This notice describes how medical information about you may be used and disclosed and how you can get access to this information. (Updated 11/08/2017)
POLICY:
Richland Public Health (hereafter referred to as “Department”) shall conform to all requirements for privacy and confidentiality set forth in the Health Insurance Portability and Accountability Act (HIPAA), as amended, and all other applicable law, as enacted and amended. The Department shall not use or disclose Protected Health Information (PHI) except in accordance with applicable requirements.
PURPOSE
The purpose of this Policy is to provide guidance to Department staff regarding the proper protocol for gathering, storing, protecting and releasing PHI in accordance with HIPAA regulations (as amended), and all other applicable law, as enacted and amended.
WHAT IS PHI?
PHI includes information that:
- Relates to the client’s past, present or future physical or mental health or condition;
- Relates to the healthcare of the client;
- Relates to the past, present or future payment for the provision of health care to the client;
AND
- Either identifies the client, or for which there is a reasonable basis for the belief that it could be used to identify the client
DEPARTMENT RIGHTS AND RESPONSIBILITIES
The Department may use PHI for treatment, payment and health care operations without an individual’s release or authorization to the extent that such activities occur within the Department’s programs.
Treatment: Generally means the provision, coordination or management of health care and related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another.
Payment: Encompasses the various activities of health care providers to obtain payment or be reimbursed for their services, and of a health plan to obtain premiums, to fulfill its coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care.
Health Care Operations: Are certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment. These activities include:
- Conducting quality assessments and improvement activities, population based activities relating to time, improving health or reducing health care costs, and case management and care coordination;
- Reviewing the competence or qualifications of health care professionals, evaluating provider and health plan performance, training health care and non-health care professionals, and accreditation, certification, licensing, or credentialing activities;
- Underwriting and other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits, and coding, securing, or placing a contract for reinsurance of risk relating to health care claims;
- Conducting or arranging for a medical review, legal review and/or auditing services, including fraud/abuse detection and compliance programs;
- Business planning and development, such as conducting cost-management and planning analyses related to managing and operating the entity;
- Business management and general administrative activities; and
- Implementing and complying with the privacy rule and other administrative simplification rules, customer service, resolution of internal grievances, sales or transfer of assets, creating de-identified health information or limited data set, and fund raising for the benefit of the covered entity.
Confidentiality & The Minimum Necessary Standard: To keep PHI on a need-to-know basis and maintain the confidentiality of our patients’ medical history. When using or disclosing PHI, the Department will make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended legitimate purpose of the use, disclosure, or request. Access to PHI within the Department is granted on a need-to-know basis. Certain job responsibilities require access to more detailed information than others. It is your responsibility to maintain the confidentiality of this information and not share it with others who do not need it to carry out their job responsibilities. Your specific level of access to PHI will be identified and documented in your employee confidentiality agreement. Disclosures of PHI to patients who are the subject of the PHI do not need to be restricted to the minimum necessary. In addition, disclosures authorized by patients are exempt from the minimum necessary requirements unless the authorization to disclose PHI is requested by our Department for its own purposes. If PHI is requested from another entity on a routine or recurring basis, the request must be limited to only the reasonably necessary information identified on the chart. For all other requests, the Privacy Officer or designee will determine what information is reasonably necessary for disclosure on a case-by-case basis.
AUTHORIZATION: PERMISSION AND DISCLOSURES
In compliance with HIPAA, all uses and disclosure of PHI beyond those otherwise permitted or required by law require a signed authorization (see Release of Information form). An authorization is required for each individual or entity that is to receive PHI except as provided by federal and Ohio law. The patient or the patient’s personal representative must sign each authorization. Persons recognized as the individual’s personal representative include the following:
| If the individual is: | The personal representative is: |
|---|---|
| An adult or an emancipated minor | A person with legal authority to make health care decisions on behalf of the individual. Examples: health care power of attorney; court-appointed legal guardian; general power of attorney. |
| An unemancipated minor | A parent, guardian or other person acting in loco parentis with legal authority to make health care decisions on behalf of the minor child. |
| Deceased | A person with legal authority to act on behalf of the decedent or the estate (not restricted to health care decisions). Examples: executor of the estate; next of kin or other family member; durable power of attorney. |
An authorization is deemed invalid if:
- The expiration date or event has passed;
- The authorization was not filled out completely;
- The authorization is revoked;
- The authorization lacks a required element; or
- The authorization violates requirements regarding compound authorizations.
