HIPAA Compliance Policy and Procedures
Prominence Home Health Care Agency, LLC has adopted a HIPAA Compliance policy to maintain and protect the compliance and security of our employee and client records. Please ensure full adherence to this policy, as insubordination, negligence, unintentional errors and recklessness could result in disciplinary action up to and including separation from the agency.
Overview of Policy:
A. Patient Records
B. Minimum Necessary Uses and Disclosures of Protected Health Information
C. Notice of Privacy Practices
D. Safeguarding and Storing Protected Health Information
E. Emailing Protected Health Information
F. Faxing Protected Health Information
G. Uses and Disclosures of Protected Health Information
H. Authorization for Release of Protected Health Information
I. Clients Access to Protected Health Information
J. Complaints
K. Marketing and Fundraising
L. Retention of Protected Health Information
M. Destruction of Protected Health Information
A. Patient Records
Purpose
To describe the documents that comprise the Patient Records.
Policy
The HIPAA Compliance Rule requires that Patients be permitted to request access and amendment to their Protected Health Information (“PHI”) that is maintained in a Patient Record. This policy documents the contents of the Patient Record.
Procedure
The Patient Record is a group of records maintained by or for the agency that consists of the Patient Record and billing records about a Patient and is used, in whole or in part, by or for the agency to make decisions about the patient. The term record means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for the agency.
The Agency maintains the following as the Patient Record:
· The Patient’s Patient Record,
· The Patient’s Business Office File, and
· The Patient’s Personal Health Records.
The Patient’s Patient Record includes, at a minimum, the following:
· Activity documentation
· Intake/Discharge documentation
· Advance directives
· Assessments, flow sheets
· Care plan
· Informed consent
· History and physical exams and other related hospital records
· Minimum Data Set
· Medication and treatment records
· Nursing documentation/progress notes
· Nutritional services documentation
· Physician and professional consultant progress notes
· Physician’s orders
· Rehabilitative and restorative therapy records
· Reports from lab, x-ray and other diagnostic tests
· Fact sheet
· Social service documentation
Excluded from the Patient Record are source data, including photographs, films, monitoring strips, videotapes, slides, worksheets and daily communication sheets, and shadow files or charts, unless such data is used to make decisions related to the Patient’s care.
If records from other providers are used by the Agency to make decisions related to the care and treatment of the Patient, then these records are considered part of the Patient Record as well as the Patient Record, e.g., history and physical, discharge summary and labs from previous acute care hospitalization.
The Patient’s Business Office File includes, at a minimum, the following:
· Intake documents
· Acknowledgement of receipt of the Agency’s Notice of Privacy Practices
· Correspondence relating to coverage and payment from insurance companies, health plans, Medicare, Medicaid and other payor sources
· Patient claim information, including claim, remittance, eligibility response, and claim status response
· Statements of account balance
· Collection activity documents and correspondence
Personal Health Records consist of the Patient’s personal health information provided to the Agency by the Patient. If such records are used by the Agency to make health care related decisions, provide care services, or document observations, actions or instructions, then the records will be considered part of the Patient Record.
The following are excluded from the Patient Record:
Administrative data, such as audit trails, appointment schedules and practice guidelines that do not imbed PHI. Also excluded are incident reports, quality assurance data, vital certificate worksheets, and derived data such as accreditation reports, anonymous Patient data for research purposes, public health records and statistical reports.
The Patient Record is to be retained according to state and federal regulations and following Agency or company retention procedures.
B. Minimum Necessary Use and Disclosure of Protected Health Information
Purpose
To ensure the Agency’s uses and disclosures of Protected Health Information (“PHI”) are limited to the minimum necessary to accomplish the intended purpose.
Policy
It is the policy of the Agency to make a reasonable effort to use or disclose, or to request from another health care provider, the minimum amount of PHI required to achieve the particular use or disclosure unless an exception applies.
The Agency will identify people or classes of people in its work force who need access to PHI to carry out their duties, the category or categories of PHI to which access is needed, and any conditions appropriate to such access.
For any non-routine request for disclosure of PHI that does not meet an exception, the Agency will review the request for disclosure on an individual basis.
