Purpose: The
following privacy policy is adopted to ensure that this medical
practice complies fully with all federal and state privacy
protection laws and regulations. Protection of patient privacy
is of paramount importance to this organization. Violations
of any of these provisions will result in severe disciplinary
action including termination of employment and possible referral
for criminal prosecution.
Effective Date: This policy is
in effect as of May 1, 2004.
It is the policy of this medical practice that we will adopt,
maintain and comply with our Notice of Privacy Practices,
which shall be consistent with HIPAA and California law.
Notice of Privacy Practices
It is the policy of this medical practice
that a notice of privacy practices must be published, that
this notice be provided to all subject individuals at the
first patient encounter if possible, and that all uses and
disclosures of protected health information be done in accord
with this organization’s notice of privacy practices.
It is the policy of this medical practice to post the most
current notice of privacy practices in our “waiting
room” area, and to have copies available for distribution
at our reception desk.
Assigning Privacy and Security
Responsibilities
It is the policy of this medical practice that specific
individuals within our workforce are assigned the responsibility
of implementing and maintaining the HIPAA Privacy and Security
Rule’s requirements. Furthermore, it is the policy
of this medical practice that these individuals will be
provided sufficient resources and authority to fulfill their
responsibilities. At a minimum it is the policy of this
medical practice that there will be one individual or job
description designated as the Privacy Official. This organization’s
Privacy and Security Official is the Project Coordinator
of the Brinton Psychiatric Homeless project.
Deceased Individuals
It is the policy of this medical practice that privacy
protections extend to information concerning deceased individuals.
Minimum Necessary Use and Disclosure of Protected
Health Information
It is the policy of this medical practice that for all
routine and recurring uses and disclosures of PHI (except
for uses or disclosures made 1) for treatment purposes,
2) to or as authorized by the patient or 3) as required
by law for HIPAA compliance), such uses and disclosures of
protected health information must be limited to the minimum
amount of information needed to accomplish the purpose of
the use or disclosure. It is also the policy of this medical
practice that non-routine uses and disclosures will be handled
pursuant to established criteria. It is also the policy
of this organization that all requests for protected health
information (except as specified above) must be limited
to the minimum amount of information needed to accomplish
the purpose of the request.
Marketing Activities
It is the policy of this medical practice that any uses
or disclosures of protected health information for marketing
activities will be done only after a valid authorization
is in effect. It is the policy of this organization to consider
marketing any communication to purchase or use a product
or service where an arrangement exists in exchange for direct
or indirect remuneration, or where this organization encourages
purchase or use of a product or service. This organization
does not consider the communication of alternate forms of
treatment, or the use of products and services in treatment
to be marketing. Further, this organization adheres to the
HIPAA Privacy Rule that a face-to-face communication made
by us to the patient, or a promotional gift of nominal value
given to the patient does not require an Authorization.
Mental Health Records
It is the policy of this medical practice to require an
authorization for any use or disclosure of psychotherapy
notes, as defined in the HIPAA regulations, except for treatment,
payment or health care operations as follows:
A. Use by originator for treatment;
B. Use for training physicians or other mental health
professionals as authorized by the regulations;
C. Use or disclosure in defense of a legal action brought
by the individual whose records are in issue;
D. Use or disclosures as required by law, or as authorized
by law to enable health oversight agencies to oversee
the originator of the psychotherapy notes.
Complaints
It is the policy of this medical practice that all complaints
relating to the protection of health information be investigated
and resolved in a timely fashion. Furthermore, it is the
policy of this medical practice that all complaints will
be addressed to the Project Coordinator who is duly authorized
to investigate complaints and implement resolutions if the
complaint stems from a valid area of non-compliance with
the HIPAA Privacy and Security Rule. The Project Coordinator
will provide written documentation of all complaints investigated.
Prohibited Activities-No Retaliation
or Intimidation
It is the policy of this medical practice that no employee
or contractor may engage in any intimidating or retaliatory
acts against persons who file complaints or otherwise exercise
their rights under HIPAA regulations. It is also the policy
of this organization that no employee or contractor may
condition treatment, payment, enrollment or eligibility
for benefits on the provision of an authorization to disclose
protected health information except as expressly authorized
under the regulations.
Responsibility
It is the policy of this medical practice that the responsibility
for designing and implementing procedures to implement this
policy lies with the Privacy Official.
Verification of Identity
It is the policy of this medical practice that the identity
of all persons who request access to protected health information
be verified before such access is granted.
Fund Raising
It is the policy of this medical practice to use de-identified
PHI in our fundraising activities.
Mitigation
It is the policy of this medical practice that the effects
of any unauthorized use or disclosure of protected health
information be mitigated to the extent possible.
Safeguards
It is the policy of this medical practice that appropriate
physical safeguards will be in place to reasonably safeguard
protected health information from any intentional or unintentional
use or disclosure that is in violation of the HIPAA Privacy
Rule. These safeguards will include physical protection
of premises and PHI, technical protection of PHI maintained
electronically and administrative protection. These safeguards
will extend to the oral communication of PHI. These safeguards
will extend to PHI that is removed from this organization.
Business Associates
It is the policy of this medical practice that business
associates must be contractually bound to protect health
information to the same degree as set forth in this policy.
It is also the policy of this organization that business
associates who violate their agreement will be dealt with
first by an attempt to correct the problem, and if that
fails by termination of the agreement and discontinuation
of services by the business associate.
Training and Awareness
It is the policy of this medical practice that all members
of our workforce have been trained by the compliance date
on the policies and procedures governing protected health
information and how this medical practice complies with
the HIPAA Privacy and Security Rules. It is also the policy
of this medical practice that new members of our workforce
receive training on these matters within 30 days after they
have joined the workforce. It is the policy of this medical
practice to provide training should any policy or procedure
related to the HIPAA Privacy and Security Rule materially
change. This training will be provided within 30 days after
the policy or procedure materially changes. Furthermore,
it is the policy of this medical practice that training
will be documented indicating participants, date and subject
matter.
Sanctions
It is the policy of this medical practice that sanctions
will be in effect for any member of the workforce who intentionally
or unintentionally violates any of these policies or any
procedures related to the fulfillment of these policies.
Sanctions will be implemented on a case-by-case basis by
the administrative staff of PFNC taking into account the
severity of the violation. Such sanctions will be recorded
in the individual’s personnel file.
Retention of Records
It is the policy of this medical practice that the HIPAA
Privacy Rule records retention requirement of six years
will be strictly adhered to. All records designated by HIPAA
in this retention requirement will be maintained in a manner
that allows for access within a reasonable period of time.
This records retention time requirement may be extended
at this organization’s discretion to meet with other
governmental regulations or those requirements imposed by
our professional liability carrier.
Regulatory Currency
It is the policy of this medical practice to remain current
in our compliance program with HIPAA regulations.
Cooperation with Privacy Oversight Authorities
It is the policy of this medical practice that oversight
agencies such as the Office for Civil Rights of the Department
of Health and Human Services be given full support and cooperation
in their efforts to ensure the protection of health information
within this organization. It is also the policy of this
organization that all personnel must cooperate fully with
all privacy compliance reviews and investigations.