HIPPA
HIPPA
Privacy Policies & Procedures
Administrative
Purpose:
The purpose of this policy is to ensure confidentiality with respect to protected health information (PHI) and to demonstrate compliance with the HIPAA privacy requirements.
Policy & Procedure:
I. Documentation
A. The WETZEL-TYLER HEALTH DEPARTMENT will maintain in writing or electronic form all policies and procedures required throughout the federal regulations and any other communication, action, activity, or designation that is required to be documented in accordance with HIPAA for a period of six (6) years.
B. The WETZEL-TYLER HEALTH DEPARTMENT will maintain all copies of Notices of Privacy Practices that are issued.
C. Although the WETZEL-TYLER HEALTH DEPARTMENT is not required to agree with restrictions requested by a patient, if the WETZEL-TYLER HEALTH DEPARTMENT does agree to restriction(s), the request that was granted and the restriction(s) agreed to must be documented and a copy maintained (see Request to Restrict Use and/or Disclosure Form).
D. The WETZEL-TYLER HEALTH DEPARTMENT will document what constitutes the “designated record set” that is subject to access by patients along with the titles of those individuals who are responsible for receiving and processing requests for access and requests for amendments.
E. A patient may request an accounting of disclosures for up to six (6) years from the date of the request (see Request for Accounting of Disclosure Log). The WETZEL-TYLER HEALTH DEPARTMENT will maintain the following information as part of this accounting:
1) the date of disclosure;
2) the name of the entity or person who received the PHI and the address, if known;
3) a brief description of the PHI disclosed;
4) a brief statement of the purpose of the disclosure, providing reasonable basis of disclosure to the individual;
5) the written accounting that is provided to the patient; and
6) the title of the person responsible for receiving and processing requests for accounting of disclosures.
F. The WETZEL-TYLER HEALTH DEPARTMENT will maintain documentation of:
1) any signed authorization;
2) all complaints received and their disposition;
3) any sanctions rendered to employees or agents of the WETZEL-TYLER HEALTH DEPARTMENT that are applied as result of non-compliance; and
4) any use or disclosure of PHI for research without the patient’s authorization (see Uses and Disclosures for Research Without Authorization Form and Log).
II. Mitigation
The WETZEL-TYLER HEALTH DEPARTMENT will, to the extent practical, mitigate any known harmful effect resulting from the use or disclosure of PHI in violation of its, or its business associates, policies and procedures.
II. Changes in Law
When changes in the law necessitate modification of the WETZEL-TYLER HEALTH DEPARTMENT’s policies and procedures, the WETZEL-TYLER HEALTH DEPARTMENT will promptly document and implement the revised policies and procedures in a manner that complies with the material change. This may include but is not limited to: 1) use and disclosures, 2) the patient’s rights, 3) the WETZEL-TYLER HEALTH DEPARTMENT’s legal duties, or 4) privacy practices stated in the notice.
Unless changes in law require immediate action, the WETZEL-TYLER HEALTH DEPARTMENT shall not implement changes to the Notice of Privacy Practices until the actual notice has been modified and published (i.e. a statement on the Notice of Privacy Practices which tells the patient “This notice was published on __________ (date) and becomes effective on _____________ (date).”)
IV. Preemption of State Law
Federal regulations related to privacy of PHI preempt State regulations pertaining to privacy, with the following exceptions:
1) the State law is necessary to prevent health care fraud and abuse;
2) the State law is necessary to ensure regulation of insurance and health plans;
3) the State law is necessary for State reporting on health care delivery or costs;
4) the State law serves a compelling need related to public health, safety or welfare;
5) the purpose of the State law is regulation of controlled substances;
6) the State law is more stringent than the federal regulation;
7) the State law is necessary for reporting, surveillance, investigation or intervention in matters of public health; or
8) the State law pertains to monitoring, licensure or certification of facilities or individuals.
V. Privacy Officer or Contact Person
A written or electronic record of the designation of a privacy officer will be maintained by the WETZEL-TYLER HEALTH DEPARTMENT (see Privacy Officer Designation). This person is ultimately responsible for:
1) receiving complaints concerning the substance of the WETZEL-TYLER HEALTH DEPARTMENT’s policies and procedures adopted to comply with the privacy rule;
2) receiving complaints concerning the WETZEL-TYLER HEALTH DEPARTMENT’s compliance with these policies and procedures or with the requirements of the privacy regulation;
3) providing any additional information required by the privacy rule.
VI. Training for Staff
The WETZEL-TYLER HEALTH DEPARTMENT will provide training on its policies and procedures, related to PHI, to all members of the workforce according to the following:
1) new members will be provided training within a reasonable time;
2) additional training to each member of the workforce whose functions are impacted by a material change in the policy and procedure within a reasonable time after the change becomes effective;
3) written or electronic documentation that training has been provided. This documentation will be retained for six (6) years (see Training Form and Log).
VII. Complaint Process
The WETZEL-TYLER HEALTH DEPARTMENT understands that any patient has a right to file an internal complaint with our HEALTH DEPARTMENT or to the Secretary of Health and Human Services (DHHS). The WETZEL-TYLER HEALTH DEPARTMENT agrees to cooperate with any investigation by the Secretary, permitting access to information requested by the investigator.
The WETZEL-TYLER HEALTH DEPARTMENT designates our PRIVACY OFFICER to be responsible for receiving complaints regarding our privacy practices. Complaints and their disposition will be documented and retained for six (6) years (see Complaint Form and Log). The WETZEL-TYLER HEALTH DEPARTMENT agrees not to threaten, intimidate or retaliate against any individual filing a complaint.
In any situation in which a patient is denied access to his/her PHI or a request for amendment(s) to their medical record, the WETZEL-TYLER HEALTH DEPARTMENT agrees to provide this patient with information on how to file an internal complaint and a complaint to the Secretary of DHHS. Patients are notified of the procedure for submitting a complaint by the Notice of Privacy Practices provided to them by the WETZEL-TYLER HEALTH DEPARTMENT.
VIII. Sanctions
The WETZEL-TYLER HEALTH DEPARTMENT will establish and apply appropriate sanctions (appropriate to the nature of the violation) against members of its workforce who fail to comply with the these privacy policies and procedures, with consideration given to the following exceptions: 1) whistle blower; 2) crime victim and complaints, 3) investigations, and 4) opposition with good faith belief of unlawful practice without disclosure of PHI.
IX. Organizational Requirements
The WETZEL-TYLER HEALTH DEPARTMENT is a covered entity utilizing business associates. Through business associate agreements the WETZEL-TYLER HEALTH DEPARTMENT ensures that all business associates uphold consistent privacy practices and training programs for employees. Mechanisms are in place to notify business associates (or to be notified by them) regarding changes in relationships (see Business Associate Agreements).
X. Safeguards
The WETZEL-TYLER HEALTH DEPARTMENT will have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI and will use reasonable steps to prevent intentional or unintentional use or disclosure that may be in violation of the HIPAA Privacy Rules. These safeguards include but are not limited to: 1) using computer passwords to limit access to those who need it, and 2) limiting the way that information is recorded or posted.