Minimum necessary requirements do not apply to disclosures to health care providers for treatment purposes.
Procedure
The Agency will identify role-based access to PHI per job description, including:
· People or classes of people in its workforce who need access to PHI to carry out their duties, and
· The category or categories of PHI to which access is needed, including any conditions that may be relevant to such access.
· The Agency, for any type of disclosure or request for disclosure that is on a routine and recurring basis, will limit the disclosed PHI, or the request for disclosure, to that which is reasonably necessary to achieve the purpose of the disclosure or request.
· The Agency, for disclosures or requests that are not made on a routine and recurring basis (non-routine disclosures), will review the request to verify that PHI disclosed or requested is the minimum necessary.
All requests for non-routine disclosures or requests that do not meet an exception will be reviewed using standard criteria.
Exceptions to minimum necessary requirements:
The Agency will release information without concern for the minimum necessary standard as follows:
· Disclosures to or requests by a health care provider for treatment.
· Uses or disclosures made to the individual who is the subject of the PHI.
· Uses or disclosures made pursuant to an authorization signed by the individual.
· Disclosures made to the Secretary of the U.S. Department of Health and Human Services (federal government).
· Disclosures that are required by law (such as for Department of Health state surveys, federal surveys, public health reportable events, FDA as related to product quality, safety, effectiveness or recalls etc.).
· Uses and disclosures that are required for compliance with the HIPAA Compliance Rule.
The Agency may use or disclose an individual’s entire Patient Record only when such use or disclosure is specifically justified as the amount that is reasonably necessary to accomplish the intended purpose or one of the exceptions noted above applies. Requests for entire Patient Record that are not covered by an exception will be reviewed using standard criteria.
Reasonable Reliance:
The Agency may rely on a requested disclosure as minimum necessary for the stated purpose(s) when:
a. Making disclosures to public officials, if the official represents that the information is the minimum necessary for the stated purpose(s).
b. The information is requested by another covered entity (health care provider, clearinghouse or health plan).
c. The information is requested by a professional who is a member of the Agency’s workforce or is a Business Associate of the Agency for the purpose of providing professional services to the Agency, if the professional represents that the information requested is the minimum necessary for the stated purpose(s).
d. The information is requested for research purposes and the person requesting the information has provided documentation or representations to the Agency that meet the HIPAA Compliance Rule. Contact the Compliance Officer to assist in the determination of whether such requirements have been met.
The Agency, upon determination that the use, disclosure or request for PHI is the minimum necessary or that one of the above exceptions applies, will release the PHI to the requestor.
Agency Requests for PHI from Another Covered Entity:
When requesting PHI from another Covered Entity, the Agency must limit its request for PHI to the amount reasonably necessary to accomplish the purpose for which the request is made.
For requests that are made on a routine and recurring basis, the Agency shall take reasonable steps to ensure that the request is limited to the amount of PHI reasonably necessary to accomplish the purpose for which the request is made.
For requests that are not on a routine or recurring basis, the Agency shall evaluate the request according to the following criteria:
· Is the purpose for the request stated with specificity?
· Is the amount of PHI to be disclosed limited to the intended purpose?
· Have the requirements for supporting documentation, statements, or representations been satisfied?
· Have all applicable requirements of the HIPAA Compliance Rule been satisfied with respect to the request?
C. Notice of Privacy Practices
Purpose
To ensure that a Notice of Privacy Practices is provided to, and acknowledged by, each patient or his/her personal representative upon Intake to the Agency.
Policy
The Agency’s policy is to provide a Notice of Privacy Practices (“Notice”) to each patient upon each Intake to the Agency and make a good faith effort to obtain a signed Acknowledgement of Receipt of Notice of Privacy Practices (“Acknowledgement”) from the patient.
The Notice shall include all elements and statements that are required by law. The Notice shall inform the patients of:
· Uses and disclosures of Protected Health Information (“PHI”) that may be made by the Agency;
· The patient’s rights with respect to his PHI; and
· The Agency’s legal duties with respect to such PHI.
Procedure
1. The Notice and Acknowledgement forms will be included in the standard Intake Packet. The Agency Intake Staff will provide the Notice to the patient at the time of Intake.
