
6818 Fort Hamilton Parkway

Brooklyn, NY 11219

718.375.1100 phone

718.745.6735 fax


HIPAA Policy

Purpose: To provide administrative guidance for implementing privacy and security procedures for individual and personal health information to comply with the Health Insurance Portability and Accountability Act (HIPAA) of 1996.

Policy:

a.  Authority: Each location will designate a Privacy Officer who will have the responsibility for:

i.    understanding privacy and security policies and procedures,

ii.   training staff in these privacy and security policies,

iii.  implementing privacy and security policies, and

iv.  monitoring the implementation and ongoing use of privacy and security policies.

b.  Training: Each staff member will be instructed in the guidelines mandated by HIPAA by:

i.   reading the privacy and security policies,

ii.   reading the Notice of Information Practices,

iii.  passing a test about the privacy and security policies,

iv.  signing a contract directing them to comply with privacy and security policies (applies to business associates and/or partners), and

v.   monitoring and reviewing work performance and/or compliance with privacy and security policies.

c.   Definitions:

i.    Personal Health Information (PHI): any individually identifiable health information maintained or transmitted via electronic media or any other form or medium.

ii.   Treatment, Payment, and Operational (TPO) activities: any activity routinely used for treatment, billing and/or collection, or performed for the operation of the business.

d.   Notice of Information Practice: Every location will maintain a Notice of Information Practices (the Privacy Notice) that provides information to patients about the PHI collected, used, and disclosed.

The Privacy Notice must be:

1.   posted in each location’s main showroom,

2.   posted on the company’s website,

3.   acknowledged in writing by the patient,

4.   provided in a language or communication style the patient can understand, and

5.   made available to any person, whether a patient or not.

Staff must:

1.   discuss the Privacy Notice with each patient or patient representative at the initial meeting, delivery, or contact,

2.   make their best effort to obtain acknowledgment from the patient that they have received a copy of the Privacy Notice and understand it,

3.   record in the patient’s record all attempts to seek patient acknowledgment, including refusals,

4.   send the Privacy Notice by mail at the initial meeting, delivery, or contact if services are provided by phone,

5.   provide a Privacy Notice and acknowledgment for all current patients at the first direct treatment encounter after April 14th, 2003, and

6.   document acknowledgment if the initial meeting, delivery, or contact was provided electronically.

Revisions:

1.  If the Privacy Notice is revised:

a.  an Effective Date will be placed at the top of the form,

b.  a current copy will be posted as stated in (i) above,

c.  it will be made available for patient pick up at any time during operating hours,

d.  it will affect all current and past uses of PHI, and

e.  it will be provided to all current patients at the next direct treatment encounter.

2.  All past Privacy Notice versions will be kept for six years past their last effective date.

e. PHI Disclosure:

i.   Routine disclosures (TPO) of PHI are covered by the Privacy Notice and must always be limited to the minimum data necessary to accomplish the purpose of the disclosure.

ii.   Every non-routine (non-TPO) disclosure of PHI must have a separate accompanying authorization, signed by the patient or patient representative and filed in the patient’s record, that grants permission to disclose the information.

iii.  Each patient or patient representative has the right to further restrict the use and disclosure of their PHI:

1.   Each request must be evaluated by the Office Manager and approved or disapproved.

2.   Requests for further restriction on PHI disclosure do not have to be allowed.

3.   All requests for further limitation of use and disclosure of PHI must be documented in the patient’s chart, including the reason for disapproval, if applicable.

4.   If further restrictions are approved, they must be honored.

iv.  Before any non-routine disclosure of PHI is granted, the identity of the receiving agent must be verified.

1.  You may verify information that is not generally known, such as:

a.   phone number,

b.   contact information,

c.   requested data, or

d.   any other data that can reasonably assure the identity of the recipient.

f.  PHI Access and Amendment:

i.    Each patient, or patient representative, is provided access to their PHI as long as the data is held or stored by the company.

ii.    Patients may make a written request for copies of their PHI at any time.

iii.    There is a cost-based charge for labor, supplies, and delivery of PHI. There is no charge for making the request.

1.     The company must act on each request within:

a.     30 days of receipt if the PHI is kept on-site, or

b.     60 days of receipt if the PHI is kept off-site, and

c.     a 30-day extension to the above time periods is permitted if a written reason is sent to the patient during the primary time period.

2.     The company will provide a copy of the patient’s PHI in the format requested by the patient, if that format is readily feasible.

3.     The following information may not be disclosed:

a.     Psychotherapy notes,

b.     Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding, and

c.     Clinical lab results exempted from the Clinical Laboratory Improvement Amendments of 1988 (CLIA).

4.     The following are acceptable reasons for denying access to PHI:

a.     It is determined that inspection or copying of the PHI is reasonably likely to endanger the life or physical safety of the patient or any other person,

b.     The information is about another person (other than a health care provider) and a licensed health care professional determines that inspection and copying is reasonably likely to cause substantial harm to that other person,

c.     The information was obtained under a promise of confidentiality from someone other than a health care provider and inspection and copying is likely to reveal the source of the information,

d.     The information was obtained by a covered provider in the course of a clinical trial, and the patient agreed to denial of access when consenting to participate in the trial, and

e.     The information was compiled in reasonable anticipation of, or for use in, a legal proceeding.

5.     If PHI access is refused:

a.     The patient will be notified in writing of the reason for the denial.

b.     The patient will be informed of their right to have the denial evaluated by a licensed health care professional who was not part of the initial decision.

c.     Access will be authorized if this reviewer decides it is appropriate.

6.     PHI that is stored for peer review or quality assurance purposes is not required to be included in any disclosure of PHI.

iv.     Patients may make a written request for amendment of their PHI.

1.      All amendment requests must be recorded in the patient’s chart.

2.      Amendments will be honored if they correct vague, misleading, or omitted information.

3.      At no time will modifications be made that falsely represent the services or equipment provided.

4.      Modification requests do not have to be honored. If a request is not honored, the reason it was not approved must be recorded in the patient’s chart and sent to the patient in writing.

5.      Requests for amendment will be acted upon:

a.      within 60 days of receipt of the request, and

b.      a 30-day extension to the above time period is permitted if a written reason is sent to the patient during the primary time period.

6.      If an amendment is made, all affected parties will be notified in writing.

7.      If the amendment is refused, the patient has the right to file a statement of disagreement and to request that a notation be included in all future disclosures of this PHI stating that the amendment was refused. The patient may also file a complaint with the DHHS.

v.      Patients are allowed access to an accounting of any non-routine disclosures of their PHI.

1.      All requests for an accounting of non-routine disclosures must be in written form.

2.      Accountings will cover only dates of service on or after April 14, 2003.

3.      The patient is allowed one free accounting in any twelve-month period.

4.      Requests for an accounting of non-routine disclosures will be acted upon:

a.      within 60 days of receipt of the request, and

b.      a 30-day extension to the above time period is permitted if a written reason is sent to the patient during the primary time period.

g.   Information Security:

i.   Manual Records: Manual records consist of any information that is originally created on, or converted to, paper documents.

1.   The privacy and security of patient records must be maintained at all times.

2.   Only approved staff will be allowed access to records, and only at the location where the authorized employee performs their duties.

3.   Patient records will be locked up after business hours.

4.   Patient records must be checked in and out of the file storage area.

5.   Only the following staff job descriptions have patient record privileges, in order to carry out their job duties:

a.   Administration and Management Staff

b.   Billing Clerks and Supervisors (or Billing Company)

c.   Clinicians (including contracted)

d.   Customer Service Representatives

e.   Delivery Driver Technicians

6.   Disposal of any PHI will be by shredding, performed by a certified destruction company. No PHI may be discarded in the trash.

ii.   Electronic Records: Electronic records consist of any dissemination or storage of PHI by way of the Internet, magnetic or optical storage, email, or any other non-manual type of storage.

1.   Access to electronic PHI records will be limited at a level that appropriately protects the data without hindering operations; this may include:

a.   The use of individual passwords that are assigned by management and changed every six months.

b.   The use of security modules that limit a system user to only the parts of the system necessary to perform their job tasks.

c.   The use of biometric security devices, if appropriate and financially feasible:

i.    Fingerprint recognition

ii.   Retinal scanning

iii.  Smart Cards

d.   The use of a system firewall to limit incoming system access.

i.    All communication portals (NetMeeting, Telnet, remote host access, modems) will be disabled after normal working hours, and access log-ins will be monitored quarterly.

ii.   Access to internal data will be allowed only if the connection can be encrypted with Secure Sockets Layer (SSL) or public/private key encryption.

e.   The use of a proxy server to limit outgoing information dissemination.

f.   Data will be backed up at regular intervals (see attached data backup schedule) and procedures will be documented for expedited data recovery (if needed):

i.    A daily onsite copy will be archived and stored in a data safe rated for a minimum of 1000 degrees Fahrenheit for 30 minutes.

ii.   A weekly offsite copy will be stored in a secured vessel. Weekly copies will rotate on a five-tape cycle (one for each possible week in a month).

iii.  A monthly offsite copy will be stored in a secured vessel. Monthly copies will rotate on a twelve-tape cycle (one for each month in a year).

iv.   An annual offsite copy will be stored in a safe deposit box at a financial institution.

g.   Battery back-up power supplies will be installed and used on key information system components. They should be sized to provide enough power to perform a complete system back-up and an orderly power down, for example 2 hours.

h.   Every user is required to log out of the information system whenever they are not using the system or step away from their desk or workstation.

i.    If portable devices are used, e.g., laptop computers, personal digital assistants (PDAs), or barcode readers, access must be secured to prevent unauthorized disclosures, including in the event that the device is lost or stolen.

2.   A privacy or confidentiality statement directing an unintended recipient on the procedures to follow if the transmission is delivered to them by mistake will accompany all transmissions of PHI by facsimile or email.

3.   Sanctions: The company will discipline any employee who violates its security provisions, up to and including termination. All violations will be documented on a Security Violation Incident Report and brought to the Executive Committee for review and action.

4.   Reviews: The Chief Information Officer, in conjunction with the appropriate department heads, will oversee an annual review of each employee’s system access privileges and make applicable modifications.

5.   Workstation Evaluation:

a.   The Chief Information Officer, or designee, will evaluate each appropriate system access terminal semi-annually for unauthorized software (which may be malicious). Where possible, locking devices should be used to limit the installation of any unauthorized software.

b.   The Chief Information Officer, or designee, will evaluate each employee’s system log-in attempts and report any attempts to log into unauthorized system areas. A record of each unauthorized attempt will be maintained by this department and reviewed for trends that indicate insecure behavior.

6.   Computer Maintenance: Any computer system or media that stores protected electronic information will be inventoried, and its whereabouts will be known at all times. A list must also be maintained of the persons authorized to move or maintain these electronic storage systems. If any system needs repair or maintenance, the employee, contracted employee, or firm must have a Business Associate Agreement on file before being allowed to work on that machine. Each repair or maintenance action will be recorded and the record stored for 6 years. If any storage device needs to be replaced, the old device will be physically destroyed or reformatted before removal.
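A log-in attempt review of the kind item 5.b describes, as an added example that is not the company's own tooling. The log format, the role-to-area mapping, and the sample lines are all constructed for illustration; the review also reports attempts on unauthorized areas that succeeded, since those point at a security module that is not restricting the user as item 1.b intends.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed role-to-area mapping, in the spirit of item 1.b's security
# modules: a role sees only the parts of the system its job requires.
ROLE_AREAS = {
    "billing": {"billing", "patient_records"},
    "driver": {"delivery_schedule"},
    "clinician": {"patient_records", "clinical_notes"},
}

# Constructed sample log lines (assumed format: timestamp, then key=value fields).
SAMPLE_LOG = """\
2024-05-06T08:01:10 user=jsmith role=driver area=delivery_schedule result=OK
2024-05-06T08:03:42 user=jsmith role=driver area=patient_records result=DENIED
2024-05-06T08:04:05 user=jsmith role=driver area=patient_records result=DENIED
2024-05-06T09:15:00 user=mlee role=billing area=billing result=OK
2024-05-07T17:30:12 user=jsmith role=driver area=clinical_notes result=DENIED
2024-05-08T07:58:33 user=mlee role=billing area=clinical_notes result=OK
2024-05-13T10:02:19 user=jsmith role=driver area=billing result=DENIED
"""


def parse_line(line: str) -> dict:
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def unauthorized_attempts(log_text: str) -> list[dict]:
    """Every attempt on an area outside the user's role, whatever the result."""
    return [
        rec
        for rec in map(parse_line, log_text.splitlines())
        if rec["area"] not in ROLE_AREAS.get(rec["role"], set())
    ]


def enforcement_gaps(attempts: list[dict]) -> list[dict]:
    """Unauthorized-area attempts that succeeded: the security module did not
    actually restrict that user, so this is a configuration finding."""
    return [rec for rec in attempts if rec["result"] == "OK"]


def trending_users(attempts: list[dict], threshold: int = 3,
                   window_days: int = 7) -> dict[str, int]:
    """Users with at least `threshold` unauthorized attempts inside any
    `window_days`-day window; the value is the count in the first such window."""
    by_user: dict[str, list[datetime]] = defaultdict(list)
    for rec in attempts:
        by_user[rec["user"]].append(rec["ts"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        for i, start in enumerate(times):
            end = start + timedelta(days=window_days)
            count = sum(1 for t in times[i:] if t < end)
            if count >= threshold:
                flagged[user] = count
                break
    return flagged


if __name__ == "__main__":
    attempts = unauthorized_attempts(SAMPLE_LOG)
    for rec in attempts:
        print(rec["ts"], rec["user"], rec["area"], rec["result"])
    print("enforcement gaps:", [r["user"] for r in enforcement_gaps(attempts)])
    print("trending:", trending_users(attempts))
```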

iii.  Oral Communication: Oral communication is any verbal communication that originates from a staff member.

1.   The verbal transmission (speaking) of PHI must be limited to only those people who need to know.

a.   Before any information is discussed or communicated, employees must take note of whether any unauthorized person could overhear the discussion.

b.   Discussions will not use the patient’s name to identify the patient. The patient identification or work order number will be used for this purpose.

c.   Order intake personnel will be shielded with sound barriers and acoustically absorbing cubicles, and will be segregated from any retail showroom.

d.   PHI that may not be relayed verbally over two-way radio or cell phones includes:

i.    Patient name,

ii.   Patient diagnosis or condition,

iii.  Patient address, or

iv.   Any other information that can identify a specific patient.

iv.   Breaches: All security violations will be documented and investigated fully. Each security violation will be reviewed by the Executive Committee within 7 days (that’s not mandatory, that’s our recommendation). If the security violation is considered severe by any management staff, the contingency plan will immediately be placed into action.

v.    Contingency Plan:

1.   In the case of an emergency or natural disaster:

a.   As part of the emergency preparedness plan, a current equipment rental list (of critical pieces of equipment) will be printed weekly.

b.   If electrical power is interrupted:

i.    All system users will expeditiously finish their tasks and log out of the system (if applicable).

ii.   After all users have completed their tasks and logged out, a system back-up will be performed and then the system will be powered down.

iii.  The main server room will be locked and access will not be allowed until power has been restored.

iv.   Any tasks that can still be performed, for example order intake, will be done manually with the appropriate secure standards.

v.    All access doors not required to be open during normal operating hours will be locked. Access to each building should be limited to one entry portal.

c.   If telephone access to the company is lost for more than 30 minutes, the phone company will be notified to transfer all company calls to an automatic call-forward number, for example a cell phone number.

d.   If any other natural disaster prevents access to a location, the system should be shut down and all work performed manually.

e.   If the system is destroyed, the software vendor will be contacted for a replacement system or system purchase requirements. The data will be recovered from the most recent data back-up as soon as possible.

f.   All contingency plans will be reviewed each year and tested biennially.

2.   In any case where a severe security violation has occurred, the following procedures will be enacted immediately:

a.   A complete electronic back-up file will be generated and saved for investigative purposes.

b.   All electronic passwords will be changed immediately by the Chief Information Officer.

c.   All outside electronic access into the system will be temporarily restricted.

d.   All record storage, management, and personnel policies will be reviewed for any improvements that can prevent a similar security violation.

e.   The parties whose information was affected will be notified by telephone and sent a letter describing what happened and the procedures being taken.

vi.   Physical Structures:

1.   Each building that contains information systems, or access to them, will be alarmed and access limited to only those with a need to enter. These systems will be set to notify the applicable authority automatically if an alarm parameter is violated.

2.   A report of alarm log-ins will be ordered from the alarm-monitoring company and reviewed each month.

3.   Each person who has access to activate and deactivate a location’s alarms will have a separate user code that is changed once every six months.

4.   Each building will have additional alarms for fire and smoke detection.

5.   Each building will also have a back-up system, such as a cellular or long-range wireless back-up, in case telephone notification is unavailable or limited.

6.   No visitor will be allowed access without appropriate supervision to any location where personal health information is stored or used.

7.   All repairs or modifications to physical structures that are related to security will be documented and the records stored for 6 years.

h.  Business Associates. All business associates who have access to PHI will be evaluated before contract signing, and annually thereafter, as to their procedures and policies pertaining to the regulations mandated by HIPAA.

i.   Marketing. The company will not use or disclose any PHI for any marketing purpose without formal written patient authorization.

j.   Research. The company will not use or disclose any PHI for any research or clinical trial purpose without formal written patient authorization.

k.   Complaints. The company will document each privacy violation or complaint filed, whether in written, electronic, or verbal form, in the patient’s chart.

i.    Each complaint will be recorded on a standard complaint form (available in the Forms Library).

ii.   If an immediate response is needed to remedy a complaint, the employee taking the complaint has the authority, within their job classification, to correct the discrepancy immediately.

iii.  The form is then delivered immediately to the appropriate manager for action.

iv.   The manager will investigate and make recommendations as to the company actions necessary to remedy the situation, if any.

v.    If the manager cannot carry out the solution, it must be determined whether an executive meeting is necessary. If it is, the Executive Board will be scheduled to meet at the soonest opportunity.

vi.   When resolved, the resolution and the complaint form will be filed in the patient’s chart and in the company’s complaint file. This applies even if “no action” was determined to be appropriate.

vii.  The patient will then be called about the actions taken or not taken. This conversation will be followed by a written response mailed to the patient’s address of record.

viii. No retaliation is permitted against anyone for filing a complaint.

l.   Compliance. The company will cooperate with any government agency that has jurisdiction over HIPAA regulations, including responding to information requests.
