HIPAA Notice of Privacy Practices

Effective date: Oct 1, 2013

HIPAA POLICIES AND PROCEDURES FOR AFFINITY HEARING

INTRODUCTION

The Health Insurance Portability and Accountability Act (HIPAA) was enacted into law in 1996 with specific implications for health care providers. The law affects health care organizations and providers of all kinds, including public health authorities, insurers, clearinghouses, billing agencies, information system vendors, service organizations, universities and physicians.

The purpose of this manual is to provide the recommended policies and procedures to guide the employees of Affinity Hearing in meeting the requirements of the rules.

Training in, and compliance with, the HIPAA rules is mandatory. Affinity Hearing therefore requires a review of these policies and procedures as part of its orientation and quality assurance programs. This review must be documented for all members of the workforce as required by the Privacy Rule, and improvement plans and training efforts must likewise be documented. It is the responsibility of the Affinity Hearing Privacy Officer to ensure that training requirements are met and that training continues on an ongoing basis.

Sanctions will apply to employees who fail to comply with Affinity Hearing policies and procedures. Sanctions include progressive disciplinary action up to and including dismissal from employment. In addition, the Federal government may impose civil monetary penalties for violations of the rules and, for knowing violations, criminal penalties that include fines and imprisonment.

A covered entity may not retaliate against any person for exercising a right under the Privacy Rule, or for filing a complaint, participating in an investigation, or opposing any unlawful act relating to the Privacy Rule.

REFERENCES:

HIPAA: Title II, Subtitle F, Sections 261 through 264 of the Health Insurance Portability and Accountability Act of 1996.

Records, Computers and the Rights of Citizens; Report of the Secretary’s Advisory Committee on Automated Personal Data Systems, H.E.W., July 1973.

Various State and Federal Laws and regulations, a list of which can be obtained from the Department of Human Resources Office of Evaluation and Research.

 

AFFINITY HEARING HEALTH POLICY OF CONFIDENTIALITY

PURPOSE

The purpose of this policy is to protect and ensure the confidentiality of clients’ health information. Confidentiality is both an ethical and a legal obligation. Employees of Affinity Hearing, especially those working with confidential health information, must be extremely vigilant about protecting clients’ records. Federal law protects the client’s right to privacy.

It is the policy of Affinity Hearing to respect and acknowledge the privacy and confidentiality of its clients. Client information and records are company information and records and, as such, may be shared with authorized staff on a need-to-know basis, as outlined in the Privacy Notice given to each client. Confidential client information may be released to persons or entities outside the company only with proper authorization or as specified in the Privacy Notice given to each client.

GENERAL POLICY

All client health information is confidential and will not be released or communicated by any employee to anyone other than the client without valid written permission, except as specified in the Privacy Notice, under a court order signed by a judge, or in a life-threatening situation. All requests for release of protected health information (PHI) outside these parameters will be routed to the Affinity Hearing Privacy Officer or designee, who is authorized to release information and to make decisions about access to PHI. Any release to a third party must be accompanied by documented evidence of the reasonable steps taken to verify the identity of the person receiving the PHI. No individually identifiable information will be transmitted to any individual or outside agency that is not a business associate without an authorized release of information signed by the client or the client’s legal guardian.

Information (such as audiograms) shall be released to employers, law enforcement agencies or judicial systems only with a written authorization signed by the client or legally responsible agent that specifies the person or agency to whom the information is to be sent and the purpose for sending it. Verbal information about clients is often exchanged between service providers of different agencies in order to make referrals or to provide continuity of care, and must be treated with the same care as written information. A written authorization is not required for such exchanges provided the disclosure furthers the health and welfare of the client and there is no risk that the shared information will result in harm to the client; before any verbal disclosure, however, the employee must verify the identity of the other party and their role in the client’s care, and must disclose only the minimum information necessary for the purpose. Casual conversation about clients outside the company must be avoided at all times.

Federal or State regulations that are more restrictive than this company policy take precedence. The Privacy Officer or designee may consult with the County Attorney before releasing any information at any time.

SANCTIONS

Violation of this policy may result in disciplinary action up to and including termination of employment.

AFFINITY HEARING POLICY ON THE UNAUTHORIZED RELEASE OF PROTECTED HEALTH INFORMATION

PURPOSE

The purpose of this policy is to protect and ensure the confidentiality of clients’ health information. Confidentiality is both an ethical and a legal obligation. Employees of Affinity Hearing, especially those working with confidential health information, must be extremely vigilant about protecting clients’ records. Federal law protects the client’s right to privacy.

It is the policy of Affinity Hearing to respect and acknowledge the privacy and confidentiality of its clients. Client information and records are company information and records and, as such, may be shared with authorized staff on a need-to-know basis, as outlined in the Privacy Notice given to each client. Confidential client information may be released to persons or entities outside the company only with proper authorization or as specified in the Privacy Notice given to each client.

GENERAL POLICY

Our patients’ privacy is a high priority, and we take the unauthorized release of patients’ protected health information seriously. If you observe or have knowledge of any unauthorized release of protected health information from Affinity Hearing, you must immediately report it to the Privacy Officer. Failure to do so may result in discipline as an accomplice to the unauthorized release. Reports made in good faith are protected: no employee will be retaliated against for reporting a suspected violation.

PROCEDURES

  • Once the Privacy Officer has knowledge of an alleged unauthorized use or disclosure of PHI, he or she shall immediately begin a thorough investigation. This may be performed through confidential interviews with staff members, inspection of release logs and/or access logs, and any other method(s) the Privacy Officer deems appropriate. Relevant release and access logs should be preserved before they are reviewed so that the record of what happened is not lost or altered. It may also be necessary for the Privacy Officer to ask for assistance from another staff member in conducting the investigation; if so, he or she shall ask only a staff member he or she has concluded is not party to the alleged unauthorized release.
  • The investigation may find a systemic issue with Affinity Hearing’s policies and procedures on handling PHI, a personnel issue, or both. Upon concluding the investigation, the Privacy Officer shall implement appropriate changes to policies and/or personnel as he or she deems necessary, and shall do so as expeditiously as possible. The following illustrates how the Privacy Officer may make changes:
    • Policy changes: the Privacy Officer may find that the practice policies and/or procedures require adjustment. With approval from the company owner, the Privacy Officer shall make the necessary modifications by adding addenda to the current policies, and shall notify all staff members of the change(s) through inter-office memorandum. This shall be done as expeditiously as possible.
    • Personnel changes: the Privacy Officer may find that one or more staff members either do not understand or refuse to abide by Affinity Hearing’s policies and procedures on maintaining the privacy and confidentiality of PHI. It may be necessary for employees to be disciplined for violations of the practice policies. The disciplinary action will be based on the severity of the unauthorized release.
  • In all cases, the Privacy Officer shall document in writing the unauthorized use(s) or disclosure(s) of PHI, the person(s) responsible, and what action(s) (if any) were taken as a result of the violation(s). Where the investigation finds that unsecured PHI was acquired, accessed, used or disclosed without authorization, the Privacy Officer shall also assess, and document, whether the incident is a breach requiring notification of the affected individuals and the Secretary of Health and Human Services under the HIPAA Breach Notification Rule (45 CFR 164.400–414).

 

AFFINITY HEARING POLICY ON DISCLOSURE AUTHORIZATIONS/LIMITATIONS

PURPOSE

The purpose of this policy is to protect and ensure the confidentiality of clients’ health information. Confidentiality is both an ethical and a legal obligation. Employees of Affinity Hearing, especially those working with confidential health information, must be extremely vigilant about protecting clients’ records. Federal law protects the client’s right to privacy.

It is the policy of Affinity Hearing to respect and acknowledge the privacy and confidentiality of its clients. Client information and records are company information and records and, as such, may be shared with authorized staff on a need-to-know basis, as outlined in the Privacy Notice given to each client. Confidential client information may be released to persons or entities outside the company only with proper authorization or as specified in the Privacy Notice given to each client.

GENERAL POLICY

The patient has the right to authorize the release of information pertaining to their treatment or payment to other providers or entities. The patient also has the right to limit what information may or may not be released and to whom those limits apply.

PROCEDURES

Authorized Release

  • Before any protected health information is released, the patient must complete and sign a Release of Medical Information Request form.
  • If the entire medical record is to be disclosed, a written explanation of why the entire record needs to be disclosed is required.
  • The form must state an expiration date or an expiration event for the authorization; an authorization that lacks one is not valid under the Privacy Rule (45 CFR 164.508). The authorization remains in effect until that date or event, or until a written revocation is received by the Privacy Officer, whichever comes first.
  • The authorization is to be verified and given to the Privacy Officer for approval and action.
  • The authorization will be annotated with the disclosure date, the person distributing the protected health information, and how it was distributed (fax, mail, etc.).
  • The authorization will be added to the medical record, and the date it is added will be recorded on the authorization form.
  • If a letter of revocation is received, it will be attached to the authorization form, and the date and time the revocation is processed will be noted on the authorization form in the patient’s record. Disclosures made before the revocation was received remain valid; no further disclosures may be made under the revoked authorization.

Limited Release

  • If the patient elects to limit the disclosure of his/her protected health information and indicates this on the privacy notice acknowledgement, he/she must arrange to speak with the Privacy Officer or designee to discuss the limits requested. Upon approval and action by the Privacy Officer, the medical record will be marked accordingly.
  • If the patient later elects to remove the disclosure restrictions, he/she must inform the Privacy Officer in writing that the restrictions may be removed from the medical record. The Privacy Officer will annotate the medical record accordingly.

 

AFFINITY HEARING POLICY ON PATIENTS WHO REFUSE AUTHORIZATION

There may be times when you ask a patient for his or her authorization and the patient refuses to grant it. When this occurs, you should ask why the patient does not want Affinity Hearing to use his or her protected health information in the manner set forth in the authorization. Your response to the patient’s reason(s) will vary depending on the situation; however, you may never condition treatment or any other activity at Affinity Hearing on the patient’s willingness to sign an authorization.

If the patient refuses to sign the authorization, ask whether the patient understands the use(s) listed on the authorization form. Inform the patient that Affinity Hearing is limited to those uses; any use outside the explanation on the form is a violation of federal regulation. You may also explain to the patient the benefit(s) to Affinity Hearing of using that information. However, you must not pressure the patient into signing the form. If at any time you need assistance in explaining the authorization to the patient, find the Privacy Officer and ask him or her to help you.

Even after your explanations, the patient may still refuse to sign the authorization form. If you believe further discussion would not change the patient’s mind, simply note your attempt to have the patient sign on the form itself (including date, time, and your name) and pass the unsigned form to the Privacy Officer.

 

AFFINITY HEARING POLICY ON HANDLING PHI IN THE OFFICE/CLINIC

PURPOSE

To ensure the confidential and appropriate handling of protected health information (PHI) in public and non-public areas of the office/clinic where patients and other unauthorized persons may be present.

GENERAL POLICY

Affinity Hearing shall make reasonable efforts to protect privacy and limit disclosure of such information. Generally, if information identifies the individual and relates to his or her health status (or to payment for health services), it is considered PHI. Reasonable effort does not imply a mandate for major reconstruction or for changes that are cost prohibitive to the clinic/facility. Reasonable effort may include restructuring and/or reorganizing clinic information flow in areas where information is collected from and given to patients; improving personnel practices and habits in day-to-day activities to better prevent incidental disclosure of PHI; initiating stricter practices to safeguard patient records stored or used in public and non-public areas; and giving patients more choice in how and where they give and receive protected health information. The following procedures address these areas and are to be followed in limiting disclosure of protected health information.

PROCEDURES – PUBLIC AREAS

Waiting Area/Front Desk

  • Establish a protective barrier, by reasonable means, to separate the public waiting area from the front desk.
  • Politely defer all questions regarding a patient’s health status, reason for visit, etc. to the health care provider.
  • To significantly reduce patient interviews at the front desk, use patient enrollment forms to collect information on new patients or to update information on established patients.
    • Keep all completed patient enrollment forms, records, etc. away from the front desk area and public view, and always out of reach, e.g. on a table behind the desk, on a shelf or shielded area underneath the counter, in a closed file folder, or in a record holder facing away from the waiting area.
    • Position computer monitors away from public areas at all times so that no one can view information on the screens, or fit privacy filters to the monitors.
  • If feasible, place a shredder in the front desk area for immediate destruction of protected health information that no longer needs to be kept in the client record, e.g. a patient enrollment form after the data has been entered into the computer.
  • Use reasonable caution when making or receiving phone calls in the front desk area so that conversation does not carry into the waiting area, e.g. speak in low tones.
  • Whenever possible, do not leave the front desk unattended.
  • At the close of the business day, place all patient records and any other materials containing PHI in a file cabinet, preferably locked, in the front office/medical records room, out of the view and reach of unauthorized persons such as cleaning and maintenance staff.
  • Lock the door(s) to the front desk/medical records room before leaving.

Clinical/Exam Areas

Care and caution must be exercised at all times to assure privacy and confidentiality of PHI in hallways, waiting areas, multi-use and/or private exam areas of the facility.

Hallways/Waiting Areas

  • The Privacy Officer will enforce reasonable efforts to escort patients, or give them clear directions, to exam rooms and the check-out area, to minimize the risk of patients wandering unsupervised in areas where PHI may be seen or overheard.
  • Charts must not be left unattended in rolling carts, on tabletops, in open or unlocked file cabinets, or anywhere in full view of or accessible to unauthorized persons in hallways and waiting areas.
  • When chart holders are used, charts must be placed in them with identifying information facing away from hallways and public areas.
  • Doors to exam rooms should be closed during the interview or exam to reduce the risk of conversation carrying into hallways and waiting areas.
  • All staff must take care to avoid conversations in hallways and waiting areas that involve protected health information.

Private Office/Exam Room

  • During clinic hours, when records are in use and patients are coming and going from private offices/exam rooms, records must be safeguarded at all times to prevent accidental disclosure of PHI. A file cabinet, desk drawer, or shielded area behind the desk may be used to store records between patients when records require additional documentation, data entry into the computer, quality assurance review, etc.
  • If the provider must take a phone call from or about another patient while in the exam room with a patient, he or she should excuse himself or herself and take the call in another room, or write down the name and number and return the call later. Extreme caution must be taken when speaking with or about patients in the presence of other patients.
    • If the provider must leave the patient unattended, the patient record should be placed in a file drawer, desk drawer or shielded location out of arm’s reach of the patient, or the provider may take it along until he or she returns.
  • Private office/exam room doors should be closed when interviewing patients to reduce the risk of conversation carrying into hallways or waiting areas.
  • If other staff need to speak with the provider while he or she is in a private office or exam room with a patient, they should either call the provider if a phone is accessible in the room, or knock on the door and wait for the provider to answer.
  • Family members, friends, sales representatives, maintenance workers, cleaning service staff and other visitors must not be in clinical areas during office hours without good reason and the authorization of the Privacy Officer.
  • If emergency repairs or cleanup are necessary in the clinic area during business hours, the provider will consult with the Privacy Officer to make accommodations for them while making a good faith effort to abide by the privacy policies and protect the privacy of patients who may be in the facility at the time.
  • When private offices/exam rooms are not in use they must be kept in orderly fashion with no protected health information in view at any time.
  • Periodically, the Privacy Officer should walk through the clinic areas at the close of the business day and check that no PHI has inadvertently been left in view of cleaning service or maintenance workers who may have a valid and authorized reason to be in clinic areas after hours.

PROCEDURES – NON-PUBLIC AREAS

Medical Records

Medical records must be secure at all times with every reasonable effort made to maintain privacy of patient records during and after business hours.

  • Medical records storage (cabinets and the records room) should be equipped with locks to prevent access by unauthorized persons.
  • Patient records must be stored in a locked file cabinet when not in use, e.g. during lunch breaks and after hours.
  • Labels on medical records should carry only the minimum information necessary to identify the patient to whom the record belongs.
  • The Privacy Officer must ensure that an appropriate and confidential system is in place so that patient records are securely removed and routed from the front desk/record room to a secure location in the clinic area and are handled appropriately by clinical staff while delivering services to patients. All staff must be fully trained in and familiar with the clinic’s internal routing system for patient records from the front desk/record room to private offices/exam rooms and patient education/counseling areas and back to the front desk/record room.
  • When medical records are in transit from one internal location to another, they must be in the possession of authorized personnel only. Patients will not be asked to carry their record from one area to another.
  • Specific secure locations must be designated in each area (front desk/check-in, multi-use clinical area, private office/exam room, counseling areas, check-out/billing office, etc.) for holding records when they are not in use.
  • Whenever possible, medical records should be completed and returned to the record room no later than the day after the service is provided, data entry and/or billing is completed, or necessary documentation is added to the record. Records should not be held by personnel for extended periods without good reason and the authorization of the Privacy Officer.
  • Removal of medical records from the facility for reasons other than the delivery of services in the home or another non-traditional site is prohibited without good reason and the authorization of the Privacy Officer. When records are removed from the facility to provide services off-site, the policies and procedures for removal of PHI from the facility must be followed.
  • At the close of the business day, the Privacy Officer or his/her designee will ensure that the file cabinets in the records room are locked and that the door to the room is closed and locked (where applicable).

Staff Lounge/Break Room/Kitchen/Restrooms

  • Whenever practical, keep doorways closed in common areas that staff frequent when not interacting with patients, or use signs to prevent and/or discourage entry by unauthorized persons.
  • Family members visiting staff in the clinic must be accompanied at all times while they are in the building, including in areas set aside for the comfort and personal use of staff.
  • Charts and any other form of protected health information must not be left unattended in the lounge, break areas, kitchen, restrooms, etc.
  • Staff are discouraged from using break and personal areas of the building for discussing or sharing information regarding the care and/or condition of patients. Such discussions or consultations should take place in secure locations in the clinical area or in private offices, where the potential for disclosure through verbal communication is minimized.

SANCTIONS

Violation of this policy may result in disciplinary action up to and including termination of employment.

 

AFFINITY HEARING POLICY ON REMOVAL OF PROTECTED HEALTH INFORMATION FROM THE CLINIC

PURPOSE

To provide guidelines for the removal of Protected Health Information (PHI) from the facility in a way that protects the client’s confidentiality in accordance with the Health Insurance Portability and Accountability Act of 1996.

Definitions:

PHI: Individually identifiable health information that is (1) transmitted by electronic media; (2) maintained in electronic media; or (3) transmitted or maintained in any other form or medium. (45 CFR 160.103; the definition of electronic media was originally located at Sec. 162.103.)

Electronic Media: Electronic storage media, and the means of electronic transmission. It includes the Internet (wide-open), extranets (using Internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and transmissions that are physically moved from one location to another using magnetic tape, disk, or compact disk media.

Mobile Media: Any type of storage media that is easily transported from one place to another. Examples include disks, CD-ROMs, magnetic tape, USB flash drives, laptops, smartphones, and Personal Digital Assistants (PDAs).

GENERAL POLICY

All reasonable efforts must be taken to protect and ensure clients’ PHI remains secure and confidential when removed, stored or transported away from the facility.

Where electronic media is concerned, it is recommended that all files containing PHI be stored on file servers rather than on the hard drives of desktop computers, laptop computers, or other mobile media. This greatly simplifies the protection of PHI, since server access controls, logging and backups apply to it, and improves the ability to back up and recover the PHI; a copy kept on a laptop or removable drive is exposed or lost whenever the device is. It is recognized, however, that there are situations that require PHI to be stored on media other than file servers. In such situations, adherence to the following procedures is required.

PROCEDURES

Removing/Transporting PHI From the Facility

  • Prior approval must be obtained from the Privacy Officer before any PHI may be removed from the facility.
    • The Privacy Officer may grant standing approval to employees who regularly remove PHI from the facility in the performance of their jobs.
    • Secure the records for transport according to DHR policy, in a locked or sealed container.
    • You will be held personally responsible for the security of PHI in your possession, and you are accountable if a breach of confidentiality occurs.

Storage Facility

  • Notify the Privacy Officer of the need to move records to a secure storage facility.
  • The Privacy Officer will verify that the storage facility is a secure location, with access limited to authorized personnel or business associates by key, security ID or key card.
  • Upon approval by the Privacy Officer, the procedure for removing/transporting PHI from the facility must be followed.

Mobile Media

  • Personal Digital Assistants (PDAs) and other handheld devices containing PHI must be password protected so that a password or PIN is required to boot or unlock the device.
  • Laptop computers containing PHI must be physically secured when not in use or when left unattended. This may be accomplished by placing the laptop in a locked cabinet/closet, leaving the laptop in a locked office, or using a cable-and-lock security system that secures the laptop to furniture.
  • As an additional means of protection, it is highly recommended that file system encryption be used to encrypt files containing PHI. Such technology requires a key, PIN, or both to gain access to the information in the file. Encryption protects the data only while the device is locked or powered off and only if the key or PIN is not stored with or written on the device; a password written on the laptop defeats it.

SANCTIONS

Violation of this policy may result in disciplinary action up to and including termination of employment.

 

AFFINITY HEARING POLICY ON PATIENT CHECK-IN AND CHECK-OUT

PURPOSE

To ensure the privacy of our patients’ health information.

GENERAL POLICY

To ensure the privacy of our patients’ health information, Affinity Hearing shall use best efforts to protect privacy during the check-in and check-out process. This may include installing physical dividers, using written enrollment forms, or interviewing the patient in a private interview area. Employees must never discuss a patient’s private health information at the front desk within earshot of other individuals.

Further, at no time should any employee leave forms or other items containing a patient’s health information on top of the front desk counter or in any other location where individuals in the waiting room can view them.

PROCEDURES

New Patient

When a new patient comes into the office for the first time, he or she is given a Notice of Health Information Practices, which outlines our standards on how their medical information is protected as well as their rights to view and copy their medical information. The Notice includes a perforated acknowledgment that the patient should sign, listing any restrictions they wish to place on their protected health information. The Notice is made available to the patient in paper form. The patient is instructed to have a seat, read and fill out the forms, sign them, and return them to the front desk when completed. The perforated section of the Notice must be kept in the medical record system in a way that allows it to be easily retrieved.

If the patient has any questions about the Notice or wishes to request restrictions on their health information, the receptionist, if well trained, may answer the patient’s questions or call the clinic’s Privacy Officer.

If the patient refuses to sign the Notice of Health Information Practices, indicate on the form that you attempted to provide the information but the patient refused to sign the perforated section, and sign your name. Then proceed to provide services as if the patient had signed, as we will not deny services because a patient is unwilling to sign the acknowledgement of the Notice.

Established Patient

When an established patient comes into the clinic, the receptionist will verify that Affinity Hearing has a current HIPAA Acknowledgement Form signed by the patient on file. If not, the receptionist will follow the instructions for new patient check-in above, then proceed to Registration below.

Registration

Once the patient has completed the necessary forms and returned them to the receptionist, the receptionist will remove the forms from the top of the desk and place them where individuals in the waiting room cannot view them (e.g., below the top of the desk, on the far side of the computer terminal, etc.). The receptionist will ask the patient to return to the waiting room to wait for his or her name to be called. The receptionist can then enter the new or updated information into the patient record system.

Call Back

When an exam room is ready, a provider or other staff member will go to the waiting room and call the next patient’s name. At no time will this individual announce the reason for the patient’s visit, any symptoms the patient may be experiencing, or any tests to be conducted on the patient. The employee is limited to saying the patient’s name and the name of the provider who will see the patient; no other health-related information should be spoken aloud in the waiting room.

If the patient asks a non-provider employee a question regarding their health status, inform the patient the provider will answer their questions after they enter the exam room and close the door.  Inform the patient this is to protect their privacy.

 

Check Out

After the patient has completed their visit and is back in the waiting room, the receptionist will present the patient with a statement of how much they owe (if any) and ask how they would like to pay (cash, check, credit card). If the patient wants to discuss more sensitive information regarding their account, the receptionist should consider moving the conversation to a more confidential area.

At no time shall the receptionist or any other employee leave a patient’s bill or other private item unattended at the front desk. If the patient is not ready to accept these items, the receptionist will keep them behind the counter at the front desk until the patient is present to accept them.

SANCTIONS

Violation of this policy may result in disciplinary action up to and including termination of employment.

 

AFFINITY HEARING POLICY ON THE NOTICE OF PRIVACY PRACTICES FOR PROTECTED HEALTH INFORMATION

PURPOSE

To ensure that every effort is made to adhere to the Health Insurance Portability and Accountability Act of 1996 by providing individuals with adequate notice of the uses and disclosures of protected health information that may be made by Affinity Hearing, and of employees’ responsibilities with respect to protected health information.

GENERAL POLICY

In a direct treatment relationship, Affinity Hearing must make a good faith effort to obtain an individual’s written acknowledgement of receipt of the Affinity Hearing Notice of Privacy Practices no later than the date of the first service delivery, and must post the notice in a clear and prominent location at the service delivery site.  The notice must also be available on request for individuals to take with them.

PROCEDURES

  • The Notice of Privacy Practices, together with the name and phone number of the current Privacy Officer, is to be posted in a clear and prominent location at the service delivery site, and copies of the current notice are to be available for patients to take with them at the front desk.
    • If Affinity Hearing revises the Notice of Privacy Practices, the revised notice will be made available to clients.
  • When a client presents for service, he/she will be offered a copy of the Notice of Privacy Practices and will be asked to sign an acknowledgement of receipt of the notice.
    • When the client signs the acknowledgement of receipt, it is to be attached to the client’s paper record or, in the case of a service without a paper record, filed alphabetically in a designated place.  There is currently no time limit on retention of this form.
    • If the client refuses to sign the acknowledgement, the employee is to complete and sign the “attempt to obtain signature” form and file it in the client record or alphabetically in the designated place.
  • In emergency treatment situations, the notice must be provided as soon as reasonably practicable after the emergency.
  • All requests to restrict (limit) the disclosure of protected health information will be handled by the Affinity Hearing Privacy Officer.

SANCTIONS

Violation of this policy may result in disciplinary action up to and including termination of employment.

 

AFFINITY HEARING POLICY ON TELEPHONE REQUESTS FOR PHI

PURPOSE

To ensure the privacy of our patients’ health information when disclosing protected health information over the telephone.

GENERAL POLICY

Telephone conversations present the most difficulty in protecting our patients’ privacy.  To ensure the privacy of our patients’ health information, Affinity Hearing shall use its best efforts to verify that a caller requesting protected health information is the person they claim to be, and that Affinity Hearing has permission to provide the caller with the requested information.

PROCEDURES

You should always be on guard when you speak on the telephone.  Never assume the caller is who they say they are; treat every caller as someone who may be impersonating a patient in an attempt to gain access to personal health information.  This is true even if you know the patient or think you recognize his or her voice; you simply do not know who is calling.

 

If the caller is the patient:

If a caller claims to be a patient of Affinity Hearing you must take reasonable steps to verify his or her identity.  Therefore, before you reveal any personal health information over the telephone (including billing information), you must verify the identity of the caller.  Ask the caller to state several items that can be checked against the patient record, such as the following (have the caller supply each answer; do not read the information from the record and ask the caller to confirm it):

  1. “What is your date of birth?”
  2. “What is your last name?”
  3. “What is your phone number?”
  4. “What is your mailing address?”

Only when every answer matches the patient record may you disclose personal health information to the caller.  Keep in mind that these items are not secret and may be known to a family member or an impersonator; if any answer does not match, the caller cannot answer, or you remain in doubt, disclose nothing and refer the caller to the Privacy Officer.

 

If the caller is another treatment provider:

Use your best effort to verify that the caller is another treatment provider of the patient.  Suggested ways to do this are:

  1. Tell the caller we will call them back at the provider’s published phone number (a number we look up ourselves, not one supplied by the caller).
  2. Check the patient’s record to see if the patient has been referred to this treatment provider or has listed this treatment provider in their medical history.

If you feel uncomfortable disclosing the requested information to the caller, refer the caller to the Privacy Officer.

If you are satisfied that the caller is another treatment provider, you may share information that relates to the treatment of that patient, subject to the “minimum necessary” standard.  Log the disclosure in the patient’s event record.

If the caller is not the patient and not another treatment provider:

You can only provide protected health information to the patient or to another treatment provider.  You are not permitted to disclose any protected health information to anyone else, unless you have written authorization from the patient or unless the disclosure is required by law.  This includes spouses, children, friends, attorneys, or other “representatives” of the patient.

If the caller isn’t the patient or another treatment provider of the patient, ask:

  1. Who they are
  2. What information they are requesting
  3. Why do they need this information?
  4. Check the medical record to see if there is an authorization to release this information
  5. Check the Notice of Privacy Practices Acknowledgment Form to see if this person is listed as a personal representative.
  6. If not, explain to the caller that we are not permitted to disclose this information without authorization from the patient

If the caller is not satisfied, offer to refer him or her to the Privacy Officer, who will explain why Affinity Hearing is limited in what we can reveal over the telephone.

If a spouse is calling to make a payment on an account, you may take the payment information, but you cannot reveal any information about the account, including the current balance.  In this situation, you may say, “I would be happy to take this information, but I cannot disclose any information to you.”

SANCTIONS

Violation of this policy may result in disciplinary action up to and including termination of employment.

 

POLICY ON MAIL DISTRIBUTION

PURPOSE

To assure every effort is made for adherence to the Health Insurance Portability & Accountability Act of 1996, the Open Records Act, OCGA § 50-18-70 et seq., and the Open Meetings Act, OCGA § 50-14-1 et seq., as amended effective July 1, 1999.

GENERAL POLICY

Adherence to the Affinity Hearing Policy of Confidentiality is expected when receiving and distributing mail containing protected health information. Properly completed and signed authorizations must be obtained to release protected health information.

PROCEDURES

Incoming Mail

  • The front office staff will deliver unopened envelopes or packages to the designated program staff, support staff or person to whom the mail is addressed.
  • The designated staff will not open mail marked PERSONAL or CONFIDENTIAL without the written authorization of the person to whom the mail is addressed.
  • Mail or courier packages that are not addressed to a specific person or program should be opened by the front office staff, reviewed and delivered according to content.

If an unauthorized person receives mail containing PHI, they should notify the Privacy Officer immediately.

Outgoing Mail

  • Envelopes or packages must be sealed, with the mailing address and return address clearly written on the outside of the envelope/package.
  • Place in the centrally designated location for the facility.
  • Ensure that proper postage is affixed in the upper right-hand corner of the envelope or package.

SANCTIONS

Violation of this policy may result in disciplinary action up to and including termination of employment.

 

AFFINITY HEARING’S POLICY ON FAXING PROTECTED HEALTH INFORMATION

PURPOSE

To provide guidelines for receipt, use and dissemination of protected health information by facsimile.

GENERAL POLICY

Adherence to Affinity Hearing’s Policy of Confidentiality is expected when facsimile is used to transmit patient health information.  Properly completed and signed authorizations must be obtained to release patient information.  An authorization transmitted by fax is acceptable, provided the signature is verified.  In medical emergencies, the information may be released without authorization when the provider or business associate requesting the information is required by law to treat the individual, or when there are substantial communication barriers or threats to the health of the public.

HIPAA provisions allow facsimile transmission of data for treatment, payment and healthcare operations without an authorization.  Even so, it is recommended that specific patient healthcare information be faxed only when the data are to be used for patient care, and only when the original document or a mail-delivered photocopy will not serve the purpose.  When faxed duplicates are used instead of the original medical record, destroy the copied material once the use is completed.

Fax users must be instructed on the proper procedures for handling confidential information.  Fax machines must be located in a secure area that is protected from public view and accessible only to those employees legitimately entitled to access protected health data.

PROCEDURES

For Transmitting PHI

  • Use a cover letter for each fax transmission and retain a copy in the correspondence file.
  • Whenever possible, verify the recipient’s fax number and availability by telephone before sending, and log the fax transaction.
  • Notify the recipient of any misdirected or returned fax and file an incident report.
  • When faxed information is to be included in a medical record, it must be clearly legible, complete, accurate and dated, with appropriate signatures as indicated.
  • Faxed data must include:
    • Date and time of fax transmission
    • Sending facility’s name and address
    • Sending facility’s telephone and fax number
    • Sender’s name
    • Receiving facility’s name and address
    • Receiving facility’s telephone and fax number
    • Authorized receiver’s name
    • Number of pages sent
    • Statement regarding disclosure
    • Statement regarding confidentiality

If a fax transmission fails to reach the intended recipient, or may have been misdirected, check the fax machine’s internal log to determine the number it was actually sent to, and give the fax or letter to the Privacy Officer.  The Privacy Officer will then contact the requestor to get more details about the information requested and/or its intended use.  For information requested in connection with a legal proceeding, a copy of an official judicial subpoena or court order is required.

For Receiving and Handling of Fax

 

  • Remove any incoming material promptly
  • Count the number of pages received and compare it with the number stated on the cover letter
  • Follow any instructions on the cover letter
  • Ensure that the information is routed to the intended receiver in a prompt and secure manner.
  • If the recipient is not available to receive the information, seal the faxed documents in an envelope and set them aside for pickup, or deliver them to the recipient’s private mail or pick-up basket.
  • If a fax containing PHI has been sent to an incorrect number and the Privacy Officer deems it necessary, send a notice to that number explaining that the information was misdirected and asking the recipient to destroy all documents received from Affinity Hearing.

Examples of Confidentiality Statements

“The information contained in this facsimile message is privileged and confidential information intended for the use of the addressee listed above.  If you are neither the intended recipient nor the employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any disclosure, copying, distribution or the taking of any action in reliance on the contents of this Tele-copied information is strictly prohibited.  If you have received this facsimile in error, please destroy it and immediately notify us by telephone by calling us at the number above.”

“The information contained in this facsimile message is privileged and confidential information intended for the use of the addressee listed above.  If you are neither the intended recipient nor the employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any disclosure, copying, distribution or the taking of any action in reliance on the contents of this facsimile is strictly prohibited.  If you have received this facsimile in error, please destroy it and immediately notify us by telephone by calling us at the number above.”

“This facsimile may contain confidential or privileged information and is intended only for the recipient named above.  Receipt of this transmission by any person other than the intended recipient does not constitute permission to examine, copy or distribute the accompanying material.  If you receive this facsimile in error, please notify us by telephone and return the original facsimile to us by mail.”

“This message is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law.  If the reader of this message is not the intended recipient, or the employee or agent responsible for delivering it to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited.  If you received this communication in error, please notify us immediately by telephone and return the original message to us at the above address.  Thank you.”

SANCTIONS

Violation of this policy may result in disciplinary action up to and including termination of employment.

 

AFFINITY HEARING POLICY ON E-MAIL REGARDING PROTECTED HEALTH INFORMATION

PURPOSE

To assure that client Protected Health Information (PHI) confidentiality and privacy is maintained in accordance with the Health Insurance Portability And Accountability Act of 1996.

GENERAL POLICY

Our clients’ PHI is considered private and confidential and as such should remain secure at all times.  Although every attempt is made to secure our e-mail system, it is not considered a completely secure environment.  Therefore, every attempt should be made to de-identify PHI and to adhere to the minimum necessary rule when sending PHI through e-mail.

PROCEDURES

PHI in E-Mail

 

  • Staff will de-identify PHI where applicable
  • Staff will send only the minimum necessary information
  • Recipient e-mail addresses must be verified before sending; do not use group addresses or distribution lists
  • Add a confidentiality statement to the body of the e-mail message
  • Send PHI as an attachment rather than in the body of the message
  • E-mail containing PHI should be destroyed in accordance with the Destruction of PHI Policy
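The first two items above, de-identify where applicable and send only the minimum necessary, are the only technical controls this policy names, so the following added example (not part of Affinity Hearing’s policy or systems) shows what de-identification looks like in practice using the HIPAA Privacy Rule’s Safe Harbor method (45 CFR 164.514(b)(2)): direct identifiers are dropped, dates are reduced to the year, ZIP codes to three digits, ages over 89 to “90+”, and free text is scrubbed of the identifier formats that commonly leak into notes. The record field names, the sample patient, the restricted ZIP-prefix set and the regular expressions are assumptions constructed for the example; a pattern scrubber does not catch names or other identifiers written out in free text, so de-identified output still needs a human check before it is e-mailed.

```python
"""De-identify a patient record before it is e-mailed (added example).

Implements the HIPAA Privacy Rule Safe Harbor method (45 CFR 164.514(b)(2)):
the listed identifier categories are removed or generalised.  The field
names, the sample record, the restricted-ZIP set and the free-text patterns
are assumptions for this example, not Affinity Hearing's actual record layout.
"""
import re
from datetime import date

# Fields dropped outright (assumed record layout).
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric", "photo",
}

# Date fields reduced to the year only.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "visit_date"}

# Three-digit ZIP prefixes covering 20,000 people or fewer must be reported
# as "000".  The real list comes from Census data; this set is a constructed
# placeholder for the example.
RESTRICTED_ZIP3 = {"036", "059", "102", "203"}

# Identifier formats that commonly leak into free-text notes (assumed patterns).
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"), "[DATE]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
]

# Constructed sample record; not a real patient.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "street": "12 Elm St",
    "city": "Somewhere",
    "zip": "30301",
    "phone": "404-555-0100",
    "email": "jane@example.com",
    "mrn": "MRN-0001",
    "dob": date(1921, 6, 15),
    "visit_date": date(2013, 10, 2),
    "hearing_loss": "moderate sensorineural, bilateral",
    "notes": "Called 404-555-0100 on 10/2/2013; SSN 123-45-6789 on file.",
}


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits, or '000' for a restricted prefix."""
    zip3 = zip_code[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_age(dob: date, as_of: date) -> str:
    """Age in years, aggregated to '90+' for anyone over 89."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age > 89 else str(age)


def scrub_text(text: str) -> str:
    """Replace identifier-shaped substrings in free text with placeholder tokens."""
    for pattern, token in FREE_TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text


def deidentify(record: dict, as_of: date) -> dict:
    """Return a Safe Harbor de-identified copy of ``record``."""
    age = generalize_age(record["dob"], as_of) if "dob" in record else None
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key in DATE_FIELDS:
            # Year alone is permitted, except that a birth year for a patient
            # over 89 would itself reveal the aggregated age, so drop it.
            if key == "dob" and age == "90+":
                continue
            out[key + "_year"] = value.year
        elif key == "zip":
            out["zip3"] = generalize_zip(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    if age is not None:
        out["age"] = age
    return out


def minimum_necessary(record: dict, needed: set) -> dict:
    """Project the record onto the fields the recipient actually needs."""
    return {k: v for k, v in record.items() if k in needed}


if __name__ == "__main__":
    safe = deidentify(SAMPLE_RECORD, date(2013, 10, 2))
    print(minimum_necessary(safe, {"hearing_loss", "age", "notes"}))
```

Running the block on the constructed record leaves only the visit year, the three-digit ZIP, the diagnosis text, the scrubbed notes and the aggregated age; the birth year is dropped because, with an age of 90+, it would itself reveal the aggregated age. Apply minimum_necessary after de-identification so that the e-mail carries only the fields the recipient’s stated purpose requires.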

Receiving PHI in E-Mail in Error

 

  • Print the e-mail and attachments containing PHI
  • Delete the e-mail and attachments containing PHI
  • Empty e-mail trash
  • Notify Privacy Officer of incident providing printed documents containing sender name, sender location and PHI received

Example Confidentiality Statement

“This message and any included attachments are from Affinity Hearing and are intended only for the addressee(s).  The information contained herein may include privileged or otherwise confidential information.  Unauthorized review, forwarding, printing, copying, distributing, or using such information is strictly prohibited.  If you receive this message in error or have reason to believe you are not authorized to receive it, please promptly delete this message and notify the sender by e-mail.  Thank you.”

SANCTIONS

Violation of this policy may result in disciplinary action up to and including termination of employment.

 

AFFINITY HEARING POLICY ON PATIENT ACCESS TO PROTECTED HEALTH INFORMATION

PURPOSE

To protect and ensure the confidentiality of our patients’ protected health information.

GENERAL POLICY

The HIPAA Privacy Rule requires a health care organization to give a patient access to (inspect and obtain a copy of) the protected health information it keeps on that patient in a “designated record set”, for as long as it is maintained in the “designated record set”.  Patients have a right to protected health information that is used to make decisions about such things as their healthcare and insurance claims.  According to the Privacy Rule, the protected health information must be provided within 30 days of the request.

The Georgia Open Records Act, OCGA § 50-18-70(b), provides that medical records are exempt from disclosure if their disclosure would be an invasion of privacy.  Since a patient’s access to his or her own medical records is not an invasion of privacy, all requests by patients to access their own protected health information shall be permitted under the Georgia Open Records Act.  Furthermore, access to the protected health information will be permitted within 3 business days, as required by the Act.

PROCEDURES

Identify the requestor by asking them:

1)    Who they are – ask to see their driver’s license, employment I.D., or other picture identification.

2)    What information they are requesting

3)    Why do they need this information

Once you are assured the requestor is the patient you may disclose the information.  Please refer to The Georgia Open Records Act for more information.

SANCTIONS

Violation of this policy may result in disciplinary action up to and including termination of employment.

 

AFFINITY HEARING POLICY ON PERSONAL REPRESENTATIVE’S ACCESS TO PROTECTED HEALTH INFORMATION

PURPOSE

To protect and ensure the confidentiality of our patients’ protected health information.

GENERAL POLICY

The HIPAA Privacy Rule requires a health care organization to give a patient’s personal representative access to (inspect and obtain a copy of) the protected health information it keeps on that patient in a “designated record set”, for as long as it is maintained in the “designated record set”.  Personal representatives have a right to protected health information that is used to make decisions about such things as the patient’s healthcare and insurance claims.  Under the Georgia Medical Consent Law, OCGA § 31-9-2, the persons who may consent to medical treatment, and who are therefore treated as personal representatives, are:

1)    Any person authorized to give such consent for the adult under a health care agency complying with Chapter 36 of Title 31, the “Durable Power of Attorney for Health Care Act”

2)    In the absence or unavailability of a living spouse, any parent, whether an adult or a minor, for his minor child

3)    Any married person, whether an adult or a minor, for himself and for his spouse

4)    Any person temporarily standing in loco parentis, whether formally serving or not, for the minor under his care; and any guardian, for his ward

5)    Any female, regardless of age or marital status, for herself when in connection with pregnancy, or the prevention thereof, or childbirth

6)    Upon the inability of any adult to consent for himself and in the absence of any person to consent under 2 – 5 above, the following persons in the following order of priority

a)    Any adult child for his parents

b)    Any parent for his adult child

c)    Any adult for his brother or sister

d)    Any grandparent for his grandchild

According to the Privacy Rule, HIPAA rights, including the right to sign a Notice of Health Information Practices acknowledgement, an authorization form, and access rights, all flow to whoever has the “right to make health care decisions.”  The question then becomes whether the minor patient has the right to make his or her own health care decisions.  Please refer to the Georgia Medical Consent Law.

It is the policy of Affinity Hearing to abide by this rule according to the following procedures:

PROCEDURES

The facility privacy officer or treating provider will make decisions regarding a personal representative’s request to access the patient’s protected health information.  If the personal representative appeals a denial and requests a review, and the appeal meets the review criteria, the district privacy officer or the facility privacy officer (if not the person who made the initial decision) will review the denial.

If the same protected health information is maintained at more than one location, you are only required to produce the information once per request for access.

There are eight exceptions to this requirement.  If these exceptions apply, covered entities may deny access, but are not required to do so.  You may provide all of the information requested or evaluate the requested information, consider the circumstances surrounding the personal representative’s request, and make a determination as to whether that request should be granted or denied, in whole or in part.  If you deny access, in whole or in part, you must, to the extent possible, give the personal representative access to any other protected health information requested after excluding the protected health information to which you have a ground to deny access.   The eight exceptions are as follows:

Exceptions – Non-Reviewable:

(If you deny access, personal representative does not have a right for a review.)

Psychotherapy Notes – notes recorded by a health care provider who is a mental health professional documenting the contents of a conversation during a counseling session and that are separated from the remainder of the patient’s medical record.

Anticipation of a Legal Proceeding – information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.

CLIA – information that is subject to, or exempted from, the Clinical Laboratory Improvement Amendments of 1988.

Clinical Trial – information that was obtained in the course of a clinical trial or research, if the patient agreed to the denial of access in consenting to participate.  Once the trial or research is completed, the personal representative’s right of access is reinstated.

Promise of Confidentiality –  (all three must apply)

1)    information obtained from someone other than a health care provider, and

2)    obtained under the promise of confidentiality, and

3)    the inspection and copying would likely reveal the source of the information.

Exceptions – Reviewable Exceptions

(If you deny access you must have an appeal process in place to review the denial.)

 

Endanger the Life – a licensed health care professional determined the inspection and copying was reasonably likely to endanger the life or physical safety of the patient or another person.  Under this reason for denial, you may not deny access on the basis of the sensitivity of the health information or the potential for causing emotional or psychological harm.

Serious Harm – the information requested makes reference to someone other than the patient (and other than a health care provider) and a licensed health care professional determined the inspection and copying was reasonably likely to cause substantial harm to the other person.

Personal Representative – the request was made by the patient’s personal representative, and a licensed health care professional determined the inspection and copying was reasonably likely to cause substantial harm to the patient, his or her personal representative, or another person.

PROCEDURES

Simple Request: (a verbal request that can be answered simply, if the requestor has permission, by asking for limited information)

1)    Identify the requestor by asking:

a)    Who they are – ask to see their driver’s license, employment I.D., or other picture identification

b)    What information they are requesting

c)    Why they need this information

2)    Check the medical record to see if there is an authorization to release this information

3)    Check the Notice of Health Information Practices Acknowledgment Form to see if this person is listed as a personal representative.

4)    If authorized, release the information and record the disclosure in the patient’s event file.

5)    If not, explain to the requestor that we are not permitted to disclose this information without authorization from the patient.

SANCTIONS

Violation of this policy may result in disciplinary action up to and including termination of employment.

 

AFFINITY HEARING’S POLICY ON

Requests for PHI by Other Than Patients, Their Treatment Providers, or Their Personal Representative

PURPOSE

To protect and insure confidentiality of our patients’ protected health information.

GENERAL POLICY

It is the policy of Affinity Hearing that the identity and authorization of all persons requesting protected health information are confirmed prior to release of any information.

PROCEDURES

You can only provide protected health information to the patient or to another treatment provider.  You are not permitted to disclose any protected health information to anyone else, unless you have written authorization from the patient or unless the disclosure is required by law.  This includes spouses, children, friends, attorneys, or other “representatives” of the patient.  You may receive a request for a patient’s protected health information from someone other than the patient, their personal representative, or their treatment provider.  When you receive such a request, you must follow these steps before revealing ANY protected health information.  No matter how insistent the requestor, you CANNOT disclose any information about the patient before completing these steps.

In person: If someone, other than the patient, their personal representative, or their treatment provider comes in to the office and makes a request for a patient’s protected health information, you must first verify the identity of the individual.

Simple Request: (a verbal request that can be answered simply, if they have permission, by asking limited information)

1)    Identify them by asking them:

a)    Who they are – ask to see their driver’s license, employment I.D., or other picture identification

b)    What information they are requesting

c)    Why do they need this information?

2)    Check the medical record to see if there is an authorization to release this information

3)    Check the Notice of Health Information Practices Acknowledgment Form to see if this person is listed as a personal representative.

4)    If authorized, release the information and record the disclosure in the patient’s event file.

5)    If not, explain to the requestor that we are not permitted to disclose this information without authorization from the patient.

If the requestor is unhappy, refer him or her to the Privacy Officer, who will explain why Affinity Hearing is limited in what we can reveal about our patients.

If the requestor is a public official, you must verify the identity of the individual making the request by examining an official letter from the agency or department where the individual is employed (or represents), a government identification badge, or similar proof of official status.  The individual must also present to you written evidence of the agency’s legal authority to obtain the information.

If the requestor is an attorney and the information is to be used in a legal proceeding, you must ask for and copy an official judicial subpoena or other official court document supporting the attorney’s legal authority to request the patient’s information.

SANCTIONS

Violation of this policy may result in disciplinary action up to and including termination of employment.

 

AFFINITY HEARING POLICY ON AMENDING A PATIENT’S MEDICAL RECORD

PURPOSE

To provide guidelines for responding to a patient’s request to amend their medical record.

GENERAL POLICY

The HIPAA Privacy Rule gives individuals the right to request an amendment to their protected health information as long as Affinity Hearing maintains the information.

PROCEDURES

Patients who believe information in their health records is incomplete or incorrect may request an amendment or correction to the information.  The employee should follow the steps outlined below when a patient makes such a request.

The patient may approach the author of the entry (the treating provider), point out the error, and ask the author to correct it.  Alternatively, the patient can contact the Privacy Officer to ask for a correction to his/her medical information.

Corrections can be completed by the author, who may add a progress note to clarify the content.  The original entry should not be erased or obscured; the correction is added alongside it so that the record shows what was changed, when, and by whom.

SANCTIONS

Violation of this policy may result in disciplinary action up to and including termination of employment.

 

AFFINITY HEARING POLICY ON BUSINESS ASSOCIATES

PURPOSE

To assure every effort is made to adhere to the Health Insurance Portability and Accountability Act of 1996.

GENERAL POLICY

Under current federal regulations, Affinity Hearing is required to ensure that all individuals and organizations deemed “Business Associates”, as that term is defined in the federal regulations, follow our policies and procedures for protecting our patients’ health information.  This includes both current Business Associates (BAs) and future BAs.  The Privacy Officer shall make the final determination as to 1) whether an organization with which Affinity Hearing has a relationship is a BA within the meaning of the federal regulations, and 2) whether Affinity Hearing has received adequate written assurances that the other entity will abide by our privacy and security policies.

PROCEDURES

Step One: Determining Affinity Hearing’s Business Associates

The federal regulations define a BA as an entity that performs certain services “for” Affinity Hearing, or an entity that acts “on behalf of” Affinity Hearing, as long as the services involve the use or disclosure of our patient’s protected health information.  Some examples of a BA are:

  • Legal
  • Actuarial
  • Accounting
  • Consulting
  • Management
  • Administrative accreditation
  • Data aggregation
  • Financial services

If any entity performs the above-mentioned services “on behalf of” Affinity Hearing AND the entity will use or disclose protected health information, they are deemed a Business Associate and therefore require the appropriate safeguards in any agreement.

Some entities may be obvious Business Associates; others, however, may require more investigation.  The Privacy Officer may need to review each entity’s agreement with Affinity Hearing.  Upon reasonable investigation, the Privacy Officer will determine whether there is a need for the BA safeguards as specified in the federal regulations, and will document his or her decision, which will be kept on file as an attachment to the current agreement or contract.

Step Two: Establishing Safeguards

Once a BA has been identified, the Privacy Officer will use the BA Checklist survey to analyze whether adequate assurances are in place.  The Business Associate is not required to adopt our privacy policies and may submit its own privacy policies to the Privacy Officer for review.  The Privacy Officer may then accept the BA’s policies without additions, may submit to the BA additions providing for further safeguards, or may reject the BA’s policies altogether.

Current Business Associates

For current BAs, the Privacy Officer should contact the BA and inform them that, under federal regulations, Affinity Hearing must attach an Addendum to the current contract between the two organizations.  This Addendum will add to the current agreement the language necessary for the BA and Affinity Hearing to comply with federal regulations.  The Privacy Officer should contact the BA as soon as practicable, and should send the Addendum to the BA for approval, along with a copy of Affinity Hearing’s current privacy policies.

Potential Business Associates

When Affinity Hearing begins a new relationship with another organization that involves the use or disclosure of protected health information, the other organization should be deemed a BA.  The Privacy Officer must include in the agreement between Affinity Hearing and the other organization language stipulating that the other organization must abide by Affinity Hearing’s privacy policies and procedures.

 

AFFINITY HEARING POLICY ON

FILE SERVER SECURITY

PURPOSE

To provide guidelines for securing and protecting file servers that have Protected Health Information (PHI) stored on them.

GENERAL POLICY

It is critical that our clients’ PHI be kept secure and confidential in accordance with the Affinity Hearing Policy of Confidentiality.  Since PHI is stored on the application file server, it is equally important that proper measures are taken to secure the application file server.

PROCEDURES

  • Physical Protection – Select a low traffic area and one or more of the following methods for protecting the file server:
      • Secure the server to a permanent structure using a cable and lock
      • Place the server in a lockable server cabinet
      • Place the server in a room that will be locked when authorized staff are not present
      • In addition to one of the above methods, the removal of the server monitor and/or keyboard should also be considered when either attachment is not required for use.
  • Backup Media – Designate staff to be responsible for backup and media storage.  Store backup media in a locked fireproof safe.  Rotate one copy to a secure off-site location.  Backup media should be placed in a locked container for transport and storage.
  • Firewall – Installation of firewall protection for the application file server should be considered.

SANCTIONS

Violation of this policy may result in disciplinary action up to and including termination of employment.


AFFINITY HEARING POLICY ON THE

DESTRUCTION OF PROTECTED HEALTH INFORMATION

PURPOSE

To provide a guideline for destroying Protected Health Information (PHI) in a way that protects the client’s confidentiality in accordance with the HIPAA Privacy Rule.

GENERAL POLICY

To protect and ensure that clients’ PHI remains secure and confidential after records are destroyed.

PROCEDURES

Protected health information should be destroyed in accordance with state approved records retention schedules (OCGA § 50-18-102).  This information must be destroyed so that it cannot be read, interpreted or reconstructed.  Further guidelines on records destruction can be found in DHR Operating Procedure No. IX, dated September 23, 1993.

  • Records are to be destroyed according to schedule referenced above if the schedule permits destruction.
  • Records not specified in the schedule referenced above should be destroyed whenever they are deemed of no further use.

Methods of Destruction

  • Paper records must be shredded or burned.
  • Email and attachments should be deleted, and THE “TRASH” MUST BE EMPTIED.
  • Electronic media that has stored PHI must be destroyed if it is no longer being utilized.  Types of magnetic media and appropriate destruction methods are:
      • Hard disk drives – remove unused hard disk drives from computers and destroy the drive
      • Compact Disks – destroy by breaking the disk

SANCTIONS

Violation of this policy may result in disciplinary action up to and including termination of employment.