USES AND DISCLOSURES FOR WHICH NO RELEASE AUTHORIZATION IS REQUIRED
HIPAA regulations permit the disclosure of PHI under certain circumstances. Following are examples of the instances when no authorization is required:
Business Associates: The Department will share PHI with third-party “business associates” that facilitate activities (e.g., billing and lab tests) for the Department. Whenever an arrangement between the Department and a business associate involves the use or disclosure of PHI, a written contract (Business Associate Agreement) containing terms that will protect the privacy of PHI will be in place.
Appointment Reminders: The Department may use and disclose medical information to contact an individual as a reminder that they have an appointment for treatment or medical care.
Treatment Alternatives: The Department may use and disclose medical information to tell an individual about or recommend possible treatment options or alternatives that may be of interest to them.
Health Related Benefits and Services: The Department may use and disclose medical information to tell an individual about health-related benefits or services that may be of interest to them. This may be in the form of newsletters or brochures mailed to the residence.
Research: Please see the Human Subject Research Protection Policy. The Department may disclose PHI about a patient/client to individuals preparing to conduct a research project, for example to help them look for patients with specific medical needs, as long as the PHI reviewed does not leave the Department.
As Required By Law: The Department will disclose medical information about an individual when required to do so by federal, state or local law.
To Avert a Serious Threat to Health or Safety: The Department may use and disclose medical information about an individual when necessary to prevent a serious threat to their health and safety or to the health and safety of the public or another person. Any such disclosure, however, would only be to someone able to help prevent the threat.
SPECIAL SITUATIONS:
Organ and Tissue Donation: If the patient is an organ donor, the Department may release medical information to organizations that handle organ procurement or organ, eye or tissue transplantation, or to an organ donation bank, as necessary to facilitate organ or tissue donation and transplantation.
Military or Veterans: If the patient is a member of the armed forces, the Department may release PHI about them as required by military command authorities. The Department may also release medical information about foreign military personnel to the appropriate foreign military authority. PHI may be used and disclosed to components of the Department of Veterans Affairs to determine whether someone is eligible for certain benefits.
Workers’ Compensation: The Department may release medical information about an individual for workers’ compensation or similar programs. These programs provide benefits for work-related injuries or illnesses.
Public Health Risks: The Department may disclose medical information about an individual for public health activities. These activities generally include (but are not limited to) the following:
- To prevent or control disease, injury or disability;
- To report births and deaths;
- To report child abuse or neglect;
- To report reactions to medications or problems with products;
- To notify people of recalls of products they may be using;
- To notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition;
- To notify the appropriate government authority if we believe a patient has been the victim of abuse, neglect, or domestic violence. We will only make this disclosure if you agree or when required or authorized by law.
Health Oversight Activities: The Department may disclose medical information to public health agencies and health oversight agencies for activities authorized by law. These oversight activities include, for example, audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws.
Law Enforcement: The Department may release medical information if asked to do so by law enforcement officials:
- In response to a court order, subpoena, warrant, summons or similar process;
- To identify or locate a suspect, fugitive, material witness, or missing person;
- About the victim of a crime, if, under certain limited circumstances, we are unable to obtain the person’s agreement;
- About criminal conduct at the clinic agency; and
- In emergency circumstances, to report a crime; the location of the crime, or victims; or the identity, description or location of the person who committed the crime.
The Department must comply with a lawful order, but only with the express terms of the order. The Department may comply with a subpoena, discovery request or other lawful process, but only if the Department receives satisfactory assurance from the party seeking the information that reasonable efforts have been made by that party either to ensure that the individual who is the subject of the requested PHI has been given notice of the request, or to secure a qualified protective order. The Department shall not respond to a subpoena without review by an attorney to ensure compliance.
Coroners, Medical Examiners, and Funeral Directors: The Department may release medical information to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or determine the cause of death. The Department may also release medical information about patients to funeral directors as necessary to carry out their duties.
National Security and Intelligence Activities: The Department may release medical information about an individual to authorized federal officials for intelligence, counterintelligence, and other national security activities.
Protective Services for the President and Others: The Department may disclose medical information about an individual to authorized federal officials so they may provide protection to the President, other authorized persons or foreign heads of state, or conduct special investigations.