Note: In the case of an emergency treatment situation, the Agency will provide the Notice to the patient as soon as reasonably practicable after the emergency treatment situation.
2. The Intake Staff will make a good faith effort to obtain the patient’s signature on the Acknowledgement at the time the Notice is provided. The Notice and signed Acknowledgement will be kept in the patient’s Business Office File.
3. If the patient refuses or is otherwise unable to sign the Acknowledgement, the Intake Staff will document, on the Acknowledgement form, what actions were taken to obtain the patient’s signature on the Acknowledgement and the reason(s) why a signed Acknowledgement was not obtained. This document will then be placed in the patient’s Business Office File.
4. The Agency will provide a copy of the written Notice to patients and to other persons upon request.
5. The Agency will post a copy of the Notice in a clear and prominent location such as the entrance lobby or similar location.
Whenever the Notice is revised, the Agency Compliance Official will assure that:
1. The revised Notice is made available upon request on or after the effective date of the revision; and
2. The revised Notice is posted in a clear and prominent location.
Material changes shall not be implemented prior to the effective date of the revised Notice. A copy of each Notice issued by the Agency will be maintained for at least six years from the date it was last in effect.
Any member of the workforce who has knowledge of a violation or potential violation of this Policy must make a report directly to the Compliance Officer.
D. Safeguarding and Storing Protected Health Information
Purpose
The purpose of this policy is to provide guidelines for the safeguarding of Protected Health Information (“PHI”) and to limit unauthorized disclosures of PHI that is contained in a Patient’s Patient Record, while at the same time ensuring that such PHI is easily accessible to those involved in the treatment of the patient.
Policy
The policy is to ensure, to the furthest extent possible, that PHI is not intentionally or unintentionally used or disclosed in a manner that would violate the HIPAA Privacy Rule or any other federal or state regulation governing confidentiality and privacy of health information.
The following procedure is designed to prevent improper uses and disclosures of PHI and limit incidental uses and disclosures of PHI that is, or will be, contained in a Patient’s Patient Record. At the same time, the Agency recognizes that easy access to all or part of a Patient’s Patient Record by health care practitioners involved in a Patient’s care (nurses, attending and consulting physicians, therapists, and others) is essential to ensure the efficient quality delivery of health care.
The Executive Director is responsible for the security of all Patient Records. All staff members are responsible for the security of the active Patient Record.
Procedure
The Agency Compliance Official and Executive Director shall periodically monitor the Agency’s compliance regarding its reasonable efforts to safeguard PHI.
Safeguards for Verbal Uses
These procedures shall be followed, if reasonable by the agency, for any meeting or conversation where PHI is discussed.
Meetings during which PHI is discussed:
Specific types of meetings where PHI may be discussed include, but are not limited to:
I. Shift Change Report
II. Interdisciplinary Plan of Care meeting
III. Medicare meeting
IV. Bill review meetings
V. Family Care Conference
Conduct and place of meetings shall be as follows, but are not limited to:
I. Meetings will be conducted in an area that is not easily accessible to unauthorized persons.
II. Meetings will be conducted in a room with a door that closes, if possible.
III. Voices will be kept to a moderate level to prevent unauthorized persons from overhearing.
IV. Only staff members who have a “need to know” the information will be present at the meeting.
The PHI that is shared or discussed at the meeting will be limited to the minimum amount necessary to accomplish the purpose of sharing the PHI.
Telephone conversations:
Telephones used for discussing PHI are located in as private an area as possible.
Staff members will take reasonable measures to assure that unauthorized persons do not overhear telephone conversations involving PHI. Reasonable measures may include:
I. Lowering the voice
II. Requesting that unauthorized persons step away from the telephone area
III. Moving to a telephone in a more private area before continuing the conversation
PHI shared over the phone will be limited to the minimum amount necessary to accomplish the purpose of the use or disclosure.
In-Person conversations shall be conducted as follows:
I. In patient(s) room(s)
II. With patient/family in public areas
III. With authorized staff in public areas
Reasonable measures will be taken to assure that unauthorized persons do not overhear conversations involving PHI. Such measures may include:
I. Lowering the voice
II. Moving to a private area within the Agency
III. If in patient room, closing door for privacy
Safeguards for Written PHI
All documents containing PHI should be stored appropriately to reduce the potential for incidental use or disclosure. Documents should not be easily accessible to any unauthorized staff or visitors.
