that HHS has prescribed to render the PHI unusable, unreadable, or indecipherable to unauthorized individuals.1

Notification requirements. When there is a breach of “unsecured PHI” a CE must provide notice of the breach to individuals whose PHI has been, or is reasonably believed by the CE to have been, acquired, accessed, or used as a result of the breach. Written notification must be provided to individuals via first-class mail. If the CE does not have sufficient contact information for 10 or more affected individuals, notification must also be made on the CE’s Web site home page or in major print or broadcast media. If the breach involves more than 500 individuals, notification also must be made to prominent media outlets. Notification must be made without unreasonable delay and in no case later than 60 days following discovery of the breach and must contain, in plain language:

• A brief description of what happened, including date of the breach and the date of the discovery of the breach, if known.
• A description of the types of unsecured PHI that were involved in the breach (such as whether full name, social security number, date of birth, etc., were involved), but do not include the actual PHI.
• Any steps the individuals should take to protect themselves from potential harm resulting from the breach.2
• A brief description of what the CE is doing to investigate the breach, mitigate the harm to individuals, and protect against further breaches.
• Contact information if the individuals have questions or want to learn more—either a toll-free telephone number, an e-mail address, Web site, or postal address.
Business associates (BAs) must notify CEs of any breach of unsecured PHI and include the identity of each affected individual. The CE must notify HHS of all breaches of unsecured PHI. Notification must occur immediately if the breach involves 500 or more individuals. The CE can maintain a log of breaches affecting less than 500 individuals and submit the log annually to HHS.

Steps to take. CEs are required to address the issue of unsecured PHI and develop policies and procedures to provide for notification of breaches. A practice’s security incident and mitigation procedures (see, for example, Administrative Requirements—Security Incident Procedures) must be revised to address these new breach notification requirements if the security incident involves the breach of unsecured PHI and a significant risk of financial, reputational, or other harm to the individual. [For a model policy and procedure for addressing breach notification, see Notification of Breach of Unsecured Protected Health Information (Policy & Procedures).] As a part of implementing such a policy, a practice should consider what methods it has in place for identifying that a breach has occurred and what additional training will be provided to employees regarding identifying and providing notice of potential breaches.

Encryption of electronic PHI. Encryption is not mandated under the Security Rule and remains an addressable implementation specification under Technical Safeguards for Access Control and Transmission Security. A CE is required to address whether it is reasonable and appropriate to use encryption when PHI is sent over an “open” network such as the Internet or when PHI is stored, particularly on a remote or portable device. A CE must document its rationale if it concludes that encryption is not a reasonable and appropriate safeguard in its environment.
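The breach determination and notification thresholds set out in the preceding paragraphs (unsecured PHI, the significant-risk test and its exceptions, the 10-individual substitute-notice trigger, the 500-individual media and HHS triggers, and the 60-day deadline) can be captured in a small triage helper that an incident-response procedure can run before anyone drafts a notice. The code below is an added example for this edition, not part of the WSMA, ISMS or Physicians Insurance materials; the Incident fields, the function names and the sample incidents are constructed for illustration, and the helper encodes only what the text above states.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds exactly as stated in the breach notification discussion above.
NOTICE_DEADLINE_DAYS = 60        # in no case later than 60 days after discovery
SUBSTITUTE_NOTICE_MIN = 10       # insufficient contact info for 10 or more individuals
PROMINENT_MEDIA_OVER = 500       # more than 500 individuals -> prominent media outlets
HHS_IMMEDIATE_AT = 500           # 500 or more individuals -> immediate notice to HHS


@dataclass
class Incident:
    """Facts a practice records about a security incident (constructed field names)."""
    affected: int            # individuals whose PHI was acquired, accessed or used
    missing_contact: int     # of those, individuals with insufficient contact information
    unsecured: bool          # PHI was NOT encrypted or destroyed per the HHS-recognised methods
    significant_risk: bool   # the documented risk-of-harm analysis found a significant risk
    exception_applies: bool  # one of the three interim-rule exceptions applies
    discovered: date         # date the breach was discovered


def make_incident(affected, missing_contact, unsecured, significant_risk,
                  exception_applies, discovered_iso):
    """Build an Incident from plain values; the date is given as YYYY-MM-DD."""
    return Incident(affected, missing_contact, unsecured, significant_risk,
                    exception_applies, date.fromisoformat(discovered_iso))


def is_reportable_breach(inc: Incident) -> bool:
    """Notification is triggered only for unsecured PHI, where the use or disclosure
    poses a significant risk of financial, reputational or other harm, and none of
    the three exceptions applies."""
    return inc.unsecured and inc.significant_risk and not inc.exception_applies


def required_notices(inc: Incident) -> dict:
    """Map an incident to the notification channels and deadline the rule requires.

    When the incident is not a reportable breach the CE still carries the burden of
    documenting its analysis, so that obligation is returned instead of notices.
    """
    if not is_reportable_breach(inc):
        return {"notify": False, "document_analysis": True}

    return {
        "notify": True,
        # Individuals: written notice by first-class mail, always.
        "individuals_first_class_mail": True,
        # Substitute notice (Web site home page or major print/broadcast media)
        # when contact information is insufficient for 10 or more individuals.
        "substitute_web_or_media": inc.missing_contact >= SUBSTITUTE_NOTICE_MIN,
        # Prominent media outlets when more than 500 individuals are involved.
        "prominent_media": inc.affected > PROMINENT_MEDIA_OVER,
        # HHS: immediately at 500 or more; otherwise log and submit annually.
        "hhs": "immediate" if inc.affected >= HHS_IMMEDIATE_AT else "annual_log",
        # Without unreasonable delay and in no case later than 60 days after discovery.
        "deadline": (inc.discovered + timedelta(days=NOTICE_DEADLINE_DAYS)).isoformat(),
    }


if __name__ == "__main__":
    # Constructed sample incidents, not real events.
    samples = {
        "lost unencrypted backup tape": make_incident(1200, 12, True, True, False, "2009-09-23"),
        "misdirected fax": make_incident(40, 0, True, True, False, "2009-10-01"),
        "stolen encrypted laptop": make_incident(300, 0, False, True, False, "2009-10-05"),
    }
    for name, inc in samples.items():
        print(f"{name}: {required_notices(inc)}")
```

The "stolen encrypted laptop" case is the point of the encryption discussion that follows: because the PHI was secured by one of the HHS-recognised methods, the helper returns no notification obligation, only the duty to document the analysis. Washington's separate statute, covered later in this update, has its own substitute-notice rules and is not modelled here.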
Justifying the decision not to encrypt electronic PHI that is transmitted, such as in e-mails to patients, or that is stored on portable or remote devices, as reasonable and appropriate is becoming increasingly difficult. The breach notification regulation and the role of encryption in “securing” PHI is only the most recent confirmation that encrypting electronic PHI when possible or practical is a best practice. In December 2006, in response to a number of security incidents related to the use of laptops, home-based personal computers, PDAs, smart phones, and other portable or mobile devices with electronic PHI, the Centers for Medicare and Medicaid Services (CMS)3 issued HIPAA Security Guidance for Remote Use of and Access to Electronic Protected Health Information.4 As a part of the guidance, CMS recommended that CEs:

• Require that all portable or remote devices that store electronic PHI employ encryption technologies of the appropriate strength.
• Deploy policies to encrypt backup and archival media, ensuring that policies direct the use of encryption technologies of the appropriate strength.

In a 2008 HIPAA Compliance Review Analysis published jointly by CMS and the Office of E-Health Standards and Services, CMS referred to its prior guidance and stated: “The combination of CMS’s recommendation in the remote use guidance, the increasing number of incidents involving lost portable devices, and the decreasing cost of encryption solutions has resulted in an environment where encryption may not be optional under the mantra of reasonable and appropriate.” CMS’s recommendations to improve Security Rule compliance regarding the addressable implementation specification of encryption all involve the implementation of encryption.5

Additional HIPAA guidance available.
In 2007, CMS issued, as part of its HIPAA Security Series, a document entitled “Security Standards: Implementation for the Small Provider,” which can be found at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/smallprovider.pdf. It provides valuable guidance and serves to amplify, among other things, the Small Practice Security Risk Analysis found starting at page 59 of the HIPAA Model Security Policies and Procedures.

Washington security breach notification requirements. Practices in Washington that maintain unencrypted computerized personal information have had certain security breach notification obligations since July 24, 2005. Any person conducting business in Washington that owns or licenses computerized personal information is required to disclose any “breach of the security of the system” by promptly notifying Washington residents whose unencrypted personal information is reasonably believed to have been acquired by an unauthorized individual.6 As with HIPAA, no notification is required if the information is encrypted.

Breach determination. A “breach of the security of the system” occurs when there is an “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information.” There is a statutory exception to breach where there is “[g]ood faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business when the personal information is not used or subject to further unauthorized disclosures.” Additionally, there is no requirement to disclose a technical breach of the security system provided that the breach “does not seem reasonably likely to subject customers to a risk of criminal activity.”

Information triggering notification.
“Personal information” is limited to an individual’s unencrypted first name or first initial and last name in combination with any one or more of the following unencrypted elements:

• Social security number;
• Driver’s license number or Washington identification card number; or
• Financial account or credit or debit card number in combination with any required security code, access code, or password.

Moreover, personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Notification requirements. Subject to the foregoing definitions and exceptions, if there is a breach of a security system that either results in, or is reasonably believed to have resulted in, a Washington resident’s personal information being acquired by an unauthorized person, notice must be provided as expediently as possible and without unreasonable delay. Notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notice may be provided by one of the following methods:

• Written notice
• Electronic notice in compliance with E-Sign (15 U.S.C. Sec. 7001)
• Substitute notice by e-mail (if e-mail address is available), Web-posting, and statewide media disclosure if the costs of notice would exceed $250,000, there are more than 500,000 intended recipients, or there is insufficient contact information.

Steps to take. Adopting and complying with the model Notification of Breach of Unsecured Protected Health Information (Policy & Procedures) is sufficient to comply with the Washington state security breach notification requirements for PHI maintained by the CE. Any security breach by a CE involving PHI that requires notification under Washington law will also require notification under HIPAA.
Moreover, complying with the HIPAA breach notification requirements will satisfy Washington breach notification requirements except in those instances where there is insufficient or out-of-date contact information. Substitute notice under Washington law requires e-mail, Web-posting, and statewide media disclosure and does not permit notice by telephone. As a result, if breach notification is required under HIPAA and the unsecured PHI includes an individual’s first name or initial and last name together with one of the identifiers noted above, the CE must provide the more extensive substitute notice provisions described above and in the model policy. If in addition to computerized PHI, a practice maintains unencrypted computerized personal information, such as employee records that include employee names and social security numbers, any security system breach involving only those records would be subject only to the Washington notification requirements.

1 On April 17, 2009, the Secretary of HHS issued guidance which states that PHI that is secured through encryption or destruction in accordance with specified standards, as summarized herein, is not considered “unsecured PHI.” 74 Fed. Reg. 19006 (published April 27, 2009). Guidance will be available at the HHS Web site at http://www.hhs.gov/ocr/privacy/

2 The Federal Trade Commission Web site provides information on how to protect against identity theft and can be found at: www.ftc.gov/bcp/edu/microsites/idtheft/consumers/defend.html

3 CMS had authority to administer and enforce the Security Rule until August 2009, when that authority was delegated by the Secretary of HHS to the Office of Civil Rights, which already had authority to administer and enforce the Privacy Rule.

4 The CMS HIPAA Security Guidance for Remote Use of and Access to Electronic Protected Health Information can be found at: http://www.cms.hhs.gov/securitystandard/downloads/securityguidanceforremoteusefinal122806rev.pdf The guidance provides a review of strategies that CMS states “may be reasonable and appropriate [the standard under the Security Rule] for covered entities to follow for offsite use of, or access to, ePHI.”

5 The Compliance Review Analysis with its recommendations regarding encryption, among other topics, can be found at: http://www.cms.hhs.gov/enforcement/downloads/hipaacompliancereviewsumtopost508.pdf

6 RCW 19.255.010.

WASHINGTON STATE MEDICAL ASSOCIATION
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT
MODEL SECURITY POLICIES AND PROCEDURES
Revised July 2004

© 2002-2004 Illinois State Medical Society/ISMIE Mutual Insurance Company
Reprinted with permission of the Illinois State Medical Society and ISMIE Mutual Insurance Company

Foreword

NOTE: The requirements of the final HIPAA Security Rule were issued last year and are effective in 2005. It is important that you ensure your practice is working to implement all of the required Security Rule requirements in a timely fashion.

This document does not include any policies and procedures related to the HIPAA Privacy Rule. It only includes policies and procedures related to the HIPAA Security Rule. It is important that you ensure your practice is following the HIPAA Privacy Rule requirements. Some of your existing Privacy policy and procedures most likely address the security of your confidential information. You may need to update those policies and procedures to incorporate the specific provisions of the final Security Rule.
This document has been prepared by the Illinois State Medical Society (ISMS) and ISMIE Mutual Insurance Company to assist our members and policyholders in meeting the privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA) passed by the Congress in 1996. The Washington State Medical Association (WSMA) is reprinting this document with the permission of ISMS and ISMIE. WSMA has made changes to the original document where Washington law differs from Illinois law so that this revised document will reflect Washington law and can be used by the WSMA membership.

ISMS and ISMIE Mutual have attempted to compile all the basic information that physicians need to consider as they seek to comply with the HIPAA privacy and security requirements. For health care providers in Washington State, WSMA added to the foundation created by ISMS and ISMIE and, in conjunction with Physicians Insurance, has created a HIPAA Privacy Manual that supplies the provider with the information necessary to work towards HIPAA compliance with respect to the HIPAA Privacy Rules. The HIPAA Privacy materials can be found, free of charge, at http://www.physiciansinsurance.com/risk/hipaa.html.

Does HIPAA Apply to You?

HIPAA applies to payers, institutions, health care professionals and providers, from the largest multi-state integrated delivery networks to solo practice professionals who engage in any of the “standard electronic transmissions.” Most physicians do at least some of their business electronically, so HIPAA applies to them. Many submit claims electronically, either directly from their offices or through a billing service. Others receive electronic payment and remittance information from health plans. If your practice does any of the following electronically, either directly or through a billing service or other vendor, then HIPAA applies to you:

• submit claims;
• receive claim payment and remittance information;
• query insurance companies about the status of a claim;
• receive information about the status of a claim;
• query insurance companies about the eligibility of a patient to be covered for services;
• receive information about patient eligibility;
• send referral authorizations; or
• receive referral authorizations.

If your practice does not do any of the above electronically, either directly or through a billing service or other vendor, then HIPAA does not apply to you.

NOTE: In order to bill Medicare after October 16, 2003, practices with 10 or more full time workforce members including the physicians must bill Medicare electronically and, as a result, will be subject to the HIPAA requirements.

Document Organization

The document is divided into two general areas. The first deals with security policies and procedures and the second deals with administrative policies and procedures. Each topic area begins with a background and is followed by a model policy and a procedure. Each model policy is a general statement about the way a practice might want to approach each topic area. Each model procedure provides specific examples of how the practice might want to implement that general policy.

Notes

NOTE: The model policies and procedures must be reviewed by each practice and modified as necessary. You must determine if and how these model policies and procedures apply to your practice, modify them so they do reflect your practice, and make any necessary changes to ensure your practice is in compliance with the HIPAA Security Rule.

NOTE: These model policies and procedures are copyright by ISMS/ISMIE Mutual Insurance Co. Permission is granted to ISMS members and ISMIE Mutual Co. policyholders to use and modify these model policies and procedures so that they can bring their practices into compliance with HIPAA.
Permission also is granted to members of the Washington State Medical Association to use and modify these model policies and procedures so that they can bring their practices into compliance with HIPAA. Other individuals and groups wishing to use or modify these model policies and procedures must seek written permission from ISMS/ISMIE Mutual Insurance Co. and pay a royalty to ISMS/ISMIE Mutual Insurance Co.

NOTE: This document does not constitute legal advice. You are urged to seek legal advice if you have any questions regarding how HIPAA applies to your practice.

Questions

If you have questions about HIPAA, you can contact the Risk Management Department at Physicians Insurance A Mutual Company at 206-343-7300, or 1-800-962-1399, or [email protected].

Table of Contents

Organizational Overview (p. 1)
Privacy Policies and Procedures (p. 2)
Security Policies and Procedures (p. 8)
  Administrative Safeguards (p. 10)
    Administrative Safeguards – Risk Analysis, Risk Management and Ongoing Risk Evaluation (p. 11)
    Administrative Safeguards – Contingency Planning (p. 12)
      “PHI” Software Log (p. 15)
      Backup Log (p. 16)
    Administrative Safeguards – Physical Controls for Visitor Access (p. 17)
  Physical Safeguards (p. 18)
    Physical Safeguards – Access Control (p. 19)
    Physical Safeguards – Records Processing – Receiving, Sending, and Disposing of PHI (p. 24)
    Physical Safeguards – Computer Workstation Use and Security (p. 29)
    Physical Safeguards – Device and Media Controls (p. 31)
      Device and Media Controls Log (p. 33)
  Technical Safeguards (p. 34)
    Technical Safeguards – Personal or “Entity” Authentication (p. 35)
    Technical Safeguards – Security Configuration – Documentation, Testing, Inventory, Virus Control (p. 37)
    Technical Safeguards – Audit Controls and Integrity (p. 39)
    Technical Safeguards – Transmission Security (p. 40)
Administrative Security Policies and Procedures (p. 41)
  Administrative Requirements – Security Officer (p. 41)
  Administrative Requirements – Information Access Management (p. 42)
  Administrative Requirements – Security Incident Procedures (p. 43)
    Security Incident Log (p. 44)
  Administrative Requirements – Awareness and Training For Staff (p. 45)
    Training Log (p. 47)
    Model Acknowledgment of Training (p. 48)
  Administrative Requirements – Workforce Sanctions (p. 49)
  Administrative Requirements – Documentation (p. 52)
HIPAA Security Readiness Checklist (p. 55)
Small Practice Security Risk Analysis (p. 59)

Organizational Overview

Background

There are a variety of provisions in the Privacy Rule related to organizational requirements. In general, a covered entity – including a physician – must determine the type of organization in which they operate. For small practices, this is a fairly straightforward task. Small practices usually are not complex organizations. Small practices:

• provide health care services;
• usually do not provide multiple covered functions;
• usually are owned by some or all of the physicians;
• are not business associates;
• do not have “affiliates” (affiliates are separate legal entities with common ownership);
• are not “hybrid entities” (a hybrid entity is defined in a complex manner as “a single legal entity that is a covered entity and whose covered functions are not its primary functions”); and
• are not “organized health care arrangements” (separate covered entities that are integrated clinically or operationally are considered an organized health care arrangement if protected health information must be shared among the covered entities for the joint management and operations of the arrangement).

NOTE: You may be an “organized health care arrangement” if you have a number of different independent physicians or other providers practicing in your office.

NOTE: This section should be rewritten to talk about your organizational structure. Be sure to include the name, address, and telephone number of your practice, a brief description of the practice, and any other information that helps to define the organizational structure.

NOTE: Most physicians will be involved in an organized health care entity such as a hospital or ambulatory surgical treatment center. Physicians involved in such an entity should be aware of the entity’s HIPAA policies and procedures. The entity’s policies and procedures, not yours, will most likely apply when you provide services in those settings.

Privacy Policies and Procedures

The Privacy Final Rule was issued December 28, 2000. The Privacy Final Rule was modified by the Privacy Modification Final Rule issued August 14, 2002. The Final Rule has subsequently been clarified through guidance issued by the government.
All covered entities – including physician practices that engage in one of the standard HIPAA transactions, either directly or through a third party such as a billing service – are required to be in compliance with the rules. ISMS and ISMIE Mutual have developed model policies and procedures to assist our members and policyholders, particularly small practices, with HIPAA Privacy Rule compliance. These policies and procedures are not included in this document. Omitted Privacy Policies and Procedures, forms, and logs, include the following:

Individual Rights

Notice of Privacy Practices: One section of the Privacy Rule addresses the Notice of Privacy Practices. 1 In general, a covered entity – including a physician – is required to provide every direct care patient with a copy of the covered entity’s Notice of Privacy Practices. In addition, covered entities are required to request and make a good-faith effort to obtain a written patient acknowledgment that they received the Notice of Privacy Practices. The covered entity should document that the Notice was received or document why the acknowledgment could not be signed by the patient. Associated documents include a “Model Receipt of Notice of Privacy Practices Form” and a “Model Consent for Release and Use of Confidential Information and Receipt of Notice of Privacy Practices Form.”

Accounting for Disclosures of PHI: Four sections of the Privacy Rule address the tracking of disclosures and the right of individuals to receive an accounting for disclosures. 2 In general, a covered entity – including a physician – is required to keep a history of when and with whom disclosures are made of protected health information (PHI) – confidential information. Physicians do not have to track disclosures in certain circumstances. Associated documents include a “Disclosures of PHI Tracking Log” and a “Requests for Accounting of Disclosures Log.”

Inspect and Copy PHI: One section of the Privacy Rule addresses the right of individuals to inspect and copy PHI. 3 In general, a covered entity – including a physician – is required to allow an individual access to inspect and obtain a copy of protected health information (PHI) about the individual for as long as the information is maintained. The information must be maintained in a “designated record set.” This right does not extend to certain records. In addition, a covered entity may also deny access for several specific reasons listed in the Privacy Rule (see below). Associated documents include an “Inspection and Copying Request Log,” a “Model Request for Medical Records Acceptance Form Letter,” and a “Model Request For Inspection or Copying of Confidential Information Denial Form Letter.”

Request Amendment to PHI: Two sections of the Privacy Rule address the right of individuals to request an amendment to PHI. 4 In general, a covered entity – including a physician – is required to amend PHI or a record about the individual in a “designated record set” for as long as the PHI is maintained in the “designated record set.” A covered entity may deny a request for amendment under certain circumstances. Associated documents include an “Amendment Request Log,” a “Model Acceptance of Request to Amend Medical or Billing Records Form Letter,” and a “Model Denial of Request to Amend Medical or Billing Records Form Letter.”

Request Confidential Communications: Two sections of the Privacy Rule address the right of an individual to request confidential communications. 5 In general, a covered entity – including a physician – is required to accommodate all reasonable requests to keep communications confidential. Associated documents include a “Model Request for Confidential Communication” and a “Request for Confidential Communications Log.”

Request Restriction of Disclosures: One section of the Privacy Rule addresses the right of individuals to request a restriction on disclosures. 6 In general, a covered entity – including a physician – is required to have a policy with respect to allowing individuals to request a restriction in the use and disclosure of their PHI. A covered entity is not required to agree to any restriction. Associated documents include a “Disclosure Restriction Log.”

Authorizations: Nine sections of the Privacy Rule address patient authorizations. 7 In general, a covered entity – including a physician – is required to obtain an authorization for the use or release of information for other than treatment, payment, or health care operations, unless state or federal law requires such disclosure. Associated documents include a “Model Authorization Form for Release of Confidential Health Information.”

Waiver of Rights: One section of the Privacy Rule addresses the waiver of individual rights. 8 In general, a covered entity – including a physician – may not require individuals to waive any of their individual rights as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.

Footnotes
1 § 164.520 – Notice of Privacy Practices for PHI.
2 § 164.508 – Uses and Disclosures for which Authorization is Required; § 164.512 – Uses and Disclosures for Which Consent, an Opportunity to Agree or Object is Not Required; § 164.528 – Accounting of Disclosures of Protected Health Information; and § 164.530 (j) – Documentation Requirements.
3 § 164.524 – Access of Individuals to Protected Health Information.
4 § 164.526 – Amendment of Protected Health Information; and § 164.524(a)(2)&(3) – Unreviewable and Reviewable Grounds for Denial.
5 § 164.522(b) – Rights to Request Privacy Protection for Protected Health Information – Standard – Confidential Communications Requirements; and § 164.502(h) – Uses and Disclosures of Protected Health Information – General Rules – Standard – Confidential Communications.
6 § 164.522(a) – Rights to Request Privacy Protection for Protected Health Information – Standard – Right of an Individual to Request Restriction of Uses and Disclosures.
7 § 164.506(a) – Standards for Consents and How Consents Differ from Authorizations; § 164.508(a) – Standard for Requirements and Exceptions for Authorizations; § 164.508(b) – Implementation Specifications for Authorizations; § 164.508(c) – Core elements and requirements; § 164.508(d) – Specifications for an Entity’s Own Uses and Disclosure; § 164.508(e) – Specifications for an Entity’s Disclosure to Others; § 164.508(f) – Specifications for Research and Treatment; § 164.520 – Requirements for Plain English Language; and § 164.512 – Uses and Disclosures for which Consent, an Authorization, or Opportunity to Agree or Object is Not Required.
8 § 164.530(b) – Administrative Requirements – Standard – Waiver of Rights.

Uses and Disclosures of Protected Health Information

Verification of Identity: Five sections of the regulations address the release of PHI to appropriate individuals. 9 A covered entity – including a physician – must reasonably ensure that PHI is only used by and released to appropriate individuals. This requires verification of the identity of the individual using or receiving the information.

Personal Representatives: Four sections of the regulations address the release of PHI to personal representatives. 10 In general, a covered entity – including a physician – must, with two exceptions, treat a personal representative as the individual.
The final rule gives specific guidelines for personal representatives, adults and emancipated minors, unemancipated minors, deceased individuals, and abuse, neglect, and endangerment situations.

Not Requiring Authorization: Several policies and procedures are addressed under this heading.

• Disclosure to Those Involved in Individual’s Care: One section of the regulations addresses the disclosure of PHI to those involved in an individual’s care. 11 Generally, a covered entity – including a physician – is required to disclose PHI to family members, close friends, or other persons assisting in an individual’s care, as well as government agencies and disaster relief organizations conducting disaster relief activities. The disclosure may result from an oral agreement, without written authorization, so long as the covered entity informs individuals in advance of such use or release and provides a meaningful opportunity for the individual to prevent or restrict the disclosure.

• Uses and Disclosures Required by Law: Five sections of the regulations address the provision of PHI as required by law. 12 Generally, a covered entity – including a physician – is required to use and disclose PHI as required by federal, state, and local laws.

• Uses and Disclosures in Emergency Situations: Six sections of the regulations address the provision of PHI in emergency situations. 13 Generally, a covered entity – including a physician – is allowed to use and disclose PHI in emergency situations without providing the covered entity’s Notice of Privacy Practices to the individual. As soon as possible after the use or disclosure of PHI in emergency situations, the covered entity should provide the Notice to direct treatment patients.

• Marketing Purposes: Three sections of the regulations address the use and disclosure of PHI for marketing purposes. 14 Generally, a covered entity – including a physician – must limit the use and disclosure of PHI for marketing purposes, unless the patient signs an authorization allowing such use and disclosure.

• De-Identification of PHI: Four sections of the regulations deal with the provision of “de-identified” PHI. 15 Generally, a covered entity – including a physician – may disclose “de-identified” PHI, so long as the covered entity meets the requirements for de-identifying PHI as outlined in the Privacy Rule, which requires in part that PHI be stripped of 18 data elements. The process of de-identifying information is very complex and most physician practices have no need to release de-identified information.

• Deceased Individual’s PHI: Three sections of the regulations address the provision of PHI of deceased individuals. 16 In general, a covered entity – including a physician – must protect the PHI of a deceased individual for as long as the covered entity maintains the PHI. The covered entity may disclose a decedent’s PHI to coroners, medical examiners, and funeral directors as required by law. In addition, the covered entity must treat individuals lawfully representing decedents as if the deceased individuals were still alive.

Do Not Apply to Practice: Several policies and procedures are addressed under this heading.

• Research Activities: PHI created for research is subject to the Privacy Rule requirements. 17 This is a particularly complex area of the regulations. To simplify these model policies and procedures, it is recommended that physicians at this time not participate in any research studies that involve PHI.

• Other Uses and Disclosures: Several other uses and disclosures in the Privacy Rule generally do not apply to provider practices. These include: disclosure to an employer or health plan sponsor 18; use and disclosure for underwriting and related purposes 19; use and disclosure for facility directories 20; use and disclosure to brokers and agents 21; and use for fundraising. 22

Minimum Necessary: Two sections of the regulations address the minimum necessary requirements. 23 As stated in the Privacy Rule: “When using or disclosing protected health information or when requesting protected health information from another covered entity, a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”

Business Associates: Three sections of the Privacy Rule and three sections of the Security Rule address the release of PHI to business associates. 24 In general, a covered entity – including a physician – must enter into a Business Associate Agreement with any person who acts in a capacity other than as a member of the workforce of a covered entity to perform or assist in the performance of a function or activity on behalf of the covered entity involving the use or disclosure of PHI or any other function or activity otherwise governed by the Privacy Rule.

Administrative Privacy Policies and Procedures

Privacy Officer: Two sections of the Privacy Rule address the need to appoint a Privacy Officer and a contact person for all issues related to the Privacy Rule. 25 In general, a covered entity – including a physician – is required to have a Privacy Officer and a contact person.

Changes in Law: Two sections of the Privacy Rule address changes in law. 26 In general, a covered entity – including a physician – is required to change the covered entity’s policies and procedures whenever a change in law necessitates such a change. In addition, the covered entity must promptly revise and distribute its Notice of Privacy Practices whenever there is a material change to the uses or disclosures of information, the individual’s rights, the covered entity’s legal duties, or other privacy practices stated in the notice. Keep in mind that the practice also must comply with all state and federal laws related to security.

Complaint Process: Nine sections of the Privacy Rule address the complaint process. 27 In general, a covered entity – including a physician – is required to have a process for individuals to file complaints with the covered entity and with the Secretary.

Footnotes
9 § 164.514(h) – Other Procedural Requirements Relating to Uses and Disclosures of Protected Health Information – Standard – Verification Requirements; § 164.512(a) – Uses and Disclosures for which Consent, an Authorization or Opportunity to Objection is Not Required – Standard – Uses and Disclosures Required by Law; § 164.512(f) – Uses and Disclosures for which Consent, an Authorization, or Opportunity to Agree or Object is Not Required – Standard – Disclosures for Law Enforcement Purposes; § 164.502(f) – Uses and Disclosures of Protected Health Information – General Rules – Standard – Deceased Individuals; and § 164.510(b) – Uses and Disclosures Requiring an Opportunity for the Individual to Agree or to Object – Standard – Uses and Disclosures for Involvement in the Individual’s Care and Notification Purposes.
10 § 164.502(g) – Uses and Disclosures of Protected Health Information – General Rules – Standard – Personal Representatives; § 164.524 – Access of Individuals to Protected Health Information; § 164.528 – Accounting of Disclosures of Protected Health Information; and § 164.510(b) – Uses and Disclosures Requiring an Opportunity for the Individual to Agree or to Object – Standard – Uses and Disclosures for Involvement in the Individual’s Care and Notification Purposes.
11 § 164.510(b) – Uses and Disclosures for Involvement in the Individual’s Care and Notification Purposes – Standard.
12 § 164.501 – Definitions – Required by Law; § 164.512 – Uses and Disclosures for which Consent, an Authorization, or Opportunity to Agree or Object is Not Required; § 164.502(b)(2)(iv) – Standard – Minimum Necessary Does Not Apply; § 164.514(d)(3)(iii)(A) – Implementation Specification – Minimum Necessary Disclosures of Protected Health Information; and § 164.514(h)(1) – Verification Requirements.
13 § 164.506(a) – Standard – Consent Requirement; § 164.506(a)(3)(i)(A) – Consent During Emergency Treatment Situations; § 164.510(b)(3) – Limited Uses and Disclosures When the Individual is Not Present; § 164.512(f)(3) – Permitted Disclosure – Victims of a Crime; § 164.512(f)(6) – Permitted Disclosure – Reporting Crime in Emergencies; § 164.512(j) – Permitted Disclosure – To Avert a Serious Threat to Health or Safety; and § 164.522(a)(1) – Standard – Right of an Individual to Request Restriction of Uses and Disclosures.
14 § 164.501 – Definitions – Marketing; § 164.508(a) – Uses and Disclosures for Which Authorization is Required – Standard – General Rules; and § 164.508(b) – Implementation Specifications for Authorizations.
15 § 164.502(d) – Uses and Disclosures of Protected Health Information – Standard – Uses and Disclosures of De-identified Protected Health Information; § 164.514(a) – Other Requirements Relating to Uses and Disclosures of Protected Health Information – Standard – De-identification of Protected Health Information; § 164.514(b) – Other Requirements Relating to Uses and Disclosures of Protected Health Information – Implementation Specifications – Requirements for De-identification of Protected Health Information; and § 164.514(c) – Re-identification of Information.
16 § 164.502(f) – Uses and Disclosures of Protected Health Information – General Rules – Standard – Deceased Individuals; § 164.502(g)(4) – Uses and Disclosures of Protected Health Information – General Rules – Standard – Personal Representatives – Implementation Specification – Deceased Individuals; and § 164.512(g) – Uses and Disclosures for which Consent, an Authorization, or Opportunity to Agree or Object is Not Required – Standard – Uses and Disclosures About Decedents.
17 § 164.506 – Consent for Uses or Disclosures to Carry Out Treatment, Payment, or Health Care Operations; § 164.508 – Uses and Disclosures for which an Authorization is Required; § 164.512(i) – Uses and Disclosures for which Consent, an Authorization, or Opportunity to Agree or Object is Not Required Including the Standards for Uses and Disclosures for Research Purposes; § 164.524 – Access of Individuals to Protected Health Information; and § 164.532 – Transition Provisions.
18 § 164.504 – Uses and Disclosures: Organizational Requirements.
19 § 164.508(a) – Uses and Disclosures for which Authorization is Required – Standard – General Rules; § 164.508(b)(4)(A) and (B) – Prohibition on Conditioning of Authorizations (exceptions); § 164.514(g) – Other Requirements Relating to Uses and Disclosures of Protected Health Information – Standard – Uses and Disclosures for Underwriting and Related Purposes; § 164.504(f) – Uses and Disclosures: Organizational Requirements (standard requirements for group health plans); and § 164.528 – Accounting of Disclosures of Protected Health Information.
20 § 164.510(a) – Use and Disclosure for Facility Directories – Standard.
21 § 164.504(f) – Requirements for Group Health Plans; § 164.510(b)(2) – Uses and Disclosures with the Individual Present; and § 164.510 – Uses and Disclosures for which an Authorization is Required.
22 § 164.508(a) – Uses and Disclosures for which Authorization is Required – Standard – General Rules; § 164.508(b) – Implementation Specifications for Authorizations; § 164.514(e) – Standard – Uses and Disclosures of Protected Health Information for Marketing; and § 164.514(f) – Standard: Uses and Disclosures of Protected Health Information for Fundraising.
23 § 164.502(b) – Uses and Disclosures of Protected Health Information: General Rules – Standard – Minimum Necessary; and § 164.514(d) – Other Requirements Relating to Uses and Disclosures of Protected Health Information – Standard – Minimum Necessary Requirements.
24 § 160.103 – Definitions – Business Associates; § 164.308(b)(1) – Standard – Business Associate Contracts; § 164.314(a) – Standard and Implementation Specification – Business Associate Contracts and Other Arrangements; § 164.316 – Policies and Procedures and Documentation Requirements; § 164.502(e) – Uses and Disclosures of Protected Health Information – General Rules – Standard – Disclosures to Business Associates; and § 164.504(e) – Uses and Disclosures – Organizational Requirements – Standard: Business Associate Contracts.
25 § 164.530(a) – Administration Requirements – Designation of a Privacy Official and Contact Person; and § 164.526(d)(1)(iv) – Administration Requirements – Amendment of Protected Health Information.
Mitigation of Privacy Breaches: One section of the Privacy Rule addresses the requirement for mitigation. [28] In general, a covered entity – including a physician – is required to take action to mitigate breaches in the use or disclosure of PHI. A breach occurs whenever PHI is used or disclosed in violation of the covered entity’s policies and/or procedures. In addition, a business associate agreement must be terminated when possible after a material breach that has not been resolved. If the agreement cannot be terminated, then the practice must inform the Secretary of the situation.

Whistleblowers/Crime Victims: Two sections of the Privacy Rule address whistleblowers and the reporting of violations. [29] In general, a covered entity – including a physician – is required to use and disclose PHI in whistleblower and crime victim cases without an authorization.

[26] § 164.530(i)(3) – Changes in Law – Implementation Specification – Standard – Policies and Procedures; and § 164.520(b)(3) – Revision to Notice – Implementation Specification – Content of Notice – Standard – Notice of Privacy Practices.
[27] § 160.306 – Complaints to the Secretary; § 160.310(b) – Responsibilities of Covered Entities to Cooperate With Complaint Investigations and Compliance Review; § 160.312 – Secretarial Action Regarding Complaints and Compliance Reviews; § 164.530(a)(1)(ii) – Administrative Requirements – Standard – Personnel Designations; § 164.530(d) – Administrative Requirements – Standard – Complaints to the Covered Entity; § 164.530(g) – Administrative Requirements – Standard – Refraining from Intimidating or Retaliatory Action; § 164.520(B)(vi) – Notice of Privacy Practices – Complaints; § 164.524(d)(2)(iii) – Access of Individuals to Protected Health Information – Implementation Specifications – Denial of Access; and § 164.526(d)(iv) – Amendment of Protected Health Information – Implementation Specifications – Denial of Amendment.
[28] § 164.530(f) – Administrative Requirements – Mitigation.
[29] § 164.502(j) – Standard – Disclosures by Whistleblowers and Workforce Member Crime Victims; and § 164.512(f)(2)(i) – Listing of the Protected Health Information that May Be Disclosed by a Workforce Member Who is a Victim of a Crime.

Security Policies and Procedures

The Security Proposed Rule was issued in 1999. The Security Final Rule was issued February 20, 2003, and its compliance date is April 2005. It applies to the security of electronic information.

The Final Privacy Rule includes § 164.530(c)(1) – Administrative requirements; Standard: safeguards. This provision states that “[a] covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.” In addition, it adds “[a] covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart.” In other words, even though the Security Final Rule does not have to be complied with until April 2005, a practice must implement security policies and procedures now to safeguard its protected health information – both paper and electronic – to comply with the Privacy Rule.

This section presents model security policies and procedures. ISMS and ISMIE Mutual have developed these model policies and procedures to enable our members and policyholders, particularly small practices, to come into compliance with the HIPAA Privacy Rule. For the State of Washington, WSMA has amended the ISMS and ISMIE Mutual materials to address legal issues that are specific to Washington State or where the laws of the States of Washington and Illinois differ.

These model policies and procedures reflect the requirements in the Security Rule.
The requirements are placed in three categories:
• administrative safeguards, addressing the administrative policies and procedures that need to be developed and implemented;
• physical safeguards, addressing the physical aspects of security that need to be addressed; and
• technical safeguards, addressing the computer programs and other processes that need to be implemented.

In each of these areas there are a number of requirements. In addition, some of the requirements overlap, e.g., the assignment and use of passwords is an administrative safeguard that is implemented using a software program (technical safeguard). Where possible, requirements that overlap are consolidated.

NOTE: The model policies and procedures must be reviewed by each practice and modified as necessary. You must determine if and how these model policies and procedures apply to your practice, modify them so they do reflect your practice, and make any necessary changes to ensure your practice is in compliance with the HIPAA Security Rules.

You must meet the requirements of the Security Final Rule by April 2005. The model policies and procedures in this document are consistent with the final rule and implement the requirements of the final rule.

NOTE: These model policies and procedures are copyright by ISMS/ISMIE Mutual Insurance Co. Permission is granted to ISMS members and ISMIE Mutual Co. policyholders to use and modify these model policies and procedures so that they can bring their practices into compliance with HIPAA. Permission also is granted to members of the Washington State Medical Association to use and modify these model policies and procedures so that they can bring their practices into compliance with HIPAA. Other individuals and groups wishing to use or modify these model policies and procedures must seek written permission from ISMS/ISMIE Mutual Insurance Co.
and pay a royalty to ISMS/ISMIE Mutual Insurance Co.

NOTE: This document does not constitute legal advice. You are urged to seek legal advice if you have any questions regarding how HIPAA applies to your practice.

Administrative Safeguards

Numerous sections of the final Security Rule address administrative safeguards. The rule defines administrative safeguards as “actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”

Small practices are required to implement appropriate policies and procedures to protect their protected health information (PHI) – confidential information – and ensure that it remains secure. Recall that the Security Rule only covers electronic information. The Privacy Rule also addresses confidential information kept in paper and other forms. In order to meet the Privacy Rule requirements, the practice also must protect paper-based information.

The following portions of this document address the administrative safeguard policies and procedures that practices need to consider when implementing HIPAA privacy and security. Several of the Security Rule administrative requirements are included in these Model Policies and Procedures under the heading of “Administrative Security Policies and Procedures” (see page 41).

Administrative Safeguards – Risk Analysis, Risk Management and Ongoing Risk Evaluation

Background

Three sections of the Security Rule address risk analysis, risk management and evaluation.
[30] In general, a covered entity – including a physician – must conduct a risk analysis and ongoing evaluations to identify potential security risks and to determine how to address significant risks.

Model Policy

The practice has undertaken an initial risk analysis and ongoing evaluations to identify potential risks and to identify how to manage significant risks.

Model Procedures

NOTE: This section is written on the assumption that you have completed the Small Practice Security Risk Analysis, page 59.

Risk Assessment: The practice has completed an initial risk analysis (Small Practice Security Risk Analysis, page 59). As required by the final rule, this risk analysis provided an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the” practice. Recognizing that the Privacy Rule requires the practice to protect paper and oral PHI as well as electronic, this risk assessment addressed the full range of PHI held by the practice.

Evaluation: The practice undertakes an evaluation of its security annually. This evaluation involves updating the risk analysis to ensure that all potential risks are identified and to identify any new or evolving risks that need to be managed. In addition to the periodic scheduled evaluations, the practice completes an evaluation whenever there is a significant change to any of its systems (e.g., new programs or hardware are implemented), physical plant (e.g., space is added or modified), or administrative operations (e.g., the flow of information in the office is modified).

Risk Management: On the basis of the risk assessment and the ongoing evaluations, the practice adequately manages its risks. The policies and procedures included in this manual reflect the actions taken by the practice to manage its risk.
[30] § 164.308(a)(8) – Standard – Evaluation; § 164.316(a)(2)(i) – Implementation Specification – Risk Analysis; and § 164.316(a)(2)(ii) – Implementation Specification – Risk Management.

Administrative Safeguards – Contingency Planning

Background

Eight sections of the Security Rule address contingency planning. [31] In general, a covered entity – including a physician – must have in place contingency plans to ensure mission critical electronic-based information is available in a timely fashion.

Model Policy

The practice has in place appropriate contingency plans so that it can continue to provide critical functions if it is faced with a loss of access to electronic-based protected health information (PHI).

Model Procedures

Criticality Analysis: The practice keeps logs of its devices and media (Device and Media Controls Log, page 33) and the software on each of its devices that may contain PHI (see “PHI” Software Log, page 15). These logs note which systems contain PHI and specifically which files contain PHI so that those files can be backed up, and are maintained by the Security Officer. The practice does not store its medical records electronically [or keeps paper copies of all medical records]. Accordingly, the recovery of lost electronic-based PHI is not time-critical to patient care.

NOTE: If a practice has electronic medical records and does not keep paper copies of those medical records, this section will have to be expanded. The criticality analysis will have to document which systems are necessary to ensure timely patient care.

Data Backup Plan: The practice backs up all PHI maintained on its computer systems. The information is backed up on a weekly basis to a [insert media type, e.g., diskettes, Zip Drive, CD]. The information is password protected. Two copies are made. One copy is stored at the practice and the second copy is stored offsite.
In an emergency, the information is backed up as soon as possible and removed offsite. In addition, PHI is backed up prior to moving any computer or modifying any software containing PHI. Backups are recorded on the Backup Log, page 16.

[31] § 164.308(a)(7)(i) – Administrative Safeguards – Standard: Contingency Plan; § 164.308(a)(7)(ii)(A) – Administrative Safeguards – Implementation Specifications – Data Backup Plan; § 164.308(a)(7)(ii)(B) – Administrative Safeguards – Implementation Specifications – Disaster Recovery Plan; § 164.308(a)(7)(ii)(C) – Administrative Safeguards – Implementation Specifications – Emergency Mode Operation Plan; § 164.308(a)(7)(ii)(D) – Administrative Safeguards – Implementation Specifications – Testing and Revision Procedures; § 164.308(a)(7)(ii)(E) – Administrative Safeguards – Implementation Specifications – Applications and Data Criticality Analysis; § 164.316(a) – Standard – Policies and Procedures; and § 164.316(b) – Standard – Documentation.

Copies are retained for 4 weeks and then destroyed or recycled. (See Physical Safeguards – Device and Media Controls, page 31.)

NOTE: The practice will have to determine where to store the backup media. If you have two practice sites, consider storing the information at the second site. Perhaps you can store the information in a safe deposit box, or make arrangements to store it at one of your Business Associates, e.g., an attorney, accountant, or billing service. Make sure the backup is stored at a site where it is secure and protects the privacy of the information on the backup media.

The Security Officer or another workforce member authorized in writing by the Security Officer may retrieve the backup as required.

The practice does not store its medical records electronically [or keeps paper copies of all medical records].
Accordingly, the recovery of lost electronic-based PHI is not time-critical to patient care.

NOTE: If you keep medical records electronically, you will have to modify this language accordingly. In this case, recovery of electronic PHI may be critical to patient care.

Testing Restoration: Once a year, when critical new software is installed, and when new devices are installed, the practice checks to make sure it can recover lost data from its backup. Specifically, the practice reviews the backup files and compares them to the files on its computers. This is accomplished by comparing the size and dates of the files to ensure they are identical.

Disaster Recovery Plan: The practice does not store its medical records electronically [or keeps paper copies of all medical records]. Accordingly, the recovery of lost electronic-based PHI is not time-critical to patient care. When a disaster has occurred – when electronic information is lost for whatever reason – the practice’s Security Officer implements the disaster recovery plan. The specific plan depends on the type and scope of the disaster:
• If PHI has been lost and the computer systems still function, the practice will attempt to restore the information from backup media.
• If PHI has been lost and some portion of the computer systems still function, the practice will attempt to restore the information from backup media to that portion of the computer system.
• If PHI has been lost and:
  • the computer systems still function, but the practice is unable to restore the information from backup media;
  • some portion of the computer systems still function, but the practice is unable to restore the information from backup media to that portion of the computer system; or
  • the entire computer system has failed,
  the practice will obtain new computer equipment, install appropriate software, and restore the PHI in a timely fashion.
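The Testing Restoration step above verifies a backup by comparing file sizes and dates. The script below is an added example, not part of the ISMS/ISMIE model procedures: it runs that size-and-date comparison over a constructed sample directory tree and adds a content hash, so a file whose bytes changed while its size and date stayed the same is still reported rather than passed. The directory and file names are hypothetical and the file contents are placeholders, not PHI.

```python
"""Backup restoration check: the procedure's size/date comparison plus a
content hash. Added example; file names and data below are constructed."""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


@dataclass
class BackupReport:
    """Outcome of comparing the live files against the backup copy."""
    matched: list = field(default_factory=list)       # size, date and content identical
    missing: list = field(default_factory=list)       # on the live system, absent from the backup
    size_or_date: list = field(default_factory=list)  # the mismatch the procedure's own check finds
    content_only: list = field(default_factory=list)  # size and date agree but the bytes differ

    def ok(self) -> bool:
        """True only when every live file has an identical copy in the backup."""
        return not (self.missing or self.size_or_date or self.content_only)


def _sha256(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_backup(source: Path, backup: Path) -> BackupReport:
    """Compare every file under `source` with its counterpart under `backup`."""
    report = BackupReport()
    for src in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src.relative_to(source).as_posix()
        dst = backup / rel
        if not dst.is_file():
            report.missing.append(rel)
            continue
        s, d = src.stat(), dst.stat()
        # The procedure's own check: identical size and modification date.
        if s.st_size != d.st_size or int(s.st_mtime) != int(d.st_mtime):
            report.size_or_date.append(rel)
        # The added check: equal size and date can still hide changed content.
        elif _sha256(src) != _sha256(dst):
            report.content_only.append(rel)
        else:
            report.matched.append(rel)
    return report


def demo() -> BackupReport:
    """Run the check over constructed sample files (placeholder data, no real PHI)."""
    root = Path(tempfile.mkdtemp(prefix="backup-check-"))
    try:
        source, backup = root / "system", root / "backup"
        (source / "billing").mkdir(parents=True)
        (backup / "billing").mkdir(parents=True)
        claims = source / "billing" / "claims.dat"
        ledger = source / "billing" / "ledger.dat"
        schedule = source / "schedule.txt"
        notes = source / "notes.txt"
        for f in (claims, ledger, schedule, notes):
            f.write_bytes(b"placeholder record 0001\n")
        # claims.dat: faithful backup (copy2 preserves the modification date).
        shutil.copy2(claims, backup / "billing" / "claims.dat")
        # ledger.dat: backed up, then rewritten with the same length and the
        # original date put back, so size and date still agree.
        shutil.copy2(ledger, backup / "billing" / "ledger.dat")
        stat = ledger.stat()
        ledger.write_bytes(b"placeholder record 0002\n")
        os.utime(ledger, (stat.st_atime, stat.st_mtime))
        # schedule.txt: the backup is stale; the live file has since grown.
        shutil.copy2(schedule, backup / "schedule.txt")
        with schedule.open("ab") as fh:
            fh.write(b"placeholder record 0002\n")
        # notes.txt: never backed up at all.
        return verify_backup(source, backup)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    report = demo()
    for label in ("matched", "missing", "size_or_date", "content_only"):
        print(f"{label}: {getattr(report, label)}")
    print("backup complete and identical:", report.ok())
```

Only the `content_only` line is something the size-and-date comparison alone would have missed.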
NOTE: If a practice has two locations, it may be able to restore the PHI at its second site. This would be an acceptable short-term solution.

NOTE: If a practice has electronic medical records and does not keep paper copies of those medical records, this section will have to be expanded. Restoration of the PHI becomes critical to the treatment of patients and must be accessible in a timely fashion.

Emergency Mode Operation: The practice does not need its electronic-based PHI to operate in emergency situations. All PHI needed in emergency situations is stored in paper format (paper medical records). Accordingly, the practice does not need any computer systems emergency mode operation plan.

NOTE: If a practice has electronic medical records and does not keep paper copies of those medical records, this section will have to be expanded. Restoration and emergency mode operation become critical to the treatment of patients and must be accessible in a timely fashion.

Education: The practice trains all workforce members regarding its contingency plans. The Security Officer is responsible for ensuring that backups are made and stored offsite as required by these procedures.

NOTE: If a practice has electronic medical records and does not keep paper copies of those medical records, this section will have to be expanded. It will have to include more training to ensure that workforce members understand how to restore PHI and operate in emergency mode.

“PHI” Software Log
Date | Description of Software | Action | Location of PHI

Backup Log
Date | 2 Copies Made | Backups Made By | Date Backup Sent Offsite | Confirm Backup Received Offsite | Date Backup Media Destroyed/Reused

Administrative Safeguards – Physical Controls for Visitor Access

Background

One section of the Security Rule addresses physical controls for visitors. [32] In general, a covered entity – including a physician – must ensure that visitors do not have inappropriate or unauthorized access to PHI.

Model Policy

The practice ensures that visitors do not have inappropriate and unauthorized access to protected health information (PHI).

Model Procedures

The practice minimizes the presence of visitors in the office. All visitors, including salespeople and pharmaceutical representatives, must sign in. Patients (and those accompanying patients) do not need to sign in as their presence is automatically documented by the practice. If appropriate, the practice provides visitors an escort to ensure they do not have inappropriate or unauthorized access to PHI.

[32] § 164.310(a)(2)(iii) – Physical Safeguards – Implementation Specifications – Access Control and Validation Procedures.

Physical Safeguards

Numerous sections of the final Security Rule address physical safeguards. [33] The rule defines physical safeguards as “physical measures, policies and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”

Small practices are required to implement appropriate policies and procedures to protect their protected health information (PHI) – confidential information – and ensure that it remains secure. Recall that the Security Rule only covers electronic information. The Privacy Rule also addresses confidential information kept in paper and other forms. In order to meet the Privacy Rule requirements, the practice also must protect paper-based information.
The following portions of this document address the physical safeguard policies and procedures that practices need to consider when implementing HIPAA privacy and security.

[33] § 164.304 – Definition – Physical safeguards; § 164.310 – Physical Safeguards; § 164.310(a)(1) – Standard – Facility Access Controls; § 164.310(a)(2)(i) – Contingency Operations; § 164.310(a)(2)(ii) – Facility Security Plan; § 164.310(a)(2)(iii) – Access Control and Validation Procedures; § 164.310(a)(2)(iv) – Maintenance Records; § 164.310(b) – Standard – Workstation Use; § 164.310(c) – Standard – Workstation Security; § 164.310(d)(1) – Standard – Device and Media Controls; § 164.310(d)(2)(i) – Implementation Specification – Disposal; § 164.310(d)(2)(ii) – Implementation Specification – Media Reuse; § 164.310(d)(2)(iii) – Implementation Specification – Accountability; and § 164.310(d)(2)(iv) – Implementation Specification – Data Backup and Storage.

Physical Safeguards – Access Control

Background

One key section of the Privacy Rule and numerous sections of the final Security Rule address access controls. [34] In general, a covered entity – including a physician – must have access control procedures to protect against unauthorized access to any PHI, paper or electronic.

Model Policy

The practice has appropriate access controls in place to ensure that only authorized persons have access to protected health information (PHI) on an appropriate basis.

Model Procedures

Facility Maintenance: The practice documents all facility repairs and modifications to the physical components of a facility, including maintenance, that impact security, such as repairs to walls and adding or removing locks, doors, or hardware.

Personnel Security: The practice ensures that only authorized workforce members or business associates have access to PHI.
All workforce members have access to PHI, as needed, to ensure the efficient operation of the practice. In addition, given the size and configuration of the practice, all workforce members have access to all computer terminals in the office, all programs on those computers, and all PHI used in those programs on an as-needed basis. The practice assesses annually whether the duties of any workforce member have changed such that their current access is no longer appropriate.

NOTE: You will have to change this procedure if you limit access to computer programs or computers to specific personnel.

Termination: The practice terminates a workforce member’s access to all PHI when the workforce member is terminated. The terminated workforce member is required to turn in any keys or other access devices that may have been issued by the practice, and all passwords are deactivated.

[34] § 164.530(c)(1) – Administrative Requirements – Standard – Safeguards; § 164.530(c)(2) – Administrative Requirements – Implementation Specification – Safeguards; § 164.308(a)(1)(ii)(D) – Administrative Safeguards – Implementation Specifications – Risk Analysis – Information System Activity Review; § 164.308(a)(ii)(D)(3)(I) – Administrative Safeguards – Implementation Specifications – Standard: Workforce Security; § 164.308(a)(ii)(D)(3)(ii)(A) – Administrative Safeguards – Implementation Specifications – Authorization and/or Supervision; § 164.308(a)(ii)(D)(3)(ii)(B) – Administrative Safeguards – Implementation Specifications – Workforce Clearance Procedure; § 164.308(a)(ii)(D)(3)(ii)(C) – Administrative Safeguards – Implementation Specifications – Termination Procedures; § 164.308(a)(ii)(D)(4)(ii)(B) – Administrative Safeguards – Standard: Information Access Management – Implementation Specification: Access Authorization; § 164.308(a)(ii)(D)(3)(ii)(C) – Administrative Safeguards – Standard – Information Access Management – Access Establishment and Modification; § 164.312(a)(1) – Technical Safeguards
– Standard – Access Control; § 164.312(d) – Technical Safeguards – Standard – Person or Entity Authentication; and § 164.312(e)(1) – Technical Safeguards – Standard – Transmission Security.

Physical Safeguards: The practice ensures that paper-based and electronic-media based PHI – PHI that is in physical formats and access to electronic-based PHI – is safeguarded.

Paper Records Management: The practice maintains paper medical and billing records. Each medical record and billing record contains PHI. The practice manages the medical records to ensure the privacy of the PHI in the medical records.
• Medical records are removed from the medical record files only for review by a workforce member for treatment, payment, or health care operations, to release records pursuant to an authorization, or as otherwise authorized by law.
• When a medical record is removed from the medical record files for other than treatment, the medical record remains in the staff office and is not allowed to leave that area. When finished using the medical records, the record will be refiled.
• When a medical record is removed from the medical record files for treatment purposes, the medical record either remains in the staff office (and is used and refiled) or is hand delivered by a workforce member to a physician’s office for review.
• When a medical record is in a physician’s office, the medical record is kept behind the physician’s desk and away from the reach of any patient who may be in the physician’s office for a consultation. In addition, the medical record is kept in a folder so that any visitors to the physician’s office cannot see any PHI, including the patient’s name, which may reside on the cover of the medical record. When the physician is done using the medical record, it is hand delivered by a workforce member to the staff office for appropriate use and refiling.
• The practice places medical records in the door outside exam rooms when a patient is in the exam room awaiting the physician. The medical record is placed such that no PHI is visible to anyone walking by the exam room. When a physician and patient leave the exam room, the medical record is taken from the exam room and handed to another workforce member for processing and filing or placed in the physician’s office for further review.

The medical records do not reside in cabinets that lock; however, the practice does lock the office at night, thereby securing the medical records. The doors to the practice are locked whenever the practice is closed and no one is present to monitor the practice and protect access to the medical records.

NOTE: If your medical records reside in locking cabinets, you will need to change these procedures. It is recommended that you have locking cabinets. In lieu of such cabinets, make sure the medical records room can be locked. You may have to lock the entire practice to secure the medical records. This is a minimally secure way of restricting access to your medical records.

NOTE: You need to review these procedures in detail to ensure they reflect your practice. Make whatever changes are necessary to ensure the procedures match your practice.

The practice manages the billing records to ensure the privacy of the PHI in the billing records.
• Billing records are removed from the billing record files only for review by a workforce member for payment, health care operations, or as otherwise allowed by law.
• In such cases, the billing record remains in the staff office and is not allowed to leave that area. When finished using the billing records, they will be refiled.
• The billing records reside in cabinets that do not lock; however, the office is locked at night.
The doors to the practice are locked whenever the practice is closed and no one is present to monitor the practice and protect access to the billing records.

NOTE: If your billing records reside in locking cabinets, you will need to change these procedures. It is recommended that you have locking cabinets. In lieu of such cabinets, make sure the billing records room can be locked. You may have to lock the entire practice to secure the billing records. This is a minimally secure way of restricting access to your billing records.

NOTE: You need to review these procedures in detail to ensure they reflect your practice. Make whatever changes are necessary to ensure the procedures match your practice.

Posting of PHI: The practice does not post any PHI, including schedules, where it could be viewed by visitors or patients. Schedules and other PHI needed for the functioning of the practice are kept in places not accessible by patients and referred to as needed by workforce personnel.

Conversations Including PHI: The practice is careful to restrict conversations containing PHI.
• Conversations with a patient present occur in an exam room or a physician’s office with the doors closed. Conversations in hallways or the reception area are avoided unless specifically initiated by the patient.
• Conversations in the hallway, especially near the reception area or other areas where patients may overhear the conversations, are avoided whenever possible.
• Workforce members, including a physician, do not take patient telephone calls in an exam room or in their office when another patient is present.
• The staff office is next to the reception area. Precautions are taken to minimize the PHI disclosed in telephone calls and other discussions that occur in the staff office. Whenever possible those discussions occur in the back of the staff office, farthest away from the reception area.

NOTE: This is a very sensitive portion of the regulations.
Patients will be in the reception area and will be aware of conversations occurring in the staff office that they can overhear. You need to evaluate your practice to ensure that your office is organized in a manner that minimizes the release of PHI.

FAXes: The receipt and sending of FAXes is addressed under Physical Safeguards – Records Processing – Receiving, Sending, and Disposing of PHI, page 24.

Access to Computers: Access to computers is addressed under Administrative Safeguards – Physical Controls for Visitor Access, page 17; Physical Safeguards – Computer Workstation Use and Security, page 29; and Technical Safeguards – Personal or “Entity” Authentication, page 35.

Need-to-Know: The practice recognizes that each workforce member should have access only to the PHI they need to perform his or her particular job functions. Workforce members are not allowed access to PHI beyond the scope of their current job functions. This principle is closely related to the minimum necessary standards for use, disclosure or request of PHI.

Uses of PHI: The practice has a very small workforce. Everyone in the office is responsible for every task from time to time. Accordingly, everyone in the office may have a need to review all PHI. The practice allows all members of its workforce to have access to all PHI, as necessary for them to carry out their job functions. The practice limits access to PHI to that information necessary for a member of its workforce to carry out his or her job functions. The amount and type of PHI necessary to carry out job functions varies depending on the specific tasks assigned to the member of the workforce each day, depending on the needs of the practice.

Disclosures of PHI: The practice limits the PHI it discloses to that necessary to meet the purpose of the disclosure.
For disclosures for:
• payment, the practice releases the information required to file a claim and, if requested, additional information requested by a health plan to adjudicate the claim (psychotherapy notes are not released without patient authorization for payment purposes); and
• health care operations, the practice releases the specific information required by the entity engaging in the health care operation, e.g., utilization review, quality assurance.

NOTE: The practice should list additional routine disclosures that it makes. For example, if the practice discloses information to a transcription service, accountant, or practice management company, it should specify the kinds of information disclosed.

The practice reviews such routine requests to ensure that they are reasonable and do not seek PHI beyond that reasonably required by the requestor to complete the purpose of the request. If, in the opinion of the practice, the requestor has requested more information than necessary, the practice so notifies the requestor and seeks clarification regarding what PHI they actually need.

The practice relies on a request for disclosure as being for the necessary amount of information if:
• the disclosure is to a public official and the public official represents that the request is for the minimum necessary information;
• the request is from another covered entity; or
• the request is from a business associate in order to provide a professional service to the practice and the professional represents that the request is for the minimum necessary information.

Requests for PHI: The practice sometimes has a need to request PHI from other entities, particularly other health care providers. In such instances, the practice will limit its request to that information that is “reasonably necessary” to accomplish the purpose of the request.
For routine, recurring requests, the practice will describe the information being requested and the purpose for the request. Most often the practice requests information related to the treatment of a patient. The minimum necessary requirements do not apply when the request is for purposes of treatment of a patient.

Use and Disclosure of Medical Record: The practice limits the use, disclosure, or request for a medical record to what is specifically needed in the professional judgment of the practice. For example, if there is a question regarding payment for a practice service, only the portion of the medical record related to that service is released. The practice does not routinely use or disclose the entire medical record, unless such use or disclosure is necessary, authorized by the patient, or allowed by law. If requested by a health care provider, the entire medical record will be made available to those involved in the treatment of the patient.

Physical Safeguards – Records Processing – Receiving, Sending, and Disposing of PHI

Background
One key section of the Privacy Rule and one section of the Security Rule address records processing.[35] In general, a covered entity – including a physician – must ensure that PHI sent, received or disposed of by the practice is secure.

[35] § 164.530(c)(1) – Administrative Requirements – Standard – Safeguards; § 164.530(c) – Administrative Requirements – Implementation Specification – Safeguards; and § 164.312(e)(1) – Technical Safeguards – Transmission Security.

Model Policy
The practice has procedures to ensure that protected health information (PHI) sent, received and disposed of by the practice is secure.

Model Procedures
Receipt of PHI From Outside the Practice
The practice often receives PHI from outside the practice. PHI is received in three general formats: paper-based or electronic-media based (e.g., CD and diskette), FAX, and electronic transmission.

Paper-Based or Electronic Media-Based PHI: The practice often has PHI delivered to the practice in a physical format, e.g., paper records, CD, or diskette. When the practice receives such PHI, it immediately treats the PHI in the same manner as other PHI in the practice. Often the information is entered into the medical record, e.g., paper medical records and reports from other health care providers, or the practice’s computer system, e.g., a remittance advice or explanation of benefits. The practice handles the delivered PHI in the same manner as other PHI in the practice when the PHI is delivered via:
• the mail:
  • when the mail is initially reviewed and sorted
    • if the envelope indicates it contains confidential information or PHI; or
    • if the envelope is from a source that commonly sends PHI to the practice, e.g., a laboratory or health plan; or
  • when the mail is opened and read and it becomes clear it contains PHI;
• a delivery or messenger service:
  • when the practice initially receives and signs for or receives the letter or package
    • if the envelope indicates it contains confidential information or PHI; or
    • if the envelope is from a source that commonly sends PHI to the practice, e.g., a laboratory or health plan; or
  • when the letter or package is opened and read and it becomes clear it contains PHI; or
• a patient:
  • when the patient indicates the delivery includes PHI; or
  • when the practice reviews the delivery and becomes aware the delivery includes PHI.

FAXed PHI: The practice receives PHI via the FAX. The FAX machine is kept in the _____________ area of the office. When the office is open, the FAX is monitored at all times by the practice’s workforce, and visitors are restricted from accessing the FAX machine. After hours, a FAX may be received.
The same access controls apply to the FAX machine as apply to other paper-based records in the practice (see Physical Safeguards – Access Control, page 19).

Electronic PHI: The practice controls access to all computers through its policies and procedures, including Physical Safeguards – Access Control, page 19, Technical Safeguards – Personal or “Entity” Authentication, page 35, and Physical Safeguards – Device and Media Controls, page 31. Any PHI received electronically is sent to one of the practice’s computers and is secured in accordance with the practice’s policies and procedures governing electronic PHI as soon as it is received.

Sending PHI Outside the Practice
The practice sends PHI outside the practice. PHI is sent in two general formats: paper-based or electronic-media based (e.g., CD and diskette) and FAX.

Paper-Based or Electronic Media-Based PHI: The practice sends paper-based or, on occasion, electronic-media based PHI outside the practice. The practice stamps all packages and envelopes containing such PHI as “CONFIDENTIAL: PROTECTED HEALTH INFORMATION ENCLOSED” or alternatively “CONFIDENTIAL.” The practice charges reasonable fees based on the actual cost of fulfilling requests for records. The practice determines the appropriate charge for providing the requested records and informs the requestor in advance of providing the records. If the requestor agrees to pay the fee in advance, the records will be provided. Otherwise, the records will not be provided, unless the Privacy Officer determines that the charge is burdensome to the requestor. Washington law allows a health care provider to charge fees for searching and duplicating medical records. The fees a health care provider may charge cannot exceed eighty-eight cents per page for the first thirty pages and sixty-seven cents for all other pages beyond the first thirty.[36] Additionally, Washington law allows a health care provider to charge a twenty dollar clerical fee for searching and handling records.[37] While Washington State law permits the charging of a twenty dollar “handling fee”, HIPAA regulations prohibit charging this fee to the patient or their representative. Review thoroughly the text found in footnotes 36 and 37. If the health care provider personally edits confidential information from the medical record as required by statute, the health care provider can also charge the usual fee for a basic office visit. The practice limits charges to the amount allowed by Washington law unless preempted by HIPAA.

[36] WAC 246-08-400, effective 7/01/03 through 6/30/05. This regulation is amended and updated every two years, at a minimum.
[37] Even though Washington law allows a health care provider to charge twenty dollars for a clerical fee for searching and handling records, HIPAA specifically does not allow for the charging of “handling fees,” “chart pulling fees,” or per page fees in excess of the direct cost of supplies and labor necessary for copying the protected health information requested by the individual. 45 C.F.R. §164.524. Therefore, to the extent that Washington law allows the health care provider to charge more than what is allowed by HIPAA, Washington law is preempted by HIPAA and HIPAA should be followed. It is important to keep in mind that the HIPAA preemption forbidding the provider from charging a chart pulling fee or the like applies only if the requestor is the patient or the personal representative of the patient. For requestors other than the patient or the personal representative of the patient, such as third parties who present a valid authorization, the provider may charge the chart pulling fee.

The packages and envelopes are sent:
• via mail [or registered mail or return receipt only or deliver to addressee only]; or
• via messenger or delivery service (e.g., United Parcel Service and FEDEX), deliver to addressee only.

FAXed PHI: The practice sends PHI via FAX, especially when the PHI is needed on a timely basis. Prior to sending PHI via FAX to a FAX number used on a regular basis, the practice initially confirms the FAX number as follows. The practice programs the FAX number into its FAX machine. It then autodials the FAX number and sends a test FAX containing no PHI. Finally, the practice calls the location to which the FAX is being sent to confirm that the FAX was received. For all other FAX numbers, the practice calls the location to which the PHI is being sent. The practice verifies the FAX number, that someone is present to receive the PHI, and that the PHI will be handled appropriately. The practice then sends the FAX. A FAX confirmation sheet is printed by the FAX machine and placed in the patient medical record.

FAXes are sent with a cover sheet. The cover sheet reads, in part:

IMPORTANT: THIS FAX IS INTENDED ONLY FOR THE INDIVIDUAL OR ENTITY TO WHICH IT IS ADDRESSED, AND MAY CONTAIN INFORMATION THAT IS PRIVILEGED, CONFIDENTIAL AND EXEMPT FROM DISCLOSURE UNDER APPLICABLE LAW. IF THE READER OF THIS MESSAGE IS NOT THE INTENDED RECIPIENT, OR THE EMPLOYEE OR AGENT RESPONSIBLE FOR DELIVERING THE MESSAGE TO THE INTENDED RECIPIENT, YOU ARE HEREBY INFORMED THAT ANY USE, DISCLOSURE, DISTRIBUTION OR COPYING OF THIS COMMUNICATION IS STRICTLY PROHIBITED. IF YOU HAVE RECEIVED THIS COMMUNICATION IN ERROR, PLEASE NOTIFY US IMMEDIATELY BY TELEPHONE AND RETURN THE ORIGINAL MESSAGE TO US AT THE ABOVE ADDRESS VIA THE UNITED STATES POSTAL SERVICE. THANK YOU.

NOTE: These model policies and procedures assume you are not sending PHI electronically, including confidential communications with your patients via email. If you send PHI electronically via the Internet or using an “Intranet,” additional procedures will need to be added to ensure the security of that PHI, including the appropriate encryption and/or password protection of the communications.

Disposal of PHI
The practice often has to dispose of PHI. Most often the PHI is in paper form, and includes notes, including telephone notes, duplicate copies of tests, and old medical records. The practice also has to dispose of PHI on electronic media, e.g., old computer file backups, and from time to time the electronic PHI itself.

Record Retention: The practice recognizes the need to establish a record retention policy. In general, WSMA recommends the following minimum record retention policy (based upon current Washington State and federal law):
• 10 years from the date of the patient’s last visit, prescription refill, telephone contact, test, or other patient contact;
• 5 years from the date of the patient’s death;
• 21 years from the date of a minor patient’s birth;
• 10 years after the last date a claim is paid for a Medicare patient;
• 6 years after the last date a claim is paid for a Medicaid patient;[38]
• 6 years for any documentation required by HIPAA;[39]
• indefinitely for childhood immunizations;
• indefinitely if the patient is incompetent or if the physician is aware of any problems with a patient’s care or has any reason to believe that the patient may sue.

To be absolutely safe, a physician should, if at all possible, retain patients’ medical records indefinitely.

NOTE: Many practices adopt a policy of 10 years after the last patient encounter or, in the case of a minor, three years following the minor’s 18th birthday, or 10 years following the minor’s most recent discharge, whichever is longer, because Washington law requires hospitals to maintain medical records for these time periods. RCW 70.41.190. Any policy should not be less than the recommendations set forth above.

[38] WAC 388-502-0020(c).
[39] 45 C.F.R. §164.528.

Paper-Based PHI: The practice disposes of paper-based or electronic media-based PHI as follows:
• Day-to-day paper containing PHI is not thrown out with the rest of the trash. It is collected and shredded by the practice. This includes telephone notes, draft letters, copies of memos, tests and other items that no longer are needed, and information that is printed out for viewing and is maintained permanently electronically. NOTE: If you intend to dispose of “day to day” paper in another manner, you must change this procedure accordingly. You may want to consider the use of locked “Shred-It” bins that can be emptied and shredded as needed. That avoids having to shred paper every day.
• From time to time the practice cleans out old medical records and other files that may contain PHI. Such PHI is boxed and marked “CONFIDENTIAL: CONTAINS PROTECTED HEALTH INFORMATION” or simply “CONFIDENTIAL.” A company that shreds the PHI for the practice then picks it up. The shredding company is a Business Associate and maintains the privacy of the PHI until it is shredded and appropriately disposed of.

FAXed PHI: FAXed PHI is disposed of in the same manner as paper-based PHI.

Electronic or Electronic Media-Based PHI: The practice disposes of electronic PHI in a manner that ensures that no trace of the PHI remains and that the PHI cannot be restored using commonly available commercial programs (see Physical Safeguards – Device and Media Controls, page 31).

Physical Safeguards – Computer Workstation Use and Security

Background
Four sections of the Security Rule address computer workstations.[40] In general, a covered entity – including a physician – must ensure that computer workstations are secure and cannot be used by unauthorized individuals or in an unauthorized manner.
Model Policy
The practice ensures that computer workstations and other devices are secure and protected, and are used appropriately only by authorized individuals.

Model Procedures
The practice has a limited number of workforce members and, in general, each member is entitled to access all the protected health information (PHI) on each computer. When a workforce member logs onto a computer, he or she is entitled to view all the PHI accessible from that computer. Each workforce member has his or her personal password, and computers have password-protected screen savers (see Technical Safeguards – Personal or “Entity” Authentication, page 35). Each workforce member logs off his or her computer when finished for the day or when away from the computer for longer than 1 hour.

The computers in the practice are located in _____________________. These locations are locked when the practice is closed. In addition, computers are secured at their locations using computer locks. Electronic media are protected in the same manner as paper-based PHI (see Physical Safeguards – Access Control, page 19). The computer screens are positioned in such a manner as to minimize the ability of unauthorized individuals to view information on the screens. Individuals are not allowed in areas of the office where they will be able to view screens, except in passing.

NOTE: If the practice keeps PHI on mobile devices, you must include language regarding how you secure the PHI on those devices.

The practice protects PHI on mobile devices, including laptop computers, PDAs and cell phones.
• Laptop computers are logged in and out of the practice. The computers are password protected and the screen savers set to password protect the computers after 10 minutes of inactivity. Laptops also are backed up in a timely fashion (see Administrative Safeguards – Contingency Planning, page 12). The practice maintains the following laptops:
  o LIST SPECIFIC LAPTOP
  o LIST SPECIFIC LAPTOP
• PDAs commonly include patient schedule information and notes. The PDAs are password protected and synchronized with the computer workstations regularly to ensure timely backup (see Administrative Safeguards – Contingency Planning, page 12). The practice maintains the following PDAs:
  o LIST SPECIFIC PDA
  o LIST SPECIFIC PDA
• Cell phones contain phone numbers and, often, names of patients. They may also include text messaging, notes, and e-mail. Cell phones are password protected to limit inappropriate access. In addition, the call lists are periodically reviewed and unneeded telephone numbers deleted. The practice maintains the following cell phones:
  o LIST SPECIFIC CELL PHONE
  o LIST SPECIFIC CELL PHONE

NOTE: If the practice keeps PHI on other devices, such as testing equipment with electronic memory capabilities (including sonogram or audiology equipment), you must include language on how you secure these devices. If these devices do not contain patient-identifying information, they do not contain PHI.

The practice maintains PHI on a number of medical devices. The practice daily copies this information from the devices and places the information in the appropriate patient’s medical record, and then deletes this information from the devices. In addition, the devices are locked up at night to ensure that they are not removed from the office. The practice maintains the following devices that contain or may contain PHI:
• LIST SPECIFIC DEVICE
• LIST SPECIFIC DEVICE

[40] § 164.304 – Definitions – Workstation; § 164.304 – Definitions – Security or Security Measures; § 164.310(b) – Standard – Workstation use; and § 164.310(c) – Standard – Workstation security.

Physical Safeguards – Device and Media Controls

Background
Six sections of the Security Rule address device and media controls.[41] In general, a covered entity – including a physician – must ensure that PHI is appropriately protected when computer hardware (including electronic media, e.g., diskettes, tapes, CDs) and software are received, transported, or removed.

Model Policy
The practice ensures protected health information (PHI) is appropriately protected when computer hardware and software and computer devices are received by the practice, transported by the practice or moved within the practice, or removed from the practice.

Model Procedures
Accountability: The practice maintains a record of all computer hardware and electronic media that store PHI (see Device and Media Controls Log, page 33). This log indicates which workforce members are authorized to access PHI on each computer and electronic media and when the computer or media is removed from the practice location. This log is an integral part of the practice’s risk assessment and ongoing evaluation (see Administrative Safeguards – Risk Analysis, Risk Management and Ongoing Risk Evaluation, page 11). The practice records all devices and media that may contain PHI. This includes computers and related devices as well as other equipment, e.g., cell phones, personal digital assistants (PDAs), clinical devices that store patient-specific information, fax machines, and duplicating machines and printers that may store images.

Media Re-Use: Media may be reused only when all electronic PHI previously stored on the media is removed and unrecoverable. The practice only reuses media internally. Such media are always maintained securely and considered to contain PHI, even when they have been “cleaned.” This procedure is followed because it is difficult to destroy completely all traces of information on any electronic media, and “cleaned” media may still be recoverable using a variety of techniques. Media are not “cleaned” for reuse and then sent out of the practice to be used by others. Rather, media are disposed of as discussed below.

Disposal of Devices and Media: The practice disposes of devices and media in a fashion that prevents the disclosure of PHI.
• Devices: PHI stored on devices is stored in a variety of different media. Computer information is stored on a hard drive and possibly diskettes, CDs, and DVDs. Cell phones, PDAs, and clinical devices also have storage devices that must be “cleaned” prior to disposal.
• Media: The practice stores information on diskettes, CDs, and DVDs. The practice recognizes that simply deleting files does not remove the PHI from the media.
  o Whenever possible the practice overwrites the media completely using a commercially available program. The media is overwritten three times to ensure all PHI is destroyed. This includes data drives.
  o When data cannot be overwritten, e.g., on a CD or DVD that cannot be overwritten, the practice first makes a series of deep scratches on the media and then breaks the media in two pieces.

NOTE: If you do not store information on CDs or DVDs, you have to edit the above language. If you use other storage devices, e.g., memory sticks, Zip drives and digital cameras, you will have to expand this language.

Data Backup and Storage: An important aspect of controlling PHI on devices and media is ensuring PHI is appropriately backed up and securely stored. In addition, it is vital to back up PHI prior to movement of equipment and media. Note that data backup also is addressed under Administrative Safeguards – Contingency Planning (page 12). Data backups are recorded as discussed under Contingency Planning.

Removal of Devices and Media: The practice may remove devices and media from the practice site, e.g., a portable computer or a PDA. In such instances, the practice will treat the device or media in the same fashion that it treats paper medical records (see Physical Safeguards – Access Control, page 19). Removed devices and media are documented on the Device and Media Controls Log, page 33.

[41] § 164.103 – Definitions – Physical Safeguards, Electronic Media, and Facility; § 164.310(d)(1) – Physical Safeguards – Standard – Device and Media Controls; § 164.310(d)(2)(i) – Physical Safeguards – Implementation Specifications – Disposal; § 164.310(d)(2)(ii) – Physical Safeguards – Implementation Specifications – Media Reuse; § 164.310(d)(2)(iii) – Physical Safeguards – Implementation Specifications – Accountability; and § 164.310(d)(2)(iii) – Physical safeguards – Implementation specifications – Data backup and storage.

Device and Media Controls Log
(blank form, page 33; columns are:)
Date | Description of Device or Media | Action | Access Limited?

Technical Safeguards
Numerous sections of the final Security Rule address technical safeguards.[42] The rule defines technical safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” Small practices are required to implement appropriate policies and procedures to protect their protected health information (PHI) – confidential information – and ensure that it remains secure. Recall that the Security Rule only covers electronic information.
The Privacy Rule also addresses confidential information kept in paper and other forms. In order to meet the Privacy Rule requirements, the practice also must protect paper-based information. The following portions of this document address the technical safeguard policies and procedures that practices need to consider when implementing HIPAA privacy and security.

[42] § 164.312 Technical Safeguards.

Technical Safeguards – Personal or “Entity” Authentication

Background
Five sections of the Security Rule address personal or entity authentication.[43] As used here, authentication is the means of establishing the validity of the identity of a user of the system. In general, a covered entity – including a physician – must have systems in place to ensure that only authorized users have access to PHI.

Model Policy
The practice ensures that only appropriate individuals can access protected health information (PHI) and has appropriate security mechanisms in place.

Model Procedures
Identification and Authentication: The practice issues each member of the workforce a unique user name and an initial password. Passwords must be changed at least once every 90 days. The Security Officer can override all workforce member passwords on an as needed basis and will ensure that new passwords are issued when such an override is necessary. The practice uses the standard password protection programs to access the computer and the programs in which it stores PHI, including Word, ______________________________________.

NOTE: The practice should list the specific programs in which it stores PHI and password protects that information, including any practice management system, electronic health record, word processing, and database management programs.

Workforce members are educated regarding the appropriate choice of passwords (e.g., no names) and the need to keep passwords confidential. Workforce members do not keep passwords in written or electronic form in the practice and do not share passwords.

Automatic Logoff: The practice requires that all computers “lock up” and require an individual to sign on after a 15-minute period of not being used. Specifically, if a workforce member does not use his or her computer for 15 minutes, the system invokes a screen saver (so no one can view the information on the screen) and the workforce member has to reenter his or her password prior to continuing to work on the computer. Another individual is not able to access the computer until the first individual reenters his or her password and then logs off the system.

Password Deletion: The Security Officer deletes passwords when a workforce member is terminated or no longer has rights to access a particular system or computer.

[43] § 164.308(a)(5)(ii)(D) – Administrative Safeguards – Implementation Specifications – Password Management; § 164.312(a)(1) – Standard – Access Control; § 164.312(a)(2)(i) – Implementation Specification – Unique User Identification; § 164.312(a)(2)(iii) – Technical Specifications – Implementation Specifications – Automatic Logoff; and § 164.312(d) – Technical Specifications – Standard – Persons or Entity Authentication.

Technical Safeguards – Security Configuration – Documentation, Testing, Inventory, Virus Control

Background
Three sections of the Security Rule address security configuration.[44] In general, a covered entity – including a physician – must have in place measures to ensure electronic-based PHI is not compromised as a result of software or hardware changes.
Model Policy
The practice has in place procedures to manage the integrity of its electronic-based protected health information (PHI) to ensure that system security is not compromised as a result of hardware or software changes.

Model Procedures
Documentation: The practice documents measures put in place to control access to data. This is addressed in other sections of these policies and procedures, including Physical Safeguards – Access Control, page 19, Technical Safeguards – Personal or “Entity” Authentication, page 35, and Physical Safeguards – Device and Media Controls, page 31.

Testing: The practice tests all hardware and software to ensure it meets the practice’s security policies and procedures. This testing occurs when the hardware or software is installed and not less often than once a year thereafter.

Inventory: The practice has an inventory of all hardware and software used by the practice. This inventory lists each computer and its hardware configuration, as well as the software running on each computer (see Device and Media Controls Log, page 33, and “PHI” Software Log, page 15).

Virus Detection: The practice has in place a virus detection program to protect the practice’s data. The practice uses a commercially available program and updates it as recommended by the vendor. The practice runs a virus scan on each of its computers daily. The practice educates its workforce concerning virus protection, including how to prevent infections and the potential harm that can be caused by them, what to do if a virus is suspected, Trojan horse programs (password stealing), worms, and virus transport via various media types (e.g., diskettes and CDs).

[44] § 164.308(a)(5)(ii)(B) – Administrative Safeguards – Implementation Specifications – Protection from Malicious Software; § 164.308(a)(7)(ii)(D) – Administrative Safeguards – Implementation Specifications – Testing and Revision Procedures; and § 164.316 – Policies and Procedures and Documentation Requirements.
© 2002-2004 ISMS/ISMIE Mutual Insurance Co. 2BSecurity Policies and Procedures • 37 Firewall: The practice has in place a firewall program to protect the practice’s data. The practice uses a commercially available program and updates it as recommended by the vendor. The practice educates its workforce concerning the firewall and how to respond to firewall alerts to maximize protection of its computers. Windows Update: The practice uses the Windows operating system. The practice checks at least once a week (every Monday morning) for critical updates by running the “Windows Update.” Any critical updates are installed on all of the practice’s computers. This helps to ensure that appropriate security “patches” are installed in a timely fashion. NOTE: If the practice does not use the Windows operating system, then the previous paragraph needs to be changed to reflect how the practice’s operating system is updated in accordance with the system vendor’s recommendations. © 2002-2004 ISMS/ISMIE Mutual Insurance Co. 2BSecurity Policies and Procedures • 38 Technical Safeguards – Audit Controls and Integrity Background Four sections of the Security Rule address audit controls and monitoring of internal system activity. 45 These provisions are complex to implement for small practices. In general, a covered entity – including a physician – must have in place measures to audit access to and use of protected health information to ensure that the PHI only is accessed and used appropriately and to ensure the integrity of the PHI. Model Policy The practice has in place procedures to audit access to and use of its protected health information (PHI) and to ensure the integrity of its electronic-based PHI. Model Procedures The practice audits use of its PHI – both paper and electronic. 
This is done through monitoring and controlling access to its computers and paper records as discussed above (see Physical Safeguards – Access Control, page 19, Administrative Safeguards – Physical Controls for Visitor Access, page 17, Physical Safeguards – Computer Workstation Use and Security, page 29, and Technical Safeguards – Personal or “Entity” Authentication, page 35). The practice also conducts periodic walkthroughs of its facility to ensure appropriate placement of FAX machines, medical records and other PHI. Given appropriate access controls, the PHI should not be changed inappropriately, thereby ensuring the integrity of the PHI. If the practice has any reason to believe the PHI has been inappropriately changed, the practice will compare the PHI to the latest backup (see Administrative Safeguards – Contingency Planning, page 12). 45 § 164.308(a)(2)(D) – Administrative Safeguards – Implementation Specifications – Information System Activity Review; § 164.312(b) – Technical Safeguards – Standard – Audit Controls; § 164.312(c)(1) – Technical Safeguards – Standard – Integrity; and § 164.312(c)(2) – Technical Safeguards – Implementation Specifications – Mechanism to Authenticate Electronic Protected Health Information. © 2002-2004 ISMS/ISMIE Mutual Insurance Co. 2BSecurity Policies and Procedures • 39 Technical Safeguards – Transmission Security NOTE: The model policies and procedures included above assume that you are not sending or receiving PHI electronically, e.g., via e-mail or over the Internet. If you do send any PHI electronically, the practice must ensure the “transmission security” of the PHI. Please fill in the blanks and select the options below as appropriate. Background Three sections of the Security Rule address transmission security.46 In general, a covered entity – including a physician – must have in place measures to ensure transmission security when PHI is electronically transmitted. 
Transmission security protects PHI in transit against unauthorized access and against undetected modification (integrity).

Model Policy
The practice has in place procedures to secure protected health information (PHI) sent electronically.

Model Procedures
The practice uses [program name] to protect PHI sent electronically. Specifically, the practice locks all data files using [a secure password] and/or [an encryption methodology]. [Passwords] and/or [encryption keys] are sent to the receiving party in a separate secure transaction [or are incorporated into the software or use public-private key encryption].

NOTE: Whichever option is selected, the protection comes from the encryption the program actually applies, not from the password by itself, so a password should only be used with a program that encrypts the file with it. The password or key must never travel in the same message as the file. The program should also refuse to open a file that was altered in transit rather than open it with changed contents; that is what the Rule's "integrity controls" specification asks for.

[46] § 164.312(e)(1) – Standard – Transmission Security; § 164.312(e)(2)(i) – Implementation Specification – Integrity Controls; and § 164.312(e)(2)(ii) – Implementation Specification – Encryption.

Administrative Security Policies and Procedures

Administrative Requirements – Security Officer

Background
Three sections of the Security Rule address the need to appoint a Security Officer and a contact person for all issues related to the Security Rule.[47] In general, a covered entity – including a physician – is required to have a Security Officer and a contact person.

Model Policy
The practice has a Security Officer who serves as the contact person for all issues related to the Security Rule.

Model Procedure
The practice designates as its Security Officer [FILL IN NAME OR TITLE OF PERSON]. This person serves as the practice's contact person for all issues related to the Security Rule and works closely with the Privacy Officer.

NOTE: The practice should consider whether the Privacy Officer and Security Officer should be the same person. In smaller practices this probably makes sense. Privacy issues will in many instances result from security breaches, and security breaches almost always result in privacy violations.

Documentation
The practice keeps a written record of the names of each Security Officer.
This information is maintained for a period of six years from the date of its creation.

[47] § 164.306(e) – Standard – General Rules – Maintenance; § 164.308(a)(2) – Standard – Assigned Security Responsibility; § 164.316(b) – Standard – Documentation.

Administrative Requirements – Information Access Management

Background
Seven sections of the Security Rule address the requirement for information access management.[48] In general, a covered entity – including a physician – must: (1) authorize who can have access to what specific confidential information, system by system; (2) establish and modify access on an as-needed basis; (3) supervise the workforce to ensure that only appropriate access is occurring; and (4) terminate access when required.

Model Policy
The practice authorizes workforce members to access protected health information (PHI) only on an as-needed basis.

Model Procedure
Authorization: The practice authorizes all workforce members to have access to all PHI in the practice. The practice has a very small workforce, and everyone in the office is responsible for every task from time to time. Accordingly, everyone in the office has a need to review all PHI. The practice allows all members of its workforce to have access to all PHI, as necessary for them to carry out their job functions and support the efficient operation of the practice. The practice limits access to PHI to that information necessary for a member of its workforce to carry out his or her job functions; the amount and type of PHI necessary varies with the specific tasks assigned to the workforce member each day, depending on the needs of the practice. Access is terminated only when a workforce member leaves the practice.

NOTE: This blanket authorization is appropriate only while every workforce member genuinely performs every task. If the practice has a position whose duties never require the clinical records (for example, a billing-only or reception-only position), or if a workforce member's role changes, the authorization should be narrowed and access to the affected systems modified accordingly, since the Rule requires access to be established and modified as needed, not only terminated.
Supervision: The Privacy Officer and the Security Officer monitor the practice's operations to ensure that all workforce members are accessing PHI appropriately. Ongoing training and education about the need to access only the PHI required for each specific job task is a key part of the supervision.

Termination: As discussed under Physical Safeguards – Access Control (page 19), the practice terminates a workforce member's access to all PHI when the workforce member is terminated. The terminated workforce member is required to turn in any keys or other access devices that may have been issued by the practice, and all of that member's passwords and accounts are deactivated.

[48] § 164.308(a)(3)(i) – Standard – Workforce Security; § 164.308(a)(3)(ii)(A) – Implementation Specification – Authorization and/or Supervision; § 164.308(a)(3)(ii)(B) – Implementation Specification – Workforce Clearance Procedures; § 164.308(a)(3)(ii)(C) – Implementation Specification – Termination Procedures; § 164.308(a)(4)(i) – Standard – Information Access Management; § 164.308(a)(4)(ii)(B) – Implementation Specification – Access Authorization; and § 164.308(a)(4)(ii)(C) – Implementation Specification – Access Establishment and Modification.

Administrative Requirements – Security Incident Procedures

Background
Six sections of the Security Rule address security incident procedures.[49] In general, a covered entity – including a physician – must record and address security incidents – "the attempted or successful unauthorized access, use, disclosure, modification, or destruction" of electronic protected health information.

Model Policy
The practice monitors, records, and responds to all security incidents in a timely fashion.
Model Procedures
The practice monitors information system activity to detect security incidents – "the attempted or successful unauthorized access, use, disclosure, modification, or destruction" of electronic protected health information. The practice records and follows up when it determines that:
• someone or some program has entered its computer system from outside the practice, e.g., a virus or worm; or
• someone inside the practice accesses, uses, or changes PHI in an unauthorized manner.

In the event of a security incident, the practice documents the occurrence on the Security Incident Log, page 44. The Security Officer determines whether there have been any harmful effects as a result of the incident. If there have been harmful effects, the Security Officer takes steps to mitigate them. If specific individual PHI has been disclosed, the Privacy Officer records this information on the Mitigation Log and the practice's mitigation procedures are followed (see Mitigation of Privacy Breaches, page 7). The practice trains the workforce to deal with security incidents and to minimize their harmful effects.

NOTE: A "virus" is computer code that can damage your software, hardware or files and is designed to travel from computer to computer, usually carried inside a file or program that a person opens or runs. A "worm" is like a virus, but it travels from computer to computer on its own, without any action by a user, by using e-mail, the network, or a similar system. Because the Rule counts attempted as well as successful unauthorized access as an incident, repeated failed log-in attempts and virus-scanner alerts belong in the Security Incident Log even when no PHI was reached.
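The Audit Controls and Integrity section above relies on comparing PHI with the latest backup, and the incident procedure above lists an insider changing PHI as something to detect. The following is an added example, not part of the ISMS/ISMIE model manual, of one mechanism to authenticate electronic PHI of the kind § 164.312(c)(2) contemplates: a keyed digest (HMAC-SHA256) of each record is recorded when the backup is made, and a later check reports which records were modified, deleted or added. The key, record names and record contents here are constructed for illustration; in use the key would be generated at random and held by the Security Officer apart from the file server, because a digest that anyone on the server could recompute is no protection against an insider.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Manifest maps a record name to the hex-encoded HMAC-SHA256 of its contents.
// It is written at backup time and kept with the backup log.
type Manifest map[string]string

// digest binds the record name to its contents, so swapping the contents of
// two records is detected as well as editing one of them.
func digest(key []byte, name string, data []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(name))
	mac.Write([]byte{0}) // separator so the name cannot run into the data
	mac.Write(data)
	return hex.EncodeToString(mac.Sum(nil))
}

// BuildManifest computes a keyed digest of every record. A keyed digest is
// used rather than a plain hash because anyone able to edit a record on the
// file server could also recompute a plain hash; only the key holder can
// produce a digest that Verify will accept.
func BuildManifest(key []byte, records map[string][]byte) Manifest {
	m := make(Manifest, len(records))
	for name, data := range records {
		m[name] = digest(key, name, data)
	}
	return m
}

// Report lists what changed since the manifest was written.
type Report struct {
	Modified []string // digest no longer matches
	Missing  []string // in the manifest, no longer present
	Added    []string // present now, never recorded
}

// Clean reports whether nothing changed.
func (r Report) Clean() bool {
	return len(r.Modified) == 0 && len(r.Missing) == 0 && len(r.Added) == 0
}

// Verify recomputes every digest and compares it with the manifest using a
// constant-time comparison, then returns sorted lists for the incident log.
func Verify(key []byte, m Manifest, records map[string][]byte) Report {
	var r Report
	for name, want := range m {
		data, ok := records[name]
		if !ok {
			r.Missing = append(r.Missing, name)
			continue
		}
		if !hmac.Equal([]byte(digest(key, name, data)), []byte(want)) {
			r.Modified = append(r.Modified, name)
		}
	}
	for name := range records {
		if _, ok := m[name]; !ok {
			r.Added = append(r.Added, name)
		}
	}
	sort.Strings(r.Modified)
	sort.Strings(r.Missing)
	sort.Strings(r.Added)
	return r
}

func main() {
	// Assumption: in use this key is 32 random bytes and is not stored on the
	// file server. The records below are constructed samples, not real PHI.
	key := []byte("example-key-held-by-security-officer")
	records := map[string][]byte{
		"chart-1001.txt": []byte("Pt 1001: BP 128/82, no known allergies"),
		"chart-1002.txt": []byte("Pt 1002: penicillin allergy"),
	}
	m := BuildManifest(key, records) // taken when the backup is made

	// Later: an unauthorized edit, a deleted chart and an unrecorded file.
	records["chart-1002.txt"] = []byte("Pt 1002: no known allergies")
	delete(records, "chart-1001.txt")
	records["notes.txt"] = []byte("scratch")

	r := Verify(key, m, records)
	fmt.Printf("modified=%v missing=%v added=%v clean=%v\n",
		r.Modified, r.Missing, r.Added, r.Clean())
}
```

The check is only as good as the manifest's independence from the server: if the manifest or the key can be rewritten by the same person who edits a chart, every record will verify. Storing the manifest with the off-site backup copy and the key with the Security Officer keeps the two apart.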
[49] § 164.304 – Definition of Security Incident; § 164.308(a)(1)(ii)(D) – Implementation Specification – Security Incident Tracking Reports as a Part of Information System Activity Review; § 164.308(a)(6)(i) – Standard – Security Incident Procedures; § 164.308(a)(6)(ii) – Implementation Specification – Response and Reporting; § 164.314(a)(2)(i)(C) – Implementation Specification – Obligation of Business Associates, Created by Business Associate Contracts, to Report Security Incidents to Covered Entities; and § 164.314(a)(2)(iv) – Implementation Specification – Obligation of Plan Sponsors, Created by Plan Document Amendment, to Report Security Incidents to the Group Health Plan.

Security Incident Log
Columns: Date; Description of Incident; Record on Mitigation Log?; Steps Taken to Mitigate Any Harmful Effects.

Administrative Requirements – Awareness and Training For Staff

Background
One section of the Privacy Rule and five sections of the Security Rule address the requirements for training staff.[50] In general, a covered entity – including a physician – is required to ensure its workforce is trained with respect to the covered entity's privacy and related security policies and procedures. All workforce members who have access to PHI in any way must be trained.

Model Policy
The practice trains its workforce on all aspects of its privacy and related security policies and procedures.

Model Procedure
The practice provides training to its workforce with respect to the privacy and security of protected health information (PHI).
Specifically, the practice:
• provided each member of its workforce initial training no later than April 14, 2003, or within the first 30 days of work at the practice if that date is on or after April 14, 2003;
• provides additional training to each member of its workforce when there is a material change in the practice's policies and procedures, prior to the effective date of those changes (unless the change is required by law and occurs before the policies and procedures can be changed, in which case the training occurs as soon as possible after the practice becomes aware of the required change);
• documents on its Training Log that the training has been provided; and
• requires each workforce member to sign a statement (attached) that the workforce member has been trained and understands the practice's policies and procedures regarding PHI.

The practice initially educates workforce members by reviewing the practice's privacy and related security policies and procedures as contained in this document, including protection from malicious software (see Technical Safeguards – Security Configuration – Documentation, Testing, Inventory, Virus Control, page 37) and proper use of passwords (see Technical Safeguards – Personal or "Entity" Authentication, page 35). The Privacy Officer and Security Officer then work with each workforce member to ensure they are implementing the policies and procedures as required.

[50] § 164.308(a)(5)(i) – Administrative Safeguards – Standard – Security Awareness and Training; § 164.308(a)(5)(ii)(A) – Implementation Specification – Security Reminders; § 164.308(a)(5)(ii)(B) – Implementation Specification – Protection from Malicious Software; § 164.308(a)(5)(ii)(C) – Implementation Specification – Log-in Monitoring; § 164.308(a)(5)(ii)(D) – Implementation Specification – Password Management; and § 164.530(b) – Administrative Requirements – Standard – Training.
The practice provides periodic education to workforce members. At least once a year, or whenever specific issues are identified, the practice provides additional training to ensure that all workforce members follow the practice's privacy and security policies and procedures. In addition, the practice reviews specific privacy and security issues at its monthly staff meetings.

Documentation
The practice documents all workforce training on its Training Log, page 47. The practice records the date of the training, the workforce members trained, and the material covered in the training session. The practice also requires each workforce member to sign a statement that they have been trained and understand the practice's policies and procedures (see Model Acknowledgment of Training, page 48). The practice maintains this information for a period of six years from the date of its creation.

Training Log
Columns: Workforce Member Name; Date of Training; Description of Training.

Model Acknowledgment of Training
(ON PRACTICE LETTERHEAD)

I, ___________________ (print name of workforce member), acknowledge that I have been trained in the Health Insurance Portability and Accountability Act (HIPAA) privacy and security policies and procedures of [FILL IN NAME OF THE PRACTICE]. I understand that I must keep private and secure the protected health information of the practice. I understand and agree to adhere to all of these policies and procedures. Further, I understand that I am subject to sanctions, up to and including termination, for violation of the practice's policies and procedures.

Signature: ___________________________________________ Date: ___________________
Administrative Requirements – Workforce Sanctions

Background
Six sections of the Privacy Rule and one section of the Security Rule address sanctions against members of a covered entity's workforce.[51] In general, a covered entity – including a physician – is required to sanction members of its workforce who do not comply with the covered entity's policies and procedures.

Model Policy
The practice sanctions workforce members who use or disclose protected health information (PHI) in violation of the practice's policies and procedures.

Model Procedure
The practice applies appropriate sanctions against workforce members who fail to comply with the practice's privacy and security policies and procedures. The particular sanction depends on the harm created by the unauthorized use or disclosure of PHI, whether the use or disclosure was intentional or unintentional, and whether or not the workforce member has previously used or disclosed PHI in violation of the practice's privacy policies and procedures. Generally, sanctions will be imposed as follows:

• For an initial violation of the practice's policies and procedures by a member of the practice's workforce that occurs:
  • unintentionally, the workforce member receives a warning. In addition, the practice requires the workforce member clearly to understand how the unintentional use or disclosure occurred and how to avoid such uses or disclosures in the future.
  • intentionally and causes:
    • no or minimal harm to the subject of the PHI or to other individuals, the workforce member receives a warning. In addition, the practice requires the workforce member clearly to understand the need not to use or disclose PHI in violation of the practice's policies and procedures.
    • significant harm to the subject of the PHI or to other individuals, the workforce member is given time off without pay. The amount of time off will range from 1 to 3 days and will depend on the harm caused.
In addition, the practice requires the workforce member clearly to understand the need not to use or disclose PHI in violation of the practice's policies and procedures.

[51] § 164.308(a)(3)(ii)(C) – Implementation Specification – Termination Procedures; § 164.502(j)(1) – Disclosures by Whistleblowers; § 164.502(j)(2) – Disclosures by Workforce Members who are Victims of a Crime; § 164.530(e)(1) – Standard – Sanctions; § 164.530(e)(2) – Implementation Specifications – Documentation; § 164.530(g) – Standard – Refraining from Intimidating or Retaliatory Acts; and § 164.530(j) – Standard – Documentation.

• For a repeat violation of the practice's policies and procedures by a member of the practice's workforce that occurs:
  • unintentionally, the workforce member will receive time off without pay. The time off will range from 1 to 3 days and will depend on how much harm, if any, was caused to the subject of the PHI or to other individuals. In addition, the practice requires the workforce member clearly to understand how the unintentional use or disclosure occurred and how to avoid such uses or disclosures in the future.
  • intentionally and causes:
    • no or minimal harm to the subject of the PHI or to other individuals, the workforce member receives time off without pay. The time off will range from 3 to 5 days and will depend on how much PHI was used or disclosed and for what purpose. In addition, the practice requires the workforce member clearly to understand the need not to use or disclose PHI in violation of the practice's policies and procedures.
    • significant harm to the subject of the PHI or to other individuals, the workforce member is given time off without pay. The amount of time off will range from 3 to 7 days depending on how much harm was caused to the subject of the PHI or to other individuals.
In addition, the practice requires the workforce member clearly to understand the need not to use or disclose PHI in violation of the practice's policies and procedures.
• If a workforce member intentionally uses or discloses PHI in violation of the practice's policies and procedures four or more times, the workforce member will be terminated.

Exceptions to Applying Sanctions to Workforce Members
There are three exceptions to workforce sanctions: the whistleblower exception, the crime victim exception, and the complaints, investigations, and opposition exception.

Whistleblower Exception: The practice will not impose sanctions against a workforce member for the use or disclosure of PHI made in accordance with the whistleblower provisions.

Crime Victim Exception: The practice will not impose sanctions against a workforce member for the use or disclosure of PHI made in accordance with the crime victim provisions.

Complaints, Investigations and Opposition Exceptions: The practice does not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against workforce members and others who:
• file a complaint with the Secretary of DHHS;
• testify, assist, or participate in an investigation, compliance review, proceeding, or hearing under Part C of Title XI – utilization and peer review programs for Medicare and Medicaid; or
• oppose any act or practice made unlawful by the Privacy Rule, provided the workforce member or business associate has a good faith belief that the practice is unlawful, and the manner of the opposition is reasonable and does not involve disclosure of PHI.

Documentation
The practice will document all sanctions taken against workforce members in its personnel files. The practice maintains this information for a period of six years from the date of its creation.
Administrative Requirements – Documentation

Background
Eight sections of the Privacy Rule and five sections of the Security Rule address the need for documentation.[52] In general, a covered entity – including a physician – is required to document when PHI is released for purposes other than payment, treatment, or health care operations; when an individual makes a request of the practice, and the practice's response; when a disclosure is made pursuant to an authorization; and when information is used for research purposes. Additionally, under Washington law, a health care provider must chart all disclosures of health care information, except to third-party payors, and such chartings become part of the patient's health care information.[53]

Model Policy
The practice maintains all documentation as required by the Privacy and Security Rules and discussed throughout this policy and procedures manual.

NOTE: Only Security Rule documentation is included below. The Privacy Rule requires additional documentation that should be addressed in Privacy Policies and Procedures.

Model Procedure
Document Retention: All documentation is maintained for a period of six years from the date of its creation or the date when it was last in effect, whichever is later.

Documentation of Security Requirements
Risk Analysis: The practice has completed a risk analysis (see Small Practice Security Risk Analysis, page 59).
Evaluation: The practice updates its risk analysis on an annual basis (see Administrative Safeguards – Risk Analysis, Risk Management and Ongoing Risk Evaluation, page 11).
[52] § 164.316(a) – Standard – Policies and Procedures; § 164.316(b) – Standard – Documentation; § 164.316(b)(2)(i) – Implementation Specification – Time Limit; § 164.316(b)(2)(ii) – Implementation Specification – Availability; § 164.316(b)(2)(iii) – Implementation Specification – Updates; § 164.508 – Uses and Disclosures for which an Authorization is Required; § 164.512(i) – Uses and Disclosures for Research Purposes – Documentation Requirements of IRB; § 164.520(e) – Notice of Privacy Practices for Protected Health Information – Implementation Specifications – Documentation; § 164.522 – Rights to Request Privacy Protection for Protected Health Information; § 164.524(e) – Access of Individuals to Protected Health Information – Implementation Specification – Documentation; § 164.526(f) – Amendment of Protected Health Information – Implementation Specification – Documentation; § 164.528(d) – Accounting of Disclosures of Protected Health Information – Implementation Specification – Documentation; and § 164.530(j) – Administrative Requirements – Standard – Documentation.
[53] RCW 70.02.020.

PHI Software Log: The practice maintains a log of all software containing or using PHI (see "PHI" Software Log, page 15).
PHI Backup Log: The practice maintains a log of all its PHI data backups (see Backup Log, page 16).
Device and Media Controls Log: The practice keeps a log of all computer devices and electronic media (see Device and Media Controls Log, page 33).

Documentation of Administrative Requirements
Security Officer: The practice documents the name and title of its Security Officer (see page 41).
Security Incidents: The practice documents all security incidents (see Security Incident Log, page 44).
Training: The practice documents the training provided to each workforce member (see Training Log, page 47).
Workforce Sanctions: The practice documents all sanctions it takes against workforce members (see page 51).

HIPAA Security Readiness Checklist

SECURITY POLICIES AND PROCEDURES
For each topic, record whether the Policy has been Developed, the Procedure has been Developed, the Procedure has been Tested, whether it Needs to be Modified (Yes / No), and whether the Policy and the Procedure have been Finalized.

SECURITY – ADMINISTRATIVE SAFEGUARDS
Risk Analysis, Risk Management, and Ongoing Risk Evaluation
Contingency Planning
Physical Controls for Visitor Access

SECURITY – PHYSICAL SAFEGUARDS
Access Control
Records Processing – Receiving, Sending, and Disposing of PHI
Computer Workstation Use and Security
Device and Media Controls

SECURITY – TECHNICAL SAFEGUARDS
Personal or "Entity" Authentication
Security Configuration – Documentation, Testing, Inventory, Virus Control
Audit Controls and Integrity
Transmission Security

SECURITY ADMINISTRATIVE REQUIREMENTS
Security Officer
Information Access Management
Security Incident Procedures
Awareness and Training for Staff
Workforce Sanctions
Documentation

RECOMMENDED SECURITY TRACKING LOGS
For each log, record whether it has been Developed and Incorporated into Procedures.
"PHI" Software Log
Backup Log
Device and Media Controls Log
Complaint Log
Mitigation Log
Security Incident Log
Training Log

OTHER SECURITY FORMS
For each form, record whether it has been Developed and Incorporated into Procedures.
Acknowledgment of Training Form

Small Practice Security Risk Analysis

This risk analysis follows the ISMS and ISMIE Mutual Insurance Company Model Security Policies and Procedures. If you answer "YES" to all the questions in this risk analysis, then your practice is on the way to meeting the HIPAA Security Rule requirements as reflected in those model policies and procedures. The policies and procedures list more specific implementation specifications and need to be reviewed in detail to ensure that they reflect the actual procedures in your office. Keep in mind that some items may appear in several places in the model policies and procedures. In most instances, those items are addressed only once in this risk analysis.

If you answer "NO" to any of the questions in the risk analysis, you need to evaluate your practice to determine whether you need to alter your current policies and procedures to ensure compliance with the HIPAA Security Rule. In addition, the model policies and procedures will need to be modified if you decide that it is reasonable for your practice to answer "NO" to any of the questions. A "NO" answer that the practice keeps should be recorded together with the reason and any compensating measure, since the Rule's risk analysis (§ 164.308(a)(1)(ii)(A)) is an assessment of the specific risks to the practice's electronic PHI and not only a record of which model procedures are in place. Please file your completed risk analysis with your other HIPAA documentation. This is an important piece in documenting that you are complying with the HIPAA Security Rule. This risk analysis should be reviewed and updated once a year or more frequently as required by your policies and procedures.
Administrative Safeguards

Contingency Planning

"Criticality" Analysis: Does the practice keep a log of its devices and media and a log of the software on each of its devices that may contain confidential information? Yes / No

NOTE: If a practice has electronic medical records and does not keep paper copies of those medical records, this section will have to be expanded. The analysis will have to document which systems are necessary – critical – to ensure timely patient care.

Data Backup Plan
Does the practice back up all protected health information (PHI) – confidential information – maintained on its computer systems on at least a weekly basis? Yes / No
Is the backup password protected? Yes / No
Are two copies made and one stored at a secure off-site location? Yes / No
Are backups logged? Yes / No
Are copies retained for four weeks and then destroyed or recycled? Yes / No
Is the Security Officer or another authorized workforce member able to retrieve the backup as required? Yes / No

NOTE: A backup copy, and especially the off-site copy, contains all of the practice's electronic PHI and must be protected at least as well as the live data. A password on the backup protects it only if the backup program actually encrypts the data with that password.

Testing Restoration: Once every six months, when new software is installed, and when new devices are installed, does the practice check to make sure it can recover lost data from its backup? Yes / No

Disaster Recovery Plan
Does the practice have a disaster recovery plan that depends on the type and scope of the disaster, e.g., PHI has been lost and the computer systems still function, or only some portion of the computer systems still function? Yes / No
When a disaster has occurred – when electronic information is lost for whatever reason – does the practice's Security Officer implement the disaster recovery plan? Yes / No

NOTE: If a practice has electronic medical records and does not keep paper copies of those medical records, this section will have to be expanded. Restoration of PHI becomes critical to the treatment of patients, and the PHI must be accessible in a timely fashion.
Emergency Mode Operation: The practice does not need its electronic PHI to operate in emergency situations. Not Applicable

NOTE: If a practice has electronic medical records and does not keep paper copies of those medical records, this section will have to be expanded. Restoration and emergency mode operation become critical to the treatment of patients, and the PHI must be accessible in a timely fashion.

Physical Controls for Visitor Access
Does the practice minimize the presence of visitors in the office? Yes / No
Does the practice require all visitors (not patients) to sign in? Yes / No
If appropriate, does the practice provide visitors an escort to ensure they do not have inappropriate or unauthorized access to PHI? Yes / No

Physical Safeguards

Access Control

Personnel Security
Does the practice ensure that only authorized workforce members have access to PHI? Yes / No
Given the size and configuration of the practice, do all workforce members have access to all computer terminals in the office, all programs on those computers, and all PHI used in those programs on an as-needed basis? Yes / No

Termination
Does the practice terminate a workforce member's access to all PHI when the workforce member is terminated? Yes / No
Does the practice require the terminated workforce member to turn in any keys or other access devices that may have been issued by the practice? Yes / No
Does the practice deactivate all passwords of the terminated workforce member? Yes / No

Physical Safeguards
Does the practice ensure that paper-based and electronic-media-based PHI are safeguarded? Yes / No
Does the practice manage medical records to ensure the privacy of the PHI in the medical records? Yes / No
Does the practice manage the billing records to ensure the privacy of the PHI in the billing records? Yes / No
Is the practice careful not to post any PHI, including schedules? Yes / No
Is the practice careful to restrict conversations containing PHI? Yes / No

Need-to-Know
Does the practice recognize that each workforce member only has access to the PHI he or she needs to perform his or her particular job functions? Yes / No
Does the practice limit the PHI it discloses to that necessary to meet the purpose of the disclosure, including for payment and health care operations? Yes / No
Does the practice limit its requests for PHI to information that is "reasonably necessary" to accomplish the purpose of the request, and for routine, recurring requests, have in place a description of the information being requested and the purpose for the request? Yes / No

Records Processing – Receiving, Sending, and Disposing of PHI

Receiving PHI
Does the practice handle PHI delivered from outside the practice (electronic media or paper records) in the same manner as other PHI in the practice when the PHI is delivered via the mail or by a patient? Yes / No
If the practice receives PHI via fax, is the fax machine kept in a secure area of the office? Yes / No
When the office is open, is the fax monitored at all times by the practice's workforce, and are visitors restricted from accessing the fax machine? Yes / No
Is any PHI received electronically sent to one of the practice's computers and secured in accordance with the practice's policies and procedures governing electronic PHI? Yes / No

Sending PHI
When the practice sends PHI outside the practice, does it stamp all packages and envelopes containing such PHI as "CONFIDENTIAL: PROTECTED HEALTH INFORMATION ENCLOSED" or simply "CONFIDENTIAL"? Yes / No
Prior to sending PHI via fax to a fax number used on a regular basis, does the practice initially confirm the fax number by actually sending a test fax and confirming its receipt? Yes / No
Are all faxes sent with a cover sheet that indicates the confidential nature of the fax and how to proceed if the fax was received in error? Yes / No

Disposal of Paper-Based PHI: Does the practice collect and shred paper-based PHI, including telephone notes, draft letters, copies of memos, tests and other items that are no longer needed, and information that is printed out for viewing and is maintained permanently in electronic form? Yes / No

Computer Workstation Use and Security
Does each workforce member have his or her own personal password? Yes / No
Do the practice's computers have password-protected screen savers? Yes / No
Does each workforce member log off his or her computer when he or she is finished for the day or when away from the computer for longer than one hour? Yes / No
Are the locations that contain the computers locked when the practice is closed? Yes / No
Are the computers secured at their locations using computer locks? Yes / No
Are electronic media protected in the same manner as paper-based PHI? Yes / No
Are the computer screens positioned in such a manner as to minimize the ability of unauthorized individuals to view information on the screens? Yes / No
Are individuals not allowed in areas of the office where they will be able to view screens, except in passing? Yes / No
Does the practice protect PHI on mobile devices, including laptop computers, personal digital assistants (PDAs) and cell phones? Yes / No

NOTE: If the practice keeps PHI on mobile devices, you must include language regarding how you secure the PHI on those devices. Because a mobile device is the one most likely to be lost or stolen outside the office, securing it means encrypting the stored PHI and requiring a password to unlock the device, not merely keeping the device out of sight.

NOTE: If the practice keeps PHI on other devices, such as testing equipment, you must include language on how you secure these devices. If these devices do not contain patient-identifying information, they do not contain PHI.
Device and Media Controls
Accountability
Does the practice maintain a record of all computer hardware and electronic media that store PHI, and does this log indicate (1) which workforce members are authorized to access PHI on each computer and electronic medium and (2) when the computer or media is removed from the practice location?
Does the practice record all devices and media that may contain PHI, including computers and related devices as well as other equipment, e.g., cell phones, PDAs, clinical devices that store patient-specific information, fax machines, and duplicating machines and printers that may store images?
Media Re-Use: Does the practice reuse media only when all electronic PHI previously stored on the media is removed and unrecoverable?
Disposal of Devices and Media: Does the practice dispose of devices and media in a fashion that prevents the disclosure of PHI?
Removal of Devices and Media: When the practice removes devices and media from the practice site, e.g., a portable computer or a PDA, does the practice treat the device or media in the same fashion that it treats paper medical records?

Technical Safeguards
Personal or “Entity” Authentication
Identification and Authentication
Does the practice issue each member of the workforce a unique user name and an initial password?
Are passwords changed at least once every 90 days?
Does the practice use the standard password protection programs for logon and in each of the programs in which it stores PHI?
Are workforce members educated regarding the appropriate choice of passwords (e.g., no names) and the need to keep passwords confidential?
Are workforce members educated not to keep passwords in written or electronic form in the practice and not to share passwords?
Automatic Logoff
Does the practice require that all computers “lock up” and require an individual to sign on again after a 15-minute period of not being used?
Does the practice configure its computers such that another individual is not able to access the computer until the first individual re-enters his or her password and then logs off the system?
Password Deletion: Does the Security Officer delete passwords when a workforce member is terminated or no longer has rights to access a particular system or computer?
Documentation, Testing, Inventory, Virus Control
Testing: Does the practice periodically test all hardware and software to ensure it meets the practice’s security policies and procedures?
Inventory: Does the practice have an inventory of all hardware and software used by the practice?
Virus Detection: Does the practice have in place a virus detection program to protect the practice’s data, run a virus scan on each of its computers daily, and update the virus protection on a regular basis?
Firewall: Does the practice have in place an up-to-date firewall program to protect the practice’s data?
Windows Update: Does the practice use the Windows operating system and check at least once a week for critical updates by running “Windows Update”?
NOTE: If the practice does not use the Windows operating system, the previous paragraph needs to be changed to reflect how the practice’s operating system is updated in accordance with the system vendor’s recommendations.
Transmission Security
NOTE: The model policies and procedures included above assume that you are not sending or receiving PHI electronically, e.g., via e-mail or over the Internet. If you do send any PHI electronically, the practice must ensure the “transmission security” of the PHI.
Does the practice use a program to protect PHI sent electronically, e.g., locking all data files?
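The following is an added example, not part of the ISMS/ISMIE worksheet, that turns the Technical Safeguards items above into an automated check of one Windows workstation and reports each item in the worksheet's Yes/No form. It assumes Windows Defender is the practice's virus detection program and that the Windows Update Agent COM object is available; the thresholds (90 days, 15 minutes, daily scan, weekly update check) are the ones the checklist states.

```powershell
# Added example, not from the ISMS/ISMIE worksheet: checks one Windows
# workstation against the Technical Safeguards items and prints Yes/No.
# Assumes Windows Defender is the virus detection program and that the
# Windows Update Agent COM object is available. Run in an elevated shell.

function Get-NetAccountsValue {
    param([string]$Label)
    # Parse one line of "net accounts" output, e.g. "Maximum password age (days): 90"
    $line = (net accounts) | Where-Object { $_ -like "$Label*" } | Select-Object -First 1
    if ($null -eq $line) { return $null }
    return ($line -split ':')[-1].Trim()
}

$results = [ordered]@{}

# Passwords changed at least once every 90 days (local account policy)
$maxAge = Get-NetAccountsValue 'Maximum password age'
$results['Passwords expire within 90 days'] =
    ($maxAge -and $maxAge -ne 'Unlimited' -and [int]$maxAge -le 90)

# Automatic logoff: secure screen saver after no more than 15 minutes (900 s)
$desk = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
$results['Screen locks within 15 minutes'] =
    ($desk.ScreenSaveActive -eq '1' -and $desk.ScreenSaverIsSecure -eq '1' -and
     [int]$desk.ScreenSaveTimeOut -le 900)

# Firewall: enabled on every network profile
$results['Firewall enabled on all profiles'] =
    -not (Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' })

# Virus detection: protection on, signatures current, quick scan within a day
$mp = Get-MpComputerStatus
$results['Antivirus on, signatures < 7 days'] =
    ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and
     $mp.AntivirusSignatureLastUpdated -gt (Get-Date).AddDays(-7))
$results['Virus scan run within 24 hours'] =
    ($mp.QuickScanEndTime -gt (Get-Date).AddDays(-1))

# Windows Update: last successful check for updates within the past week
$wu = (New-Object -ComObject Microsoft.Update.AutoUpdate).Results
$results['Update check within 7 days'] =
    ($wu.LastSearchSuccessDate -gt (Get-Date).AddDays(-7))

# Report in the worksheet's Yes/No form
foreach ($item in $results.Keys) {
    $answer = if ($results[$item]) { 'Yes' } else { 'No' }
    '{0,-40} {1}' -f $item, $answer
}
```

A "No" on any line corresponds to a worksheet item that still needs to be addressed in the practice's action plan; items that depend on workforce behaviour (password education, unique user names) still need a manual review.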
Other Administrative Policies and Procedures
Security Officer
Does the practice have a Security Officer?
Does the practice document who is the Security Officer and maintain that document for six years?
Information Access Management
Does the practice allow all members of its workforce to have access to all PHI as necessary for them to carry out their job functions and support the efficient operation of the practice?
Does the practice limit access to PHI to that information necessary for a member of its workforce to carry out his or her job functions?
Does the Security Officer monitor the practice’s operations to ensure that all workforce members are accessing PHI appropriately?
Security Incident Procedures
Does the practice monitor information system activity to detect security incidents?
Does the practice record and follow up when it determines that someone or some program has entered its computer system from outside the practice, or that someone inside the practice has accessed, used, or changed PHI in an unauthorized manner?
If there have been harmful effects, does the Security Officer take steps to mitigate those harmful effects?
Does the practice train the workforce to deal with security incidents and minimize the harmful effects of security incidents?
Awareness and Training for Staff
Does the practice provide training to its workforce with respect to the security of protected health information (PHI), have ongoing training and periodic training updates, and document that each member of the workforce is trained?
Workforce Sanctions
Does the practice apply appropriate sanctions against workforce members who fail to comply with the practice’s security policies and procedures?
Is the particular sanction dependent on the harm created by the unauthorized use or disclosure of PHI, whether the use or disclosure was intentional or unintentional, and whether or not the workforce member has previously used or disclosed PHI in violation of the practice’s policies and procedures?
Does the practice have in place exceptions to applying the sanctions to workforce members in the case of a “whistleblower,” a crime victim, and complaints and investigations?
Does the practice document all sanctions taken against workforce members in its personnel files and maintain this information for a period of six years from the date of its creation?
Risk Analysis, Risk Management, and Ongoing Risk Evaluation
Risk Analysis: Has the practice completed this risk analysis?
Risk Management: Has the practice addressed any item for which you answered “No” on this risk analysis? If not, now is the time to do so to ensure your practice meets the requirements of the Security Rule.
Ongoing Evaluation: Is the practice planning to update this risk analysis on an ongoing basis?