Inmates: If someone is an inmate of a correctional institution or under the custody of a law enforcement official, the Department may release medical information about them to the correctional institution or law enforcement official. This release would be necessary (1) for the institution to provide health care; (2) to protect the individual’s health and safety or the health and safety of others; or (3) for the safety and security of the correctional institution.
PRIVACY NOTICE:
Posting: The full text of the Privacy Notice will be legibly displayed within the offices of the Department in areas where billing/payment, health services and/or other services involving PHI occur. This posting must be in a clear and prominent location where individuals are likely to see it.
Internet: The full text of the notice will be posted to the Department’s website along with relevant contact information for the Privacy Officer.
Distribution: All clients who receive health services from the Department will receive a copy of the Privacy Notice no later than the date of the first service delivery to the individual following the implementation of this policy. The Department will make a good faith effort to obtain a written acknowledgment of receipt of the notice. However, in no case may treatment be conditioned on written acknowledgment of the Privacy Notice. In instances where more than one member of a family receives services from the Department, a single copy may be distributed, provided the Department asks the additional family members whether they would prefer their own copy. At any time a client or member of the public may request a copy of the Privacy Notice.
INFORMATION TRANSMITTAL
In order to secure the transfer of information and reduce the potential for accidental release of information during the normal course of treatment, payment, and health care operations, the Department has adopted the following guidelines to ensure the security of PHI. For routine or recurring requests and disclosures, the following procedures may be used as standard protocols and limit the PHI disclosed or requested to that which is the minimum necessary for that particular type of disclosure or request. For non-routine disclosures and requests, requests must be reviewed on an individual basis in accordance with these criteria and limited accordingly. Of course, where PHI is disclosed to, or requested by, health care providers for treatment purposes, the minimum necessary standard does not apply. A log of disclosures made of PHI must be kept. The log must contain the date, the person or organization receiving the disclosure, the type of information disclosed and whether an authorization is on file. In situations where a patient has requested that the covered entity communicate with them in a confidential manner, such as by alternative means or at an alternative location, the Department must accommodate that request, if reasonable.
Facsimile Transmissions: Oftentimes, patient information, including treatment and/or condition, is transmitted to authorized authorities via facsimile transmission as part of the normal operations of the Department. In instances where this is done, all facsimile transmissions will be accompanied by a fax cover sheet labeled “Confidential” that identifies the intended recipient in as much detail as is reasonably necessary and includes the following statement: “This message is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential, and prohibited from redisclosure under applicable law. If the reader of this notice is not the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by telephone at the number shown on this form and destroy or return these papers to us at the address shown above via postage due, first class mail.”
Identifying PHI should be faxed only when 1) the original record or a mail-delivered copy will not meet the needs of immediate patient care, or 2) required by a third party for ongoing certification of payment for a hospitalized patient. Routine disclosure of patient information to legitimate users should be delivered via mail or courier in cases where there is no immediate patient care need. Faxed information will be limited to the minimum necessary to meet the needs of the sender. Documents either transmitted or received should be removed from the fax machine in a timely fashion. Individuals receiving the document should check for completeness and legibility and notify the sender of any problems resulting from the transmission. The staff member should then arrange for secure delivery of the document to the designated recipient. If a staff member discovers a fax not addressed to them, they must limit their review of the document to the minimum necessary to identify the intended recipient. Before the first fax to a new number, staff must confirm the fax number by sending a test fax. Following the fax, the original document will be shredded or returned to the appropriate file.
Phone: Phone conversations are a necessary part of the business day and must often take place in the presence of volunteers, employees and clients who are not directly involved in the treatment or care of a patient and who do not otherwise have legitimate access to the client’s PHI. Staff must use their best judgment when engaging in these conversations and limit the disclosure to the amount necessary to conduct the conversation. The Privacy Rule allows leaving messages for patients on their answering machines or with a family member or other person who answers the phone when the patient is not home. However, to reasonably safeguard the individual’s privacy, staff should take care to limit the amount of information disclosed, for example by leaving only the Department’s name and number and other information necessary to confirm an appointment, or by asking the individual to call back.
E-mail: E-mail exchanges, as with facsimile transmissions, should be prominently identified as “Confidential” in the subject line and should begin with the following disclosure statement in the body: “Information contained within this email is confidential. If you have received this email in error, please contact (your name) immediately and delete this message. Thank you.” Information transmitted via the Department e-mail system should not be considered fool-proof, and only the minimum necessary information should be transmitted.