Active Records in the Office:
I. Active Patient Records shall be stored in an area that allows staff providing care to patients to access the records quickly and easily as needed.
II. Authorized staff shall review the Patient Record at the main office, unless it is signed out in accordance with Agency procedures.
III. Active Patient Records shall not be left unattended on any desk or other areas where patients, visitors and unauthorized individuals could easily view the records.
IV. Medication Reminder Records, Treatment Administration Records, report sheets and other documents containing PHI shall not be left open and/or unattended.
V. Only authorized staff shall review the Patient Record. All authorized staff reviewing Patient Records shall do so in accordance with the minimum necessary standards.
VI. Patient Records shall be protected from loss, damage and destruction.
Active Business Office Files:
I. Active Business Office Files shall be stored in a secure area that allows authorized staff access as needed.
Thinned Records, Inactive Patient Records:
Thinned and inactive Patient Records will be filed in a systematic manner in a location that ensures the privacy and security of the information. The Compliance Officer or a designee shall monitor storage and security of such Patient Records. When records are left unattended, records will be in a locked room, file cabinet or drawer.
The Executive Director will identify and document those staff members with keys to stored Patient Records. The minimum number of staff necessary to assure that records are secure yet accessible shall have keys allowing access to stored Patient Records. Staff members with keys shall assure that the keys are not accessible to unauthorized individuals.
Inactive Patient Records must be signed out if removed from their designated storage area. Only authorized persons shall be allowed to sign out such records.
Records must be returned to storage promptly.
In the event that the confidentiality or security of PHI stored in an active or inactive Patient Record has been breached, the Agency Compliance Official and Executive Director shall be notified immediately.
Agency procedures will be followed if Patient Records are missing.
In the event of a change in ownership of the Agency, the Patient Records shall be maintained as specified in the Purchase and Sale Agreement.
Inactive Business Office Files:
Inactive Business Office Files shall be stored in a systematic manner in a location that ensures privacy and security of the information.
PHI Not a Part of the Patient Records:
Any documentation of PHI shall be stored in a location that ensures, to the extent possible, that such PHI is accessible only to authorized individuals.
Office Equipment Safeguards
Computer access:
Only staff members who need to use computers to accomplish work-related tasks shall have access to computer workstations or terminals.
All users of computer equipment must have unique logins and passwords.
Passwords shall be changed every 90 days.
Posting, sharing and any other disclosure of passwords and/or access codes is strongly discouraged.
Access to computer-based PHI shall be limited to staff members who need the information for treatment, payment or health care operations.
Agency staff members shall log off their workstation when leaving the work area.
Computer monitors shall be positioned so that unauthorized persons cannot easily view information on the screen.
Employee access privileges will be removed promptly following their departure from employment.
Employees will immediately report any violations of this Policy to their supervisor, Executive Director or Compliance Officer.
Printers, copiers and fax machines:
Printers will be located in areas not easily accessible to unauthorized persons.
If equipment cannot be relocated to a secure location, a sign will be posted near the equipment indicating that unauthorized persons are prohibited from viewing documents from the equipment.
Sample language: “Only authorized staff may view documents generated by this (indicate printer, copier, fax, etc.). Access to such documents by unauthorized persons is prohibited by federal law.”
Documents containing PHI will be promptly removed from the printer, copier or fax machine and placed in an appropriate and secure location.
Documents containing PHI that must be disposed of due to error in printing will be destroyed by shredding or by placing the document in a secure recycling or shredding bin until destroyed.
Destruction
Written:
Documentation that is not part of the Patient Record and will not become part of the Patient Record (e.g., report sheets, shadow charts or files, notes, lists of vital signs, weights, etc.) shall be destroyed promptly when it is no longer needed by shredding or placing the information in a secure recycling or shredding bin until the time that it is destroyed.
Electronic:
Prior to the disposal of any computer equipment, including donation, sale or destruction, the Agency must determine if PHI has been stored in this equipment and will delete all PHI prior to the disposal of the equipment.
E. Emailing Protected Health Information
Purpose
To ensure the appropriate use of the email system when transmitting consumer HIPAA Compliance Protected Health Information (“PHI”).
Policy
It is the Policy and Procedures of this Agency to protect the electronic transmission of PHI as well as to fulfill our duty to protect the confidentiality and integrity of patient PHI as required by law, professional ethics and accreditation requirements. The information released will be limited to the minimum necessary to meet the requestor’s needs. Whenever possible, de-identified information will be used.
Procedure
1. E-mail users will be set up with a unique identity complete with unique password and file access controls.
2. E-mail users may not intercept, disclose or assist in intercepting and disclosing e-mail communications.
3. Patient specific information regarding highly sensitive health information must not be sent via e-mail, even within the internal email system (i.e. information relating to AIDS/HIV, drug and alcohol abuse and psychotherapy notes).
4. Users will restrict their use of email to communicating normal business information, such as information about general care and treatment of patients and operational and administrative matters such as billing.
5. Users should verify the accuracy of the email address before sending any PHI and, if possible, use email addresses loaded in the system address book.
PHI may be sent unprotected via e-mail within a properly secured, internal network of the organization. When sending PHI outside of this network, such as over the Internet, every effort should be made to secure the confidentiality and privacy of the information.
Sample security measures include password protecting the document(s) being sent or encrypting the message. All e-mail containing PHI will contain a confidentiality statement (see sample below). Users should exercise extreme caution when forwarding messages.
Sensitive information, including patient information, must not be forwarded to any party outside the organization without using the same security safeguards as specified above. Users should periodically purge e-mail messages that are no longer needed for business purposes, per the organization’s records retention policy.
Employee e-mail access privileges will be removed promptly following their departure from the organization.
Email messages, regardless of content, should not be considered secure and private. The amount of information in any email will be limited to the minimum necessary to meet the needs of the recipient. Employees should immediately report any violations of this guideline to their supervisor, Executive Director or Compliance Officer.
Sample Confidentiality Statement
“The information contained in this e-mail is legally privileged and confidential information intended only for the use of the individual or entity to whom it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any viewing, dissemination, distribution, or copy of this e-mail message is strictly prohibited. If you have received and/or are viewing this e-mail in error, please immediately notify the sender by reply e-mail, and delete this e-mail from your system. Thank you.”
F. Faxing Protected Health Information
Purpose
To ensure that Protected Health Information (“PHI”) is appropriately safeguarded when it is sent or received via facsimile (fax) machine or software.
Policy
It is the policy of this Agency to allow the use of facsimile machines to transmit and receive PHI. The information released will be limited to the minimum necessary to meet the requestor’s needs.
Procedure
1. The fax machine should be located in an area that is not easily accessible to unauthorized persons. Examples include the business office, Patient Record office or a patient’s home. If possible, the fax machine should not be located in a public area where confidentiality of PHI might be compromised. If this is not possible, a sign should be posted regarding access to the documents.
2. Received documents will be removed promptly from the fax machine. To promote secure delivery, instructions on the cover page will be followed.
3. Unless otherwise prohibited by state law, information transmitted via facsimile is acceptable and may be included in the patient’s Patient Record.
4. Steps should be taken to ensure that the fax transmission is sent to the appropriate destination. These include:
I. Pre-programming and testing destination numbers whenever possible to eliminate errors in transmission due to misdialing.
II. Asking frequent recipients to notify the Agency of a fax number change.
III. Confirming the accuracy of the recipient’s fax number before pressing the send/start key.
IV. If possible, printing a confirmation of each fax transmission.
5. A cover page should be attached to any facsimile document that includes PHI. (See a sample cover page following this Policy.) The cover page should include:
I. Destination of the fax, including name, fax number and phone number;
II. Name, fax number and phone number of the sender;
III. Date;
IV. Number of pages transmitted; and
V. Confidentiality Statement (See sample below).
6. If a fax transmission fails to reach a recipient or if the sender becomes aware that a fax was misdirected, the internal logging system should be checked to obtain the incorrect recipient’s fax number. Fax a letter to the receiver and ask that the material be returned or destroyed.