Traditional Mail: Traditional mail containing PHI will be sent in envelopes labeled “Confidential” on the exterior, sealed appropriately, and addressed in the most specific way logical for appropriate delivery. All mail containing PHI must contain a cover letter with the following statement: “Items in this envelope are intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential, and prohibited from redisclosure under applicable law. If the reader of this Notice is not the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this package in error, please notify us immediately by telephone and destroy or return these papers to us at the address shown via postage due, first class mail.”
Conversations: As part of the effective operation of the Department, it is often necessary to relate PHI to contracted service providers or other staff members. Such conversations, at a minimum, should maintain privacy:
- By speaking quietly when discussing a patient’s condition with family members in a waiting room or other public area;
- By avoiding using patient’s names in public hallways and elevators;
Extended consultations or discussions should be moved to an office, exam room, or other private area that will protect the privacy of the client’s information. The HIPAA Privacy Rule is not intended to prohibit providers from talking to each other and to their patients. Provisions of this Rule requiring covered entities to implement reasonable safeguards that reflect their particular circumstances and exempting treatment disclosures from certain requirements are intended to ensure that the providers’ primary consideration is the appropriate treatment of their patients. The Privacy Rule recognizes that oral communications often must occur freely and quickly in treatment settings. Thus, covered entities are free to engage in communications as required for quick, effective, and high quality health care. The Privacy Rule also recognizes that overheard communications in these settings may be unavoidable and allows for these incidental disclosures. For example, the following practices are permissible under the Privacy Rule, if reasonable precautions are taken to minimize the chance of incidental disclosures to others who may be nearby:
- Healthcare staff may orally coordinate services in clinical or office areas;
- Nurses or other health care professionals may discuss a patient’s condition over the phone with the patient, a provider, insurance carrier or a family member;
- A health care professional may discuss lab test results with a patient or other provider in a joint treatment area;
- An employee discussing a patient’s PHI on the phone may be overheard by another employee who is not authorized to handle patient information.
In these circumstances, reasonable precautions could include using lowered voices or talking apart from others when sharing PHI. However, in an emergency situation, or where a patient is hearing impaired, such precautions may not be practicable. Covered entities are free to engage in communications as required for quick, effective, and high quality health care.
Waiting Room: Patient sign-in sheets or calling a patient’s name in a waiting room is expressly allowed by the Privacy Rule as incidental disclosure. However, staff should use their best judgment when engaging in such practices and attempt to limit the potential for disclosure during specifically posted clinics (e.g., prenatal) where visitors could easily surmise the purpose of a client’s visit. The diagnosis or reason for the visit should not appear on the sign-in sheet.
PROTECTION OF PHI
The Department shall have appropriate administrative, technical and physical safeguards in place to reasonably safeguard PHI from intentional and unintentional unauthorized use or disclosure.
Access: The Department shall reasonably limit who within the organization has access to PHI, and under what conditions, based on job responsibilities and the nature of the business.
Filing Cabinets: Cabinets containing PHI must be lockable. The cabinets must be locked every night before the responsible party leaves for the day. If staff are leaving the office for several hours, the cabinets should also be locked unless there is a reasonable expectation of need by other members of the staff designated as having access to the documents.
Desktops: Confidential records will not be left in open areas if staff are away from their desk for an extended period. They may be placed in a drawer or covered by other files in order to satisfy the privacy requirement. At the end of the day the file must be locked in a cabinet or desk drawer.
Home Visits or Satellite Clinics: Files should be transported in private containers, such as a briefcase or storage box. When entering a home, the staff member should take only the file for the client being visited.
Non-Public Areas: Unauthorized individuals will not be allowed unescorted into the Department’s non-public areas. Such areas include employee break rooms, staff offices, storage facilities, or other areas containing PHI. Escort may be a physical escort or a line-of-sight escort, based on the needs of the office at the time of the request.
Shredding Documents: It is the responsibility of the Department to ensure that the destruction of hard-copy records is done in a manner that protects the confidentiality of patient, financial, and operational records in accordance with the HIPAA regulations. Every precaution must be taken by all employees to protect confidential information in all forms. Papers containing PHI should never be left out waiting to be shredded. All PHI should be kept locked up until such time as it can be disposed of properly.
Computers and Passwords: The procedures relating to the use of computers containing PHI are detailed in the Information Technology & Data Use Policy. This covers such matters as the assignment and use of passwords.