7. A written Authorization for any use or disclosure of PHI will be obtained when the use or disclosure is not for treatment, payment or healthcare operations or required by federal or state law or regulation.
8. The PHI disclosed will be the minimum necessary to meet the requestor’s needs.
9. Highly sensitive health information should not be sent by fax in certain states (e.g., information relating to AIDS/HIV, drug and alcohol abuse and psychotherapy notes).
G. Uses and Disclosures of Protected Health Information
Purpose
To ensure that disclosure of Protected Health Information (“PHI”) is made consistent with applicable laws, regulations and health information standards, and to ensure that any disclosures of a patient’s PHI to a patient’s family members, other relatives, close friends or other persons designated by the patient are appropriate.
Policy
Disclosure of PHI will only be allowed with a properly completed and signed authorization except:
I. When required or allowed by law (see “Request and Disclosure Table” following this Policy).
II. As defined in the Notice of Privacy Practices:
a) For continuing care (treatment)
b) To obtain payment for services (payment)
c) For the day-to-day operations of the Agency and the care given to the patients (health care operations)
Disclosure of PHI will be centralized through the Agency Compliance Officer. In some instances, the Agency Compliance Officer will need to track information that is disclosed. All disclosures designated as trackable on the “Request and Disclosure Table” must be approved by the Executive Director to enable the Compliance Officer to provide an accounting of disclosures when requested.
Disclosure of PHI will be carried out in accordance with all applicable legal requirements and in accordance with company policy. Each Agency will be responsible for researching and abiding by applicable state laws and regulations.
Original Patient Records will not be removed from the premises, except when ordered by subpoena or by other court order.
Procedure
Receiving a Request for Patient Records:
Requests for Patient Records shall be managed by the Agency Compliance Officer.
I. Other staff members will not release PHI without approval of the Agency Compliance Officer.
II. Only emergency release of information will be done after hours or on weekends.
III. After hours and on weekends, release of information for continuing care (i.e., transfer to a hospital or emergency clinic) is allowed.
Responding to Specific Types of Disclosures:
See the “Request and Disclosure Table” following this Policy for applicable requirements in responding to requests by specific entities/individuals.
I. Media: No PHI shall be released to the news media or commercial organizations without the authorization of the patient or his/her personal representative.
II. Telephone Requests: Staff members receiving requests for PHI via the telephone will make reasonable efforts to identify and verify that the requesting party is entitled to receive such information.
Disclosures to Persons Involved with a Patient’s Care:
1. The Agency may disclose to a family member, other relative, close friend, or any other person identified by the patient, PHI:
i. That is directly relevant to that person’s involvement with the patient’s care or payment for care; or
ii. To notify such person of the patient’s location, general condition, or death.
2. Conditions if the Patient is Present. If the patient is present for, or otherwise available, prior to a permitted disclosure, then the Agency may use or disclose the PHI only if the Agency:
i. Obtains the patient’s agreement;
ii. Provides the patient with an opportunity to object to the disclosure, and the patient does not express an objection (this opportunity to object and the patient’s response may be done orally); or
iii. May reasonably infer from the circumstances, based on the exercise of professional judgment, that the patient does not object to the disclosure.
3. Conditions if the patient is Not Present or is Incapacitated.
The Agency may, in the exercise of professional judgment, determine whether the disclosure is in the best interest of the patient, and, if so, disclose only that PHI which is directly relevant to the person’s involvement with the patient’s care if:
i. The patient is not present,
ii. The opportunity to agree/object to the use or disclosure cannot practicably be provided because of the patient’s incapacity, or
iii. In an emergency.
4. Confirming Identity.
The Agency shall take reasonable steps to confirm the identity of a patient’s family member or friend. The Agency is permitted to rely on the circumstances as confirmation of involvement in care. For example, the fact that a person admits a patient to the Agency and visits weekly is sufficient confirmation of involvement in the patient’s care.
H. Authorization for Release of Protected Health Information
Purpose
The purpose of this Policy is to set forth the Agency’s process for the use and disclosure of Protected Health Information (“PHI”) pursuant to a written authorization.