Training: The Department shall train existing members of its workforce on the HIPAA Privacy Rule requirements and the Department’s policies and procedures related to the privacy of PHI annually and as needed. New workforce members will receive HIPAA training as part of their orientation or within a reasonable period after their starting date.
Monitoring, Auditing & Reporting: The Department will take reasonable steps to achieve compliance with this Policy by utilizing monitoring, auditing, and reporting systems that employees can use to reveal misconduct or privacy breaches without fear of retribution. Internal audits will be conducted periodically by designated staff and/or the Privacy Officer, where applicable, to detect and prevent privacy breaches. As audits are conducted and questionable findings are revealed, the Privacy Officer will notify the personnel responsible for the matters in question and instruct them on how to correct the findings. Efforts will be made to educate employees to prevent ongoing errors through training and employee discipline. The Privacy Officer will recommend changes in policies or procedures where necessary and applicable.
REPORTING PRIVACY BREACHES
All Department staff will take reasonable steps to protect the privacy and confidentiality of the protected health information (PHI) of all clients. Employees are also expected to report any breaches or violations of a client’s privacy and confidentiality, including of client PHI. Examples of privacy breaches that should be reported include:
- Communicating private information with an individual at a location that they had requested not to be contacted (or using a means of communication that the individual requested not be used);
- Unauthorized use or disclosure of PHI;
- Using or disclosing PHI that the individual requested to be restricted (and such request was approved);
- Using or disclosing inaccurate or incomplete PHI that was to be amended as requested by the individual;
- Knowing or suspecting that an unauthorized employee is using or disclosing an individual’s PHI.
Procedure:
- Employees must IMMEDIATELY report (verbally or in writing) any suspected or actual privacy breaches or concerns to both the Privacy Officer and Director of Nursing (DON);
- The Privacy Officer and/or DON shall immediately investigate all reports of suspected or actual privacy breaches or concerns to determine if a breach has occurred;
- In the event a breach has been identified, the Privacy Officer and/or DON and appropriate staff members shall take all reasonable steps to respond to and limit the exposure of the breach while performing all legally required response actions;
- In the event a potential, but not actual, breach has been identified by the Privacy Officer and/or DON, immediate appropriate actions shall be taken to avoid any actual breach from occurring; and
- In the event no grounds for concern of a potential or actual breach are found by the Privacy Officer and/or DON, either the Privacy Officer or DON shall communicate such findings to the reporting employee.
PATIENT’S HEALTH INFORMATION RIGHTS
Although a health record is the physical property of Richland Public Health, the information contained therein belongs to the individual. They have the right to:
- Request a Restriction on any uses or disclosures of their PHI, though the Department need not agree to the requested restriction, and cannot agree to a restriction relating to disclosures required under law (e.g., disclosures to the U. S. Secretary of Health and Human Services for HIPAA enforcement purposes);
- Obtain a copy of the Notice of Privacy Practices upon request;
- Access their health record to inspect it and obtain a copy (subject to the limits on rights and access contained herein);
- Amend their health record if warranted and approved;
- Obtain an accounting of disclosures of their PHI;
- Request communications of their PHI by alternate means;
- Authorize the use or disclosure of PHI for reasons other than treatment, payment or health care operations;
- Revoke their authorization to use or disclose PHI except to the extent that action has already been taken.
The Department will respond to a request no later than sixty (60) days from the date of the request. The Department will keep documentation relating to disclosures for at least six (6) years.
Sanctions: Failure to comply with this Policy will be deemed a willful disregard of a rule, regulation, policy or directive of the Department and will be treated as such under the progressive disciplinary policy. Sanctions may not be applied in a manner which would be reasonably construed as intimidation or retaliation. The Department may not impose sanctions for disclosure of PHI against a member of its workforce who is the victim of a criminal act if the victim discloses PHI to a law enforcement official, provided that: the PHI disclosed is about the suspected perpetrator of the criminal act; and the PHI disclosed is limited to the following information:
- Name and address;
- Date and place of birth;
- Social security number;
- ABO blood type and Rh factor;
- Type of injury;
- Date and time of treatment;
- Date and time of death, if applicable; and
- A description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or moustache), scars and tattoos.
Complaints: If a client feels that their privacy rights have been violated, they may file a complaint with our Privacy Officer or with the Secretary of the Department of Health and Human Services. All complaints must be in writing.