Policy
In accordance with the HIPAA Privacy Rule, when PHI is to be used or disclosed for purposes other than treatment, payment, or health care operations, the Agency will use and disclose it only pursuant to a valid, written authorization, unless such use or disclosure is otherwise permitted or required by law. Use or disclosure pursuant to an authorization will be consistent with the terms of such authorization.
Procedure
Exceptions to Authorization Requirements
PHI may be disclosed without an authorization if the disclosure is:
1. Requested by the patient or his personal representative (authorization is never required);
2. For the purpose of treatment;
3. For the purpose of the Agency’s payment activities, or the payment activities of the entity receiving the PHI;
4. For the purpose of the Agency’s health care operations;
5. In limited circumstances, for the health care operations of another Covered Entity, if the other Covered Entity has or had a relationship with the patient;
6. To the Secretary of the U.S. Department of Health and Human Services for the purpose of determining compliance with the HIPAA Privacy Rule; or
7. Required by other state or federal law. (See “Request and Disclosure Table” in the “Uses and Disclosures of Protected Health Information” Policy for other exceptions.)
Use or Disclosure Pursuant to an Authorization
1. When the Agency receives a request for disclosure of PHI, the Agency Compliance Officer shall determine whether an authorization is required prior to disclosing the PHI.
2. PHI may never be used or disclosed in the absence of a valid written authorization if the use or disclosure is:
a) Of psychotherapy notes as defined by the HIPAA Privacy Rule;
b) For the purpose of marketing; or
c) For the purpose of fundraising.
3. If the use or disclosure requires a written authorization, the Agency shall not use or disclose the PHI unless the request for disclosure is accompanied by a valid authorization.
4. If the request for disclosure is not accompanied by a written authorization, the Agency Compliance Officer shall notify the requestor that it is unable to provide the PHI requested. The Compliance Officer will supply the requestor with an Authorization to Use or Disclose PHI ("Authorization") form.
5. If the request for disclosure is accompanied by a written authorization, the Compliance Officer will review the authorization to assure that it is valid (see the “Checklist for Valid Authorization” following this Policy).
6. If the authorization is lacking a required element or does not otherwise satisfy the HIPAA requirements, the Compliance Officer will notify the requestor, in writing, of the deficiencies in the authorization. No PHI will be disclosed unless and until a valid authorization is received.
7. If the authorization is valid, the Compliance Officer will disclose the requested PHI to the requestor. Only the PHI specified in the authorization will be disclosed.
8. Each authorization shall be filed in the patient’s Patient Record.
Preparing an Authorization for Use or Disclosure
1. When the Agency is using or disclosing PHI and an authorization is required for the use or disclosure, the Agency will not use or disclose the PHI without a valid written authorization from the patient or the patient’s personal representative.
2. The Authorization form must be fully completed, signed and dated by the patient or the patient’s personal representative before the PHI is used or disclosed.
3. The Agency may not condition the provision of treatment on the receipt of an authorization except in the following limited circumstances:
a) The provision of research-related treatment; or
b) The provision of health care that is solely for the purpose of creating PHI for disclosure to a third party (i.e., performing an independent medical examination at the request of an insurer or other third party).
4. An authorization may not be combined with any other document unless one of the following exceptions applies:
a) Authorizations to use or disclose PHI for a research study may be combined with any other type of written permission for the same research study, including a consent to participate in such research;
b) Authorizations to use or disclose psychotherapy notes may only be combined with another authorization related to psychotherapy notes; or
c) Authorizations to use or disclose PHI other than psychotherapy notes may be combined, but only if the Agency has not conditioned the provision of treatment or payment upon obtaining the authorization.
Revocation of Authorization
1. The patient may revoke his authorization at any time.
2. The authorization may ONLY be revoked in writing. If the patient or the patient’s personal representative informs the Agency that he/she wants to revoke the authorization, the Agency will assist him/her to revoke in writing.
3. Upon receipt of a written revocation, the Compliance Officer will write the effective date of the revocation on the Authorization form.
4. Upon receipt of a written revocation, the home health Agency may no longer use or disclose a patient’s PHI pursuant to the authorization.
5. Each revocation will be filed in the Patient’s Patient Record.
Copyright © 2024 Prominence Home Health Care Agency, LLC - All Rights Reserved.