
Table of Contents
Disclaimer
HIPAA Essentials
HIPAA – Six Years Later
Implementation
Sample Job Descriptions – HIPAA Privacy Official and Contact Person and HIPAA
Security Official
HIPAA Self-Assessment Worksheet – Part 1: Data Gathering
HIPAA Self-Assessment Worksheet – Part 2: Analyze the Data
HIPAA Self-Assessment Worksheet – Part 3: Action Plan (blank)
HIPAA Self-Assessment Worksheet – Part 3: Action Plan (filled in)
Identify Your Business Associates
Business Associate Agreement Checklist
Sample Business Associate Contract Provisions
Policies, Procedures, and Sample Forms
HIPAA Privacy Rule – Policies, Procedures, and Documents
Instructions to Assist in Implementing Sample Forms and Policies and
Procedures
Notice of Privacy Practices (Policy & Procedures)
Notice of Privacy Practices
Notice of Privacy Practices Acknowledgment
Authorization to Use or Disclose Protected Health Information (Policy &
Procedures)
Authorization to Use or Disclose Protected Health Information
Revocation of Authorization to Use or Disclose Protected Health Information
(Policy & Procedures)
Revocation of Authorization to Use or Disclose Protected Health Information
Responding to Requests to Access and/or Copy Protected Health Information (Policy &
Procedures)
Denying Request to Access Protected Health Information
Request to Correct or Amend Protected Health Information (Policy & Procedures)
Request to Correct or Amend Protected Health Information
Denying Request to Correct or Amend Protected Health Information
Response to Defective Subpoena or Incomplete Request to Disclose Protected Health
Information
Responding to Request for Restrictions on the Use or Disclosure of Protected Health
Information (Policy & Procedures)
Response to Request for Restrictions on the Use or Disclosure of Protected Health
Information
Minimum Necessary Requirements for the Use and Disclosure of Protected Health
Information (Policy & Procedures)
Documenting of and Accounting for Disclosures of Protected Health Information (Policy
& Procedures)
Accounting Log for Protected Health Information Disclosures
Notification of Breach of Unsecured Protected Health Information (Policy & Procedures)
Breach Notification Checklist
Accounting Log for Notification of Breach of Unsecured Protected Health Information
Complaints and Grievances Relating to the Use or Disclosure of Protected Health
Information (Policy & Procedures)
Complaint / Grievance Resolution Letter
Training
HIPAA Privacy and Security Training (Policy & Procedures)
HIPAA Privacy and Security Training Checklist
HIPAA Privacy Rule: A Questionnaire for Nonclinical Staff
HIPAA Privacy Rule: A Questionnaire for Nonclinical Staff – Answer Key
HIPAA Privacy Rule: A Questionnaire for Clinical Staff
HIPAA Privacy Rule: A Questionnaire for Clinical Staff – Answer Key
Treatment of Minors and the Handling of Their Protected Health Information
Kinship Caregivers Informed Consent Declaration for Minors
Employee Confidentiality and HIPAA Training Acknowledgment Statement
Nonemployee Confidentiality and HIPAA Training Acknowledgment Statement
HIPAA Help – A Resource List
Security
Updates to the July 2004 HIPAA Model Security Policies and Procedures
July 2004 HIPAA Model Security Policies and Procedures
November 2009
Disclaimer
Physicians Insurance has produced the following materials to assist practices in their
efforts to comply with the Privacy and Security Rule promulgated under the Health
Insurance Portability & Accountability Act (HIPAA) of 1996, and new federal legislation,
the Health Information Technology for Economic and Clinical Health (HITECH) Act,
which is part of the American Recovery and Reinvestment Act (ARRA) that was signed
into law on February 17, 2009. The HITECH Act strengthens and expands HIPAA’s
current privacy and security requirements. These materials are current as of November
2009.
While we have made every effort to prepare these materials accurately and completely,
the complexity of these issues makes it impossible to guarantee their accuracy and
completeness. These materials are provided as general guidance and do not constitute
legal advice. Given the scope and complexity of the HIPAA Privacy and Security Rule
and HITECH Act requirements and the difficulty of identifying and incorporating all state
requirements that are more “stringent” than these rules, practices are well advised to
consult with private legal counsel concerning compliance issues.
The information in these materials is intended as risk management advice. It does not
constitute a legal opinion nor is it a substitute for legal advice. Legal inquiries about
topics covered in these materials should be directed to your attorney.
HIPAA – Six Years Later
The Health Insurance Portability and Accountability Act of 1996, or HIPAA, as it has
become widely known, was enacted by the federal government to help workers maintain
their health insurance coverage during a time of job change, to establish privacy and
security rules for protected health information, to set standards for electronic billing of
health care services, and to develop a national provider identifier system.
The HIPAA Privacy Rule compliance date was April 14, 2003. Since that time, other
aspects of the act have come into effect and many states, including Washington, have
passed or revised state privacy regulations. On February 17, 2009, the American
Recovery and Reinvestment Act (ARRA), also known as the Stimulus Bill, was signed
into law. Enacted as part of this new federal legislation is the Health Information
Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act
strengthens and expands HIPAA’s current privacy and security requirements.
This new legislation will require you to review and revise your current practices relating
to the use and disclosure of protected health information. To this end, this article is
intended to provide you with a checklist of items currently required under the HIPAA
Privacy and Security Rules and Washington state privacy regulations, and to outline new
regulations that will affect these rules.
Physicians Insurance has updated our HIPAA-related sample policies and procedures,
forms, and training materials to address these new federal requirements. In addition, we
have identified a number of helpful resources to assist you in meeting these new
regulations. This information is available to all policyholders and their staff on our Web
site at www.phyins.com.
Current HIPAA Privacy Rule requirements (Italicized articles and sample
documents are available on our Web site at www.phyins.com):
Designate a privacy/security official for your practice. You must designate a “HIPAA
Privacy Official” to assume responsibilities for the development, implementation, and
ongoing management and review of policies and procedures to protect the privacy of
protected health information (PHI). HIPAA also requires that you designate a “HIPAA
Security Official” who is responsible for the development of policies and procedures to
comply with requirements for the security of electronic protected health information.
- Sample Job Descriptions – HIPAA Privacy Official and Contact Person and
HIPAA Security Official
Develop, implement, and conduct ongoing reviews of your HIPAA privacy
program. Document the minutes of all meetings, administrative memos, or notes.
Develop an annual evaluation schedule for reviewing your privacy program.
- HIPAA Self-Assessment Worksheet – Part 1: Data Gathering
- HIPAA Self-Assessment Worksheet – Part 2: Analyze the Data
- HIPAA Self-Assessment Worksheet – Part 3: Action Plan – BLANK
- HIPAA Self-Assessment Worksheet – Part 3: Action Plan – FILLED IN
- Identify Your Business Associates
- Business Associate Agreement Checklist
- Sample Business Associate Contract Provisions
Develop policies and procedures to comply with the HIPAA Privacy Rule. The
HIPAA Privacy Rule requires each covered entity to adopt written policies and
procedures with respect to protected health information. Develop an annual evaluation
schedule for reviewing your privacy program policies and procedures.
- HIPAA Privacy Rule – Policies, Procedures, and Documents
- Instructions to Assist in Implementing Sample Forms and Policies and
Procedures
- Notice of Privacy Practices (Policy & Procedures)
- Notice of Privacy Practices
- Notice of Privacy Practices Acknowledgment
- Authorization to Use or Disclose Protected Health Information (Policy &
Procedures)
- Authorization to Use or Disclose Protected Health Information
- Revocation of Authorization to Use or Disclose Protected Health Information
(Policy & Procedures)
- Revocation of Authorization to Use or Disclose Protected Health Information
- Responding to Requests to Access and/or Copy Protected Health
Information (Policy & Procedures)
- Denying Request to Access Protected Health Information
- Request to Correct or Amend Protected Health Information (Policy &
Procedures)
- Request to Correct or Amend Protected Health Information
- Denying Request to Correct or Amend Protected Health Information
- Response to Defective Subpoena or Incomplete Request to Disclose Protected
Health Information
- Responding to Request for Restrictions on the Use or Disclosure of Protected
Health Information (Policy & Procedures)
- Response to Request for Restrictions on the Use or Disclosure of Protected
Health Information
- Minimum Necessary Requirements for the Use and Disclosure of Protected
Health Information (Policy & Procedures)
- Documenting of and Accounting for Disclosures of Protected Health
Information (Policy & Procedures)
- Accounting Log for Protected Health Information Disclosures
- Notification of Breach of Unsecured Protected Health Information (Policy &
Procedures)
- Breach Notification Checklist
- Accounting Log for Notification of Breach of Unsecured Protected Health
Information
Designate a contact person to address patient privacy complaints. You must
designate a contact person or office responsible for receiving complaints under the
HIPAA Privacy Rules and providing further information about matters covered under the
Notice of Privacy Practices (NPP).
- Complaints and Grievances Relating to the Use or Disclosure of Protected
Health Information (Policy & Procedures)
- Complaint / Grievance Resolution Letter
Develop HIPAA privacy training program. The HIPAA Privacy Rule requires each
member of the workforce to receive privacy training as necessary and appropriate for the
member to carry out his or her job responsibilities. New members of the workforce
should receive privacy training during their orientation period. Additional privacy training
should be provided to the workforce within a reasonable time period after
implementation of organizational policies and procedures that have undergone material
changes. Develop a schedule for ongoing retraining of the workforce.
- HIPAA Privacy and Security Training (Policy & Procedures)
- HIPAA Privacy and Security Training Checklist
- HIPAA Privacy Rule: A Questionnaire for Nonclinical Staff
- HIPAA Privacy Rule: A Questionnaire for Nonclinical Staff – Answer Key
- HIPAA Privacy Rule: A Questionnaire for Clinical Staff
- HIPAA Privacy Rule: A Questionnaire for Clinical Staff – Answer Key
- Treatment of Minors and the Handling of Their Protected Health Information
- Kinship Caregivers Informed Consent Declaration for Minors
- Employee Confidentiality and HIPAA Training Acknowledgment Statement
- Nonemployee Confidentiality and HIPAA Training Acknowledgment Statement
- HIPAA Help – A Resource List
Ongoing assessment of HIPAA security policies and procedures. Ongoing
assessment of HIPAA Security Policy and Procedures is required in order to comply with
the HIPAA Security Rule. The Security Rule specifies that “[s]ecurity measures
implemented to comply with standards and implementation specifications…must be
reviewed and modified as needed to continue provision of reasonable and appropriate
protection of electronic protected health information.”
- Updates to the July 2004 HIPAA Model Security Policies and Procedures
- July 2004 HIPAA Model Security Policies and Procedures
New provisions affecting HIPAA Privacy and Security Rules:
Business associates required to comply. Effective February 17, 2010, business
associates (BAs) will be subject to the same requirements as covered entities (CEs) for
implementing administrative, physical, and technical safeguards for protected health
information (PHI). BAs will also be required to have written policies and procedures
covering these requirements, and will be subject to the same civil and criminal penalties
as CEs. Prior to this change, HIPAA regulations were limited to health plans, health care
clearinghouses, and health care providers.
Health information exchanges are considered business associates. An organization
that provides data transmission of PHI to a CE (or its BA) and that requires access to
PHI in order to do so, such as a health information exchange or a regional health
information organization, is considered a BA of the participating CEs. This provision also
applies to vendors who provide personal health records functionality to CEs as a part of
an electronic health records system. CEs will need to maintain business associate
agreements with these organizations.
PHI breach notification rules. Beginning September 23, 2009, HIPAA CEs are
required to notify individuals if they discover a “breach” of “unsecured PHI.” “Breach”
means the acquisition, access, use, or disclosure of PHI in a manner not permitted
under the Privacy Rule that compromises the security or privacy of the PHI, meaning it
poses a significant risk of financial, reputational, or other harm to the individual.
“Unsecured PHI” means PHI that is not secured through a technology or methodology
that HHS considers as being capable of rendering the PHI unusable, unreadable, or
indecipherable to unauthorized individuals.
Written notification must be provided to individuals via first-class mail. If the CE does not
have sufficient contact information for 10 or more affected individuals, notification must
also be made on the CE’s Web site home page or in major print or broadcast media. If
the breach involved more than 500 individuals, notification must also be made to
prominent media outlets.
Notification must be made without unreasonable delay and in no case later than 60 days
following discovery of the breach and must contain a brief description of what happened;
the date of the breach, if known; the date of discovery; and a description of the types of
unsecured PHI involved in the breach. The notice must include steps affected individuals
should take to protect themselves from potential harm resulting from the breach. The CE
must also include a brief description of what the CE has done and is planning to do to
investigate the breach, to mitigate losses, and to protect against further breaches. The
notice must be in plain language and include contact information for individuals to ask
questions or learn more. Business associates must notify CEs of any breach of
unsecured PHI. Notification must include the identity of each affected individual.
The CE must notify the Department of Health and Human Services (HHS) of all
breaches of unsecured PHI. Notification must occur immediately if the breach involves
500 or more individuals. The CE can maintain a log of breaches affecting fewer than 500
individuals and submit the log annually to HHS.
On April 17, 2009, the Secretary of HHS issued guidance which states that PHI that
is secured through encryption or destruction in accordance with specified
standards would not be considered “unsecured PHI.” A CE would not have to
comply with the breach notification rules if the CE utilizes the technologies and
methodologies that HHS prescribes.
On August 24, 2009, interim final regulations were published in the Federal Register
implementing the HITECH breach notification provisions. These regulations clarify
important exclusions from the breach notification requirements. A breach excludes:
• Any unintentional acquisition, access, or use of PHI by a workforce member or
person acting under the authority of a CE or BA made in good faith and within the
person’s scope of authority, and that does not result in further use or disclosure in a
manner not permitted under the Privacy Rule.
• Any inadvertent disclosure by a person who is authorized to access PHI at a CE
or BA to another person authorized to access PHI at the same CE or BA, or
organized health care arrangement (OHCA) in which the CE participates, and the
PHI received is not further used or disclosed in a manner not permitted under the
Privacy Rule.
• A disclosure of PHI where the CE or BA has a good faith belief that an
unauthorized person to whom the disclosure was made would not reasonably
have been able to retain such information.
CEs need to address the issue of unsecured PHI and develop policies and procedures
to provide for notification of breaches.
Patient access to electronic health records. Patients will have the right to receive a
copy of their PHI maintained in the electronic health record in an electronic format. A CE
may charge a fee that is no greater than the labor costs incurred to respond to the
request. (In Washington, the labor costs are subject to the limit on handling fees under
WAC 246-08-400 which, until June 30, 2011, is $23.)
Accounting for disclosures of PHI for treatment, payment, and health care
operations. At present, HIPAA and Washington State privacy rules exempt a CE’s
obligation to provide individuals with an accounting of disclosures of their PHI if the
disclosure was for treatment, payment, or health care operations. Under the HITECH
Act, this exception would no longer be available to CEs that use electronic health
records (EHRs). The period for which an accounting is required will be limited to 3 years,
not the 6-year period currently required. This provision is delayed until January 14, 2014,
for CEs that acquired EHRs as of January 1, 2009. For entities that acquire EHRs after
January 1, 2009, the provision will be effective on January 1, 2011, or the date upon
which the entity acquires the EHR, whichever date is later. HHS is permitted to delay
both of these effective dates for up to two years. More guidance is expected from HHS
before these effective dates.
Minimum necessary standard. Under the current HIPAA Privacy Rule, a CE that uses,
discloses, or requests PHI must make reasonable efforts to limit the PHI to the
“minimum necessary” to accomplish the intended purpose. The HIPAA Privacy Rule
does not define “minimum necessary.” Under the HITECH Act, when using, disclosing,
or requesting PHI, CEs are required to limit “to the extent practicable” disclosure of PHI
to a “limited data set,” or if more information is needed, to the minimum necessary “to
accomplish the intended purpose of such use, disclosure, or request.” The Privacy Rule
defines a “limited data set” as PHI from which all direct patient identifiers have been
removed. This would include name, postal address (other than city, state, and zip code),
telephone and fax numbers, e-mail address, social security and medical record
numbers, and other identifiers. Additionally, while the current Privacy Rule permits CEs
to rely on a request by other CEs and their business associates as being the minimum
necessary for a particular disclosure, the HITECH Act requires the CE to make the
determination of the minimum necessary for disclosure, rather than relying on others to
make that decision. HHS has until August 16, 2010, to publish guidance on what
constitutes “minimum necessary” under the Privacy Rule.
Nondisclosure of self-pay services. Currently under the HIPAA Privacy Rule, an
individual has a right to request special privacy protections for the use and disclosure of
PHI for treatment, payment, and health care operations. A CE is not required to grant
that request, although the individual’s request is retained in the record.
Under the HITECH Act, a CE will be required to honor a patient’s request that
information regarding a particular service not be disclosed to the patient’s health plan or
insurance if the patient pays for that service in full out of pocket. Failure to comply with
the request will be considered a violation and subject to HIPAA penalties.
Sale of records prohibited. On or before February 17, 2011, CEs and BAs will be
prohibited from directly or indirectly receiving payment in exchange for any PHI, unless
the individual specifically authorizes, in writing, that the PHI can be exchanged for
payment. Exceptions to this rule include exchanges for treatment purposes; for purposes
of a sale, transfer, merger, or consolidation of CEs; for public health activities; and for
certain activities of BAs. Exceptions to this rule also apply for research purposes, as long
as the price reflects only the costs of preparation and transmittal of the data.
Marketing communications. Effective February 17, 2010, CEs may no longer use PHI
to inform an individual about the CE’s own health care products or services without the
individual’s written authorization if the CE receives payment from another party for doing
so. These marketing communications would be allowed if the communication describes
only a drug or biologic that is currently being prescribed for the patient and the payment
the CE receives is reasonable; the CE makes the communication itself and obtains a
written patient authorization; or a BA of the CE makes the communication, and the
communication is consistent with the business associate agreement between the CE
and the BA.
Fund-raising communications. Effective February 17, 2010, all fund-raising
communications that are considered health care operations must clearly provide
individuals with an opportunity to opt out of any future fund-raising solicitations.
Increased monetary penalties. Effective immediately is a new tiered civil monetary
penalty (CMP) system that imposes monetary penalties based upon the nature of the
improper conduct. In situations where the CE did not know (or by exercising reasonable
diligence would not have known) it violated HIPAA, a penalty of $100 per violation, up to
$25K per year, for each type of violation is applicable. If the violation is due to
“reasonable cause,” the maximum penalty rises to $1K per violation, up to $100K per
year. If the violation is due to “willful neglect,” depending on whether or not the violation
is corrected, the maximum penalty ranges from $10K to $50K per violation, up to
$250,000 to $1.5M per year. Beginning February 17, 2011, HHS is required to impose
civil penalties on a CE if the violation is determined to be due to “willful neglect.”
State attorneys general can bring actions. Effective immediately, state attorneys
general have the authority to bring civil actions to enforce HIPAA.
Criminal penalties for individuals. Effective immediately is a provision that criminal
penalties may be imposed under HIPAA on any individual or entity that wrongly obtains
or discloses PHI maintained by a CE. This provision clarifies an ongoing debate as to
whether criminal penalties under HIPAA can only be imposed upon a CE.
Authority to audit. Under the HITECH Act, HHS has the authority to audit CEs and BAs
to ensure compliance with the privacy portion of the HITECH Act and current HIPAA
privacy and security regulations.
To view the HITECH Act in its entirety, please go to: http://snipr.com/fexbr and see
Division A, Title XIII and Division B, Title IV.
Conclusion. HIPAA rules, regulations, and standards have and will continue to be a
moving target under the direction of the federal government. It is important that your
practice’s policies and procedures are periodically reviewed and updated as necessary
to reflect these changes. Initial training of new staff members and ongoing retraining of
existing staff is required under the HIPAA regulations.
In addition to the resources available on our Web site at www.phyins.com, the
Department of Health and Human Services Office for Civil Rights (OCR) is another
valuable source of information for meeting the various HIPAA requirements. The OCR
Web site is available at http://www.hhs.gov/ocr/privacy. You can find an extensive list of
HIPAA-related questions and answers at http://www.hhs.gov/hipaafaq. HIPAA Security
Rule information can be found at http://www.cms.hhs.gov/securitystandard/.
We’re here to help you. Contact your Physicians Insurance risk management
representative for more information about the new legislation affecting the HIPAA
Privacy and Security Rules and Washington State privacy laws. Call our Seattle office at
(206) 343-7300 or 1-800-962-1399, or call our Spokane office at (509) 456-5868 or
1-800-962-1398. E-mail our experts at [email protected].
Sample Job Descriptions – HIPAA Privacy Official and Contact Person and
HIPAA Security Official
According to the Privacy Rule, a health care provider must designate a “HIPAA Privacy Official” to assume
responsibilities for the development and implementation of policies and procedures to protect the privacy of
PHI, and must also designate a contact person or office responsible for receiving complaints under the
HIPAA Privacy Regulations and providing further information about matters covered in the Notice of Privacy
Practices.1 The Security Rule requires each health care provider to designate a “HIPAA Security Official”
who is responsible for the development of policies and procedures to comply with requirements for the
security of electronic protected health information.2
HIPAA responsibilities may be incorporated into the job duties of an existing member or members of your
staff. For smaller health care providers in particular, it is not necessary to designate an individual whose
sole role is HIPAA compliance. The same person may serve as your designated HIPAA Privacy Official and
contact person and your designated HIPAA Security Official, or, depending on organizational responsibility
for electronic protected health information, it may be more appropriate to have different individuals perform
these roles.
The following are samples of responsibilities for inclusion on the job description for your designated HIPAA
Privacy Official and contact person:
a. Oversees the development, implementation, and maintenance of appropriate privacy policies
and procedures.
(i) Reviews new or revised laws and regulations pertaining to patient privacy to determine if
all policies required by law have been developed in writing and if revisions of current
policies are needed. Writes or revises policies as necessary.
b. Identifies noncompliance with privacy practices to allow for consistent application of sanctions for
failure to comply with privacy policies for all individuals in the organization’s workforce.
c. Establishes and administers a process for receiving, documenting, tracking, investigating, and
taking action on all complaints concerning the organization’s privacy policies and procedures in
coordination and collaboration with other similar functions and, when necessary, legal counsel.
d. Conducts assessments and internal privacy audits to determine organizational compliance,
including reports of compliance activities.
e. Oversees, in cooperation with Security Official, the development, delivery, and documentation of
HIPAA Privacy and Security Rule training and awareness for all staff, including the orientation of
new employees and retraining of employees when material changes have been made in policies
and procedures, or when otherwise necessary.
f. Participates in the development, implementation, and ongoing compliance monitoring of all
business associate agreements, to ensure all privacy concerns and requirements are addressed.
g. Maintains appropriate authorization forms, privacy notices, and other materials reflecting current
privacy practices and requirements.
h. Coordinates visits and cooperates with the Office for Civil Rights, other legal entities, and
organization officers in any compliance reviews or investigations.
i. Manages patient requests for amendments and requests for changes to their medical records.
j. Manages the release of patient records in accordance with established policies and procedures.
k. Manages patient requests regarding limiting disclosures to health plans when the patient has
paid in full out of pocket for the services that are the subject of the disclosure.
l. Serves as the designated contact person to receive questions, comments, and complaints, and
provide resources for patients and staff on the HIPAA privacy regulations.
m. Receives reports of potential breaches of unsecured PHI and works with Security Official to
investigate, make determinations, and provide notification if necessary.
While the above job duties may be delegated and shared among employees, it is recommended that duties
a, b, and c be assumed by your designated “HIPAA Privacy Official.”
The following are samples of responsibilities for inclusion on the job description for your designated HIPAA
Security Official:
a. Performs initial and periodic written risk assessment related to security of electronic protected
health information (electronic PHI).
b. Implements, oversees, and monitors risk management measures to address security risks and
vulnerabilities identified by risk assessments.
c. Oversees the development, implementation, and maintenance of appropriate systems and/or
processes for the security of electronic PHI, including security policies and procedures.
d. Implements measures to protect against reasonably anticipated threats or hazards to security or
integrity of electronic PHI and reasonably anticipated unauthorized uses or disclosures.
e. Identifies noncompliance with security policies and procedures to allow for consistent application
of sanctions for failure to comply with security policies for all individuals in the organization’s
workforce.
f. Establishes and administers a process for regularly reviewing records of computer or information
system activity related to electronic PHI, such as audit logs, access reports, and security incident
tracking reports.
g. Develops and implements procedures for authorization and supervision of access to electronic
PHI by workforce members and termination of access.
h. Develops and implements access authorization policies for stored electronic PHI.
i. Oversees the development, implementation, and maintenance of appropriate security policies
and procedures, including those for physical and technical safeguards.
(i) Reviews new or revised laws and regulations pertaining to patient security of electronic
PHI to determine if all policies required by law have been developed in writing and if
revisions of current policies are needed. Writes or revises policies as necessary.
j. Oversees, in cooperation with Privacy Officer, the development, delivery, and documentation of
HIPAA Privacy and Security Rule training and awareness for all staff, including the orientation of
new employees and retraining of employees when material changes have been made in policies
and procedures, or when otherwise necessary.
k. Participates in the development, implementation, and ongoing compliance monitoring of all
business associate agreements, to ensure all security concerns and requirements are
addressed.
l. Coordinates visits and cooperates with the Office for Civil Rights, other legal entities, and
organization officers in any compliance reviews or investigations.
m. Investigates and resolves security breaches involving electronic PHI, including breaches
reported by Business Associates, providing appropriate notifications as required by state and
federal law, after consulting as necessary with legal counsel.
n. Receives reports of potential breaches of unsecured PHI and works with Privacy Officer to
investigate, make determinations, and provide notification if necessary.
1 45 CFR § 164.530(a)(1)
2 45 CFR § 164.308(a)(2)
Policy effective date: ____/____/____ Revision date(s): ____/____/____
November 2009
HIPAA Self-Assessment Worksheet
PART 1: Data Gathering
______________________________________________________________________________
Organization Name
One of the first tasks to becoming HIPAA compliant is to conduct an assessment of your current
operations. Part 1 of the HIPAA Self-Assessment Worksheet has been designed to assist you with
this process. Attach additional sheets if necessary.
Part 2 of the HIPAA Self-Assessment Worksheet assists you in identifying additional issues and
analyzing the data you collect.
Keeping a record of your work documents your compliance efforts and could be used to
defend your actions in the event of a claim, complaint investigation, or survey by the Office for Civil
Rights (OCR), etc. Part 3 of the HIPAA Self-Assessment Worksheet assists you in this effort.
It is recommended that these items be kept in a binder or folder with tabs to indicate the various
sections.
SECTION 1: Administration
Section 1 of your compliance records should include the following:
• The minutes of all meetings of your HIPAA compliance group, if applicable,
• Any administrative memos or notes relevant to your HIPAA compliance project, and
• Any budget information relevant to your HIPAA compliance project.
1. Individual in charge of HIPAA compliance:
Name _________________________________________________________________________
Contact information
_____________________________________________________________
_____________________________________________________________
2. Other individuals in your HIPAA compliance work group:
a. Name ________________________________________________________________
Contact information _____________________________________________________
b. Name ________________________________________________________________
Contact information _____________________________________________________
3. Compliance record keeper:______________________________________________________
4. Compliance budget: ____________________________________________________________
5. Meeting schedule: ___________________________________________________________
6. Meeting location(s): __________________________________________________________
____________________________________________________________________________
SECTION 2: Record Keeping
Section 2 of your files should include all information and materials relevant to the locations where
patient information is kept.
7. How are paper medical records kept? (Note all that apply.)
a. Open shelves accessible to all: _____________________________________________
b. Open shelves accessible to staff only: ________________________________________
c. Open shelves in locked room: ______________________________________________
d. Filing cabinets with no locks: _______________________________________________
e. Shelves/filing cabinets with locks: ___________________________________________
f. Off-site storage, no security: _______________________________________________
g. Off-site secure storage: ___________________________________________________
h. On a separate sheet, list all sites where paper medical records are kept.
8. How are paper claims and billing information kept? (Note all that apply.)
a. Open shelves accessible to all: _____________________________________________
b. Open shelves accessible to staff only: ________________________________________
c. Open shelves in locked room: ______________________________________________
d. Filing cabinets with no locks: _______________________________________________
e. Shelves/filing cabinets with locks: ___________________________________________
f. Off-site storage, no security: _______________________________________________
g. Off-site secure storage: ___________________________________________________
h. On a separate sheet, list all sites where paper claims or billing information are kept.
9. How is other patient information on paper kept? (Note all that apply.)
a. Open shelves accessible to all: _____________________________________________
b. Open shelves accessible to staff only: ________________________________________
c. Open shelves in locked room: ______________________________________________
d. Filing cabinets with no locks: _______________________________________________
e. Shelves/filing cabinets with locks: ___________________________________________
f. Off-site storage, no security: _______________________________________________
g. Off-site secure storage: ___________________________________________________
h. On separate sheet, list all sites where other patient information on paper is kept.
10. How is patient information kept in electronic or other non-paper form? (Note all that apply.)
a. Not applicable: __________________________________________________________
b. Personal computer(s), no network connections: ________________________________
c. Personal computers, internal network: _______________________________________
d. Personal computers, Internet connection: _____________________________________
e. Off-site personal computers/laptops permitted remote access
(dial-in, Internet, etc.): ____________________________________________________
f. CDs/DVDs/backup tapes: ____________________________________________
g. Handheld devices (BlackBerry, iPhone, etc.):__________________________________
h. On separate sheet, list all equipment on which patient information is kept in electronic form.
i. Microfilm/microfiche: _______________________
j. Videotape: _______________________
k. Other form(s) of media: _______________________
11. How is access to patient information controlled?
Be prepared to document policies related to administrative restrictions, physical access, and
electronic access (e.g., log-ons, passwords, authentication, automatic time-outs) to equipment and
systems containing patient information.
12. Copy and attach all policies concerning:
a. Access to files containing patient information
b. Access to rooms, shelves, and filing cabinets where patient records are kept
c. Access to or use of electronic equipment on which patient information is stored
SECTION 3: Personnel/Workforce
Section 3 should include all information and materials relevant to those individuals in your
organization who are allowed to have access to, use, or disclose patient information. You should
include not only employees, but also trainees and volunteers who are under your organization’s
control.
13. List all individuals who work in your organization. For each individual, state:
a. Job title and description
b. Whether he/she is permitted access to:
I. Patient clinical information
II. Patient billing and claims information
III. Other patient information
c. Whether he/she has signed a confidentiality agreement
d. Whether his/her employment agreement has confidentiality provisions
14. Copy and attach all policies concerning:
a. Confidentiality of and access to patient information
b. Use and disclosure of patient information by staff
c. Disciplinary procedures for breach of patient confidentiality
SECTION 4: Patient Relations
Section 4 should contain all relevant materials concerning the way your organization permits
patients to have access to, copy, or otherwise exercise some degree of control over the records
that pertain to them.
15. Copy and attach all forms, notices, and other material you give patients that affect the use or
disclosure of patient health information:
a. Standard or customary patient release of information forms
b. Any notice of information or privacy practices published or available to patients
c. Any patient brochures you may distribute related to records access
d. Any “patients’ rights” notices you may provide
e. Consents
f. Other(s) not listed
16. Copy and attach all policies concerning:
a. Patient review and copying of records
b. Patient requests to amend records
c. Accounting to patients for disclosures of patient information
d. Use or disclosure of patient information for marketing or general contact purposes
17. List all individuals and organizations to which you regularly disclose:
a. Patient clinical information
b. Patient billings and/or claims information
c. Any other patient information
SECTION 5: Business Associates
Section 5 should include an inventory of the individuals and organizations with which you
exchange, from which you receive, or to which you disclose patient information, not including the
patients themselves. You should include copies of all your existing contracts or agreements with
such individuals or organizations.
18. List all individuals and organizations with which you exchange:
a. Patient clinical information
b. Patient billings and/or claims information
c. Any other patient information
19. Attach copies of all contracts or agreements currently in effect with individuals and
organizations to or from which you regularly disclose or receive patient information.
CHOICE HIPAA Consultation Pilot – Initial Task List
© 2002 CHOICE Regional Health Network – Consent to reproduce for non-profit distribution
This information is intended as advisory in nature and should not be considered as legal advice nor is it a substitute for
legal advice. This information does not constitute technical information system/security advice. It is designed to assist
you in your own risk management activities. It is not intended to be exclusively relied upon or used as a substitute for
your own loss-control program. Accuracy and completeness are not guaranteed.
HIPAA Self-Assessment Worksheet
Part 2: Analyze the Data
Parts 1 and 2 of the HIPAA Self-Assessment Worksheet were created to help you identify areas where action might be needed to comply with HIPAA.
The questions in this document may help you further analyze the data collected in Part 1.
DATE COMPLETED: ____________________________________________________________________ COMPLETED BY: _________________________________________________________________
YES    NO    COMMENTS
1) Steps have been taken to minimize the likelihood that patients and visitors can easily see or access computer
screens/monitors and other records containing PHI. For example:
☐ Computer screens time out.
☐ Files are put away or turned over to avoid easy viewing.
☐ PDAs (hand-held computer devices) are kept in a secure manner by the authorized individual.
☐ Records, including CDs and DVDs, are stored in a secure manner.
☐ Other:_______________________________________________________________________________
2) Medical, financial, and other records containing PHI are secure and accessible only to those people employed by or
doing work on behalf of the practice who have a legitimate—job-related—need to know; e.g., maintained in locked file
cabinets or locked medical record rooms.
3) Computers are password protected—each user has a unique identifier—and passwords are changed on a regular
basis.
4) Access controls (e.g., passwords, computer accounts, combinations, keys) to computers, filing cabinets, and the
building are terminated or changed when employees or contract workers end their relationship with the practice.
5) Electronic equipment and other records containing PHI are stored in a secure location to prevent theft or vandalism—
using both physical security (e.g., alarms and locks) and electronic security (access controls, firewalls, and virus checks,
for all of which you should consider seeking technical expertise).
6) Documents or records that contain patients’ personal, financial, and health information—and are no longer needed—
are destroyed.
☐ Shredded or ☐ Incinerated.
☐ Information is kept showing how, why, and by whom medical records were destroyed.
☐ Medical records are retained at least:
• 6 years from the date of the patient’s death.
• 10 years from the date of the patient’s last medical service.
• 21 years from the date of a child’s birth for pediatric records and for the obstetric patient’s prenatal
records, or 10 years after the minor patient’s last medical service, whichever period is longer.
☐ Patient management systems data (financial, etc.) is retained for 10 years.
☐ Prior to sale or disposal of computer equipment that stores PHI, the hardware is completely erased by
reformatting the hard drive. (Technical knowledge needed.)
☐ Other: ____________________________________________________________________________
YES    NO    COMMENTS
7) Computer systems containing PHI have systems to protect data integrity and to prevent data loss, for example:
☐ Backup systems are used to prevent loss of data due to power outage, hackers, etc.
☐ Audit trail systems are periodically audited.
8) Procedures address handling of medical, financial, or other records containing PHI—for example:
☐ Original records are handled correctly (e.g., not removed from premises and charted appropriately,
including corrections).
☐ Patient requests for copying of and amendment to records are handled correctly.
☐ Patient requests for an accounting of disclosures of PHI are handled quickly and correctly.
☐ Message boards, daily patient schedules, etc., that allow viewing of patient financial or health information
are maintained in areas restricted to employees who have a legitimate job-related need to know.
☐ Measures are taken to ensure that conversations held with patients concerning financial and health
information maintain privacy. For example:
• Exam room doors are closed.
• Background music is used in waiting/reception areas to minimize the likelihood of overhearing PHI.
• Solid core doors are used to minimize sound travel.
• Phone messages are listened to in private.
☐ Steps are taken to reduce the likelihood that facsimile transmissions may be sent to an incorrect telephone
number. For example:
• A confidentiality disclaimer is used on facsimile or electronic transmissions.
• Transmissions of private health information are limited to urgent/emergent needs.
• Infrequently used fax numbers are verified prior to transmission.
☐ Cell phone conversations about patients that require the release of Individually Identifiable Health
Information are conducted only to ensure continuity of care.
☐ Steps are taken to protect the privacy and security of information if e-mail or another electronic form of
communication is used to communicate personal health information.
9) Staff—including volunteers—are trained in privacy and in maintaining the security of health information. Education is
documented and includes:
☐ Appropriate handling of personal health information, including specific policies.
☐ Use of discretion when discussing personal health information within hearing of others.
☐ Use of discretion when leaving telephone and electronic messages for patients.
☐ Software password-security procedures.
☐ Signed confidentiality statements.
☐ Staff accountability for following procedures and applicable laws to protect privacy and security of PHI.
10) Criminal security/background checks are conducted prior to hiring employees.
11) Board members understand, and are trained in, maintaining the privacy and security of any PHI that they may have a
legitimate need to know. And, they:
☐ Sign confidentiality agreements
YES    NO    COMMENTS
12) Policies address appropriate handling of patient concerns—including concerns related to the privacy and security of
PHI.
13) Forms and documents that affect the use and disclosure of patient health information (e.g., IRB authorization) have
been identified, reviewed for compliance with HIPAA, and modified as needed. Using the following list of forms, determine
which forms you currently use that you will no longer need.
a. Employee Confidentiality and HIPAA Training Acknowledgment Statement
b. Revocation of Authorization to Use or Disclose Protected Health Information
c. Request to Correct or Amend Protected Health Information
d. Authorization to Use or Disclose Protected Health Information
e. Notice of Privacy Practices
Assess the remaining forms for HIPAA compliance.
14) Business associates are expected to use reasonable measures to handle PHI in a private and secure manner.
☐ If written agreements exist, consult legal counsel to ensure HIPAA provisions are met. If written agreements
do not exist, work with legal counsel to draft “Business Associate Agreements” required by HIPAA.
☐ Business associates, as appropriate, are educated about pertinent practices/policies pertaining to privacy
and security when they have reason to perform any job-related functions on premises.
15) List other areas pertaining to your operations affected by HIPAA and not listed in this document.
a. _____________________________________________________________________________
b. _____________________________________________________________________________
c. _____________________________________________________________________________
If you responded with a “NO” to any item, further action may be necessary to provide reasonable protection for PHI.
You may want to use the HIPAA Self-Assessment Worksheet Part 3: Action Plan to document your actions, rationale behind your plan, and follow-up.
HIPAA Self-Assessment Worksheet
Part 3: Action Plan
Using Parts 1 and 2 of the HIPAA Self-Assessment Worksheet, identify each issue that might require further action to comply with HIPAA.
Then use this or a similar form to develop an action plan by documenting each issue, its action plan, the reason for your decision, your follow-up, and the responsible individual.
ISSUE: _______________________________________________________________
ACTION PLAN (Circle all changes that you plan to implement, and attach estimated costs):
System/equipment change    New policy/policy change    New form/form change
Job description change    Education    Facility upgrade
Other: _____________________________________________
REASON FOR DECISION (Check all that apply):
☐ Options selected provide reasonable protections of PHI.
☐ Options not feasible at this time: __________________
☐ Other: __________________
FOLLOW-UP:
☐ Monitor
☐ Budget for: _______________ in _______________ (budget year)
☐ Other: __________________
RESPONSIBLE PARTY: _______________________
Date Completed: ____/____/____
(The form provides space for three issues per page; repeat the block above for each issue.)
HIPAA Self-Assessment Worksheet
Part 3: Action Plan
Using Parts 1 and 2 of the HIPAA Self-Assessment Worksheet, identify each issue that might require further action to comply with HIPAA.
Then use this or a similar form to develop an action plan by documenting each issue, its action plan, the reason for your decision, your follow-up, and the responsible individual.
Sample entries (recovered from the filled-in form):

ISSUE: 1.) Information overheard in waiting room
ACTION PLAN (Circle all changes that you plan to implement, and attach estimated costs):
☑ System/equipment change: stereo system; ☑ New policy/policy change: background music
REASON FOR DECISION (Check all that apply):
☑ Options selected provide reasonable protections of PHI.
☑ Options not feasible at this time: Upgrade on hold - budget
FOLLOW-UP: ☑ Monitor; ☑ Budget for: $2000.00 stereo in 2010 (budget year)
RESPONSIBLE PARTY: Cathy
Date Completed: ____/____/____

ISSUE: 2.) Disposal of confidential information
ACTION PLAN: ☑ System/equipment change: completed 9/1/09; ☑ Education: completed 8/1/09
REASON FOR DECISION: ☑ Options selected provide reasonable protections of PHI.
FOLLOW-UP: ☑ Monitor: scheduled 10/1/09
RESPONSIBLE PARTY: Pat
Date Completed: 10/1/09

ISSUE: 3.) Sensitive information discussed on phone – possibility of being overheard
ACTION PLAN: ☑ Education (see issue #1 action plan)
REASON FOR DECISION:
☑ Options selected provide reasonable protections of PHI.
☑ Options not feasible at this time: Upgrade on hold - budget
FOLLOW-UP: ☑ Monitor; ☑ Budget for: $2000.00 stereo in 2010 (budget year)
RESPONSIBLE PARTY: Cathy
Date Completed: ____/____/____
ISSUE: 4.) PHI left on the counter – accessible to unauthorized persons
ACTION PLAN (Circle all changes that you plan to implement, and attach estimated costs):
☑ New policy/policy change; ☑ Education: move information to restricted area ASAP
REASON FOR DECISION (Check all that apply): ☑ Options selected provide reasonable protections of PHI.
FOLLOW-UP: ☑ Monitor
RESPONSIBLE PARTY: Kathy
Date Completed: 10/1/09

ISSUE: 5.) Files with PHI accessible to unauthorized persons
ACTION PLAN: ____________________________________________
REASON FOR DECISION: ☑ Options selected provide reasonable protections of PHI.
FOLLOW-UP: ☑ Monitor
RESPONSIBLE PARTY: Dave
Date Completed: 10/1/09

ISSUE: 6.) a) computer screens visible to patients; b) patients may access network
ACTION PLAN: ☑ System/equipment change and ☑ New policy/policy change: program for passwords and
add screen savers; ☑ Education: of policy changes; Other: assess computer system - possible upgrade
REASON FOR DECISION:
☑ Options selected provide reasonable protections of PHI.
☑ Options not feasible at this time: assessment of computer on hold due to budget
FOLLOW-UP: ☑ Monitor; ☑ Budget for: Assessment upgrade in 2010 (budget year)
RESPONSIBLE PARTY: Kim
Date Completed: ____/____/____
ISSUE: 7.) need business associate agreements:
• Transcription
• Accountant
• Collection agency
ACTION PLAN (Circle all changes that you plan to implement, and attach estimated costs):
☑ New form/form change: obtain sample business assoc. agreements
REASON FOR DECISION (Check all that apply): ☑ Options selected provide reasonable protections of PHI.
FOLLOW-UP: ☑ Budget for: Legal review in 2010 (budget year)
RESPONSIBLE PARTY: Dennis
Date Completed: ____/____/____
Identifying Your Business Associates
The HIPAA Privacy regulation allows you to share patient information with your Business
Associates in order to conduct health care operations, but only if you have a Business Associate
Agreement with them. The regulation defines Business Associates as persons outside of your
workforce who:
• On your behalf, perform or assist in the performance of a function or activity involving
the use or disclosure of individually identifiable health information (e.g., claims
processing, data analysis, quality assurance, billing, practice management); or
• Provide legal, actuarial, accounting, consulting, data aggregation, management,
administrative, accreditation, or financial services, where the service involves the
disclosure of individually identifiable health information.
Some examples of your Business Associates may be:
• Accountants
• Attorneys
• Billing companies
• Clearinghouses
• Consultants
• Collection agencies
• Transcription services
• Data analysis or aggregation services
• Information technology service providers
• Temporary staffing agencies
• Copy services
• Document storage and destruction vendors
• Professional liability insurers
• Insurance agents and brokers
• Health Information Exchanges (“HIEs”)
• Regional Health Information Organizations (“RHIOs”)
• E-prescribing Gateways
• Vendors that allow you to offer a personal health record to patients as part of your
electronic health record
This list is not exhaustive. Think broadly when you are identifying your Business Associates.
Ask yourself:
• Who are your Business Associates?
• What function do they serve?
• What information is disclosed to them?
• Do you currently have some form of contract with them?
• If so, when is the contract due to be renewed or renegotiated?
The sample form, Business Associate Agreement Checklist, will help you identify what needs to
be included in your Business Associate Agreement.
Effective February 17, 2010, as a result of the ARRA, Business Associates will become
accountable to the federal and state authorities for failure to comply with the Privacy Rule
provisions applicable to them by their Business Associate Agreements and will be required to
directly comply with most provisions of the HIPAA Security Rule, including compliance with
administrative safeguards, technical safeguards, physical safeguards, and policies, procedures,
and documentation requirements applicable to Covered Entities. This means that Business
Associates will be required to undertake a security risk analysis, appoint a security official, and
maintain written security policies and procedures, as well as comply with other requirements of
the HIPAA Security Rule. The Secretary of Health and Human Services is required to
promulgate regulations to implement these requirements.
Business Associate Agreement Checklist
HIPAA Privacy and Security regulations establish the following requirements for the Business
Associate Agreement:
Business Associate Agreement must:
☐ Be in writing.
☐ State permitted and required uses and disclosures.
☐ Prohibit uses and disclosures not allowed in the Business Associate Agreement or by law
or that would be a violation of the Privacy Regulations if done by the Covered Entity (CE).
☐ Require Business Associate (BA) to use appropriate safeguards to prevent any
unauthorized use or disclosure.
☐ Require BA to report to the CE any unauthorized use or disclosure of which BA becomes
aware.
☐ Require that any agents, including a subcontractor, to whom BA provides protected health
information received from the CE, or created or received by BA on behalf of the CE, agree
to the same restrictions and conditions that apply to the BA with respect to such protected
health information unless disclosures are required by law or unless disclosures are for BA’s
proper management or administration and BA obtains the “reasonable assurances”
described below from such downstream user.
☐ Require BA to make available protected health information to the Individual in the
Designated Record Set in accordance with 45 C.F.R. §164.524. (While these provisions
must be in the Business Associate Agreement, actual access is not required if Business
Associate does not possess protected health information in the original Designated Record
Set.)
☐ Require BA to make available and to incorporate any amendment to protected health
information in the Designated Record Set in accordance with 45 C.F.R. §164.526. (While
these provisions must be in the Business Associate Agreement, actual amendment is not
required if Business Associate does not possess protected health information in the original
Designated Record Set.)
☐ When requested by CE, require BA to make available to CE the information required to
allow the CE to provide an accounting of disclosures in accordance with 45 C.F.R.
§164.528.
☐ Require BA to make its internal practices, books, and records available to the Department
of Health and Human Services Office for Civil Rights for purposes of determining the CE’s
compliance with the Privacy Rule to the extent related to the uses and disclosure of
protected health information received from, or created or received by, the BA on behalf of
the CE.
☐ Require return or destruction of protected health information at end of contract, if feasible;
but, if return or destruction is not feasible, extend the protection of the Business Associate
Agreement to the information and limit further uses and disclosures to the purposes listed in
the Business Associate Agreement.
† Authorize termination of Agreement if BA violates material term of Business Associate
Agreement.
† Require BA to implement administrative, physical, and technical safeguards to protect the
confidentiality, integrity, and availability of electronic PHI.
† Require BA to report any security incident of which it becomes aware.
† Require BA to ensure that any agent or subcontractor implement reasonable and
appropriate safeguards to protect electronic PHI.
(Provisions for compliance with the HITECH Act of the ARRA after February 17, 2010)
† Require BA to comply with the requirements of Title XIII, Subtitle D of the Health Information
Technology for Economic and Clinical Health (HITECH) Act, codified at 42 U.S.C. §§17921-17954,
and regulations issued by the Department of Health and Human Services to implement these
statutes as of the date by which business associates are required to comply.
† Require BA to comply with Section 13402 of Title XIII, Subtitle D of the HITECH Act, codified at
42 U.S.C. §17932, and regulations issued by the Department of Health and Human Services to
implement this statute as of the date by which business associates are required to comply, by,
among other things, reporting to CE within five business days of BA’s discovery of any breach¹
of unsecured protected health information.²
† Require BA to indemnify CE for any reasonable expenses CE incurs in notifying individual
of a breach of unsecured protected health information caused by BA or its subcontractors
or agents.
Optional terms
† The Business Associate Agreement may permit the BA to use PHI for the proper
management and administration of the BA or to carry out its legal responsibilities.
† The Business Associate Agreement may permit the BA to disclose protected health
information if needed for the proper management and administration of the BA or to carry
out the legal responsibilities of the BA if:
1. The disclosure is required by law
or
2. The BA obtains reasonable assurances from the person to whom PHI is disclosed that
the PHI will be held confidentially and used or further disclosed only as required by law
or for the purposes for which it was disclosed to the person, and the person agrees to
notify the BA of any instances of which it is aware in which the confidentiality of the PHI
has been breached.
† The Business Associate Agreement may allow BA to provide Data Aggregation Services
relating to CE’s health care operations.
† The Business Associate Agreement may include defined terms by either referencing the
Privacy Rule or including examples of specific definitions. If specific definitions are included,
the Business Associate Agreement may define: Protected Health Information; Electronic
Protected Health Information; Designated Record Set; De-identify; and Security Rule.
† The Business Associate Agreement may permit the BA to use PHI to create a Limited Data
Set and to use the Limited Data Set pursuant to a Data Use Agreement.³
† The Business Associate Agreement may permit the BA to de-identify the PHI.
¹ “Breach” is defined in Section 13400 of the HITECH Act (codified at 42 U.S.C. §17921) as:
(a) In general.—The term “breach” means the unauthorized acquisition, access, use, or disclosure of protected health
information which compromises the security or privacy of such information, except where an unauthorized person to whom
such information is disclosed would not reasonably have been able to retain such information.
(b) Exceptions.—The term “breach” does not include—
(i) any unintentional acquisition, access, or use of protected health information by an employee or individual acting under
the authority of a covered entity or business associate if—
(I) such acquisition, access, or use was made in good faith and within the course and scope of the employment or
other professional relationship of such employee or individual, respectively, with the covered entity or business
associate; and
(II) such information is not further acquired, accessed, used, or disclosed by any person; or
(ii) any inadvertent disclosure from an individual who is otherwise authorized to access protected health information at a
facility operated by a covered entity or business associate to another similarly situated individual at the same facility;
and
(iii) any such information received as a result of such disclosure is not further acquired, accessed, used, or disclosed
without authorization by any person.
² “Unsecured protected health information” is defined by guidance issued by the Department of Health and Human
Services on April 17, 2009 (74 Fed. Reg. 19006, published April 27, 2009) as PHI that is NOT rendered unusable,
unreadable, or indecipherable to unauthorized individuals through encryption or destruction consistent with National
Institute of Standards and Technology (“NIST”) standards. In other words, only PHI that has been encrypted or destroyed
as described below is “secured”; all other PHI is “unsecured” and a breach of it triggers the notification duty. The
guidance states:
“Protected health information (PHI) is rendered unusable, unreadable, or indecipherable to unauthorized individuals only if
one or more of the following applies:
(a) Electronic PHI has been encrypted as specified in the HIPAA Security Rule by ‘the use of an algorithmic
process to transform data into a form in which there is a low probability of assigning meaning without use of a
confidential process or key’ and such confidential process or key that might enable decryption has not been
breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a
device or at a location separate from the data they are used to encrypt or decrypt. The encryption processes
identified below have been tested by the National Institute of Standards and Technology (NIST) and judged to meet
this standard.
(i) Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111,
Guide to Storage Encryption Technologies for End User Devices.
(ii) Valid encryption processes for data in motion are those which comply, as appropriate, with NIST
Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS)
Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, or others which are
Federal Information Processing Standards (FIPS) 140-2 validated.
(b) The media on which the PHI is stored or recorded has been destroyed in one of the
following ways:
(i) Paper, film, or other hard copy media have been shredded or destroyed such that
the PHI cannot be read or otherwise cannot be reconstructed.
(ii) Electronic media have been cleared, purged, or destroyed consistent with NIST
Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI
cannot be retrieved.”
³ A "Data Use Agreement" is a written agreement between a covered entity and the recipient of a limited data set that meets the
requirements of 45 CFR 164.514(e)(4) and governs the recipient's use and disclosure of the limited data set. A business associate
agreement may permit the BA to use the PHI to create a limited data set and use the limited data set pursuant to a Data Use
Agreement provided that the BA uses the limited data set only for the purposes of research, public health, or health care operations. A
"limited data set" is PHI that excludes certain direct identifiers of the individual, or of relatives, employers, or household members of the
individual listed in 45 CFR 164.514(e)(2).
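Footnote 2 above sets the bar for "secured" electronic PHI: an encryption process that leaves a low probability of assigning meaning without the key, and a key that is kept separate from the data and has not itself been compromised. The Go program below is an added example written for this page; it is not code from the HHS guidance, from NIST, or from any product. It encrypts a constructed sample record with AES-256-GCM (a NIST-approved authenticated encryption mode) using only Go's standard library, holds the key in a separate KeyStore object that stands in for an HSM, a key management service, or a key file on another device, and shows that the stored blob on its own yields nothing: decryption with a different key, a flipped ciphertext byte, or mismatched associated data all fail closed. The record contents, the KeyStore type and the recordAAD label are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// samplePHI is a constructed record for this example; it is not real patient data.
const samplePHI = `{"mrn":"000-12345","name":"Jane Sample","dx":"E11.9"}`

// recordAAD is bound to the ciphertext as associated data, so a blob cannot be
// silently moved to a different record type or context without failing the tag check.
// The label itself is an assumption made for the example.
const recordAAD = "phi-record:v1"

// KeyStore stands in for the separately held key (an HSM, a KMS, or a key file on
// a different device). Only the key store holds the key; the data store never does.
type KeyStore struct {
	key []byte
}

// NewKeyStore generates a fresh 256-bit AES key from the OS CSPRNG.
func NewKeyStore() (*KeyStore, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &KeyStore{key: k}, nil
}

// Key returns the raw key. In a real deployment this would be an HSM/KMS
// operation rather than a byte slice handed to application code.
func (s *KeyStore) Key() []byte { return s.key }

// Seal encrypts plaintext with AES-256-GCM. The returned blob is
// nonce || ciphertext || tag and is the only thing the data store persists.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // rejects key sizes other than 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 96-bit random nonce, never reused with this key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce passed as dst, giving nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. It returns an error and no plaintext on a wrong key,
// a modified ciphertext or tag byte, or associated data that does not match.
func Open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	ks, err := NewKeyStore()
	if err != nil {
		panic(err)
	}
	aad := []byte(recordAAD)
	blob, err := Seal(ks.Key(), []byte(samplePHI), aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob: %d bytes, no key alongside it\n", len(blob))

	pt, err := Open(ks.Key(), blob, aad)
	fmt.Printf("with the right key: %s err=%v\n", pt, err)

	other, _ := NewKeyStore() // a second, unrelated key
	_, err = Open(other.Key(), blob, aad)
	fmt.Printf("with the wrong key: err=%v\n", err)

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the tag
	_, err = Open(ks.Key(), tampered, aad)
	fmt.Printf("with a modified blob: err=%v\n", err)
}
```

Two caveats a practitioner should keep in mind. First, the safe harbor depends on the key not being breached, so the KeyStore in this example is the part that must genuinely live somewhere else in production: a key that sits in the same database, file system or backup set as the ciphertext leaves the PHI "unsecured" no matter how strong the cipher. Second, the guidance points to NIST SP 800-111 and to FIPS 140-2 validated modules; a correct implementation of the algorithm, such as the standard-library one used here, is not the same thing as a validated module, so a deployment relying on the safe harbor should run this construction inside a validated crypto module or a KMS that provides one.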
Sample Business Associate Contract Provisions¹
(Published at 67 Fed. Reg. 53182, 53264 (August 14, 2002))
(The following Sample Business Associate Contract Provisions were prepared by the
Department of Health and Human Services and are available on its Web site; they were last
updated June 12, 2006. We have added, in brackets, comments and suggested additional
revisions to reflect the Security Rule and the ARRA HITECH Act.)
Statement of Intent
The Department provides these sample business associate contract provisions in response to
numerous requests for guidance. This is only sample language. These provisions are designed
to help covered entities more easily comply with the business associate contract requirements
of the Privacy Rule. However, use of these sample provisions is not required for compliance
with the Privacy Rule. The language may be amended to more accurately reflect business
arrangements between the covered entity and the business associate.
These or similar provisions may be incorporated into an agreement for the provision of services
between the entities or they may be incorporated into a separate business associate
agreement. These provisions only address concepts and requirements set forth in the Privacy
Rule and alone are not sufficient to result in a binding contract under State law. They do not
include many formalities and substantive provisions that are required or typically included in a
valid contract. Reliance on this sample is not sufficient for compliance with State law and does
not replace consultation with a lawyer or negotiations between the parties to the contract.
Furthermore, a covered entity may want to include other provisions that are related to the
Privacy Rule but that are not required by the Privacy Rule. For example, a covered entity may
want to add provisions in a business associate contract in order for the covered entity to be able
to rely on the business associate to help the covered entity meet its obligations under the
Privacy Rule. In addition, there may be permissible uses or disclosures by a business associate
that are not specifically addressed in these sample provisions, for example having a business
associate create a limited data set. These and other types of issues will need to be worked out
between the parties.
Sample Business Associate Contract Provisions²
Definitions (alternative approaches)
Catch-all definition:
Terms used, but not otherwise defined, in this Agreement shall have the same meaning as
those terms in the Privacy Rule.
Examples of specific definitions:
a. Business Associate. "Business Associate" shall mean [Insert Name of Business
Associate].
b. Covered Entity. "Covered Entity" shall mean [Insert Name of Covered Entity].
c. Individual. "Individual" shall have the same meaning as the term "individual" in 45
CFR § 160.103 and shall include a person who qualifies as a personal
representative in accordance with 45 CFR § 164.502(g).
d. Privacy Rule. "Privacy Rule" shall mean the Standards for Privacy of Individually
Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and
E.
e. Protected Health Information. "Protected Health Information" shall have the same
meaning as the term "protected health information" in 45 CFR § 160.103, limited
to the information created or received by Business Associate from or on behalf of
Covered Entity.
f. Required By Law. "Required By Law" shall have the same meaning as the term
"required by law" in 45 CFR § 164.103.
g. Secretary. "Secretary" shall mean the Secretary of the Department of Health and
Human Services or his designee.
[Additional definitions might include:
To more precisely define the roles and responsibilities of the covered entity
and the business associate:
• “De-identify” or “De-identified” means to remove, encode, encrypt, or
otherwise eliminate or conceal data which identifies an Individual, or
modify information so that there is no reasonable basis to believe that
the information can be used to identify an Individual.
• “Designated Record Set” shall have the same meaning as the term
“designated record set” in 45 CFR § 164.501.
To implement the Security Rule requirements:
• “Electronic Protected Health Information” shall have the same meaning
as the term “electronic protected health information” in 45 CFR § 160.103.
• “Security Incident” shall have the same meaning as the term “security
incident” in 45 CFR § 164.304.
• “Security Rule” shall mean the Security Standards and Implementation
Specifications at 45 CFR Part 160 and Part 164, subpart C.
To implement the HITECH Act requirements:
• “Breach” shall have the same meaning as the term “breach” in 45 CFR
§ 164.402.
• “Unsecured Protected Health Information” shall have the same meaning
as the term “unsecured protected health information” in 45 CFR
§ 164.402.]
Obligations and Activities of Business Associate
a. Business Associate agrees to not use or disclose Protected Health Information other
than as permitted or required by the Agreement or as Required By Law.
b. Business Associate agrees to use appropriate safeguards to prevent use or disclosure of
the Protected Health Information other than as provided for by this Agreement.
[To implement the Security Rule requirements, include:
• Business Associate further agrees to implement administrative, physical, and
technical safeguards (including written policies and procedures) to reasonably
and appropriately protect the confidentiality, integrity, and availability of
electronic Protected Health Information that it creates, receives, maintains, or
transmits on behalf of Covered Entity as required by the Security Rule.
More specific requirements can also be included as follows:
• Administrative Safeguards. Business Associate agrees to implement policies
and procedures to prevent, detect, contain, and correct security violations.
• Physical Safeguards. Business Associate agrees to implement policies and
procedures to limit physical access to its electronic information systems and
the facility or facilities in which they are housed, while ensuring that properly
authorized access is allowed.
• Technical Safeguards. Business Associate agrees to implement technical
policies and procedures for electronic information systems that maintain
electronic protected health information to allow access only to those persons
or software programs that have been granted access rights.
To provide for compliance with the HITECH Act of the ARRA after February 17, 2010,
include:
• Business Associate agrees to comply with the requirements of Title XIII,
Subtitle D of the Health Information Technology for Economic and Clinical
Health (HITECH) Act, codified at 42 USC §§17921-17954, and regulations issued
by the Department of Health and Human Services to implement these statutes
as of the date by which business associates are required to comply.]
c. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that
is known to Business Associate of a use or disclosure of Protected Health Information by
Business Associate in violation of the requirements of this Agreement. [This provision
may be included if it is appropriate for the Covered Entity to pass on its duty to mitigate
damages to a Business Associate.]
d. Business Associate agrees to report to Covered Entity any use or disclosure of the
Protected Health Information not provided for by this Agreement of which it becomes
aware.
[To provide for compliance with the Security Rule, include:
• Business Associate agrees to report to Covered Entity any Security Incident of
which it becomes aware that results in unauthorized access, use, disclosure,
modification, or destruction of information or interference with systems
operations. Business Associate shall report such Security Incidents that do
not result in unauthorized access, use, disclosure, modification, or destruction
of information or interference with systems operations in aggregate numbers
and only as frequently as mutually agreed by the parties.
To provide for compliance with the HITECH Act of ARRA after February 17, 2010,
include:
• Business Associate agrees to comply with Section 13402 of Title XIII, Subtitle D
of the Health Information Technology for Economic and Clinical Health
(HITECH) Act, codified at 42 USC §17932, and regulations issued by the
Department of Health and Human Services to implement this statute as of the
date by which business associates are required to comply, by, among other
things, reporting to Covered Entity within five business days of Business
Associate’s discovery of any breach of unsecured protected health
information.]
e. Business Associate agrees to ensure that any agent, including a subcontractor, to whom
it provides Protected Health Information received from, or created or received by
Business Associate on behalf of Covered Entity agrees to the same restrictions and
conditions that apply through this Agreement to Business Associate with respect to such
information.
[To implement the Security Rule, include:
• Business Associate shall ensure that any such agent or subcontractor agrees
to implement reasonable and appropriate safeguards to protect Covered
Entity’s Protected Health Information.]
f. Business Associate agrees to provide access, at the request of Covered Entity, and in
the time and manner [insert negotiated terms], to Protected Health Information in a
Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an
Individual in order to meet the requirements under 45 CFR § 164.524. [Not necessary if
business associate does not have protected health information in a designated
record set.]
g. Business Associate agrees to make any amendment(s) to Protected Health Information
in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45
CFR § 164.526 at the request of Covered Entity or an Individual, and in the time and
manner [insert negotiated terms]. [Not necessary if business associate does not
have protected health information in a designated record set.]
h. Business Associate agrees to make internal practices, books, and records, including
policies and procedures and Protected Health Information, relating to the use and
disclosure of Protected Health Information received from, or created or received by
Business Associate on behalf of, Covered Entity available [to the Covered Entity, or] to
the Secretary, in a time and manner [insert negotiated terms] or designated by the
Secretary, for purposes of the Secretary determining Covered Entity's compliance with
the Privacy Rule.
i. Business Associate agrees to document such disclosures of Protected Health
Information and information related to such disclosures as would be required for
Covered Entity to respond to a request by an Individual for an accounting of disclosures
of Protected Health Information in accordance with 45 CFR § 164.528.
j. Business Associate agrees to provide to Covered Entity or an Individual, in time and
manner [insert negotiated terms], information collected in accordance with Section
[insert section number in contract where provision (i) appears] of this Agreement,
to permit Covered Entity to respond to a request by an Individual for an accounting of
disclosures of Protected Health Information in accordance with 45 CFR § 164.528.
Permitted Uses and Disclosures by Business Associate
General Use and Disclosure Provisions [(a) and (b) are alternative approaches]
a. Specify purposes:
Except as otherwise limited in this Agreement, Business Associate may use or disclose
Protected Health Information on behalf of, or to provide services to, Covered Entity for
the following purposes, if such use or disclosure of Protected Health Information would
not violate the Privacy Rule if done by Covered Entity or the minimum necessary policies
and procedures of the Covered Entity:
[List purposes]
b. Refer to underlying services agreement:
Except as otherwise limited in this Agreement, Business Associate may use or disclose
Protected Health Information to perform functions, activities, or services for, or on behalf
of, Covered Entity as specified in [insert name of services agreement], provided that
such use or disclosure would not violate the Privacy Rule if done by Covered Entity or
the minimum necessary policies and procedures of the Covered Entity.
Specific Use and Disclosure Provisions [Only necessary if parties wish to allow Business
Associate to engage in such activities.]
a. Except as otherwise limited in this Agreement, Business Associate may use Protected
Health Information for the proper management and administration of the Business
Associate or to carry out the legal responsibilities of the Business Associate.
b. Except as otherwise limited in this Agreement, Business Associate may disclose
Protected Health Information for the proper management and administration of the
Business Associate, provided that disclosures are Required By Law, or Business
Associate obtains reasonable assurances from the person to whom the information is
disclosed that it will remain confidential and used or further disclosed only as Required
By Law or for the purpose for which it was disclosed to the person, and the person
notifies the Business Associate of any instances of which it is aware in which the
confidentiality of the information has been breached.
c. Except as otherwise limited in this Agreement, Business Associate may use Protected
Health Information to provide Data Aggregation services to Covered Entity as permitted
by 45 CFR § 164.504(e)(2)(i)(B).
d. Business Associate may use Protected Health Information to report violations of law to
appropriate Federal and State authorities, consistent with § 164.502(j)(1).
[If the business associate is to be permitted to de-identify the data or create a limited
data set, include:
• De-Identification. Business Associate may De-identify any and all Protected
Health Information created or received by Business Associate under the
Agreement; provided, however, that the De-identification conforms to the
requirements of the Privacy Rule. Such resulting De-identified information
would not be subject to the terms of this Addendum.
• Creating Limited Data Set. Business Associate may create a Limited Data Set
as defined in the Privacy Rule, and use such Limited Data Set pursuant to a
data use agreement that meets the requirements of the Privacy Rule.]
Obligations of Covered Entity
Provisions for Covered Entity to Inform Business Associate of Privacy Practices and
Restrictions [Provisions dependent on business arrangement.]
a. Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy
practices of Covered Entity in accordance with 45 CFR § 164.520, to the extent that
such limitation may affect Business Associate's use or disclosure of Protected Health
Information.
b. Covered Entity shall notify Business Associate of any changes in, or revocation of,
permission by Individual to use or disclose Protected Health Information, to the extent
that such changes may affect Business Associate's use or disclosure of Protected
Health Information.
c. Covered Entity shall notify Business Associate of any restriction to the use or disclosure
of Protected Health Information that Covered Entity has agreed to in accordance with 45
CFR § 164.522, to the extent that such restriction may affect Business Associate's use
or disclosure of Protected Health Information.
Permissible Requests by Covered Entity
Covered Entity shall not request Business Associate to use or disclose Protected Health
Information in any manner that would not be permissible under the Privacy Rule if done by
Covered Entity. [Include an exception if the Business Associate will use or disclose
protected health information for, and the contract includes provisions for, data
aggregation or management and administrative activities of Business Associate].
Term and Termination
a. Term. The Term of this Agreement shall be effective as of [insert effective date], and
shall terminate when all of the Protected Health Information provided by Covered Entity
to Business Associate, or created or received by Business Associate on behalf of
Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return
or destroy Protected Health Information, protections are extended to such information, in
accordance with the termination provisions in this Section. [Term may differ.]
b. Termination for Cause. Upon Covered Entity's knowledge of a material breach by
Business Associate, Covered Entity shall either:
1. Provide an opportunity for Business Associate to cure the breach or end the
violation and terminate this Agreement [and the _________ Agreement/
sections ____ of the ______________ Agreement] if Business Associate does
not cure the breach or end the violation within the time specified by Covered
Entity;
2. Immediately terminate this Agreement [and the _________ Agreement/
sections ____ of the ______________ Agreement] if Business Associate has
breached a material term of this Agreement and cure is not possible; or
3. If neither termination nor cure are feasible, Covered Entity shall report the
violation to the Secretary.
[Bracketed language in this provision may be necessary if there is an underlying
services agreement. Also, opportunity to cure is permitted, but not required by the
Privacy Rule.]
c. Effect of Termination.
1. Except as provided in paragraph (2) of this section, upon termination of this
Agreement, for any reason, Business Associate shall return or destroy all
Protected Health Information received from Covered Entity, or created or
received by Business Associate on behalf of Covered Entity. This provision shall
apply to Protected Health Information that is in the possession of subcontractors
or agents of Business Associate. Business Associate shall retain no copies of the
Protected Health Information.
2. In the event that Business Associate determines that returning or destroying the
Protected Health Information is infeasible, Business Associate shall provide to
Covered Entity notification of the conditions that make return or destruction
infeasible. Upon [insert negotiated terms] that return or destruction of
Protected Health Information is infeasible, Business Associate shall extend the
protections of this Agreement to such Protected Health Information and limit
further uses and disclosures of such Protected Health Information to those
purposes that make the return or destruction infeasible, for so long as Business
Associate maintains such Protected Health Information.
Miscellaneous
a. Regulatory References. A reference in this Agreement to a section in the Privacy Rule
means the section as in effect or as amended.
b. Amendment. The Parties agree to take such action as is necessary to amend this
Agreement from time to time as is necessary for Covered Entity to comply with the
requirements of the Privacy Rule and the Health Insurance Portability and Accountability
Act of 1996, Pub. L. No. 104-191.
c. Survival. The respective rights and obligations of Business Associate under Section
[insert section number related to "Effect of Termination"] of this Agreement shall
survive the termination of this Agreement.
d. Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered
Entity to comply with the Privacy Rule.
[To avoid creating third party beneficiaries of Business Associate Agreement, include:
• No Third Party Beneficiaries. Nothing in this Agreement shall confer upon any
person other than the Parties and their respective successors or assigns, any
rights, remedies, obligations, or liabilities whatsoever.
To address the potential costs of notice for breaches of unsecured protected health
information caused by the Business Associate or its subcontractors or agents, include
an indemnification provision:
• Indemnification: Business Associate will indemnify Covered Entity for any
reasonable expenses Covered Entity incurs in notifying individuals of a breach of
unsecured protected health information caused by Business Associate or its
subcontractors or agents.]
¹ This Web site version of Sample Business Associate Contract Provisions was revised June 12, 2006, to amend the regulatory
cites to the following terms: "individual"; "protected health information"; and "required by law."
² Words or phrases contained in brackets are intended as either optional language or as instructions to the users of these sample
provisions and are not intended to be included in the contractual provisions.
HIPAA Privacy Rule – Policies, Procedures, and Documents
The HIPAA Privacy Rule requires each covered entity to adopt written policies and procedures with
respect to protected health information designed to comply with the standards and other requirements
of the Rule. (See 45 CFR § 164.530(i) and (j).) Every organization must develop or revise policies and
procedures in whatever format works best for the organization: some prefer a limited number of
policies, each addressing many issues; others prefer separate, shorter policies addressing one issue
each. The following tool is provided to help you address the necessary HIPAA Privacy Rule elements.
For each element it gives the relevant citation to the section of the HIPAA Privacy Rule that must be
addressed in policies and procedures if it applies to your organization, and identifies which elements we
have addressed, in whole or in part, and where (in italics) in the template forms, policies and
procedures, and documents. Because of the unique needs of each practice/health care facility, you need
to review these documents to determine what, if any, additional policies and procedures you may need
to be HIPAA-compliant.
Policies and procedures are also included to address certain HIPAA privacy and security
requirements expanded by the HITECH Act.
• Overview of Types of Permission Needed for Use and Disclosure of PHI
  45 CFR § 164.502
  Notice of Privacy Practices
  Authorization to Use or Disclose Protected Health Information (Policy & Procedures)
• Required Disclosures
  45 CFR § 164.502
  Notice of Privacy Practices
• Handling of Deceased Individuals
  45 CFR § 164.502
  Authorization to Use or Disclose Protected Health Information (Policy & Procedures)
• Un-Emancipated Minors
  45 CFR § 164.502
  Treatment of Minors and the Handling of Their Protected Health Information
• Handling of Personal Representatives
  45 CFR § 164.502
  Authorization to Use or Disclose Protected Health Information (Policy & Procedures)
• Business Associates
  45 CFR § 164.502, 164.504
  Identifying Your Business Associates
  Business Associate Agreement Checklist
• Organizational Documentation
  45 CFR § 164.504
  Not applicable in most practices
  - Hybrid Organization
  - Affiliated Covered Entity
  - Organized Health Care Arrangement
  - Multiple Covered Functions
• Uses and Disclosures Without Authorization for Treatment, Payment, and Health Care Operations
  45 CFR § 164.506
  Notice of Privacy Practices
  Authorization to Use or Disclose Protected Health Information (Policy & Procedures)
• Authorization
  45 CFR § 164.508
  Authorization to Use or Disclose Protected Health Information (Policy & Procedures)
• Research
  45 CFR § 164.508
  Notice of Privacy Practices
  Authorization to Use or Disclose Protected Health Information (Policy & Procedures)
• Marketing
  45 CFR § 164.508
  Notice of Privacy Practices
  Authorization to Use or Disclose Protected Health Information (Policy & Procedures)
• Opportunity to Agree or Object
  45 CFR § 164.510
  Notice of Privacy Practices
• Facility Directory
  45 CFR § 164.510
  Notice of Privacy Practices (not applicable in most practices)
• Persons Involved in Care or Payment
  45 CFR § 164.510
  Notice of Privacy Practices
• Disaster Relief
  45 CFR § 164.510
  Notice of Privacy Practices
• Public Policy Disclosures Without Authorization
  45 CFR § 164.512
  Notice of Privacy Practices
  Authorization to Use or Disclose Protected Health Information (Policy & Procedures)
  Minimum Necessary Requirements for the Use and Disclosure of Protected Health Information (Policy & Procedures)
• Minimum Necessary
  45 CFR § 164.502, 164.514
  HITECH Act Section 13405, codified at 42 U.S.C. § 17935
  Minimum Necessary Requirements for the Use and Disclosure of Protected Health Information (Policy & Procedures)
• Fund-raising
  45 CFR § 164.514
  Notice of Privacy Practices
• De-Identification
  45 CFR § 164.502 and 164.514 (not applicable in most practices)
• Limited Data Set
  45 CFR § 164.514
  HITECH Act Section 13405, codified at 42 U.S.C. § 17935
  Minimum Necessary Requirements for the Use and Disclosure of Protected Health Information (Policy & Procedures)
• Verification of Identity and Authority
  45 CFR § 164.514
  All policies and procedures pertaining to the use or disclosure of protected health information to an individual or entity address this subject
• Notice of Privacy Practices
  45 CFR § 164.520
  Notice of Privacy Practices
• Requests for Confidential Communications
  45 CFR § 164.522
  Notice of Privacy Practices
• Request for Restrictions on Uses and Disclosures
  45 CFR § 164.522
  HITECH Act Section 13405(a)
  Notice of Privacy Practices
  Responding to Requests for Restrictions on the Use or Disclosure of Protected Health Information (Policies & Procedures)
• Patient Access to Records
  45 CFR § 164.524
  Responding to Requests to Access and/or Copy Protected Health Information (Policy & Procedures)
  Notice of Privacy Practices
• Amendment of Patient Records
  45 CFR § 164.526
  Requests to Correct or Amend Protected Health Information (Policy & Procedures)
  Notice of Privacy Practices
• Accounting of Disclosures
  45 CFR § 164.528
  Documenting of and Accounting for Disclosures of Protected Health Information (Policy & Procedures)
  Notice of Privacy Practices
• Privacy Official
  45 CFR § 164.530
  Sample Job Descriptions – HIPAA Privacy Official and Contact Person and HIPAA Security Official
• Complaint Process
  45 CFR § 164.530
  Notice of Privacy Practices
  Complaints and Grievances Relating to the Use or Disclosure of Protected Health Information (Policy & Procedures)
• No Retaliation for Pursuing Privacy Rights or “Whistleblowing”
  45 CFR § 164.530
  Notice of Privacy Practices
  Complaints and Grievances Relating to the Use or Disclosure of Protected Health Information (Policy & Procedures)
• Mitigation of Damages From Breach of Privacy
  45 CFR § 164.530
  Complaints and Grievances Relating to the Use or Disclosure of Protected Health Information (Policy & Procedures)
• Prohibition on Asking Patients to Waive Privacy Rights
  45 CFR § 164.530
  Complaints and Grievances Relating to the Use or Disclosure of Protected Health Information (Policy & Procedures)
• Training
  45 CFR § 164.530
  HIPAA Privacy and Security Training (Policy & Procedures)
  HIPAA Privacy and Security Training Checklist
  HIPAA Privacy Rule: A Questionnaire for Nonclinical Staff
  HIPAA Privacy Rule: A Questionnaire for Nonclinical Staff – Answer Key
  HIPAA Privacy Rule: A Questionnaire for Clinical Staff
  HIPAA Privacy Rule: A Questionnaire for Clinical Staff – Answer Key
  Treatment of Minors and the Handling of Their Protected Health Information
  Kinship Caregivers Informed Consent Declaration for Minors
  Employee Confidentiality and HIPAA Training Acknowledgment Statement
  Nonemployee Confidentiality and HIPAA Training Acknowledgment Statement
  HIPAA Help – A Resource List
• Safeguards
  45 CFR § 164.530
  All forms/policies and procedures, Employee and Nonemployee Confidentiality and HIPAA Training Acknowledgment Statements, and any safeguards that you utilize or put in place [as identified in your work plan]
• Discipline/Sanctions
  45 CFR § 164.530
  Employee Confidentiality and HIPAA Training Acknowledgment Statement
  Nonemployee Confidentiality and HIPAA Training Acknowledgment Statement
• Document Retention
  45 CFR § 164.530
  To comply with HIPAA, organizations need a retention policy under which the documentation the Privacy Rule requires (policies and procedures, notices, authorizations, accountings of disclosures, and similar records) is retained for six years from the date of its creation or the date when it last was in effect, whichever is later (45 CFR § 164.530[j]). From a risk management perspective, however, you may want to retain documents for at least 10 years following the date of the patient’s last medical service.
• Notification of Breach of Unsecured Protected Health Information
  HITECH Act Section 13402, codified at 42 U.S.C. § 17932
  45 CFR §§ 164.400 et seq.
  Notification of Breach of Unsecured Protected Health Information (Policy & Procedures)
  Accounting Log for Notification of Breach of Unsecured Protected Health Information
Organizations may access the HIPAA Privacy Rule by going to the US Department of Health and
Human Services Office for Civil Rights - HIPAA Web site at: http://www.hhs.gov/ocr/privacy/.
It is important to remember that more restrictive or more protective state and federal laws may
preempt the HIPAA Privacy Rule. Also, be sure to consider any privacy and security standards
established by accrediting bodies.
Instructions for Implementing Sample HIPAA Forms and Policies and Procedures
☐ Review the document titled HIPAA Privacy Rule – Policies, Procedures, and Documents.
☐ Identify any additional forms, policies, and procedures that you may need to develop to comply with the HIPAA Privacy Rule. On the HIPAA Privacy Rule – Policies, Procedures, and Documents checklist we have indicated which sample forms and policies and procedures we have provided.
☐ Review all forms, policies and procedures, and other sample documents.
☐ Identify areas that will require customization to your health care operations:
  - To assist you in this process, we have indicated the areas that must be personalized (e.g., [insert practice/health care facility], [insert name of contact person and phone number here]). If the issue is required by state or federal law, it must remain in the form and policy and procedures document.
  - If the issue is not a requirement of state or federal law, evaluate the issue for any liability concerns.
☐ Make any necessary adjustments to the forms, policies and procedures, and sample documents (sample documents can be downloaded from our Web site at www.phyins.com).
☐ Provide staff training on new forms, policies and procedures, and documents.
☐ Implement your HIPAA and state law-compliant policies only when you are able to fully comply with such policies. If you implement policies and procedures that you cannot fully comply with, you are potentially increasing your liability exposure.
☐ Monitor the applicable federal and state laws for changes and modify forms, policies, and procedures accordingly.
☐ Retain forms, policies and procedures, and documents—including those that have been superseded—in accordance with your record-retention policy.
We recommend that any new or revised forms, policies and procedures, and documents be
reviewed by legal counsel knowledgeable with applicable federal and state laws.
Notice of Privacy Practices (Policy & Procedures)
Purpose: To provide patients and other interested persons with a defined opportunity to receive adequate
notice of 1) the uses and disclosures of protected health information (PHI) that may be made by the
provider; 2) patient rights concerning PHI; and 3) the provider’s legal duties pertaining to PHI.
Policy:
1. Reasonable effort shall be made to provide patients or their legally authorized representative the current
Notice of Privacy Practices (NPP) on the date of the first service delivery following April 14, 2003, except
where the first service delivery involves emergency medical treatment; in such cases, the NPP shall be
provided as soon as it is reasonably practicable to do so.
2. Except in emergencies, reasonable effort shall be made to obtain a signed acknowledgment of receipt of
the current NPP from the patient or the legally authorized representative.1
3. Document reasonable attempts to provide the current NPP by filing the signed acknowledgment of
receipt in the medical record. Refusals to sign the acknowledgment, or refusals to accept the NPP, shall
also be documented.
4. A current NPP will be posted in a prominent location where it is reasonable to expect that patients will
see and have an opportunity to read the document. At any time, a patient or the patient’s legally
authorized representative may request and receive a copy of the current NPP.
5. The Notice of Information Practices required by Washington State law will be placed in a conspicuous
place or provided to the patient in another notice. The Notice of Privacy Practices Acknowledgment may
contain this required Notice of Information Practices.2
6. The NPP shall describe actual privacy practices and examples of all uses and disclosures of PHI.3 Any
change to actual privacy practices shall be reflected in the NPP. Subsequent to any revision, a copy of
the “old” NPP shall be retained for 6 years from the date it was last effective.4
7. Any person, not only a patient, having questions about the NPP, or privacy/confidentiality practices,
shall be directed to the Privacy Official for further information if necessary.
8. Any member of the general public (who is not a patient or a patient’s legally authorized representative)
requesting the NPP shall be provided the current NPP as promptly as circumstances permit. The
documentation requirements do not apply.5
Primary Responsible Party:
Privacy Official and Admitting/Front Office Staff
Other Responsible Party:
All staff should have general knowledge and be able to direct questions and concerns appropriately.
Procedure:
1. Patients or their legally authorized representative must be provided the current Notice of Privacy
Practices (NPP) no later than the date of the first service delivery following April 14, 2003.6
a) Ask the individual to sign the written acknowledgment form attached to the NPP.7 The signed
document shall be filed and maintained in the patient record.
b) If the individual refuses the offered NPP or declines to sign the acknowledgment form:
• Document the refusal on the acknowledgment form, and
• File it in the medical record.
For example: “Mr. Smith declined to accept NPP” or “Mr. Smith accepted NPP, but refused to
sign the acknowledgment form when requested.”
• Sign and date the notation.
2. There is no requirement to provide the current NPP, or attempt to do so, where the first patient
encounter involves emergency medical treatment, making the provision of notice and related
documentation requirements impractical or inappropriate.
a) The documentation in the medical record should corroborate that the patient required and
received emergency medical treatment. In such cases, the current NPP shall be provided as
soon as it is reasonably practicable to do so. This may be when the patient has stabilized, at the
next scheduled appointment, via mail if it appears the patient may not return for another
appointment, or by any other means reasonable and appropriate under the specific
circumstances.
b) When provision of the current NPP at the first service is not accomplished due to the emergency
exception, written acknowledgment of subsequent provision [is/is not] required. [Select the option
that works best for your practice/facility—the HIPAA Privacy Regulations do not require
acknowledgment in this case—but it is strongly recommended from a risk management
perspective.]
3. Copies of the current NPP shall be maintained and available to give to any patient, legally authorized
representative, or other person so requesting.8
4. The NPP shall be revised any time there are material changes to the uses and disclosures of PHI,
patient rights, provider duties, or other privacy practices referenced in the NPP.
5. Patients receiving the NPP who have questions or desire further information should be directed to the
practice/health care facility Privacy Official as necessary. Every effort should be made to help interested
patients understand the information contained in the NPP.
Policies and Procedures Specific to Electronic Notices of Privacy Practices and/or Electronic
Service Delivery:
1. The current NPP will be prominently posted on the Web site and made readily available electronically
through our Web site. [This section is mandatory and applies if you provide information on a Web site
about your services.]
2. The current NPP may be provided by e-mail if the patient or individual agrees. However, the patient or
individual retains the right to obtain a paper copy of the NPP upon request.
3. If the first service is delivered electronically, the patient shall be provided the current NPP automatically
and contemporaneously in response to the first request for service. The required “written
acknowledgment” should be captured electronically, by whatever means technologically feasible.9
References:
RCW: 70.02.120
45 CFR Subtitle A, Subchapter C. § 164.520
1 It is strongly recommended that such acknowledgments also be obtained from patients receiving the NPP after a first-service delivery that involves emergency medical treatment.
2 While the cover sheet for the NPP may contain the required Washington State language, it is still advisable to post it in a prominent location since patients do not have to sign the acknowledgment.
3 If you contact patients to remind them about appointments, or give them information about treatment alternatives or other health-related benefits and services or fund-raising activities, you must make mention of these examples of uses or disclosures of PHI in the section pertaining to health care operations in the NPP. The NPP need not mention the required offer to opt out of fund-raising that must accompany fund-raising solicitations.
4 The NPP must contain a statement reserving the right to make modifications to the practice/health care facility’s practices regarding the PHI maintained.
5 Since the documentation requirements do not apply in these circumstances, it would be necessary to provide and document the provision of the NPP if and when the individual becomes a patient at the practice/health care facility.
6 Providers and health care facilities may want to work together on a system to enable compliance with this requirement when the first-service delivery is at the health care facility in a nonemergency situation.
7 A copy of the notice must be distributed to the patient without any express or implied request to return it. It is permissible to have a “recycle” basket with a sign stating, “You have a right to keep the Notice of Privacy Practices. If you do not wish to keep it, please place it in this basket.”
8 A charge for a copy of the NPP is not permissible under HIPAA.
9 If it is not feasible (patient does not have e-mail or a facsimile machine) to deliver the NPP as required by the rule, we recommend that you inform the patient that you will mail the NPP and the acknowledgment form (for the patient to complete and return) and document your actions.
Policy effective date: ___/____/____ Revision date(s): ____/____/____
Notice of Privacy Practices
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND
DISCLOSED, AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT
CAREFULLY.
[Insert name of practice or facility] respects your privacy. We understand that your personal health
information is very sensitive. The law protects the privacy of the health information we create and obtain in
providing care and services to you. Your protected health information includes your symptoms, test results,
diagnoses, treatment, health information from other providers, and billing and payment information relating
to these services.
We will not use or disclose your health information to others without your authorization, except as described
in this Notice, or as required by law.
Your health information rights
The health and billing records we create and store are the property of [insert name of practice or facility].
The protected health information in it, however, generally belongs to you. You have a right to:
• Receive, read, and ask questions about this Notice.
• Ask us to restrict certain uses and disclosures. You must deliver this request in writing to us. We
are not required to grant the request unless the request is to restrict disclosure of your protected
health information to a health plan for payment or health care operations and the protected
health information is about a service or treatment for which you paid directly.
• Request and receive from us a paper copy of the most current Notice of Privacy Practices
(“Notice”).
• Request that you be allowed to see and get a copy of your protected health information. You
may make this request in writing. We have a form available for this type of request.
• Have us review a denial of access to your health information—except in certain circumstances.
• Ask us to change your health information. You may give us this request in writing. You may write
a statement of disagreement if your request is denied. It will be stored in your medical record,
and included with any release of your records.
• When you request, we will give you a list of certain disclosures of your health information. The
list will not include disclosures for treatment, payment, or health care operations. You may
receive this information without charge once every 12 months. We will notify you of the cost
involved if you request this information more than once in 12 months.
• Ask that your health information be given to you by another means or at another location.
Please sign, date, and give us your request in writing.
• Cancel prior authorizations to use or disclose health information by giving us a written
revocation. Your revocation does not affect information that has already been released. It also
does not affect any action taken before we have it. Sometimes, you cannot cancel an
authorization if its purpose was to obtain insurance.
For help with these rights during normal business hours, please contact:
[Insert name or title of designated staff member]
[Insert phone number or address]
Our responsibilities
We are required to:
• Keep your protected health information private.
• Give you this Notice.
• Follow the terms of this Notice.
We have the right to change our practices regarding the protected health information we maintain. If we
make changes, we will update this Notice. You may receive the most recent copy of this Notice by calling
and asking for it or by visiting our [office/medical records department] to pick one up.
To ask for help or complain.
If you have questions, want more information, or want to report a problem about the handling of your
protected health information, you may contact:
[Insert name or title of designated staff member]
[Insert phone number or address]
If you believe your privacy rights have been violated, you may discuss your concerns with any staff
member. You may also deliver a written complaint to [insert name or title of person] at [insert name of
practice or facility]. You may also file a complaint with the Department of Health and Human Services
Office for Civil Rights (OCR).
We respect your right to file a complaint with us or with the OCR. If you complain, we will not retaliate
against you.
How we may use and disclose your protected health information.
Under the law, we may use or disclose your protected health information under certain circumstances
without your permission. The following categories describe the different ways we may use and disclose your
protected health information. For each category, we will explain what we mean and give some examples.
Not every use or disclosure in a category will be listed. However, all of the ways we are permitted to use
and disclose health information will fall within one of the categories.
Examples of uses and disclosures of protected health information for treatment, payment, and
health care operations:
For treatment:
• Information obtained by a nurse, physician, or other member of our health care team will be
recorded in your medical record and used by members of our health care team to help decide
what care may be right for you.
• We may also provide information to health care providers outside our practice who are providing
you care or for a referral. This will help them stay informed about your care.
For payment:
• We request payment from your health insurance plan. Health plans need information from us
about your medical care. Information provided to health plans may include your diagnoses,
procedures performed, or recommended care.
• We bill you or the person you tell us is responsible for paying for your care if it is not covered by
your health insurance plan.
For health care operations:
• We may use your medical records to assess quality and improve services.
• We may use and disclose medical records to review the qualifications and performance of our
health care providers and to train our staff.
• We may use and disclose your information to conduct or arrange for services, including:
• Medical quality review by your health plan,
• Accounting, legal, risk management, and insurance services; and
• Audit functions, including fraud and abuse detection and compliance programs
Statements about certain uses and disclosures.
• We may contact you to remind you about appointments.
• We may use and disclose your health information to give you information about treatment alternatives or other health-related benefits and services.
• We may contact you to raise funds. If we contact you for fund-raising, we will also provide you with a way to opt out of receiving fund-raising requests in the future.
Some of the other ways that we may use or disclose your protected health information without your
authorization are as follows:
• Required by law: We must make any disclosure required by state, federal, or local law.
• Business Associates: We contract with individuals and entities to perform jobs for us or to provide certain types of services that may require them to create, maintain, use, and/or disclose your health information. We may disclose your health information to a business associate, but only after they agree in writing to safeguard your health information. Examples include billing services, accountants, and others who perform health care operations for us.
• Notification of family and others: Unless you object, we may release health information about you to a friend or family member who is involved in your medical care. We may also give information to someone who helps pay for your care. We may tell your family or friends your condition and that you are in a hospital.
• Public health and safety purposes: As permitted or required by law, we may disclose protected health information:
  • To prevent or reduce a serious, immediate threat to the health or safety of a person or the public.
  • To public health or legal authorities:
    • To protect public health and safety.
    • To prevent or control disease, injury, or disability.
    • To report vital statistics such as births or deaths.
    • To report suspected abuse or neglect to public authorities.
• Research: We may disclose protected health information to researchers if the research has been approved by an institutional review board or a privacy board and there are policies to protect the privacy of your health information. We may also share information with medical researchers preparing to conduct a research project.
• Coroners, medical examiners, and funeral directors: We may disclose protected health information to funeral directors and coroners consistent with applicable law to allow them to carry out their duties.
• Organ-procurement organizations: Consistent with applicable law, we may disclose protected health information to organ-procurement organizations (tissue donation and transplant) or persons who obtain, store, or transplant organs.
• Food and Drug Administration (FDA): For problems with food, supplements, and products, we may disclose protected health information to the FDA or entities subject to the jurisdiction of the FDA.
• Workplace injury or illness: Washington State law requires the disclosure of protected health information to the Department of Labor and Industries, the employer, and the payer (including a self-insured payer) for workers’ compensation and for crime victims’ claims. We also may disclose protected health information for work-related conditions that could affect employee health; for example, an employer may ask us to assess health risks on a job site.
• Correctional institutions: If you are in jail or prison, we may disclose your protected health information as necessary for your health and the health and safety of others.
• Law enforcement: We may disclose protected health information to law enforcement officials as required by law, such as reports of certain types of injuries or victims of a crime, or when we receive a warrant, subpoena, court order, or other legal process.
• Government health and safety oversight activities: We may disclose protected health information to an oversight agency that may be conducting an investigation. For example, we may share health information with the Department of Health.
• Disaster relief: We may share protected health information with disaster relief agencies to assist in notification of your condition to family or others.
• Military, Veteran, and Department of State: We may disclose protected health information to the military authorities of U.S. and foreign military personnel; for example, the law may require us to provide information necessary to a military mission.
• Lawsuits and disputes: We are permitted to disclose protected health information in the course of judicial/administrative proceedings at your request, or as directed by a subpoena or court order.
• National Security: We are permitted to release protected health information to federal officials for national security purposes authorized by law.
• De-identifying information: We may use your protected health information by removing any information that could be used to identify you.
Web site
• We have a Web site that provides information about us. For your benefit, this Notice is on the Web site at the following address: [Insert Web site address].
Effective date
[Insert effective date of the Notice]
Notice of Privacy Practices Acknowledgment
We keep a record of the health care services we provide you. You may ask to see and copy that record.
You may also ask to correct that record. We will not disclose your record to others unless you direct us to
do so or unless the law authorizes or compels us to do so. You may see your record or get more
information about it by contacting [insert name or title of Privacy Official].
Our Notice of Privacy Practices describes in more detail how your health information may be used and
disclosed, and how you can access your information.
By my signature below I acknowledge receipt of the Notice of Privacy Practices.
_____________________________________________________________________________________
Patient or legally authorized individual signature
Date
Time
_____________________________________________________________________________________
Printed name if signed on behalf of the patient
Relationship (parent, legal guardian, personal representative)
(Notation, if any, by staff)
This form will be retained in your medical record.
Authorization to Use or Disclose Protected Health Information (Policy &
Procedures)
Purpose: To provide a procedure for obtaining patient authorization for the use or disclosure of protected
health information (PHI) when required by law.
Policy:
1. In general, patient health care information should be released pursuant to a valid patient authorization.
Examples of when a valid patient authorization is needed include the use or disclosure of:
• PHI to the individual to whom the PHI pertains
• PHI for marketing1
• Psychotherapy notes2
• Some research purposes3
• Legal requests
• Life insurance requests
• PHI to others not involved in patient care
2. An authorization is not required for uses or disclosures of PHI for:
• Treatment,
• Payment,
• Health care operations, and
• When permitted or required by law.4
3. In general, a valid authorization must be honored as written.5
4. Authorizations and the fulfillment of the disclosure/use request will be appropriately recorded and
become part of the patient medical record. [See Documenting of and Accounting for Disclosures of
Protected Health Information (Policy & Procedures).]
Primary Responsible Party:
Privacy Official, Medical Records Clerk, and Front Office Staff.
Other Responsible Party:
All staff should have general knowledge and be able to direct questions/concerns appropriately.
Procedure:
1. When a request is made to disclose PHI:
  a. Determine if an authorization is needed to release the PHI. See Policy Statements 1 and 2 above.
  b. If an authorization is required, ask the patient or legally authorized representative to complete and sign the Authorization to Use or Disclose Protected Health Information form. If the authorization is from an outside entity, see step 2 in this procedure to determine its validity.
    (i) Generally, for an adult (18 years or older), a legally authorized representative is one of the following in order of priority:
      1. Legal guardian
      2. Durable power of attorney for health care
      3. Spouse
      4. Children of the patient who are at least eighteen years of age
      5. Birth or adoptive parent
      6. Adult siblings (all must agree)
    (ii) For a minor (under 18 years of age), a legally authorized representative is one of the following in order of priority:
      1. Appointed guardian or legal custodian
      2. A person authorized by the court to consent to medical care for a child in or out of home placement pursuant to RCW 13.32A or 13.34
      3. Parents
      4. An individual to whom the minor's parent has given a signed authorization to make health care decisions for the minor patient
      5. A competent adult representing himself or herself to be a relative responsible for the health care of the minor, or a competent adult who has signed and dated a declaration under penalty of perjury pursuant to RCW 9A.72.085 stating that the adult person is a relative responsible for the health care of the minor.6
    (iii) For deceased patients, an executor of the estate has priority over other legally authorized representatives.
  c. Ask for verification of the identity and the authority of the individual if warranted (if the identity or the authority of the individual is not known to the practice/health care facility).
  d. Advise when the request will be processed. Written, valid authorizations must be honored no later than 15 working days from the date received.7
  e. Provide a copy of the completed and signed authorization form to the patient if:
    (i) The patient requests, or
    (ii) The practice/health care facility is asking the patient to sign the authorization.
2. Review the authorization for validity. A copy of a valid authorization is as binding as the original. The following elements must be present and be honored:
a. A description of the information to be used or disclosed.8
b. The name of the entity authorized to release the information (e.g., the name of the practice/health care facility).
c. The name (or title) and institutional affiliation (if any) of the recipient(s).
d. A description of each purpose for the disclosure/use (e.g., patient request, research, or marketing). The authorization must mention remuneration, if any, for marketing purposes.
e. One of the following must be specified: an expiration date (a specific date—e.g., January 1, 2012) OR when a specific event relating to the patient or the purpose of the use or disclosure occurs (e.g., “when adoption of our child is final”).9 For research, the expiration may be “end of research study.”
f. Signature and date (time is optional but may be beneficial in dealing with revocations of authorizations). (See 1[b][i] and 1[b][ii] in this procedure for a list of legally authorized representatives able to sign on behalf of the patient.)10
g. A statement regarding the individual’s right to revoke the authorization, the exceptions to their right to revoke the authorization, and how they may revoke the authorization.11
h. A statement regarding the ability or inability to condition health care treatment, payment, enrollment, or eligibility for benefits on the authorization.12
i. A statement that the information may be subject to re-disclosure and may no longer be protected by federal or state privacy laws.
j. The form must be in plain language.
k. A description of the representative’s authority to act for the individual and/or relationship to the individual if signed by a representative.
l. The authorization may not be combined with any other document that would create a compound authorization.13
3. Process the request14
a. Honor the request as written. Information pertaining to HIV (AIDS virus), STDs, psychiatric disorders, mental health, drug use, or alcohol use may not be disclosed or used unless specified by the patient or legally authorized representative on the form.
b. The request may not be processed if:
(i) All required elements are not present,
(ii) The authorization has expired,
(iii) There is knowledge that the authorization has been revoked (see Revocation of Authorization to Use or Disclose Protected Health Information form and policy & procedures),
(iv) There is knowledge that material information on the authorization is false, or
(v) The individual making the request is not authorized.
c. Make copies and redact any PHI not authorized in the disclosure/use request from the photocopies (e.g., HIV, AIDS virus, and STDs). You may wish to include a copy of the following language: “We have enclosed all the information we are permitted by law to disclose to you pursuant to the patient’s or legally authorized representative’s valid authorization.”
d. Prepare a statement for PHI copy fees.15
e. Record on the authorization and the Accounting Log for Protected Health Information Disclosures form [see Documenting of and Accounting for Disclosures of Protected Health Information (Policy & Procedures)] the appropriate elements showing that the request was fulfilled.
Internal References:
Documenting of and Accounting for Disclosures of Protected Health Information (Policy & Procedures)
Revocation of Authorization to Use or Disclose Protected Health Information (Policy & Procedures)
Minimum Necessary Requirements for the Use and Disclosure of Protected Health Information (Policy &
Procedures)
Responding to Requests to Access and/or Copy Protected Health Information (Policy & Procedures)
External References:
RCW 70.02
RCW 70.02.010(12) and WAC 246-08-400—Reasonable fee
45 CFR § 164.506, 164.508, 164.512 and 164.524
1. 45 CFR § 164.508(a)(3): An authorization for the practice/health care facility to even use PHI for marketing purposes is required except if the communication is in the form of a face-to-face communication with the patient or if the communication is in the form of a promotional gift of nominal value to the patient.
2. 45 CFR §§ 164.501 & 164.508(a)(2): Psychotherapy notes are notes recorded by a mental health professional documenting or analyzing the contents of conversation during a counseling session—that are separated from the rest of the individual’s medical record. A specific authorization to use or disclose psychotherapy notes is required except if the notes are used or disclosed: by the originator of the notes for treatment; to a person or persons reasonably able to prevent or lessen the threat (including the target of the threat), if there is a good faith belief that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; if the notes are to be used in the course of training students, trainees, or practitioners in mental health; to defend a legal action or any other legal proceeding brought by the patient; when used by a medical examiner or coroner; for health oversight activities of the originator; or when required by law.
3. 45 CFR §164.512(i): An authorization is required except if the covered entity can document affirmatively that a valid waiver of the authorization has been approved by an IRB or a Privacy Committee.
4. 45 CFR §§ 164.506, 164.512 & RCW 70.02.050: Authorizations are not required for any treatment or payment purposes. Authorizations are also not required for the health care operations of the covered entity (e.g., administrative, legal, financial, or actuarial services) or, under certain circumstances, for the health care operations of another covered entity (e.g., requests for credentialing and quality-improvement purposes). Further, authorizations are not required when the use or disclosure is permitted or required by law.
5. 45 CFR §164.524, RCW 70.02.030 and 70.02.090: There are a few rare exceptions. [See Responding to Requests to Access and/or Copy Protected Health Information (Policy and Procedures).]
6. Such declaration shall be effective for up to six months from the date of the declaration.
7. RCW 70.02.080: If the practice/health care facility is not able to honor the request for access because the information is in use or unusual circumstances have delayed the handling of the request, the patient must be informed in writing of the reasons for the delay and the earliest date, not later than 21 working days after receiving the request, when the information will be available.
8. 45 CFR § 164.508(b)(3)(ii): (See also footnote 4) A valid authorization for psychotherapy notes must specifically identify that psychotherapy notes are the subject of disclosure/use and the authorization for psychotherapy notes may not specify any other records to disclose/use. You may utilize the Authorization to Use or Disclose Protected Health Information form; however, you must not combine the request with any other request for record use or disclosure. Simply check “other” and indicate “psychotherapy notes” in the section labeled “You may use or disclose the following health care information.”
9. If the authorization is for a disclosure to a financial institution or an employer of the patient for purposes other than payment, the authorization expires 90 days after signing unless the authorization is renewed by the patient. RCW 70.02.030(6). Additional requirements for authorizations for disclosures to researchers and third party payors are established under RCW 70.02.030(4), but apply only if disclosure without authorization is not permitted under RCW 70.02.050 and HIPAA, which is almost never the case.
10. Electronic signatures on authorization may be accepted by practices.
11. If the authorization form does not contain this element, to be valid the entity must include this information in its Notice of Privacy Practices AND they must refer to their “Notice of Privacy Practices” in their “Authorization to Use or Disclose Protected Health Information” form. See also the Revocation of Authorization to Use or Disclose Protected Health Information form and policy and procedures.
12. 45 CFR §164.508 (b)(4)(iii): You may condition the provision of health care on the signing of an authorization when the health care is solely for the purpose of creating PHI for disclosure to a third party (e.g., an Independent Medical Exam, an exam to obtain life insurance) or as a condition of taking part in a research study.
13. 45 CFR §164.508 (b)(3)(i): However, an authorization for purposes of a research study may be combined with any other type of written permission for the same research study (e.g., informed consent to participate in research or research protocols).
14. If there is a concern about honoring an authorization, consult the practice/health care facility’s legal counsel and/or malpractice carrier.
15. 45 CFR § 164.524(c)(4) & RCW 70.02.010(12) & WAC 246-08-400: HIPAA and Washington State law limit the amount that may be charged for duplication and searching services to a reasonable cost-based fee. A clerical searching and handling fee may be charged under state law, but federal law prohibits charging this fee to the patient or to someone authorized to make health care decisions on behalf of the patient. When editing of the record is required by statute and is done by the provider personally, Washington State law allows the provider to charge the usual and customary charge for a basic office visit—as a result of the HIPAA Privacy Rule, individuals must agree to these charges in advance. Washington State Department of Health discourages charging a fee in cases of financial hardship. Refusing to provide copies of records for treatment purposes is unethical.
Policy effective date: ____/____/____ Revision date(s): ____/____/____
Authorization to Use or Disclose Protected Health Information
Patient name: ___________________________________
Date of birth: _______________________________
Previous name: _________________________________________________________________________________
I. My Authorization
You may use or disclose the following health care information (check all that apply):
All health care information in my medical record
Health care information in my medical record relating to the following treatment or condition:
______________________________________________________________________________________
Health care information in my medical record for the date(s): ______________________________________
Other (e.g., X-rays, bills), specify date(s): _____________________________________________________
You may use or disclose health care information regarding testing, diagnosis, and treatment for (check
all that apply):
HIV (AIDS virus)
Sexually transmitted diseases
Psychiatric disorders/mental health
Drug and/or alcohol use
You may disclose this health care information to:
Name (or title) and organization or class of persons: _______________________________________________
Address (optional): __________________________________ City: ________________ State: ___ Zip: ______
Reason(s) for this authorization (check all that apply):
at my request
other (specify) ___________
check only if [insert name of practice or facility] requests the authorization for marketing purposes
check only if [insert name of practice or facility] will be paid or get something of value for providing health information for marketing purposes
This authorization ends:
on (date): ___________
when the following event occurs: _________________________________
in 90 days from the date signed (if disclosure is to a financial institution or an employer of the patient for
purposes other than payment)
II. My Rights
I understand I do not have to sign this authorization in order to get health care benefits (treatment, payment, or
enrollment). However, I do have to sign an authorization form:
• To take part in a research study or
• To receive health care when the purpose is to create health care information for a third party.
I may revoke this authorization in writing. If I did, it would not affect any actions already taken by [insert name of
practice or facility] based upon this authorization. I may not be able to revoke this authorization if its purpose
was to obtain insurance. Two ways to revoke this authorization are:
• Fill out a revocation form. A form is available from [insert name of practice or facility], or
• Write a letter to [insert name of practice or facility].
Once health care information is disclosed, the person or organization that receives it may re-disclose it. Privacy
laws may no longer protect it.
_____________________________________________________________________________________
Patient or legally authorized individual signature
Date
Time
_____________________________________________________________________________________
Printed name if signed on behalf of the patient
Relationship (parent, legal guardian, personal representative)
Revocation of Authorization to Use or Disclose Protected Health Information
(Policy & Procedures)
Purpose: To provide a procedure to address an individual’s right to revoke an authorization to use or
disclose health care information as permitted by law.
Policy:
1. With few exceptions, individuals may revoke, in writing, an authorization to use or disclose PHI at any
time.
2. The revocation of an authorization to use or disclose PHI must become part of the patient record and
the information maintained according to the medical record retention schedule—but no less than six
years.
Responsible Party:
Medical Records staff
Other Responsible Party:
All staff must have sufficient understanding of the right to revoke an authorization to use or disclose PHI to
know where to refer a patient or the legally authorized representative.
Procedure:
1. When a request is made to revoke an authorization:
a. Ask for verification of the identity and the authority of the individual if warranted—if the identity or
the authority of the individual is not known to the practice/health care facility.
b. Ask the patient or legally authorized representative to submit the revocation in writing. The
revocation may be submitted in one of the following manners:1
i. Sign, date, and time the Revocation of Authorization to Use or Disclose Protected Health
Information form; or
ii. Write, sign, and date a letter to [insert name of practice or facility] to cancel the
authorization; or
iii. Write “Revoked” or “Cancelled” on the original or a copy of the Authorization to Use or
Disclose Protected Health Information form. These notations should be signed, dated, and
timed by the individual requesting the revocation.2
iv. If it is not feasible or practicable to obtain the individual’s written revocation:
1. Document the individual’s oral revocation on the affected Authorization to Use or
Disclose Protected Health Information form.
2. Document the date and time and whether the revocation was done in person or
over the phone.
3. If feasible, the oral revocation shall be witnessed and documented by a second
staff member.
c. Inform the individual that:
i. A valid request to revoke the authorization will be honored; and
ii. Any uses or disclosures already made based upon the original request will not be
affected; and
iii. Sometimes the practice/health care facility is allowed or required by law to use or disclose
information without patient permission; and
iv. (if applicable) If the authorization form indicates that the original purpose of the form was
to obtain insurance—it is possible that the authorization may not be revocable.
2. Honor the request to the extent required by law (see 1[c][i-iv]).
3. If the revocation is not documented on the affected authorization, then link the affected authorization with
the documented revocation.
Internal References:
Authorization to Use or Disclose Protected Health Information (Policy & Procedures)
Documenting of and Accounting for Disclosures of Protected Health Information (Policy & Procedures)
External References:
RCW 70.02.040
45 CFR § 164.508(b) and (c)
1. These suggested elements are risk management recommendations designed to provide privacy safeguards. Federal and Washington State laws require only that the revocation request be made by the patient or authorized individual in writing.
2. This option is available even though it may not be mentioned on the authorization form.
Policy effective date: ____/____/____ Revision date(s): ____/____/____
Revocation of Authorization to Use or Disclose Protected Health Information
Patient name:
Date of birth:
Previous name:
Revoke my authorization dated:
Disclose no more information to:
Name (or title) and organization:
Address:
City:
State:
Zip:
I understand that this request does not apply to any uses or disclosures:
• Before [insert name of practice or facility] gets this revocation, or
• Allowed or required by law.
__________________________________________________________________________________
Patient or legally authorized individual signature
Date
Time
__________________________________________________________________________________
Printed name if other than patient
Relationship (parent, legal guardian, representative)
Responding to Requests to Access and/or Copy Protected Health Information
(Policy & Procedures)
Purpose: To provide a process for handling requests by patients or their legally authorized representatives
to access and/or copy the patient’s protected health information (PHI) consistent with federal and state
laws.
Policy:
1. Subject to certain exceptions, a patient or the patient’s legally authorized representative has a right to
inspect and/or obtain a copy of the patient’s PHI maintained by the practice/health care facility.1
2. Requests must be approved or denied—in whole or in part—in a timely fashion.
3. Requests will be reviewed by the appropriate party(ies).
4. Requests and their disposition shall be documented, and any denial—in whole or in part—shall be in
writing.
5. Where applicable, the patient or the legally authorized representative shall be informed of the right to
request a review of a denial.
6. A reasonable, cost-based fee may be charged for copies or summaries of the PHI.
7. The medical records and other PHI subject to a request for patient access, e.g., the designated record
sets, are maintained [insert description of all places where medical and billing information is
maintained].2
Primary Responsible Party:
[Insert the title(s) of the persons or offices responsible for receiving and processing requests for
access (e.g., Privacy Official, medical records personnel)].
Other Responsible Party:
All staff must have sufficient understanding of the patient’s rights and the practice/health care facility’s
obligation to approve or deny requests—in whole or in part—according to pertinent laws.
Procedure:
1. When an individual makes a request to access and/or copy PHI:
a) Ask for verification of the identity and the authority of the individual if warranted (if the identity or
the authority of the individual is not known to the practice/health care facility).
b) File any written request in the medical record—the Authorization to Use or Disclose Health Care
Information form may be used for this purpose.
c) Document the date any written or verbal request was received.
d) Inform the individual either when the record (or copy) will be available or that you will be getting
back to them.
2. Access to the record (and any copy request) shall be granted or denied in whole or in part within 15
working days after receipt of the request.3 If there is a delay due to unusual circumstances (e.g., if the
record is in use), specify in writing, within the 15 working days, to the individual:
a) The reason for the delay.
b) The date the record will be available—but no later than 21 working days from the date the
request was received.4
3. If the request is denied in whole or in part, inform the individual in writing of the reason for the denial.
Permissible reasons are:
a) The record does not exist or cannot be found.5
b) [Insert name of practice or facility] does not maintain the record, and if known, give the
individual the name and address of the health care provider who does maintain the record.6
c) Due to federal and state laws, the requested record is not available to the individual. These
include:7
i. Psychotherapy notes;
ii. Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or
administrative action or proceeding;
iii. PHI where access is prohibited by or exempt from Clinical Laboratory Improvements
Amendments of 1988, 42 U.S.C. 263a (CLIA);
iv. PHI contained in records subject to the Privacy Act, 5 U.S.C. 552a, if the denial of access
under the Privacy Act would meet the requirements of that law;
v. PHI maintained by a correctional institution, or a provider acting under the direction of a
correctional institution, if access would jeopardize the health, safety, security, custody, or
rehabilitation of the patient or other inmates, or the safety of persons at the institution or
those responsible for transporting the inmate;
vi. PHI created or obtained by a covered health care provider in the course of research—that
includes treatment—and the access is temporarily suspended for as long as the research is
in progress, provided that the individual has agreed to the denial of access when consenting
to participate in the research that includes treatment, and the covered health care provider
has informed the individual that the right of access will be reinstated upon completion of the
research;
vii. PHI obtained from someone other than a health care provider under a promise of
confidentiality, and the access requested would be reasonably likely to reveal the source of
the information;
viii. A licensed health care professional has determined, in the exercise of professional
judgment, that the access requested is reasonably likely to endanger the life or physical
safety of the patient or another person;
ix. The PHI makes reference to another person (unless such other person is a health care
provider) and a licensed health care professional has determined, in the exercise of
professional judgment, that the access requested is reasonably likely to cause substantial
harm to such other person; or
x. The request is made by the patient’s personal representative and a licensed health care
professional has determined, in the exercise of professional judgment, that the provision of
access to such personal representative is reasonably likely to cause substantial harm to the
patient or another person.
xi. The information requested is not part of the medical record, was not compiled for purposes of
making decisions about patient treatment or payment, or was compiled and is used solely for
litigation, quality assurance, peer review, or administrative purposes.
Grounds viii-x are reviewable upon request by the individual as described in section 5 (c) below.
4. Provision of access
a) If access is granted, permit an inspection and/or copying as requested, although if the record is
maintained at more than one site, it only has to be produced once.
b) It is permissible to discuss the scope, format, and other aspects of the request for access with
the individual to facilitate timely access, but any access must be within the time limits described
above.
c) The information shall be provided in the form or format requested if it is readily producible in such
form or format, but if not, it shall be produced in readable hard copy or in any other form agreed
to by the individual, provided that if the information is in an electronic health record maintained or
used by the practice/facility, then the individual has the right to have the information in an
electronic format.
d) If the individual agrees in advance, it is permissible to produce a summary of the record in lieu of
allowing access. Any fees must also be agreed upon in advance.
e) Upon request, the practice/health care facility shall provide an explanation of any code or
abbreviation used in the record. The practice/health care facility may provide an explanation of
any other part of the record that has been produced if the individual agrees to it and agrees to
any associated fees in advance.
f) Assess a reasonable, cost-based fee for copies and for summaries and for explanations of the
record. Such fees cannot exceed actual costs and, by Washington State law, cannot exceed the
handling and copying fees described in WAC 246-08-400, which is modified every two years.
Until June 30, 2011, the maximum handling fee is $23, and the maximum fee for copying is
$1.02 per page for the first 30 pages and $0.78 per page for all subsequent pages. A clerical
searching and handling fee may be charged under state law, but federal law prohibits charging
this fee to the patient or someone authorized to make health care decisions on behalf of the
patient. Federal law also limits fees for information from an electronic health record used or
maintained by the practice/health care facility provided in electronic format to no more than the
labor costs incurred to respond to the request. These labor costs would be limited to the
maximum handling fee under state law. The individual must agree in advance to any fee for
explanations or summaries of the record. A basic office visit fee may be assessed whenever the
physician/health care provider is required by statute to personally edit confidential information
from the record.
5. Denial of access
a) If access is denied in whole or in part, then, to the extent possible, allow access to all other parts
of the record requested after excluding the portion to which access is denied.
b) Within the time limits described above, provide a written denial in plain language containing the
reason for the denial, a description of the individual’s right to a review of the denial, if any, and a
description of how to complain to the practice/health care facility or to the OCR. The description
must include the name, or title, and telephone number of the person or office designated to
receive complaints at the practice/health care facility. (See sample letter Denying Request to
Access Protected Health Information.)
c) The individual has a right to request a review of the denial if the reason for denying access is one
of the grounds described in section 3(c)(viii - x) above. When those grounds apply, the denial
letter shall:
i. offer the individual the option to request that access and a copy of the denied record be
made available to another health care professional, licensed to care for the patient’s
condition, and chosen by the individual;8 and
ii. offer the option for review by a licensed health care professional chosen by the
practice/health care facility who did not directly participate in the original decision to deny.
When this latter option is chosen, the reviewer shall determine within a reasonable time
whether to provide access, and the practice/health care facility shall promptly provide the
individual with written notice of the reviewer’s decision and shall comply with that decision.9
References:
45 CFR § 160.306, 164.524
RCW 70.02.080
RCW 70.02.090
WAC 246-08-400
1. The practice/health care facility may require a request to inspect and/or copy PHI to be in writing, provided the practice/health care facility informs the patient or the legally authorized representative of this requirement and mentions this requirement in its “Notice of Privacy Practices.” (45 CFR § 164.524 [b][1] and RCW 70.02.080 (1).)
2. 45 CFR § 164.524 (e)
3. RCW 70.02.080 (1)
4. RCW 70.02.080 (1)(d)
5. RCW 70.02.080 (1)(b)
6. RCW 70.02.080 (1)(c)
7. 45 CFR § 164.524 (a) (1-3), RCW 70.02.090 (1). These are examples of federal and state laws that permit denial of access—these details (in i-xi) do not have to be disclosed to the individual. However, sometimes it may be advisable to give the individual the more specific reason for the denial.
8. RCW 70.02.090 (3). While state law would require the patient to arrange for any compensation of the other provider, HIPAA does not address this issue.
9. 45 CFR § 164.524 (a)(4) and (d)(4)
Policy effective date: ____/____/____ Revision date(s): ____/____/____
Denying Request to Access Protected Health Information
Dear ________________________:
We have received and reviewed your request to access your health information record. Unfortunately, we
cannot honor your request at this time because:
… We do not maintain this information. Contact [insert name and address of the health care
provider who does maintain the information].
… Due to federal and state laws, this health information is not available.
… The record no longer exists or cannot be found.
You may contact [insert name or title of internal contact person] at [insert telephone number and
address], if you:
• Have questions.
• Want more information.
• Want to report a problem about the handling of your information.
You have the right to have this decision reviewed by another licensed health care professional.
If you wish to make this request:
Sign and date here __________________________________________________________________ and
Select one of the following:
… Please have the following licensed health care professional review the decision:
___________________________________________________________________________
Name
Specialty
… Please find a licensed health care professional to review the decision. This would be someone
not involved in the original decision.
Return this form to us.
If you believe your privacy rights have been violated, you may contact [insert name or title of person] at
our office by calling [insert telephone number]. We respect your right to file a complaint with us or with the
Department of Health and Human Services Office for Civil Rights.
Sincerely,
Request to Correct or Amend Protected Health Information (Policy &
Procedures)
Purpose: To provide a process for handling requests by patients or their legally authorized representatives
to correct or amend protected health information (PHI) consistent with federal and state laws.
Policy:
1. In general, patients or their legally authorized representatives have a right to request to amend or
correct PHI maintained by the facility.
2. Verbal requests shall be reviewed in a timely fashion by an appropriate person1 and, if granted, the
correction shall be noted in the appropriate record.
3. Written requests must be approved or denied—in whole or in part—in a timely fashion.
4. The appropriate person shall review written requests.
5. Written requests and their disposition shall be documented, and any denial of a written request, in whole
or in part, shall be in writing.
6. Where applicable, the disposition of the request will be disclosed to others who need it.
Primary Responsible Party:
[Insert the title(s) of the persons or offices responsible for receiving and processing requests for
amendments (e.g., Privacy Official, medical records personnel)].
Other Responsible Party:
All staff must have sufficient understanding of the patient’s rights and the practice/health care facility’s
obligation to approve/deny requests—in whole or in part—according to pertinent laws.
Procedure:
Verbal Requests
1. When an individual makes a verbal request to correct or amend PHI, ask for verification of the identity
and the authority of the individual if warranted (if the identity or the authority of the individual is not
known to the practice/health care facility).
2. The appropriate person shall approve or deny the request.2
3. If the request is granted, see procedure 3 under Written Requests.
4. If a verbal request is denied, offer the individual the opportunity to make the request in writing by
completing and signing the Request to Correct or Amend Protected Health Information form.
5. If the individual chooses not to make a written request, then no additional procedures are required. In
some circumstances, it may be advisable to offer the patient the opportunity to have a statement of
disagreement included in their record (see procedures 5 and 6 under Written Requests).
Written Requests
1. Written requests must be handled within 10 calendar days.3 If there is a delay due to unusual
circumstances (e.g., if the record is in use), specify in writing, within the 10 calendar days, to the
individual:
a. The reason for the delay
b. The date the request will be answered—but no later than 21 calendar days from the date the
request was received.4
2. Written requests should be reviewed, and approved or denied, by the health care provider or other
person who completed the entry in question.5 It may be appropriate to first discuss the matter with the
patient or the legally authorized representative.
3. If the request is approved:
a. The correction or amendment shall be made in the appropriate record.
b. Mark the record affected by the change as corrected/amended at patient’s request.
c. Draw a single line through any information to be modified, and date and sign or initial it.
d. The affected record shall be attached or linked or shall otherwise indicate where in the record the
corrected or amended information is located.
e. In the next available space, document correction or amendment to chart note dated (insert
date of entry being corrected or amended), enter the new information, and date and sign the
entry.
f. Inform the individual in a timely manner that the amendment is accepted.
g. Send a copy of the correction or amendment to any third-party payor or insurer that previously
received the changed PHI.
h. Obtain and document the individual’s identification of any persons the individual wants notified of
the correction or amendment, and take reasonable steps to notify such persons of the change
within a reasonable time.6
i. Notify others that the practice/health care facility knows have the PHI that is the subject of the
correction or amendment and could rely on the un-amended information to the patient’s
detriment.7 Take reasonable steps to notify such persons of the change within a reasonable
time.
j. Document the disclosures to the extent required [see Documenting of and Accounting for
Disclosures of Protected Health Information (Policy & Procedures)].
4. The following permissible reasons to deny any part of an individual’s request are noted on the Request
to Correct or Amend Protected Health Information form and on the sample letter Denying Request to
Correct or Amend Protected Health Information.
a. The existing health information is accurate and complete.8
b. Due to federal and state laws, the individual does not have access to the information (and
therefore it is not available for correction or amendment). Examples of when this reason could be
used include:9
i. Psychotherapy notes;
ii. Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or
administrative action or proceeding;
iii. PHI where access is prohibited by or exempt from Clinical Laboratory Improvements
Amendments of 1988, 42 U.S.C. § 263a (CLIA);
iv. PHI contained in records subject to the Privacy Act, 5 U.S.C. § 552a, if the denial of
access under the Privacy Act would meet the requirements of that law;
v. PHI maintained by a correctional institution, or a provider acting under the direction of a
correctional institution, if access would jeopardize the health, safety, security, custody, or
rehabilitation of the patient or other inmates, or the safety of persons at the institution or
those responsible for transporting the inmate;
vi. PHI created or obtained by a covered health care provider in the course of research—
that includes treatment—and the access is temporarily suspended for as long as the
research is in progress, provided that the individual has agreed to the denial of access
when consenting to participate in the research that includes treatment, and the covered
health care provider has informed the individual that the right of access will be reinstated
upon completion of the research;
vii. PHI obtained from someone other than a health care provider under a promise of
confidentiality, and the access requested would be reasonably likely to reveal the source
of the information;
viii. A licensed health care professional has determined, in the exercise of professional
judgment, that the access requested is reasonably likely to endanger the life or physical
safety of the patient or another person;
ix. The PHI makes reference to another person (unless such other person is a health care
provider) and a licensed health care professional has determined, in the exercise of
professional judgment, that the access requested is reasonably likely to cause
substantial harm to such other person; or
x. The request is made by the patient’s personal representative and a licensed health care
professional has determined, in the exercise of professional judgment, that the provision
of access to such personal representative is reasonably likely to cause substantial harm
to the patient or another person.
xi. The information requested is not part of the medical record, was not compiled for the
purposes of making decisions about patient treatment or payment, or was compiled and
is used solely for litigation, quality assurance, peer review, or administrative purposes.
c. The record no longer exists or cannot be found.
d. The request pertains to information that is not PHI, i.e., it does not pertain to the patient’s
medical and financial records and the information requested was not compiled or used to make
decisions about payment or treatment.10
e. The requested information was not created by [insert name of practice or facility]. Caution—if
there is reason to believe the originator of the information is not available, then this ground
cannot be used.11
f. [Insert name of practice or facility] does not maintain the record. If known, give the individual
the name and address of the health care provider who does maintain the record.12
5. Individuals must be informed of the disposition of the written request. If the request is denied—in whole
or in part—they shall be informed in writing (see sample letter Denying Request to Correct or Amend
Protected Health Information). If the written request is denied:
a. Send the individual the denial letter and include the reason for denial and information about the
individual’s option to file a statement of disagreement.13
b. Document the reason for denial on the Request to Correct or Amend Protected Health
Information form.
c. Add the Request to Correct or Amend Protected Health Information form, any statement of
disagreement, and a copy of the denial letter to the medical and/or financial record.
d. Mark the challenged entry to indicate that the patient claims the entry is inaccurate or incomplete
and indicate where the request for amendment and any statement of disagreement is located in
the record.14
e. Send any statement of disagreement to any third-party payor or insurer that previously received
the disputed PHI.15
f. Document the disclosure to the extent required [see Documenting of and Accounting for
Disclosures of Protected Health Information (Policy & Procedures)].
6. Future disclosures must include the written request, the denial and any statement of disagreement.16
However, if no statement of disagreement is filed, the written request and the denial can be included in
future disclosures ONLY upon request by the patient or authorized individual. The denial letter may
provide an opportunity for the patient to make this request (see sample letter Denying Request to
Correct or Amend Protected Health Information).
7. If notified by another health care entity that an amendment or correction has been made to a patient’s
PHI, then:
a. The correction or amendment shall be filed in the appropriate record; and,
b. As necessary, the record affected by the change shall be marked as corrected or amended;
and
c. The affected record shall be attached or linked or otherwise indicate where in the record the
corrected or amended information is located.
Internal References:
Responding to Requests to Access and/or Copy Protected Health Information (Policy & Procedures)
Documenting of and Accounting for Disclosures of Protected Health Information (Policy & Procedures)
External References:
45 CFR § 164.524 (Access)
45 CFR § 164.526 (Amendment)
RCW 70.02.080-.110
1 As a risk management recommendation, the appropriate person should be the health care provider or other person who completed the entry in
question. See Procedure 2 under Written Requests and related footnote.
2 See Procedure 2 under Written Requests.
3 RCW 70.02.100(2)
4 RCW 70.02.100 (2)(d)
5 This is a risk management recommendation. The practice/health care facility may have another process in place for who makes the final
determination (e.g., medical director). For requests to amend medical information, if the individual is no longer available, consider having the current
provider or medical director review the request to correct or amend to determine whether or not the information in the challenged entry is accurate
and complete. At times, it may be appropriate to discuss the matter with the patient. If the information is indisputably incorrect (e.g., a typo), it is
appropriate to make the correction.
6 You may want the patient to sign an authorization form if the disclosure would ordinarily require the use of that form. See footnote 8.
7 45 CFR § 164.526(c)(3). State law neither requires these disclosures nor forbids them. State law only requires disclosure to third-party payors and
insurers. RCW 70.02.110(3). It is therefore unclear whether state law is more stringent here. However, to the extent that prior recipients are those to
which disclosures are permitted without authorization, this step seems appropriate. You may want to obtain the patient’s written authorization, not
just his permission, to disclose the change if the prior disclosure was made pursuant to a signed authorization.
8 45 CFR § 164.526 (a) (2) (iv)
9 45 CFR § 164.526 (a) (2) (iii). These are examples of federal and state laws that permit denial—these details in (i-x) do not have to be disclosed to
the patient. However, sometimes it may be advisable to give the patient the more specific reason for the denial.
10 45 CFR § 164.526 (a) (2) (ii). An example of when this reason could be used is when the information requested is not PHI because it was
compiled and used solely for quality improvement or peer review records or for the practice’s attorney or malpractice insurer.
11 45 CFR § 164.526 (a) (2) (i)
12 RCW 70.02.100 (2) (b) and (c)
13 See sample letter Denying Request to Correct or Amend Protected Health Information for other required information.
14 The practice/health care facility may, but need not, prepare and file in the medical record a written rebuttal to a statement of disagreement and
must provide the individual with a copy of any rebuttal. Generally, we recommend not preparing such a statement.
15 RCW 70.02.110 (3)
16 While HIPAA would allow the practice/health care facility to summarize the disagreement in lieu of sending copies, it is unclear whether state law
permits that option. From a risk management perspective, we recommend not preparing a summary.
Policy effective date: ____/____/____ Revision date(s): ____/____/____
Request to Correct or Amend Protected Health Information
Patient name: _______________________________________________ Date of birth: ________________
Previous name: ________________________________________________________________________
Patient mailing address: __________________________________________________________________
I request a change to my records.
Please explain what the information in your record should say to be more accurate or complete. If you need
additional space, please include a separate page. Date of entry in record: ________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
Patient’s or legally authorized individual’s signature
Date
_____________________________________________________________________________________
Relationship to patient if signed on patient’s behalf (parent, legal guardian, personal representative)
We will review your request and respond within ten (10) days of receiving your request. A copy of your
request will be added to your record. If we grant your request, we will send changes to anyone you identify
and to anyone who received the information in the past and who needs to know about the change.
To be completed by the practice/health care facility:
Date received: _____________________
Correction/Amendment has been: [ ] accepted [ ] denied
[ ] The review of this request for correction/amendment has been delayed. Your request will be processed
    by the following date: _______________ (not later than 21 days after the request).
If denied, check reason for denial:
[ ] The existing health information is accurate and complete.
[ ] This request does not pertain to the patient’s medical and financial records.
[ ] Due to federal and state laws, this health information is not available and therefore cannot be amended
    or corrected.
[ ] This health information was not created by this organization.
[ ] The record no longer exists or cannot be found.
[ ] The record is not maintained by this organization.
_____________________________________________________________________________________
Name of reviewing department or position
Date
Denying Request to Correct or Amend Protected Health Information
Dear ___________________________:
We have received and reviewed your request to correct or amend your health information record.
Unfortunately, we cannot honor your request at this time because:
[ ] The existing health information is accurate and complete.
[ ] Your request does not pertain to your medical and financial records.
[ ] Due to federal and state laws, this health information is not available and therefore cannot be
    amended or corrected.
[ ] This health information was not created by this organization.
[ ] The record no longer exists or cannot be found.
[ ] The record is not maintained by this organization.
You may contact [insert name or title of internal contact person] at [insert telephone number and
address] if you:
• Have questions.
• Want more information.
• Want to report a problem about the handling of your health information.
• Want to write a brief statement of disagreement to be added to your medical record. This is your
  right. It may include:
  • The reason(s) you believe the health information should be corrected or amended.
  • Why you disagree with any decision to deny your request.
If you do not submit a statement of disagreement, you may request that in future disclosures we include a
copy of:
• Your original request to correct or amend the health information.
• This letter.
If you wish to make this request:
• Sign and date here ____________________________________________________________ and
• Return this form to us.
If you believe your privacy rights have been violated, you may contact [insert name or title of person] at
our office. We respect your right to file a complaint with us or with the Department of Health and Human
Services Office for Civil Rights.
Sincerely,
Response to Defective Subpoena or Incomplete Request to Disclose
Protected Health Information
[This document is a sample only. Please customize this form to meet the specific needs of your practice.
Please also note that information presented in italics and brackets needs to be replaced with the
appropriate, specific information.]
[Place on letterhead of health care provider]
DATE: [Insert today’s date]
TO: [Insert name of party issuing subpoena or request]
    [Insert address of party issuing subpoena or request]
FROM: [(Insert name of records custodian), Records Custodian for (insert name of health care provider)]
      [insert phone number]
RE: [Subpoena/Request] for Medical Records of [insert name of patient] Dated [insert date subpoena
    issued or date of request for disclosure of information]
It is our intention to comply with your [subpoena/request] for medical records to the extent allowed by law.
However, we are not able to process your request at this time due to:
_____ Your request does not conform to the requirements of the UHCIA (RCW 70.02) and/or HIPAA
      (45 CFR 160, 162 & 164).
_____ Your subpoena or discovery request does not conform to the requirements of RCW 70.02.60
      and/or 45 CFR 164.512(e).
_____ We do not find authorization in our files allowing us to release any patient information to you.
_____ Your request is not signed by an authorized party noted in our files.
_____ We have documentation in our files which prohibits us from releasing the information to you at
      this time.
_____ Information is not being released at this time as requested by authorities pursuant to further
      investigation.
_____ We need additional information: _________________________________________________
_____ We do not find this patient in our records. Please advise us if you have another name or
      additional information which would facilitate a further search.
_____ We do not provide the services you have listed.
_____ We do not possess the information you have requested.
_____ Other: _____________________________________________________________________
Responding to Requests for Restrictions on the Use or Disclosure of
Protected Health Information (Policy & Procedures)
Purpose: To provide a process for handling requests by patients or their legally authorized representatives
to restrict the use or disclosure of the patient’s protected health information (PHI) consistent with federal
law.
Policy:
1. A patient or the patient’s legally authorized representative has a right to request certain uses or
disclosures of the patient’s protected health information by [insert name of practice or facility] be
restricted.1
2. Requests must be approved or denied—in whole or in part—in a timely fashion.
3. Requests will be reviewed by the appropriate party(ies).
4. Requests to restrict the use or disclosure of a patient’s protected health information to a health plan for
purposes of carrying out payment or health care operations (but not for purposes of carrying out
treatment) when the protected health information pertains solely to a health care item or service for
which [insert name of practice or facility] has been paid out of pocket in full by the patient must be
approved. Such restrictions may be terminated at any time by the patient.
5. Requests and their disposition shall be documented, and any denial—in whole or in part—shall be in
writing.
6. Restrictions, except restrictions on uses or disclosures to a health plan described in paragraph 4, may
be terminated at any time by either the patient or [insert name of practice or facility].
7. Restrictions on uses or disclosures do not apply to: protected health information that must be used or
disclosed to provide emergency treatment to the patient; prevent uses or disclosures to the Secretary of
Health and Human Services to investigate [insert name of practice or facility]’s compliance with the
Privacy Rule; or uses or disclosures that are otherwise required by law.
Primary Responsible Party:
[Insert the title(s) of the persons or offices responsible for receiving and processing requests for
restricting access for (e.g., Privacy Official, medical records personnel)].
Other Responsible Party:
All staff must have sufficient understanding of the patient’s rights and the practice/health care facility’s
obligation to approve or deny requests—in whole or in part—according to pertinent laws.
Procedure:
1. When an individual makes a request to restrict use or disclosure of protected health information:
a) Ask for verification of the identity and the authority of the individual if warranted (if the identity or
the authority of the individual is not known to the practice/health care facility).
b) File any written request in the medical record.
c) Document the date any written or verbal request was received.
d) Inform the individual when to expect a response to the request.
2. Approve the request if it is to restrict the use or disclosure of a patient’s protected health information to a
health plan for purposes of carrying out payment or health care operations when the protected health
information pertains solely to a health care item or service for which [insert name of practice or
facility] has been paid out of pocket in full by the patient and document the approval.
3. For such approved requests, flag the information in the patient’s record related to any care that the
patient has paid for in full out of pocket to assure that the information is not used or disclosed to a health
plan for health care operations or payment.
4. Approve or deny other requests, and notify the patient or the patient’s legal representative. (See sample
letter Response to Request for Restrictions on the Use or Disclosure of Protected Health Information.)
Document any approved requests and flag the restricted information in the patient’s record so restricted
information is not disclosed.
5. Terminate approved restrictions if:
a) The patient agrees to or requests the termination in writing;
b) The patient orally agrees to the termination and the oral agreement is documented; or
c) Except as to restrictions approved under paragraph 2, [insert name of practice or facility]
informs the patient in writing it is terminating its agreement effective with protected health
information created or received after [insert name of practice or facility] informs the patient.
References:
45 CFR § 164.522
HITECH Act § 13405(a)
1 Uses and disclosures that may be restricted are: (i) to carry out treatment, payment, or health care operations; and (ii) to family members, other
relatives, or close personal friends identified by the patient, for involvement with the patient’s care or payment related to the care. 45 CFR § 164.522.
Policy effective date: ____/____/____ Revision date(s): ____/____/____
Response to Request for Restrictions on the Use or Disclosure of Protected
Health Information
Dear ___________________________:
We received your request for restrictions on the use or disclosure of your health information record on
[insert date].
[Include one of the following:]
We have approved your request to restrict the use and disclosure of your health information regarding
[insert description of care or services that patient paid for in full out of pocket] to [insert name of
health plan] for the purposes of carrying out payment or health care operations (but not for the purpose of
carrying out treatment). This restriction will be effective as of the date of this letter. The restriction is not
effective to prevent uses or disclosures required by the Secretary of the Department of Health and Human
Services to investigate [insert name of practice or facility]’s compliance with the HIPAA Privacy Rule or
uses or disclosures otherwise required by law.
or
We have approved your request to restrict the use and disclosure of the following health information [insert
description] in the following manner and/or to not disclose your health information to [insert names of
individuals or entities]. This approval is subject to the following conditions and exceptions:
• Either you or [insert name of practice or facility] may terminate this restriction at any time. If we
  inform you that we are terminating our agreement to this restriction, the termination of the restriction
  is only effective with respect to health information created or received after we inform you of the
  termination.
• If restricted health information must be used or disclosed to provide emergency treatment for you,
  then this restriction is void.
• The restriction is not effective to prevent uses or disclosures required by the Secretary of the
  Department of Health and Human Services to investigate [insert name of practice or facility]’s
  compliance with the Privacy Rule or uses or disclosures otherwise required by law.
• If a restriction is not specifically listed above, it will not be effective.
or
Your request to restrict the use or disclosure of your health information has been denied. See our Notice of
Privacy Practices for more information about your rights. For a copy, contact [insert name and phone
number of contact person].
If you believe your privacy rights have been violated, you may contact [insert name or title of person] at
our office. We respect your right to file a complaint with us or with the Department of Health and Human
Services Office for Civil Rights.
Sincerely,
Minimum Necessary1 Requirements for the Use and Disclosure of Protected Health
Information (Policy & Procedures)
Purpose: To provide a procedure that when using or disclosing protected health information (PHI) or when
requesting PHI from other entities, information will be limited to the extent practicable to a limited data set,2
or if more information is needed, to the minimum amount necessary to accomplish the intended purpose of
the use, disclosure, or request in accordance with applicable laws.
Policy:
1. For disclosures made or requested on a routine and recurring basis, PHI released from or requested by
the organization will be limited to either a limited data set or the minimum amount reasonably necessary
to achieve the purpose of the disclosure or request.
2. For disclosures made or requested on a nonroutine basis, PHI will be reviewed on an individual basis
and released or requested in accordance with procedures to limit the PHI to the extent practicable to a
limited data set, or if more information is needed, to the minimum amount reasonably necessary to
accomplish the purpose for which the disclosure or request is made.
3. These minimum necessary requirements do not apply to:
a. Disclosures to or requests by a health care provider for purposes of treatment, provided
disclosures are limited to the extent the recipient needs to know the information,3
b. Uses or disclosures made to the individual,4
c. Uses or disclosures made pursuant to a valid authorization,5
d. Disclosures made to the Department of Health and Human Services Office for Civil Rights to
ascertain compliance and enforcement of applicable requirements,6
e. Uses or disclosures that are required by law,7
f. Uses or disclosures that are required for compliance with applicable requirements of the HIPAA
privacy regulations.
4. Requests of PHI received from other covered entities and business associates—that have a legitimate
need of the information—will be reviewed to determine whether it is practicable to fulfill the request with
a limited data set or whether more information is needed, in which case the amount of PHI provided
shall be the minimum necessary information, determined by [insert name of practice or facility] to be
needed to accomplish the purpose for which the disclosure is sought.8
5. To the extent practicable, disclosures made in response to requests for PHI from the following shall be
limited to a limited data set, and if not practicable, [insert name of practice or facility] shall determine
the minimum necessary information to accomplish the purpose for which the request is made:
a. Public officials,9
b. Professional staff at [insert name of practice or facility],
c. Researchers.10
6. Employees will access PHI in accordance with their specific job position within the organization and the
purposes for which the PHI is accessed.
7. Whenever the minimum necessary requirements apply, an entire medical record will not be released
unless accompanied by a request that specifies the reason for which the entire record is necessary.
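The two tiers described above (a limited data set where practicable, otherwise the minimum necessary, and never the entire record without a stated reason) carried through in code. This is an added Python example, not part of the original policy; the record field names and sample values are assumptions, and the identifier categories stripped are the ones footnote 2 lists for a limited data set.

```python
from copy import deepcopy

# Record field names are assumptions for this example. Each maps to a
# direct-identifier category that footnote 2 says a limited data set removes.
DIRECT_IDENTIFIERS = {
    "name": "names",
    "phone": "telephone number",
    "fax": "fax number",
    "email": "e-mail address",
    "ssn": "social security number",
    "mrn": "medical record number",
    "health_plan_id": "health plan beneficiary number",
    "account_number": "account number",
    "license_number": "certificate/license number",
    "vehicle_id": "vehicle identifier or serial number",
    "device_serial": "device identifier or serial number",
    "url": "URL",
    "ip_address": "IP address",
    "biometric": "biometric identifier",
    "face_photo": "full face photographic image",
}
# Postal address is only partly removed: city, state and zip code may stay,
# the street address may not.
ADDRESS_KEEP = {"city", "state", "zip"}


def limited_data_set(record):
    """Return a copy of `record` with footnote 2's direct identifiers removed."""
    lds = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field == "address" and isinstance(value, dict):
            lds["address"] = {k: v for k, v in value.items() if k in ADDRESS_KEEP}
            continue
        lds[field] = deepcopy(value)
    return lds


def is_limited_data_set(record):
    """True when no direct identifier (including a street address) is present."""
    if any(field in record for field in DIRECT_IDENTIFIERS):
        return False
    address = record.get("address", {})
    return isinstance(address, dict) and set(address) <= ADDRESS_KEEP


def minimum_necessary(record, needed_fields):
    """Project `record` onto the fields the stated purpose needs."""
    return {f: deepcopy(record[f]) for f in needed_fields if f in record}


def prepare_disclosure(record, needed_fields=None, entire_record_reason=None):
    """Apply the policy's tiers to one disclosure or request.

    Returns (tier, payload, direct_identifiers_disclosed). needed_fields=None
    means the entire record, which policy item 7 allows only with a stated
    reason. If a limited data set covers the need, disclose only from it;
    otherwise disclose the minimum necessary from the full record and report
    which direct identifiers remain, so the case-by-case review is documented.
    """
    if needed_fields is None:
        if not entire_record_reason:
            raise ValueError("entire record requires a stated reason")
        identifiers = sorted(f for f in record if f in DIRECT_IDENTIFIERS)
        return "entire record", deepcopy(record), identifiers
    needed = set(needed_fields)
    lds = limited_data_set(record)
    if needed <= set(lds):
        return "limited data set", minimum_necessary(lds, needed), []
    payload = minimum_necessary(record, needed)
    identifiers = sorted(f for f in payload if f in DIRECT_IDENTIFIERS)
    return "minimum necessary", payload, identifiers


# Constructed sample record; every value is made up.
SAMPLE_RECORD = {
    "name": "Example Patient",
    "address": {"street": "123 Example St", "city": "Seattle",
                "state": "WA", "zip": "98101"},
    "phone": "555-0100",
    "email": "patient@example.invalid",
    "ssn": "000-00-0000",
    "mrn": "MRN-EXAMPLE-1",
    "health_plan_id": "PLAN-EXAMPLE-1",
    "date_of_birth": "1970-01-01",
    "date_of_service": "2009-11-02",
    "diagnosis_codes": ["J06.9"],
    "progress_notes": "Constructed note text.",
}

if __name__ == "__main__":
    # An outcomes review needs no direct identifier: limited data set suffices.
    print(prepare_disclosure(SAMPLE_RECORD, {"diagnosis_codes", "date_of_service"}))
    # A billing inquiry that needs the record number: minimum necessary, flagged.
    print(prepare_disclosure(SAMPLE_RECORD, {"mrn", "date_of_service"}))
```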
Procedures:
Note: the following are samples of the types of disclosures an organization may make or request–
you will need to evaluate, establish, and individualize procedures for your routine and nonroutine
disclosures and requests of PHI. You will undoubtedly have numerous routine and nonroutine
situations for which you will need to establish procedures or protocols.
1. Routine and Recurring Disclosures or Requests:
a. Release of information for treatment purposes is excluded from the minimum necessary rules.
Any health care provider who is treating the patient may receive PHI, to the extent they need to
know the information, with the following exceptions:
i. Any restrictions that [insert name of practice or facility] has agreed to.
ii. Psychotherapy notes—which require an authorization.
b. The following PHI is accessible for use by staff when they are involved in the care and treatment
of a patient, for securing payment for services rendered and for health care operations:
Job Position                    Accessible PHI11
MD, ARNP, PA, RN, LPN, MA       All PHI
Receptionist                    Health history, Billing information
Transcriptionist                Progress notes/H & P
Medical Records Clerk           All PHI
Volunteer                       Directory
(Include other staff)
c. Patient Requests: Refer to Authorization to Use or Disclose Protected Health Information (Policy
& Procedures)
d. [Add any other routine disclosures or requests]
2. Nonroutine Disclosures or Requests:
The following are examples of disclosures or requests of PHI that your organization may encounter on a
nonroutine basis:
a. Subpoenas and/or court orders
b. Investigations by law enforcement
c. Abuse, neglect, or domestic violence investigations
d. Workers’ compensation
e. Regulatory or professional licensure reviews
f. See other types of disclosures in the Notice of Privacy Practices and those in RCW 70.02.050
(1) (b-n), and RCW 70.02.050(2).
For each type of nonroutine disclosure or request described in your procedures, consider including the
following elements and issues:
a. Review request to determine if patient authorization or a subpoena or court order is required.12
b. In the case of a state court subpoena, determine whether the 14-day advance notice
requirement was satisfied.
c. Verify identity of requestor or investigator and their authority—including whether state and
federal law permit access—by requesting official documents, e.g., ID badge, other form of official
identification, and statutory authority.
d. Prior to disclosure, review requested PHI to determine whether a limited data set will satisfy the
request, and if not, whether the information requested is the minimum necessary for the purpose
of the disclosure.
e. Contact your legal counsel or insurer for unusual circumstances.
Resources:
RCW 70.02.050
45 CFR § 164.502(b), 164.512, 164.514(d)
1 Section 13405 of the HITECH Act of the ARRA, codified at 42 U.S.C. § 17935, changed the “minimum necessary” standard under the privacy
regulations to provide that the minimum necessary is “to the extent practicable” a limited data set, or the “minimum necessary to accomplish the
intended purpose of such use, disclosure, or request.” HHS is to issue guidance regarding these changes by August 16, 2010.
2 A limited data set is partially de-identified information that removes the following direct identifiers from the PHI: names; postal addresses (other
than city, state, and zip code); telephone and fax numbers; e-mail addresses; social security numbers; medical record numbers; health plan
beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers and serial numbers; device identifiers and serial numbers;
URLs; IP address numbers; biometric identifiers; and full face photographic images.
3 Washington State law has a minimum necessary requirement for this type of disclosure. It allows disclosure of health information about a patient,
without the patient’s authorization, to a person who the provider reasonably believes is providing health care to the patient, but only to the extent the
recipient needs to know the information. RCW 70.02.050(1)(a).
4 Under certain circumstances, you can deny the individual access to PHI. See Responding to Requests to Access and/or Copy Protected Health
Information (Policy & Procedures).
5 See Authorization to Use or Disclose Protected Health Information (Policy & Procedures) and Revocation of Authorization to Use or Disclose
Protected Health Information (Policy & Procedures).
6 In accordance with 45 CFR §§ 160.300-160.312.
7 As described in 45 CFR § 164.512(a).
8 Section 13405(b)(1) of the HITECH Act, codified at 42 U.S.C. § 17935(b). The “to the extent the recipient needs to know the information” provision
of RCW 70.02.050(1)(a) should be taken into consideration as well.
9 Disclosures to public officials must comply with 45 CFR § 164.512, which specifies the uses and disclosures for which an authorization, or
opportunity to agree or object, is not required.
10 Documentation or representations that comply with the applicable requirements of 45 CFR § 164.512(i), which addresses uses and disclosures for
research purposes, must be provided by the researcher.
11 These limitations are examples only. Each practice/health care facility should determine the appropriate access level for its staff.
12 RCW 70.02.050 and 45 CFR § 164.512.
Policy effective date: ____/____/____ Revision date(s): ____/____/____
Documenting of and Accounting for Disclosures of Protected Health
Information (Policy & Procedures)
(For all organizations until at least 1/1/2011; thereafter, organizations that use electronic health
records will need a revised policy.1 Visit our Web site, www.phyins.com, in 2010 for a sample
revised policy.)
Purpose: To provide a procedure for documenting of and accounting for the disclosure of protected
health information (PHI) in accordance with federal and state laws.
Policy:
1. Disclosures of PHI will be recorded and included in the patient’s medical record except disclosures:
(a) To carry out treatment, payment, and health care operations;
(b) To the patient of health care information about him or her;
(c) Incident to a use or disclosure that is otherwise permitted or required;
(d) Pursuant to an authorization where the patient authorized the disclosure of health care
information about himself or herself;
(e) Of directory information;
(f) To persons involved in the patient's care;
(g) For national security or intelligence purposes if an accounting of disclosures is not permitted
by law;
(h) To correctional institutions or law enforcement officials if an accounting of disclosures is not
permitted by law; and
(i) Of a limited data set that excludes direct identifiers of the patient or of relatives, employers, or
household members of the patient.
2. A patient has a right to receive an accounting of the disclosures of their protected health information
in the six (6) years prior to the date on which the accounting is requested with the exception of the
disclosures listed in 1(a)-(i) and for circumstances under which disclosure of health information may
be denied.2
3. Information to be recorded for the accounting of PHI disclosures shall include: date of request, brief
description of information released, name and address (if known) of the recipient of the information, a
brief statement of the purpose of the disclosure, date of disclosure, and name of individual releasing
PHI.3 (See Accounting Log for Protected Health Information Disclosures.)
4. A separate research accounting log for all research studies involving 50 or more patients will be
maintained. The list shall include the name of the research study; a description of the study; a brief
description of the type of PHI that was disclosed; date or period of time during which disclosures
occurred, including the last disclosure; the name, address, and telephone number of the entity
sponsoring the research and of the researcher to whom the information was disclosed; and a
statement that the individual’s PHI may or may not have been disclosed for a particular research
activity.4
5. The medical records office will handle PHI disclosure accounting requests and the processing of
requests.
Responsible Party:
Medical Records staff
Procedures:
1. To document disclosures of PHI:
a. If a patient authorization for the release of PHI form has been signed, place the signed
authorization form in the patient’s medical record.
b. If an authorization for the release of PHI has not been obtained, record the disclosures for
which an accounting is required in the patient’s medical record.
2. When a request is made for an accounting of PHI disclosures:
a. Verify the identity and authority of the individual if not known.
b. Advise the patient if a fee is required.5
c. Review the patient record for the documented disclosures and record those disclosures on
the accounting log.
d. If multiple disclosures have been made to the same individual or entity for a single purpose
during the accounting period requested, the accounting may, with respect to these
disclosures, be summarized, e.g., list the initial disclosure; the frequency, periodicity, or
number of disclosures made; and the date of the last disclosure.
e. The accounting to the patient shall include:
i. A copy of the accounting log, and
ii. A copy of the research accounting log, if applicable.
f. Accounting disclosures shall be provided within 60 days of receipt of a disclosure accounting
request. This time period may be extended to 90 days with written notification to the patient,
within this initial 60 days, of the reasons for a delay and the expected date of providing the
accounting.
g. A copy of the written accounting that is provided will be maintained as part of the patient
medical record.
References:
45 CFR § 164.528
RCW 70.02.020
1 Electronic Health Record or “EHR” is defined as “an electronic record of health-related information on an individual that is created, gathered,
managed, and consulted by authorized health care clinicians and staff.” For organizations with EHRs as of January 1, 2009, expanded
accounting requirements will apply to disclosure of PHI made from those EHRs on and after January 1, 2014. For organizations with EHRs
acquired after January 1, 2009, expanded accounting requirements will apply to disclosure of PHI made from those EHRs on or after January 1,
2011. Under the expanded accounting requirements, disclosures to carry out treatment, payment, and health care operations made through an
electronic health record will be subject to accounting, although the right to accounting only applies to three years prior to the date on which the
accounting is requested rather than the current six years. HITECH Act, Section 13405(c)(1), codified at 42 U.S.C. § 17935(b).
2 HIPAA regulations, 45 CFR § 164.524(a) and RCW 70.02.090, specify circumstances in which a patient’s request to access, examine, and/or
copy their records may be denied.
3 The date of request and the name of the individual releasing PHI are not required by 45 CFR § 164.528(2), but they are recommended for
purposes of auditing compliance with HIPAA time limits.
4 If an accounting is made of research disclosures and it is reasonably likely the individual’s PHI was disclosed for research purposes, upon
request, the individual shall be assisted in contacting the research sponsor and the researcher. 45 CFR § 164.528(b)(4)(ii).
5 45 CFR § 164.528(c)(2) specifies that the first disclosure accounting within a 12-month period must be provided without charge; thereafter, a
reasonable, cost-based fee may be charged for an accounting requested by the same individual within the 12-month period provided that the
individual is advised and allowed to modify the request if desired.
Policy effective date: ____/____/____ Revision date(s): ____/____/____
Accounting Log for Protected Health Information Disclosures
Note: in accordance with 45 CFR § 164.528(4)(i), track PHI disclosures for research purposes on a separate research accounting log.
Patient’s Name: _______________________________________   DOB/Medical Record Number: __________________________
Date of Request | Brief Description of PHI Released | To Whom Disclosed (Name and Address) | Purpose of Disclosure | Date of Disclosure | Information Released By (Name of Staff)
Notification of Breach of Unsecured Protected Health Information (Policy &
Procedures)
Purpose: To provide a process for notifying individuals of a breach of unsecured PHI as required by law.
Policy:
1. Individuals must be notified when their unsecured PHI is acquired, accessed, used, or disclosed in a
manner not permitted under the Privacy Rule that poses a significant risk of financial, reputational, or
other harm to the individuals (“breach”).
2. Notice will be provided without unreasonable delay, but in any case not later than 60 calendar days from
the date of discovery of the breach.
3. The notice will be sent to the last known address of each individual by first class mail unless the
individual agrees to electronic notice, in which case notice may be provided by e-mail. If it is known that
the individual is deceased, the notice shall be sent to the next of kin or personal representative if that
person’s address is known.
4. Alternative forms of substitute notice may be provided depending on the number of individuals to be
notified and whether the unsecured PHI includes “personal information” as defined by Washington law.
• If the unsecured PHI does not include the first name or initial and last name of the individual and one
of the following: the individual’s social security number; driver’s license number or Washington
identification card number; or account number or credit or debit card number in combination with any
required security code, access code, or password (“personal information”), then if there is insufficient
or out-of-date contact information preventing written notice by first class mail to 10 or fewer
individuals, notice may be provided by an alternative form of notice such as telephone. If there is
insufficient or out-of-date contact information for more than 10 individuals, substitute notice will be
provided by either posting notice on [insert name of practice or facility]’s Web site for 90 days or
by notice in a major print or broadcast media, with a toll-free number active for at least 90 days for a
person to call to learn whether his or her unsecured PHI was included in the breach.
• If the unsecured PHI includes personal information, then if there is insufficient or out-of-date contact
information, notice may be provided by doing all of the following: e-mailing the notice if an e-mail
address is available; posting the notice on [insert name of practice or facility]’s Web site for 90
days; and notification to major statewide media, with a toll-free number active for at least 90 days.
5. If the breach involves more than 500 individuals, notice must be provided by prominent media outlets in
[insert state where practice or facility is located], and to the Secretary of Health and Human
Services. A log will be maintained of all other breaches and notice provided to the Secretary of HHS
annually.
6. Business Associates of [insert name of practice or facility] are required to notify [insert name of
practice or facility] of any breach without unreasonable delay and to the extent possible to identify the
individuals whose unsecured PHI is involved.
7. Notification may be delayed if a law enforcement official states to [insert name of practice or facility]
that notification would impede a criminal investigation.
Responsible Party:
Privacy Official and Security Official or designees
Other Responsible Party:
All staff must have sufficient understanding of the Privacy Rule, “unsecured PHI,” and “breach” to report
potential situations in which unsecured PHI is acquired, accessed, used, or disclosed in a manner not
permitted under the Privacy Rule.
Procedure
1. Identify “unsecured PHI” to which notification of breach may apply. “Unsecured PHI” is PHI that is not
rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a
technology or methodology specified by the Secretary of HHS.1 Encrypted PHI is not unsecured PHI.
However, “unsecured PHI” may be in any form or medium, including paper or oral, neither of which may
be encrypted. The remaining steps in the procedure apply only to “unsecured PHI.”
2. Promptly report to [insert name of practice or facility]’s Privacy and/or Security Official if unsecured
PHI is acquired, accessed, used, or disclosed in a manner not permitted under the Privacy Rule.
• HIPAA Privacy and Security Training will include this policy and training regarding timely reporting of
breaches of unsecured PHI.
3. Investigate report to determine whether there has been a breach of unsecured PHI that requires
notification under HIPAA.2
• Violation of the Security Rule does not in itself constitute a potential breach.
• A breach does not include:
• Any unintentional acquisition, access, or use of PHI by a workforce member or person acting
under the authority of [insert name of practice or facility] or [insert name of practice or
facility]’s BA made in good faith and within the person’s scope of authority and does not
result in further use or disclosure in a manner not permitted under the Privacy Rule.
• Any inadvertent disclosure by a person who is authorized to access PHI at [insert name of
practice or facility] or [insert name of practice or facility]’s BA to another person
authorized to access PHI at [insert name of practice or facility] or [insert name of
practice or facility]’s BA, or organized health care arrangement (OHCA) in which [insert
name of practice or facility] participates, and the PHI received is not further used or
disclosed in a manner not permitted under the Privacy Rule.
• A disclosure of PHI where [insert name of practice or facility] or [insert name of practice
or facility]’s BA has a good faith belief that an unauthorized person to whom the disclosure
was made would not reasonably have been able to retain such information.
• There is a breach only if there is a significant risk of financial, reputational, or other harm to an
individual as a result of a breach.
• If the PHI was a limited data set and did not include date of birth and zip code, there is no
significant risk of financial, reputational, or other harm to an individual as a result of a breach.
4. Document the determination as to whether there has been a breach, including the determination about
whether there is a significant risk of financial, reputational or other harm to an individual as a result of a
breach of unsecured PHI.
5. If there has been a breach of unsecured PHI, prepare a notice in plain language. The notice shall
include:
• A brief description of what happened, including date of the breach and the date of the discovery of
the breach, if known.
• A description of the types of unsecured PHI that were involved in the breach (such as whether full
name, social security number, date of birth, etc., were involved), but do not include the actual PHI.
• Any steps the individuals should take to protect themselves from potential harm resulting from the
breach.3
• A brief description of what [insert name of practice or facility] is doing to investigate the breach,
mitigate the harm to individuals, and protect against further breaches.
• Contact information if the individuals have questions or want to learn more—either a toll-free
telephone number, an e-mail address, Web site, or postal address.
6. Send the notice via first class mail to the last known address of individuals whose unsecured PHI was
accessed, acquired, used, or disclosed in a manner not permissible under the Privacy Rule without
unreasonable delay, but no later than 60 days following its discovery. The notice may be sent by
electronic mail if the individual agrees to electronic notice and such agreement has not been withdrawn.
If an individual is deceased, mail the notice to the individual’s next of kin or personal representative, if
that person’s address is known.
7. If the contact information is insufficient or out-of-date, determine whether the PHI includes the first name
or initial and last name of the individual and one of the following: the individual’s social security number;
driver’s license number or Washington identification card number; or account number or credit or debit
card number in combination with any required security code, access code, or password.
• If the PHI does not include such information:
• For fewer than 10 individuals involved, provide the notice by telephone or other means.
• For 10 or more individuals, provide the notice by either:
• Conspicuously posting the notice for 90 days on the home page of [insert name of
practice or facility]’s Web site; or
• Provide notice in major print or broadcast media where the individuals reside and
include a toll-free phone number that remains active for at least 90 days, so
individuals can call to learn whether their unsecured PHI was involved in the breach.
• If the PHI includes the first name or initial and last name of the individual and one of the following:
the individual’s social security number; driver’s license number or Washington identification card
number; or account number or credit or debit card number in combination with any required security
code, access code, or password, then:
• E-mail notice if an e-mail address is available;
• Conspicuously post the notice on the home page of [insert name of practice or facility]’s
Web site for 90 days; and
• Post the notice in major print or broadcast media where the individuals reside and include a
toll-free phone number that remains active for at least 90 days.
8. If the breach involves more than 500 individuals, provide the notice to prominent media outlets and to
the Secretary of HHS in the manner specified on the HHS Web site. The HHS Office for Civil Rights has
posted a form for covered entities to use to provide notice to the Secretary of HHS of a breach of
unsecured, protected health information. This form can be found at
http://transparency.cit.nih.gov/breach/index.cfm.
9. For breaches that involve fewer than 500 individuals, record the breach in the Accounting Log for
Breaches of Unsecured Protected Health Information, attach copy of notice, and provide notification
annually to the Secretary of HHS.
References:
45 CFR Section 164, subpart D
RCW 19.255.010
1 “Unsecured protected health information” has been defined by guidance issued by the Department of Health and Human Services on April 17,
2009, as PHI that is not encrypted or destroyed according to National Institute of Standards and Technology (“NIST”) standards. 74 Fed. Reg. 19006
(published April 27, 2009). Guidance will be available at the HHS Web site at http://www.hhs.gov/ocr/privacy/. The specific description is:
“Protected health information (PHI) is rendered unusable, unreadable, or indecipherable to unauthorized individuals only if one or more
of the following applies:
(a) Electronic PHI has been encrypted as specified in the HIPAA Security Rule by ‘the use of an algorithmic process to
transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key
and such confidential process or key that might enable decryption has not been breached.’ To avoid a breach of the confidential
process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to
encrypt or decrypt. The encryption processes identified below have been tested by the National Institute of Standards and
Technology (NIST) and judged to meet this standard.
(i) Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage
Encryption Technologies for End User Devices.
(ii) Valid encryption processes for data in motion are those which comply, as appropriate, with NIST Special
Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS)
Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSLVPNs, or others which are
Federal Information Processing Standards (FIPS) 140-2 validated.
(b) The media on which the PHI is stored or recorded has been destroyed in one of the following ways:
(i) Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be
read or otherwise cannot be reconstructed.
(ii) Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication
800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.”
2 Washington law requires businesses to promptly notify individuals whose computerized personal information (an individual’s first name or initial,
last name and SSN, driver’s license number, State ID card number, or account or bank card number) is reasonably believed to have been obtained
by an unauthorized person. RCW 19.255.010.
3 The Federal Trade Commission Web site provides information on how to protect against identity theft and can be found at:
http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/defend.html
Policy Effective Date: ____/____/____ Policy Revision Date: ____/____/____
Breach Notification Checklist
HIPAA Privacy and Security regulations require individuals be notified when a covered entity knows or
should have known a breach of unsecured protected health information (PHI) that poses a significant risk
of harm to the individuals has occurred. Notice must be provided without unreasonable delay and in no
case later than 60 calendar days after discovery of the breach unless a law enforcement official requests
a delay.
The following is a checklist to use to confirm that the necessary steps have been taken to respond to a
breach of unsecured PHI.
† Discovery of or reasonable belief of an impermissible use or disclosure of PHI that
compromises the security or privacy of PHI (a breach).
• PHI was acquired, accessed, used, or disclosed in a manner not permitted under the
Privacy Rule.
• Applies to PHI in any medium—oral, paper, electronic.
† Assess whether the PHI was “unsecured PHI.”
• PHI was not encrypted in accordance with the Security Rule, or
• PHI was not destroyed.
If PHI was secured, then no further action is required. If PHI was unsecured, then:
† Report breach to [insert name of practice or facility]’s Privacy and/or Security Official.
† Conduct a risk assessment.
• Investigate to determine whether impermissible use or disclosure of PHI poses a
significant risk of financial, reputational, or other harm to the individual(s).
• Make a fact-based evaluation of: the nature of the PHI, the number of identifiers
contained within the PHI, the recipient of the PHI, and any mitigation possible to lessen
potential harm.
• If the PHI was a limited data set and did not include date of birth and zip code,
there is no significant risk of financial, reputational, or other harm to the
individual(s) as a result of the breach.
• If PHI was mistakenly disclosed to the wrong covered entity, since a covered entity
must comply with the Privacy and Security Rules, there is low risk of harm to the
individual(s).
• If an unencrypted laptop containing PHI is lost, but upon recovery it can be
confirmed that PHI has not been accessed, the breach does not pose risk of harm.
† Document results of risk assessment.
If there is no significant risk of financial, reputational, or other harm to the individual(s), no further
action is required. If there is a significant risk of harm, then:
† Determine if the incident falls under any exceptions to the definition of breach.
• Unintentional access or use by workforce member or business associate (BA).
Any unintentional acquisition, access, or use of PHI by a workforce member or person
acting under the authority of [insert name of practice or facility] or [insert name of
practice or facility]’s BA made in good faith and within the person’s scope of authority
and does not result in further use or disclosure in a manner not permitted under the
Privacy Rule.
• Inadvertent disclosure. Any inadvertent disclosure by a person who is authorized to
access PHI at [insert name of practice or facility] or [insert name of practice or
facility]’s BA to another person authorized to access PHI at [insert name of practice
or facility] or [insert name of practice or facility]’s BA, or organized health care
arrangement (OHCA) in which [insert name of practice or facility] participates, and
the PHI received is not further used or disclosed in a manner not permitted under the
Privacy Rule.
• Good faith belief that PHI was not retained. A disclosure of PHI where [insert name
of practice or facility] or [insert name of practice or facility]’s BA has a good faith
belief that an unauthorized person to whom the disclosure was made would not
reasonably have been able to retain such information.
† Document determination as to whether the breach falls under an exception.
If the breach falls under an exception, no further action is required. If no exception applies:
† Prepare a notice of the breach in plain language that includes:
• A brief description of what happened, including the date of the breach and the date of
the discovery of the breach, if known.
• A description of the types of unsecured PHI that were involved in the breach (such as
whether full name, social security number, date of birth, etc., were involved), but do not
include the actual PHI.
• Any steps the individuals should take to protect themselves from potential harm resulting
from the breach.1
• A brief description of what [insert name of practice or facility] is doing to investigate
the breach, mitigate the harm to individuals, and protect against further breaches.
• Contact information if the individuals have questions or want to learn more—either a toll-free
telephone number, an e-mail address, Web site, or postal address.
† Delay sending the notice if a law enforcement official determines that the notice would
impede a criminal investigation or damage national security.
If no delay of the notice is required by law enforcement:
† Send the notice: (i) via first class mail to the last known address of each individual whose
PHI was breached; or (ii) via electronic mail if the individual whose PHI was breached has
agreed to electronic notice and such agreement has not been withdrawn.
• If an individual is deceased, mail the notice to the individual’s next of kin or personal
representative, if that person’s address is known.
† Send notice without unreasonable delay, but no later than 60 calendar days following
discovery of the breach.
If the contact information is insufficient or out-of-date, provide substitute notice as follows:
† Determine the content of PHI and number of individuals affected.2
If the PHI is not in electronic format or, if in electronic format, does not include the first name or
initial and last name of the individual and one of the following: the individual’s social security
number; driver’s license number or Washington identification card number; or account number or
credit or debit card number in combination with any required security code, access code, or
password, then:
† If fewer than 10 individuals are affected, provide notice by alternative written notice,
telephone, or other means.
† If more than 10 individuals are affected, provide notice by either: (i) conspicuously posting
the notice for 90 days on the home page of [insert name of practice or facility]’s Web site;
or (ii) conspicuous notice in major print or broadcast media where the individuals reside.
• Notice must include a toll-free phone number that remains active for at least 90 days, so
individuals can call to learn whether their unsecured PHI was involved in the breach.
If the PHI is in electronic format and includes the first name or initial and last name of the
individual and one of the following: the individual’s social security number; driver’s license
number or Washington identification card number; or account number or credit or debit card
number in combination with any required security code, access code, or password, then:
† E-mail notice if an e-mail address is available;
† Conspicuously post the notice on the home page of [insert name of practice or facility]’s
Web site for 90 days;
† Post the notice in major print or broadcast media where the individuals reside; and
† Include a toll-free phone number that remains active for at least 90 days.
If the breach involves fewer than 500 individuals:
† Record the breach in the Accounting Log for Notification of Breach of Unsecured Protected
Health Information
† Attach copy of notice to the Accounting Log for Notification of Breach of Unsecured
Protected Health Information
† Provide notification annually to the Secretary of Health and Human Services.
If the breach involves more than 500 individuals:
† Provide the notice to prominent media outlets;
† Provide the notice simultaneously to the Secretary of HHS in the manner specified on the
HHS Web site.
The DHHS Office for Civil Rights has posted a form for covered entities to use to provide notice to the
Secretary of HHS of a breach of unsecured, protected health information. This form can be found at
http://transparency.cit.nih.gov/breach/index.cfm.
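The Notification of Breach procedure (steps 1 through 9) and the Breach Notification Checklist above describe the same decision tree: secured PHI is out of scope, the three exceptions and the limited-data-set case remove an incident from the definition of breach, a significant risk of harm is still required, and the notice channels then depend on how many individuals lack usable contact information, whether the PHI contains Washington "personal information", and whether more than 500 individuals are affected. The following is an added example, not code from this policy set or from its publisher, that encodes that tree so an incident record can be checked against it consistently and the result documented. The field names, exception codes, channel labels, and the constructed sample incidents are assumptions made for the example; the risk-of-harm conclusion is an input, since the policy leaves it to the documented assessment in step 4.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Exceptions to the definition of breach (procedure step 3 / checklist).
# The codes are constructed for this example.
BREACH_EXCEPTIONS = {
    "unintentional_good_faith_workforce",  # good-faith access or use within scope, no further use
    "inadvertent_between_authorized",      # authorized person to authorized person, no further use
    "recipient_could_not_retain",          # good-faith belief the recipient could not retain the PHI
}


@dataclass(frozen=True)
class Incident:
    """Facts gathered about one incident; every field is an input to the decision."""
    discovered: date
    secured: bool                   # encrypted or destroyed per the HHS guidance (footnote 1)
    exception: Optional[str]        # one of BREACH_EXCEPTIONS, or None
    limited_data_set_no_dob_zip: bool
    significant_risk_of_harm: bool  # conclusion of the documented risk assessment (step 4)
    affected: int                   # individuals whose unsecured PHI was involved
    bad_contact: int                # of those, how many lack usable contact information
    wa_personal_information: bool   # name plus SSN, DL/WA ID, or account number with code (step 7)
    law_enforcement_delay: bool     # an official states that notice would impede an investigation


def is_notifiable_breach(inc: Incident) -> bool:
    """Steps 1, 3 and 4: unsecured PHI, no exception, and a significant risk of harm."""
    if inc.secured:                          # step 1: only unsecured PHI is in scope
        return False
    if inc.exception in BREACH_EXCEPTIONS:   # step 3: excluded from the definition of breach
        return False
    if inc.limited_data_set_no_dob_zip:      # step 3: treated as no significant risk
        return False
    return inc.significant_risk_of_harm      # step 4


def notification_plan(inc: Incident) -> Dict:
    """Steps 6 to 9: which notice channels are required, and the 60-day deadline."""
    if not is_notifiable_breach(inc):
        return {"notify": False, "channels": [], "deadline": None}
    channels: List[str] = ["first_class_mail_or_agreed_email"]        # step 6
    if inc.bad_contact > 0:                                          # step 7: substitute notice
        if inc.wa_personal_information:
            channels += ["email_if_available", "web_home_page_90_days",
                         "major_media_with_toll_free_90_days"]
        elif inc.bad_contact < 10:
            channels.append("telephone_or_other_means")
        else:
            channels.append("web_home_page_90_days_or_major_media_with_toll_free_90_days")
    if inc.affected > 500:                                           # step 8
        channels += ["prominent_media_outlets", "hhs_secretary_now"]
    else:                                                            # step 9
        channels += ["breach_accounting_log", "hhs_secretary_annual"]
    # Deadline is None when a law enforcement official has requested a delay.
    deadline = None if inc.law_enforcement_delay else inc.discovered + timedelta(days=60)
    return {"notify": True, "channels": channels, "deadline": deadline}


# Constructed sample incidents (not real events).
SAMPLE_INCIDENTS = {
    "encrypted_laptop_lost": Incident(
        discovered=date(2009, 10, 1), secured=True, exception=None,
        limited_data_set_no_dob_zip=False, significant_risk_of_harm=True,
        affected=300, bad_contact=0, wa_personal_information=True,
        law_enforcement_delay=False),
    "misfiled_paper_chart": Incident(
        discovered=date(2009, 10, 5), secured=False, exception=None,
        limited_data_set_no_dob_zip=False, significant_risk_of_harm=True,
        affected=12, bad_contact=3, wa_personal_information=False,
        law_enforcement_delay=False),
    "billing_database_exposed": Incident(
        discovered=date(2009, 10, 20), secured=False, exception=None,
        limited_data_set_no_dob_zip=False, significant_risk_of_harm=True,
        affected=1200, bad_contact=40, wa_personal_information=True,
        law_enforcement_delay=True),
    "email_to_wrong_colleague": Incident(
        discovered=date(2009, 10, 22), secured=False,
        exception="inadvertent_between_authorized",
        limited_data_set_no_dob_zip=False, significant_risk_of_harm=False,
        affected=1, bad_contact=0, wa_personal_information=False,
        law_enforcement_delay=False),
}

if __name__ == "__main__":
    for name, inc in SAMPLE_INCIDENTS.items():
        print(name, notification_plan(inc))
```

The lost encrypted laptop and the misdirected internal e-mail produce no notice; the misfiled paper chart (12 affected, 3 unreachable, no Washington personal information) requires mailed notice plus telephone substitute notice, a log entry and annual HHS reporting, due 60 days after discovery; the exposed billing database adds e-mail, Web site and media substitute notice, prominent media outlets and immediate HHS notice, with the deadline held while law enforcement has asked for a delay.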
1 The Federal Trade Commission Web site provides information on how to protect against identity theft and can be found at:
www.ftc.gov/bcp/edu/microsites/idtheft/consumers/defend.html
2 Complies with breach notification requirements under RCW 19.255.010
Accounting Log for Breaches of Unsecured Protected Health Information
Date of Breach | Date of Discovery of Breach | Nature of Breach (What happened) | Types of Unsecured PHI | Date of Notice to Individuals | Copy of Notice Attached
Complaints and Grievances Relating to the Use or Disclosure of Protected Health
Information (Policy & Procedures)
Purpose: To support our mission to continually improve the quality of the services we provide and to provide
a process for handling complaints and grievances related to the use or disclosure of protected health
information (PHI).
Definitions:
Complaint: an oral concern about our compliance with health-information privacy laws and regulations
Grievance: a written concern about our compliance with health-information privacy laws and regulations
Policy:
1. Complaints and grievances about PHI shall be investigated and managed in a timely and respectful
manner.
2. Complaints and grievances concerning PHI and their disposition or resolution must be documented.
3. To the extent practicable, any known harmful effect of a use or disclosure of PHI in violation of our
policies and procedures and the requirements of applicable laws by [insert name of practice or
facility] or our business associates must be mitigated.
4. [Insert name of practice or facility] will not retaliate in any way (e.g., intimidation, threatening
behavior, coercion, and discrimination) against an individual lodging a complaint or grievance, or for
testifying, assisting, or participating in any investigation or administrative action. Nor will any individual
be asked to waive the rights permitted to him or her under state or federal privacy laws as a condition of
treatment payment, enrollment, or eligibility for benefits.
Responsible Party:
All Staff
Procedure for responding to a complaint:
1. Listen—communication considerations:
• Actively listen. Take steps to minimize interruptions by others, and avoid interrupting the individual.
• Restate your understanding of the nature of the issue.
2. Address the individual’s concern if authorized and able to do so, or advise the individual that you would
be happy to report the problem or that he or she may report the problem to [insert name of internal
contact person and telephone number]. Consider the following:
a. Remember confidentiality concerns (e.g., if a relative informed you of the concerns, do you have the
authority to discuss the patient health care information with the relative—or do you need a signed
authorization form?).
b. An individual has the right to request to file a written complaint to [insert name of internal contact
person and telephone number].
c. If the individual expresses a desire to complain to the Department of Health and Human Services
Office for Civil Rights, advise the individual that “we also respect your right to file a complaint and
that [insert name of practice or facility] will not retaliate against you.”
3. Write down concerns.1 This document should be routed to the individual responsible for oversight of
complaints involving PHI. The complaint disposition or resolution should be noted on this document as
well.
4. Follow up as needed (e.g., if indicated that the privacy official would call the individual within the week,
contact the privacy official to ensure follow-up).
Responsible party:
Internal Contact Person (this may be the Privacy Official or the designee)—responsible for overseeing the
management and documentation requirements related to complaints and grievances regarding the use or
disclosure of PHI. This individual also reviews and responds to complaints or grievances concerning PHI as
needed.
Procedure for responding to a grievance or a complaint that cannot be resolved by anyone other than the Privacy Official or the designee:
1. Respond to grievances in writing. Reply to complaints verbally—unless the individual requests otherwise
or it is deemed more appropriate to respond in writing.
2. Consider confidentiality concerns (e.g., if a relative informed you of the concerns, do you have the
authority to discuss the patient’s health care information with the relative—or do you need a signed
authorization form?).
3. Notify or consult with the appropriate insurance carrier and/or legal counsel on issues involving liability
and litigation potential.
4. Respond in a timely fashion (e.g., the initial response could simply be “We will investigate and inform
you of the final decision if enough information is not available to make an immediate determination”). A
letter with the final resolution or disposition shall be sent to the individual (see Complaint / Grievance
Resolution Letter).
5. Notify the appropriate individual to address any pertinent employment issues (e.g., investigation,
counseling, disciplinary action, or termination) according to applicable policies/procedures and state and
federal laws.
6. Work to mitigate, to the extent practicable, any harmful effect that is known because of a use or
disclosure of protected health information in violation of [insert name of practice or facility] policies
and procedures or the requirements of applicable laws by [insert name of practice or facility] or
business associates. If the complaint involves a breach of unsecured PHI2, refer to Notification of
Breach of Unsecured Protected Health Information (Policy & Procedures).
7. Take steps to ensure that [insert name of practice or facility] will not retaliate in any way (e.g.,
intimidation, threatening behavior, coercion, and discrimination) against an individual lodging a
complaint or grievance.
8. Document the resolution or disposition of the grievance and maintain the information in a file labeled “In
anticipation of litigation.”3
1 If applicable, consider using your existing quality improvement/incident reporting system for this purpose.
2 Unsecured PHI is defined as PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary of HHS.
3 If applicable, consider using your existing quality improvement/incident reporting system for this purpose.
Policy effective date: ____/____/____ Revision date(s): ____/____/____
Complaint / Grievance Resolution Letter
Date:
Address:
Dear [insert name of individual]:
I am writing to respond to the concerns that you documented in your letter dated [insert date]. You
expressed concerns regarding the [handling/use/disclosure] of [insert patient name]’s protected health
information. We respect your right to file a concern. We are very sorry that you are upset.
(Option 1—If a complaint is made by the patient or the patient’s legally authorized representative.)
Based on your concerns, we completed an investigation on [insert date]. We [insert steps taken to
investigate the complaint - interviewed staff, reviewed our policies, etc.]. We found that [insert brief
summary of the facts of the investigation].
(Option 2—If a complaint is made by someone other than a patient or the patient’s legally authorized
representative, and patient permission has not been granted to authorize disclosure.) Based on your
concerns, we completed an investigation on [insert date]. We [insert steps taken to investigate the
complaint - contacted the patient, interviewed staff, reviewed policies, etc.]. Due to privacy and
security laws, we cannot tell you any details of our investigation or findings. However, we would be happy to
give you information if the patient permits us to do so.
Thank you for bringing your concerns to our attention. We try hard to protect all of the health information
that we handle. You have given us an opportunity to review our practices and to make improvements.
If you have additional questions, please contact [insert name] at [insert phone number].
Sincerely,
Privacy Official or Designee
HIPAA Privacy and Security Training (Policy & Procedures)
Purpose: To provide a procedure for educating the workforce on privacy and security of protected health
information (PHI) policies and procedures as required by law.
Policy:
1. Each member of the workforce will receive training on the privacy and security of PHI as necessary and
appropriate for the member to carry out his or her job responsibilities. New members of the workforce
shall receive privacy and security training during their orientation period.
2. Additional privacy and security training will be provided to the workforce within a reasonable time period
after implementation of organizational policies and procedures that have undergone material changes.
3. Training will be documented for each member of the workforce.
4. Each workforce member will sign an Employee Confidentiality and Acknowledgment of HIPAA Training
Statement acknowledging the confidentiality of PHI and that he or she has been trained and
understands [insert name of practice or facility]’s policies and procedures regarding PHI.
5. Training records will be maintained for at least six years.
6. Periodic retraining will be conducted as needed and appropriate, or at least once a year.
Responsible Party:
Privacy Official or the designee
Procedure (here is one example of how you may structure your training program):
1. All members of the workforce shall review the following materials:
a. Notice of Privacy Practices
b. Complaints and Grievances Relating to the Use or Disclosure of Protected Health Information
(Policy & Procedures)
c. Minimum Necessary Requirements for the Use and Disclosure of Protected Health Information
(Policy & Procedures)
d. Administrative Safeguards—Physical Controls for Visitor Access
e. Physical Safeguards—Access Control
f. Technical Safeguards—Personal or “Entity” Authentication
g. Notification of Breach of Unsecured Protected Health Information (Policies & Procedures)
h. Job-specific and other newly developed HIPAA privacy policies and procedures
2. Each member of the workforce shall review job-specific privacy and security practices and complete the
HIPAA Privacy Rule: A Questionnaire for Nonclinical Staff or the HIPAA Privacy Rule: A Questionnaire
for Clinical Staff.
3. Each member’s training shall be documented, e.g., written confidentiality and acknowledgment of
training statement, personnel files, continuing education records.
Policy effective date: ____/____/____ Revision date(s): ____/____/____
HIPAA Privacy and Security Training Checklist
[This checklist contains a listing of suggested training materials to help document the
job-specific training required by the HIPAA Privacy and Security Rules. It should be
personalized to meet the needs of your organization and each job position.]
For each area, place a check in the box as each item is completed:
[ ] Read your Notice of Privacy Practices.
[ ] Read your Complaints and Grievances Relating to the Use or Disclosure of Protected Health Information (Policy & Procedure).
[ ] Read your Minimum Necessary Requirements for the Use and Disclosure of Protected Health Information (Policy & Procedure).
[ ] Read your Administrative Safeguards—Physical Controls for Visitor Access.
[ ] Read your Physical Safeguards—Access Control.
[ ] Read your Technical Safeguards—Personal or “Entity” Authentication.
[ ] Read your Notification of Breach of Unsecured Protected Health Information (Policy & Procedures).
[ ] Read your job-specific HIPAA privacy and security policies and procedures.
[ ] As applicable, understand other newly developed privacy and security policies and procedures and your role in implementation:
(List p & p: _____________________________________)
(List p & p: _____________________________________)
(List p & p: _____________________________________)
[ ] (Other specific training materials: ___________________)
[ ] (Other specific training materials: ___________________)
[ ] (Other specific training materials: ___________________)
[ ] Read, complete, and submit HIPAA Privacy Rule Questionnaire.
[ ] Sign Employee Confidentiality and Acknowledgment of HIPAA Training Statement.
____________________________________________________________________________
Signature and Title of Employee
Date Completed
____________________________________________________________________________
Reviewing Supervisor
Date Reviewed
HIPAA Privacy Rule: A Questionnaire for Nonclinical Staff
This questionnaire is designed to address common privacy issues encountered in a variety of
clinical settings. Please read and answer each question.
General Privacy Issues
1. What does PHI stand for?
a. Protected Health Information
b. Personal Health Information
c. Private Health Information
d. Presidential Health Information
Telephone Messages
2. You are calling to confirm a patient’s appointment with her doctor. You dial and get an
answering machine. Can you leave a message? If so, what should you say?
General Privacy Issues
3. A well-known high school athlete, Gary, goes to the doctor for treatment of a sexually
transmitted disease (STD). Jane, an employee at the clinic, happens to have a daughter, Sue,
who attends high school with Lisa. Lisa is dating the athlete, Gary.
a. Jane is concerned about Lisa, whom she believes is sexually active with the boy. She is
good friends with Lisa’s mother and tells you—her coworker—that she is considering
advising Linda—Lisa’s mother—“in confidence,” of course, that Gary was seen at the
clinic for treatment of an STD. Jane says she believes she has an obligation to do this
to prevent Lisa from contracting an STD. What, if any, privacy concerns do you see?
b. What do you say to Jane?
Release of Information
4. True or false? You can comply with a request by a school nurse to fax over a student’s
immunization record because the student’s mother has not submitted the required records.
Privacy and Minors
5. A parent demands to see her daughter’s medical record. The daughter is 12 years old. The
record has information from the patient about her sexual activity, provided in confidence. What
do you do?
Privacy Practices
6. You overhear a discussion between a patient and a visitor regarding the new federal privacy
laws. The visitor asks you, “What are your office’s privacy practices?” What will you do?
General Privacy Issues
7. True or false? A surgeon requests portions of his patient’s medical record relating to his
surgical care. You are able to provide these copies without patient authorization.
8. A family member of a patient comes to you quite upset. He just overheard two employees
discussing his relative’s health status in the cafeteria over lunch. He wants to file a complaint.
How would you assist him in this process? You:
a. Refer him to the individual your facility has designated to handle privacy complaints.
b. Advise him to contact the Department of Health and Human Services Office for Civil
Rights and provide the telephone number.
c. Document the complaint in the medical record and complete an incident report.
d. Listen to the complaint and advise him that you will take care of the problem.
9. What do you do if a patient asks you for a list of the individuals that have received copies of his
or her medical record?
10. True or false? A nurse and a physician may discuss a patient’s medical condition in the hall
outside a patient’s room.
HIPAA Privacy Rule: A Questionnaire for Nonclinical Staff
(Answer Key)
We have provided these responses to address common privacy issues encountered in a variety of
clinical settings. While a case study may focus on a particular setting (e.g., a clinic or hospital), the
privacy principles apply to everyone. Some answers may depend upon your facility’s policies and
procedures and should be modified to meet your operational needs.
1. a. Protected Health Information.
2. Yes, you may leave a limited message. Be sure to be discreet when doing so, as others may
be present when the individual replays the message—or another person may pick up the
message. An appropriate message for an appointment of a general nature might be:
“Hello. This is Lynne from Dr. Olson’s office calling to remind Susan of her appointment at
3:00 tomorrow afternoon. Please have her call me at 206-111-2222 if there are any
questions.”
Never leave information about a diagnosis, medical condition, or laboratory or test result on an
answering machine—even if the result is good news—unless the patient has requested you to
do so. Be sure to document the patient’s request in the medical record.
3. The privacy concern in this scenario is that Jane is considering an unauthorized disclosure of
PHI. In general, disclosures of PHI for any purpose other than treatment, payment, or health
care operations require the patient to sign an authorization. Releasing such information violates
state and federal laws and may also subject the individual and facility to criminal or civil fines
and penalties. Further, it would violate the organization’s privacy policies and subject Jane to
disciplinary action that may include termination from her job.
How to handle this situation: Advise Jane that Gary’s health information is protected by law.
Jane could share her concerns with the doctor. The doctor may then take whatever action is
clinically appropriate. Jane should not share information with anyone else unless the disclosure
is in the performance of her job-related duties to facilitate treatment, payment, or health care
operations.
4. True, if the request is for purposes of treating the student/patient.
The Washington State Department of Health has advised that sharing immunization records
with the nurse or a designee—regardless of purpose—is acceptable. However, we are not
aware of any provision in the HIPAA Privacy Rule or Washington State laws that would allow
sharing this information for any purposes other than treatment. Therefore, we recommend that
if the request is for school administrative purposes, the parent’s permission be obtained prior to
sending the records to the school. A signed authorization is preferred (though a facsimile is
acceptable). However, authorization could be obtained from the parent over the phone. The
oral permission should be documented, along with the date and time, and signed by the staff.
Be sure to use reasonable precautions to protect the privacy of information sent via facsimile
(e.g., double-check the number before sending and use a facsimile cover sheet with a
disclaimer).
5. An individual trained and familiar with handling issues relating to treatment of minors should
deal with this issue (e.g., a clinician, a manager, or medical records personnel). Appropriate
answers might include:
a. Refer to a manager, or
b. Refer to medical records staff.
Appropriately trained staff should consider the following when responding to the mother:
• Minors may consent independently at any age for treatment related to pregnancy—provided
they have the capacity to understand the nature of the treatment and the risks associated
with the treatment.
• Minors may consent independently at age 14 for treatment related to sexually transmitted
diseases (STDs) provided they have the capacity to understand the nature of the treatment
and the risks associated with the treatment.
• Emancipated minors may consent for treatment of any condition independently.
Emancipation may be determined by the courts or for medical treatment purposes by the
physician.
• The health care information may be released to the mother if the highly sensitive areas that
require the minor’s permission for release are redacted from the copy of the record.
Consultation with the treating provider may be necessary to determine whether providing the
mother with access is permissible. You might inform the mother that patient privacy laws
protect the information in the medical record. Urge the mother to discuss the reason for the visit
with her daughter.
When in doubt, it is advisable to obtain the minor’s permission prior to releasing the
information.
6. Provide the current Notice of Privacy Practices (NPP) to the visitor or direct the visitor to the
appropriate individual or department to obtain a copy of the current NPP. Patients must be
given a copy of the NPP at their first contact with the facility. Reasonable attempts must be
made to obtain a signed acknowledgment of receipt of the NPP. The regulations also require
the facility to provide a copy to ANY individual upon his or her request—and this does not need
to be documented.
7. True. Trained and authorized staff may provide the copy to the surgeon because it is for
treatment purposes.
8. Appropriate responses may be a, c, or d, depending upon the job position, circumstances, or
the organization’s policies and procedures. HIPAA requires that organizations have a policy in
place to address complaints pertaining to the handling of PHI—which must be followed.
9. Patients have a right to obtain a list of the individuals that have received copies of their PHI in
certain circumstances when the disclosure has not been made for treatment, payment, or
health care operations and the patient has not authorized the disclosure. This should be
referred to an appropriately trained and authorized individual to handle according to the
organization’s Documenting of and Accounting for Disclosures of Protected Health Information
(Policy and Procedures). The trained and authorized individual should be able to provide
details about how to handle the request—as outlined in your policy.
10. True—if the disclosure is necessary for continuity of care. Discretion (e.g., reasonable and
appropriate safeguards) should be used as appropriate.
HIPAA Privacy Rule: A Questionnaire for Clinical Staff
This questionnaire is designed to address common privacy issues encountered in a variety of
clinical settings. Please read and answer each question.
Telephone Messages
1. You are a nurse calling on behalf of a physician at an OB/GYN clinic to advise a patient
about her pregnancy-test results. You dial and get an answering machine. Can you leave a
message? If so, what should you say?
General Privacy Issues
2. What does PHI stand for?
a. Protected Health Information
b. Personal Health Information
c. Private Health Information
d. Presidential Health Information
3. A well-known high school athlete, Gary, goes to the doctor for treatment of a sexually
transmitted disease (STD). Jane, an employee at the clinic, has a daughter, Sue, who
attends high school with Lisa. Lisa is dating the athlete, Gary.
a. Jane is concerned about Lisa, whom she believes is sexually active with the boy.
She is good friends with Lisa’s mother and tells you—her coworker—that she is
considering advising Linda—Lisa’s mother—“in confidence,” of course, that Gary
was seen at the clinic for treatment of an STD. Jane says she believes she has an
obligation to do this to prevent Lisa from contracting an STD. What, if any, privacy
concerns do you see?
b. What do you say to Jane?
Information Release
4. True or false? You can comply with a request by a school nurse to fax over a student’s
immunization record because the student’s mother has not submitted the required records.
Record Amendment Request
5. You approach Sally Jones, your patient, and see that she has been reading her medical
record. She disagrees with an entry in the record that the nurse made about her “being very
demanding and requesting multiple prescriptions for Percodan.” She demands that the entry
be stricken from the record. How do you handle Sally’s request?
General Privacy Issues
6. You find Dr. Rota reviewing medical records at the nurses’ station. You notice he is
reviewing the record of another physician’s patient—Dr. Rota is not involved in that patient’s
care. How do you handle the situation?
7. What do you do if a patient asks for a list of the individuals who have received copies of his
or her medical record?
8. True or false? A nurse and a physician may discuss a patient’s medical condition in the hall
outside a patient’s room.
Privacy Practices
9. You overhear a discussion between a patient and a visitor regarding the federal privacy
laws. The visitor asks you, “What are your office’s privacy practices?” What will you do?
Complaint Management
10. A family member of a patient comes to you quite upset. He just overheard two employees
discussing his relative’s health status in the cafeteria over lunch. He wants to file a formal
complaint. How would you assist him in this process? You:
a. Refer him to the individual your facility has designated to handle privacy complaints.
b. Advise him to contact the Department of Health and Human Services Office for Civil
Rights and provide the telephone number.
c. Document the complaint in the medical record and complete an incident report.
d. Listen to the complaint and advise him you will take care of the problem.
Privacy and Minors
11. True or false? You may discuss the health information of a child with the child’s stepparent.
12. A parent demands information about why her daughter was seen at the clinic. The daughter
is 12 years old. The record has a discussion documented about the patient’s sexual activity
and a request for birth control pills, provided in confidence. How do you handle the
situation?
HIPAA Privacy Rule: A Questionnaire for Clinical Staff
(Answer Key)
We have provided these responses to address common privacy issues encountered in a variety of
clinical settings. Some answers may depend upon your facility’s policies and procedures and
should be modified to meet your operational needs.
1. Yes, you may leave a limited message. Be sure to be discreet when doing so, as others may
be present when the individual replays the message—or another person may pick up the
message.
For an appointment involving highly sensitive PHI (e.g., pregnancy, mental health, STDs, or
substance abuse), an appropriate message might be limited to:
“Hello, this is Lynne calling for Susan. Please have her call me at 206-111-2222.”
Never leave information about a diagnosis, medical condition, or laboratory or test result on an
answering machine—even if the result is good news—unless the patient has requested you to
do so. Be sure to document the patient’s request in the medical record.
2. a. Protected Health Information
3. The privacy concern in this scenario is that Jane is considering an unauthorized disclosure of
PHI. In general, disclosures of PHI for any purpose other than treatment, payment, or health
care operations require the patient to sign an authorization. Releasing such information violates
state and federal laws and may also subject the individual and facility to criminal or civil fines
and penalties. Further, it would violate the organization’s privacy policies and subject Jane to
disciplinary action that may include termination from her job.
How to handle this situation: Advise Jane that Gary’s health information is protected by law.
Jane could share her concerns with the doctor. The doctor may then take whatever action is
clinically appropriate. Jane should not share information with anyone else unless the disclosure
is in the performance of her job-related duties to facilitate treatment, payment, or health care
operations.
4. True, if the request is for purposes of treating the student/patient.
The Washington State Department of Health has advised that sharing immunization records
with the nurse or a designee—regardless of purpose—is acceptable. However, we are not
aware of any provision in the HIPAA Privacy Rule or Washington State laws that would allow
sharing this information for any purposes other than treatment. Therefore, we recommend that
if the request is for school administrative purposes, the parent’s permission be obtained prior to
sending the records to the school. A signed authorization is preferred (though a facsimile is
acceptable). However, authorization could be obtained over the phone from the parent. The
oral permission should be documented, dated, timed, and signed by the staff.
Be sure to use reasonable precautions to protect the privacy of information sent via facsimile
(e.g., double-check the number before sending and use a facsimile cover sheet with a
disclaimer).
5. The patient has a right to request a correction or amendment to her PHI. Initially, you may wish
to discuss her request with her. If this was a note that you authored, then you could review the
note and approve or deny the request. If the note was made by someone else, refer Sally to the
appropriate individual according to your organization’s Request to Correct or Amend Protected
Health Information (Policy & Procedures).
6. State and federal privacy laws permit access to PHI by those involved in treatment, payment,
or health care operations without a patient authorization. In this case it does not appear that Dr.
Rota has a legitimate need to know the information—as he is not directly involved in the
patient’s care (i.e., he is not the attending or a consulting physician for this patient). Unless Dr.
Rota was performing some other health care operation for the organization, such as a quality
improvement review, access to this patient’s information is not appropriate. In such a case you
might inquire about the reason for Dr. Rota’s need for the information. If the reason given does
not coincide with patient privacy laws, you might: 1) ask for the patient’s chart and indicate that
due to patient privacy laws he is not permitted to access this patient’s information or 2) go up
the chain of command.
7. Patients have a right to obtain a list of the individuals that have received copies of their PHI in
certain circumstances when the disclosure has not been made for treatment, payment, or
health care operations and the patient has not authorized the disclosure. This should be
referred to an appropriately trained and authorized individual to handle according to the
organization’s Documenting of and Accounting for Disclosures of Protected Health Information
(Policy & Procedures). The trained and authorized individual should be able to provide details
about how to handle the request—as outlined in your policy.
8. True—if the disclosure is necessary for continuity of care. Discretion (e.g., reasonable and
appropriate safeguards) should be used as appropriate.
9. Provide the current Notice of Privacy Practices (NPP) to the visitor or direct the visitor to the
appropriate individual or department to obtain a copy of the current NPP. Patients must be
given a copy of the NPP at their first contact with the facility. Reasonable attempts must be
made to obtain a signed acknowledgment of receipt of the NPP. The regulations also require
the facility to provide a copy to ANY individual upon his or her request—and this does not need
to be documented.
10. Appropriate responses may be a, c, or d, depending upon the job position, circumstances, or
the organization’s policies and procedures. HIPAA requires that organizations have a policy in
place to address complaints pertaining to the handling of PHI—which must be followed.
11. False—unless it is an emergency, the stepparent has adopted the child, the stepparent is
representing himself or herself to be a relative responsible for the health care of this minor
patient, or the stepparent has obtained permission from one of the birth parents. From a risk
management perspective, it is suggested that the stepparent complete a Kinship Caregivers
Informed Consent Declaration for Minors form if he or she is representing himself or herself to
be a relative responsible for the health care of this minor patient. If the stepparent obtains
permission from the birth parent, it should be in writing and a copy should be filed in the
medical record. Authorization from the birth parent can also be obtained over the phone. The
oral permission should be documented, along with the date and time, and signed by the staff.
12. As a general rule, the right to consent for care is a companion right to release of information.
When responding to the mother, clinical staff should consider the following:
• Minors may consent independently at any age for treatment related to pregnancy and reproductive care—provided the provider determines the minor has the capacity to understand the nature of the treatment and the risks associated with the treatment.
• Minors may consent independently at age 14 for treatment related to sexually transmitted diseases (STDs) provided they have the capacity to understand the nature of the treatment and the risks associated with the treatment. Since the minor is 12 in this scenario, this would not apply.
• Emancipated minors may consent for treatment of any condition independently. Emancipation may be determined by the courts or for medical treatment purposes by the physician.
• The health care information may be released to the mother if the highly sensitive areas that require the minor’s permission for release are redacted from the copy of the record.
Consultation with the treating provider may be necessary to determine whether providing the
mother with access is permissible. You might inform the mother that patient privacy laws
protect the information in the medical record. Urge the mother to discuss the reason for the visit
with her daughter.
When in doubt, it is advisable to obtain the minor’s permission prior to releasing the
information.
Treatment of Minors and the Handling of Their Protected Health Information
State law allows minors under the age of 18 to consent to medical care and treatment
under certain conditions that are described below. State law allows minors to make
decisions about the handling of their protected health information (PHI) when the law
allows them to consent for their own treatment.
In Washington a person under the age of 18 cannot consent to medical care unless one
or more of the following exceptions apply:
• If the minor is emancipated (legally independent) or married to someone at or above age 18 (RCW 26.28.020).
• In the event emergency care is necessary (when impractical to get parental consent first).
• For birth control and pregnancy-related care at any age (see State v. Koome).
• For outpatient drug- and alcohol-abuse treatment beginning at age 13 (RCW 70.96A.095).
• For mental health treatment beginning at age 13 (RCW 71.34.500 and 71.34.530).
• For sexually transmitted diseases, including HIV/AIDS, beginning at age 14 (RCW 70.24.110).
In Oregon minors have the right to consent to certain health care without a parent or
guardian’s consent. A minor may consent to medical care:
• At age 15 or above for most types of medical treatment (ORS 109.640).
• In the event emergency care is necessary (ORS 418.307).
• For birth control and pregnancy-related care at any age (ORS 109.610 and ORS 109.640).
• For outpatient chemical dependency (excluding methadone maintenance), and outpatient mental health diagnosis and treatment beginning at age 14. Parents or guardians must be involved at some time prior to the end of treatment except under special circumstances (ORS 109.675).
• For sexually transmitted diseases at any age (ORS 109.610 and ORS 109.640).
• For HIV testing and treatment at any age. Additionally, HIV test results and details regarding treatment of HIV/AIDS may not be disclosed to anyone without the express consent of the minor (ORS 433.045).
In Idaho a person under the age of 18 cannot consent to medical care unless one or
more of the following exceptions apply (these exceptions are much more limited in
Idaho):
• If the minor is emancipated (economic self-sufficiency, Ireland v. Ireland, 123 Idaho 955 (1993)).
• If the minor is or has been married (Idaho Code 32-101).
• For treatment of infectious, contagious, or communicable disease, beginning at age 14, if the disease or condition is one required by law or regulation to be reported to the local health officer (Idaho Code 39-3801).
Other treatment of minor issues in Idaho law are not easily summarized and we
recommend you contact a risk management consultant or attorney if you have
questions.
Documentation
The underlying facts for the application of any of these exceptions should be
documented in the medical record at the time of treatment. When consent forms are
applicable to these exceptions, such as pregnancy termination, the minor may sign
these forms. Due to the minor patient’s relative immaturity and lack of sophistication,
adequate time needs to be spent concerning these consent issues.
Emancipation
A person under the age of 18 who is either emancipated or married (Idaho) to a spouse
18 years of age or older (Washington) can consent to his or her own medical care. An
emancipated minor is an individual who is free from parental control and is self-supporting.
Emergencies
Washington State law provides that no clinician or hospital is liable for failing to secure
consent when rendering emergency medical, surgical, hospital, or health services to any
individual, regardless of age, where the patient is unable to provide consent for any
reason and where there is no other person reasonably available who is legally
authorized to give such consent. In Washington, Oregon, and Idaho, though not
specifically addressed in Idaho, emergency care should not be unduly delayed pending
attempts to obtain any such consent. If the child’s condition could deteriorate, treatment
should begin at once and permission to treat should be sought concurrently. Although
“emergency” can be defined either broadly or narrowly, we believe the interpretation
should be considered as broader than “life-threatening.” For example, in the instance of
an upper respiratory infection in a child, we believe that treatment should be started
even if consent is not readily available. Although it could be argued that in most cases a
delay in treatment of an upper respiratory infection will not cause sequelae, clearly a
delay in treatment increases a child’s suffering, and we can’t conceive of an instance
where a parent would refuse this care and a court would support such a decision. As in
most cases, the issue of determining when to treat without parental or guardian consent
requires good judgment and common sense.
In cases involving minors, clinicians or hospital personnel should thoroughly chart their
efforts to contact the parent or guardian for consent for emergency care. If parental
consent is obtained by phone, document it in the chart.
Sexual activity, substance abuse, and mental health
Some courts and legislatures have granted minors the right to consent to medical care in
a number of situations where forced consultation would most likely deter the minor from
seeking needed treatment. In Washington and Oregon a minor may consent to medical
care relating to birth control, medical conditions relating to pregnancy, and pregnancy
terminations. In Washington persons 14 years of age or older may give their own
consent for medical care relating to HIV/AIDS or sexually transmitted diseases. In
Idaho, beginning at age 14, minors can consent to treatment of some STDs as described
by Statute 39-3801 as quoted above. Persons 13 years of age or older (14 in Oregon)
may give their own consent for outpatient mental health care or the outpatient treatment
of substance abuse. However, minors cannot be admitted for inpatient treatment of
substance abuse or mental health without parental consent or a commitment order.
Cost of care
For other than emergency care, parents or guardians are not liable for the cost of care
provided without their consent when the minor has the right to consent without
consulting the parents. In these instances, each minor needs to be informed that he or
she will be responsible for paying for services, and appropriate arrangements should be
made.
Divorced or separated parents
For health care of a minor that does require parental consent, the parent or guardian
who brings the child to the medical office can provide consent for the child’s care. A
parent or guardian can provide consent for the treatment of a minor child regardless of
whether the parents are married, unmarried, or separated at the time of the treatment.
This applies whether the parent is the custodial parent or not, and would only be
impacted by a court order limiting the parent’s parental rights, including the right to direct
medical care. You may treat a minor when one parent provides consent to care even if
the other parent demands you not treat the minor, although there may be occasional
circumstances where, in your judgment, you choose not to provide care when the
parents disagree.
Conclusion
The law concerning treatment of minors has numerous exceptions and nuances, and
this article attempts to focus on the most common issues. It does not address the more
case-specific problems related to extremely immature minors who may lack mental
competence to consent, the court-ordered treatment of minors, or the right of minors to
refuse medical care. If health care providers use their common sense and their best
judgment, with an emphasis on what is best for the patient, the liability risk will be
minimized. Whenever difficult case-specific consent issues arise, Physicians Insurance
members can call the Risk Management Department at (206) 343-7300 or 1-800-962-1399 (Western
Washington) or (509) 456-5868 or 1-800-962-1398 (Eastern Washington).
Kinship Caregivers Informed Consent Declaration for Minors
Persons authorized to provide informed consent to health care on behalf of a child under the
age of 18 must be a member of one of the following classes of persons in the following order of
priority (RCW 7.70.065):
1. A guardian or legal custodian appointed by the court;
2. A person authorized by the court to consent to medical care for a child in out-of-home
placement pursuant to the dependency and termination of parental rights statutes;
3. Parents of the minor patient;
4. A person to whom the minor’s parent has given a signed authorization to make health
care decisions for the minor patient; and
5. A competent adult representing himself or herself to be a relative responsible for the
health care of such minor patient or a competent adult who has signed and dated a
declaration under penalty of perjury stating that the adult person is a relative who is
responsible for the health care of the minor patient.
The following declaration applies to a person in category 5 listed above:
I ________________________________am a relative of ______________________________;
(print name)
(print name of minor patient)
and am responsible for his or her health care. I declare under penalty of perjury under the laws
of the state of Washington that the foregoing is true and correct.
Signed at ____________________________________________________________________
(place)
(date)
____________________________________________________________________________
Signature
Relationship to minor patient
This declaration is effective for no more than six (6) months from the date on which it is signed.
Employee Confidentiality and Acknowledgment of HIPAA Training Statement
All patient protected health information (PHI – which includes patient medical and financial information), employee
records, financial and operating data of [insert name of practice or facility], and any other information of a private or
sensitive nature are considered confidential. Confidential information should not be read or discussed by any
employee unless pertaining to his or her specific job requirements. Examples of inappropriate disclosures include:
• Employees discussing or revealing PHI or other confidential information to friends or family members.
• Employees discussing or revealing PHI or other confidential information to other employees without a legitimate need to know.
• The disclosure of a patient’s presence in the office, hospital, or other medical facility, without the patient’s consent, to an unauthorized party without a legitimate need to know, and that may indicate the nature of the illness and jeopardize confidentiality.
• Using patient information for marketing purposes without express permission from [insert name of practice or facility] and patient.
The unauthorized disclosure of PHI or other confidential information by employees can subject each individual
employee and the practice to civil and criminal liability. Disclosure of PHI or other confidential information to
unauthorized persons, or unauthorized access to, or misuse, theft, destruction, alteration, or sabotage of such
information, is grounds for immediate disciplinary action up to and including termination.
Employee confidentiality agreement
I hereby acknowledge, by my signature below, that I understand that the PHI, other confidential records, and data
which I learn or have access to in the course of my employment with [insert name of practice or facility] is to be kept
confidential, private, and secure, and that maintaining confidentiality, privacy, and security of PHI and other
confidential records and data is a condition of my employment. Such information shall not be disclosed to anyone
under any circumstances, except to the extent necessary to fulfill my job requirements. I understand that my duty to
maintain confidentiality, privacy, and security continues even after I am no longer employed.
I have been trained in the Health Insurance Portability and Accountability Act (HIPAA) privacy and security policies and
procedures of [insert name of practice or facility] and am familiar with the guidelines in place at [insert name of
practice or facility] pertaining to the use and disclosure of patient PHI or other confidential information. Approval
should first be obtained before any disclosure of PHI or other confidential information not addressed in the guidelines
and policies and procedures of [insert name of practice or facility] is made. I also understand that the unauthorized
use or disclosure of patient PHI and other confidential or proprietary information of [insert name of practice or
facility] is grounds for disciplinary action, up to and including immediate dismissal.
Print employee name: _____________________ Employee signature: ____________________ Date: ____________
Print supervisor name: ____________________ Supervisor signature: ____________________ Date: ____________
Nonemployee Confidentiality and Acknowledgment of HIPAA Training Statement
All patient protected health information (PHI—which includes patient medical and financial information), employee
records, and financial and operating data of [insert name of practice or facility], and any other information of a
private or sensitive nature, is considered confidential. Confidential information shall not be used or disclosed unless
specific permission to do so has been obtained and granted by the privacy official or designee. Applicable federal and
state laws shall be followed to seek patient permission for any use or disclosure of PHI. Examples of inappropriate
disclosures include:
• Discussing or revealing confidential information to friends or family members.
• Discussing or revealing confidential information to other coworkers or employees without a legitimate need to know.
• The disclosure of a patient’s presence in the office, hospital, or other medical facility, without the patient’s consent, to an unauthorized party without a legitimate need to know and that may indicate the nature of the illness and jeopardize confidentiality.
• Using patient information for marketing purposes without express permission from [insert name of practice or facility] and patient.
The unauthorized disclosure of PHI and other confidential information can subject an individual to civil and criminal
liability. Disclosure of confidential information to unauthorized persons, or unauthorized access to, or misuse, theft,
destruction, alteration, or sabotage of, such information, may result in your immediate removal from the premises
and/or revocation of current and future visiting/working privileges of the individual and/or company, and may lead to
legal action and/or a duty for you to mitigate damages.
Confidentiality agreement
I hereby acknowledge, by my signature below, that I understand that the PHI and other confidential records and data
which I may see or hear or otherwise gain knowledge of in the course of my visit/work with [insert name of practice
or facility] is to be kept confidential, private, and secure and that maintaining confidentiality, privacy, and security of
PHI and other confidential records and data is a condition of my privilege to visit/work with [insert name of practice or
facility]. Such information shall not be used or disclosed to anyone at any time, now or in the future, unless specifically
authorized by [insert name of practice or facility]. The unauthorized use or disclosure of patient PHI is possible
grounds for: immediate removal from the premises; revocation of all future visiting/working privileges; legal action;
and/or a duty to mitigate damages.
I have been trained in the Health Insurance Portability and Accountability Act (HIPAA) privacy and security policies and
procedures of [insert name of practice or facility] and am familiar with the guidelines in place at [insert name of
practice or facility] pertaining to the use and disclosure of patient PHI or other confidential information.
Printed name: _________________________ Signature: _________________________ Date: _________________
Company: _______________________________________ Position: ______________________________________
HIPAA Help – A Resource List
Government Sites:
U.S. Department of Health & Human Services Office for Civil Rights (OCR) –
Administrative Simplification
http://www.hhs.gov/ocr/privacy/hipaa/administrative/
Read the Health Insurance Portability and Accountability Act of 1996. Review the
Privacy Rule, the Transactions and Code Sets Standards, the Security Rule, and the
National Provider Identifier Standard.
U.S. Department of Health & Human Services Office for Civil Rights (OCR) –
Privacy Rule
http://www.hhs.gov/ocr/privacy/
Learn about the Privacy Rule’s protection of the privacy of individually identifiable health
information, the rights granted to individuals, OCR’s enforcement activities, and how to
file a complaint with OCR.
U.S. Department of Health & Human Services Office for Civil Rights (OCR) –
Frequently Asked Questions
http://www.hhs.gov/ocr/privacy/hipaa/faq/index.html
Read about frequently asked questions that affect your patients and your practice.
U.S. Department of Health & Human Services Office for Civil Rights (OCR) –
Privacy Complaints
http://www.hhs.gov/ocr/privacy/hipaa/complaints/hipcomplaintpackage.pdf
Download instructions and documents for filing a privacy complaint with the Office for
Civil Rights.
U.S. Department of Health & Human Services Centers for Medicare and Medicaid
Services (CMS) – Overview Security Standard
http://www.cms.hhs.gov/securitystandard/
Read about the Security Standard and obtain links to other information about the
Security Standard, including a pdf of HIPAA Security Guidance for Remote Use of and
Access to Protected Health Information.
U.S. Department of Health & Human Services Centers for Medicare and Medicaid
Services (CMS) – Security Materials Education Series
http://www.cms.hhs.gov/educationmaterials/04_securitymaterials.asp
Obtain links to HIPAA Security Rule education materials designed to provide assistance
with implementation of the security standards, including “Security Standards
Implementation for Small Providers.”
U.S. Department of Commerce National Institute of Standards and Technology
http://www.nist.gov/index.html
Find publications regarding standards for encryption or destruction of electronic PHI, as
well as information regarding seminars, presentations, and other educational
opportunities regarding HIPAA.
National Professional Organizations:
American Health Information Management Association (AHIMA)
http://ahima.org/
Find practice briefs, position statements, resolutions, sample forms, and policies to help
users comply with the HIPAA Privacy Regulations. Users may also access the standards
and regulations. This site also contains access to education opportunities.
American Health Lawyers Association
http://www.healthlawyers.org/pages/default.aspx
Publications and educational opportunities, primarily for lawyers. HITECH Act Resource
Guide is available for purchase.
The American Hospital Association (AHA)
http://www.aha.org/aha_app/issues/HIPAA/index.jsp
Includes news, frequently asked questions, and articles. Members can access
miscellaneous HIPAA tools.
The American Medical Association (AMA)
http://www.ama-assn.org/ama/pub/advocacy.shtml
Find out about AMA advocacy efforts. Learn about additional resources to help you cope
with HIPAA.
American Society for Healthcare Risk Management (ASHRM)
http://www.ashrm.org
This organization provides updates on hot risk management topics in health care,
including HIPAA. Educational opportunities and resource links are also available.
Healthcare Information and Management Systems Society (HIMSS)
http://www.himss.org/asp/topics_hipaa.asp
Includes current HIPAA news, implementation tools, and additional resources.
Medical Group Management Association (MGMA)
http://www.mgma.com
Find audiocassettes for purchase, and for members, access articles about various
HIPAA issues.
Workgroup on Electronic Data Interchange (WEDI)
http://www.wedi.org/
Learn about WEDI, a national health care industry collaboration to promote electronic
data interchange. Find news, events, industry updates, legislative news, and links to
other HIPAA-related sites.
State Professional Organizations:
Community Health Information Technology Alliance (CHITA)
http://www.chita.org/
Find out how this alliance of health care technology businesses and organizations
provides leadership on e-business in health care.
Oregon Medical Association (OMA)
www.theoma.org
Locate news and information to help Oregon physicians and clinics manage HIPAA.
Washington State Medical Association (WSMA)
http://www.wsma.org
Find learning opportunities and resources to help Washington State physicians and
clinics.
Washington State Hospital Association (WSHA)
http://www.wsha.org
Locate news and information concerning HIPAA. Find resources to assist hospitals with
HIPAA compliance efforts.
Washington State Health Information Management Association (WSHIMA)
www.wshima.org/
The Washington State Health Information Management Association is a nonprofit
association of professionals engaged in health information management providing
support to members and strengthening the industry and profession.
Other Resources to Consider:
HIPAAdvisory
http://www.phoenixhealth.com/hipaadvisory
On the Web site of Phoenix Health Systems, find current HIPAA news, resources, and
consulting services.
HCPro’s himinfo.com
http://www.hcpro.com/health-information-management
Read the latest in electronic health records, HIPAA, and CPT coding. Subscribe to a free
e-newsletter or join an audioconference on a variety of HIPAA-related topics.
Center for Democracy & Technology (CDT)
http://www.cdt.org/healthprivacy/
Access information on current health privacy issues. Review health privacy stories and
myths and facts about HIPAA.
We compiled this list as a tool for health care professionals. It is not an endorsement of
the sites or of the materials accessible through these Web sites. Since HIPAA is multifaceted (including electronic billing requirements, technical information, security
compliance, etc.), one resource will not likely provide all the answers. We cannot vouch
for the completeness or accuracy of the information provided by each organization, nor
is this a complete list of resources available. Remember that state law and accreditation
standards will also affect your HIPAA compliance efforts and should be taken into
consideration.
Updates to the July 2004 HIPAA Model Security Policies and
Procedures
Ongoing assessment of HIPAA Security Policies and Procedures is required in order to comply
with the HIPAA Security Rule. The Security Rule specifies that “[s]ecurity measures
implemented to comply with standards and implementation specifications…must be reviewed
and modified as needed to continue provision of reasonable and appropriate protection of
electronic protected health information.” Additionally, periodically reviewing and updating
security policies and procedures as needed, in response to environmental or operational
changes affecting the security of the electronic protected health information is a required
implementation specification under the Security Rule.
This update identifies a number of developments and changes since the Health Insurance
Portability and Accountability Act Model Security Policies and Procedures were published in
July 2004, that should be taken into consideration by practices as a part of their ongoing
Security Rule compliance risk analysis and risk management. It includes both state and federal
laws and regulations that pertain to references in the Model Security Policies and Procedures or
changes in Security Rule compliance requirements.
HIPAA breach notification requirements. On February 17, 2009, the American Recovery and
Reinvestment Act (ARRA), also known as the Stimulus Bill, was signed into law. Enacted as
part of this new federal legislation is the Health Information Technology for Economic and
Clinical Health (HITECH) Act. The HITECH Act strengthens and expands HIPAA’s current
privacy and security requirements. There are two provisions in the HITECH Act that impact
HIPAA’s security requirements: (1) the Secretary of Health and Human Services (HHS) is
required to annually issue security guidance; and (2) covered entities are required to provide
specific notification to individuals if they discover a breach of unsecured protected health
information. HHS has only issued guidance to date in connection with breach notification
requirements.
Effective September 23, 2009, HIPAA covered entities (CEs) are required to notify individuals if
they discover a breach of “unsecured PHI,” although HHS has discretion not to begin
enforcement of this new requirement until February 22, 2010. This new obligation has
significant implications for practices and will require at a minimum that they:
• Identify when PHI is unsecured (and determine whether more PHI should be secured)
• Determine what methods will be used to discover a breach
• Adopt a policy and procedure addressing breach notification
• Provide additional workforce training regarding breach discovery and notification
• Consider modifications to business associate (BA) agreements to address breach
notification
Breach determination. Not all breaches of PHI are subject to the new notification requirement.
The rule applies to the acquisition, access, use, or disclosure of PHI in a manner not permitted
under the Privacy Rule that compromises the security or privacy of the PHI (“breach”). The
phrase “compromises the security or privacy of the PHI” means it poses a significant risk of
financial, reputational, or other harm to the individual. As a result, the rule establishes a
“significant risk harm” threshold for determining whether there has been a breach that requires
notification. A CE has the burden of demonstrating that a use or disclosure of PHI in a manner
not permitted under the Privacy Rule does not pose a “significant risk” of harm to an individual.
The analysis and conclusion that there is not a significant risk of harm should be documented.
Interim regulations issued by HHS on August 24, 2009, clarify three important exceptions to the
breach notification requirements. A breach has not occurred if:
• A workforce member or person acting under the authority of a CE or BA, unintentionally
acquires, accesses, or uses PHI, provided the acquisition, access, or use was in good
faith, within the person’s scope of authority, and does not result in further use or
disclosure in a manner not permitted under the Privacy Rule.
• A person who is authorized to access PHI at a CE or BA inadvertently discloses PHI to
another person authorized to access PHI at the same CE or BA, or organized health
care arrangement (OHCA) in which the CE participates, provided the PHI received is not
further used or disclosed in a manner not permitted under the Privacy Rule.
• A CE or BA discloses PHI to an unauthorized person, provided the CE or BA has a good
faith belief that the unauthorized person to whom the disclosure was made would not
reasonably have been able to retain such information.
Unsecured PHI. In addition to determining whether a “breach” has occurred, a CE must
determine whether the breach involves “unsecured PHI.” “Unsecured PHI” means PHI that is
not secured through a technology or methodology that HHS considers as being capable of
rendering the PHI unusable, unreadable, or indecipherable to unauthorized individuals. PHI is
rendered unusable, unreadable, or indecipherable to unauthorized individuals according to HHS
if it is:
• Encrypted as specified in the Security Rule by “the use of an algorithmic process to
transform data into a form in which there is a low probability of assigning meaning
without use of a confidential process or key and such confidential process or key that
might enable decryption has not been breached.” Certain National Institute of Standards
and Technology (NIST) standards meet the standard.
    • Data at rest: NIST Special Publication 800-111 (Encryption)
    • Data in motion: NIST Special Publication 800-52 (Transport Layer Security);
      NIST Special Publication 800-77 and 800-113 (VPNs); and Federal Information
      Processing Standards (FIPS) 140-2 validated.
• Destroyed by:
    • Shredding or destroying the paper, film, or other hard copy media holding the
      PHI such that the PHI cannot be read or otherwise cannot be reconstructed.
    • Media sanitization through clearing, purging, or destroying consistent with NIST
      Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI
      cannot be retrieved.
The breach notification rules are not applicable if the CE utilizes these technologies and
methodologies that HHS has prescribed to render the PHI unusable, unreadable, or
indecipherable to unauthorized individuals.1
Notification requirements. When there is a breach of “unsecured PHI” a CE must provide
notice of the breach to individuals whose PHI has been, or is reasonably believed by the CE to
have been acquired, accessed, or used as a result of the breach. Written notification must be
provided to individuals via first-class mail. If the CE does not have sufficient contact information
for 10 or more affected individuals, notification must also be made on the CE’s Web site home
page or in major print or broadcast media. If the breach involves more than 500 individuals,
notification also must be made to prominent media outlets.
Notification must be made without unreasonable delay and in no case later than 60 days
following discovery of the breach and must contain, in plain language:
• A brief description of what happened, including date of the breach and the date of the discovery of the breach, if known.
• A description of the types of unsecured PHI that were involved in the breach (such as whether full name, social security number, date of birth, etc., were involved), but do not include the actual PHI.
• Any steps the individuals should take to protect themselves from potential harm resulting from the breach.2
• A brief description of what the CE is doing to investigate the breach, mitigate the harm to individuals, and protect against further breaches.
• Contact information if the individuals have questions or want to learn more—either a toll-free telephone number, an e-mail address, Web site, or postal address.
Business associates (BAs) must notify CEs of any breach of unsecured PHI and include the
identity of each affected individual.
The CE must notify HHS of all breaches of unsecured PHI. Notification must occur immediately
if the breach involves 500 or more individuals. The CE can maintain a log of breaches affecting
less than 500 individuals and submit the log annually to HHS.
Steps to take. CEs are required to address the issue of unsecured PHI and develop policies
and procedures to provide for notification of breaches. A practice’s security incident and
mitigation procedures (see, for example, Administrative Requirements—Security Incident
Procedures) must be revised to address these new breach notification requirements if the
security incident involves the breach of unsecured PHI and a significant risk of financial,
reputational, or other harm to the individual. [For a model policy and procedure for addressing
breach notification, see Notification of Breach of Unsecured Protected Health Information
(Policy & Procedures).] As a part of implementing such a policy, a practice should consider what
methods it has in place for identifying that a breach has occurred and what additional training
will be provided to employees regarding identifying and providing notice of potential breaches.
Encryption of electronic PHI. Encryption is not mandated under the Security Rule and
remains an addressable implementation specification under Technical Safeguards for Access
Control and Transmission Security. A CE is required to address whether it is reasonable and
appropriate to use encryption when PHI is sent over an “open” network such as the Internet or
when PHI is stored, particularly on a remote or portable device. A CE must document its
rationale if it concludes that encryption is not a reasonable and appropriate safeguard in its
environment. Justifying the decision not to encrypt electronic PHI that is transmitted, such as in
e-mails to patients, or that is stored on portable or remote devices, as reasonable and
appropriate is becoming increasingly difficult. The breach notification regulation and the role of
encryption in “securing” PHI are only the most recent confirmation that encrypting electronic PHI
when possible or practical is a best practice.
In December 2006, in response to a number of security incidents related to the use of laptops,
home-based personal computers, PDAs, smart phones, and other portable or mobile devices
with electronic PHI, the Centers for Medicare and Medicaid Services (CMS)3 issued HIPAA
Security Guidance for Remote Use of and Access to Electronic Protected Health Information.4
As a part of the guidance, CMS recommended that CEs:
• Require that all portable or remote devices that store electronic PHI employ encryption
technologies of the appropriate strength.
• Deploy policies to encrypt backup and archival media, ensuring that policies direct the use
of encryption technologies of the appropriate strength.
In a 2008 HIPAA Compliance Review Analysis published jointly by CMS and the Office of E-Health Standards and Services, CMS referred to its prior guidance and stated:
“The combination of CMS’s recommendation in the remote use
guidance, the increasing number of incidents involving lost
portable devices, and the decreasing cost of encryption solutions
has resulted in an environment where encryption may not be
optional under the mantra of reasonable and appropriate.”
CMS’s recommendations to improve Security Rule compliance regarding the addressable
implementation specification of encryption all involve the implementation of encryption.5
Additional HIPAA guidance available. In 2007, CMS issued, as part of its HIPAA Security
Series, a document entitled “Security Standards: Implementation for the Small Provider” which
can be found at:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/smallprovider.pdf. It provides
valuable guidance and serves to amplify, among other things, the Small Practice Security Risk
Analysis found starting at page 59 of the HIPAA Model Security Policies and Procedures.
Washington security breach notification requirements. Practices in Washington that
maintain unencrypted computerized personal information have had certain security breach
notification obligations since July 24, 2005. Any person conducting business in Washington that
owns or licenses computerized personal information is required to disclose any “breach of the
security of the system” by promptly notifying Washington residents whose unencrypted personal
information is reasonably believed to have been acquired by an unauthorized individual.6 As
with HIPAA, no notification is required if the information is encrypted.
Breach determination. A “breach of the security of the system” occurs when there is an
“unauthorized acquisition of computerized data that compromises the security, confidentiality, or
integrity of personal information.” There is a statutory exception to breach where there is “[g]ood
faith acquisition of personal information by an employee or agent of the person or business for
the purposes of the person or business when the personal information is not used or subject to
further unauthorized disclosures.” Additionally, there is no requirement to disclose a technical
breach of the security system provided that the breach “does not seem reasonably likely to
subject customers to a risk of criminal activity.”
Information triggering notification. “Personal information” is limited to an individual’s
unencrypted first name or first initial and last name in combination with any one or more of the
following unencrypted elements:
• Social security number;
• Driver’s license number or Washington identification card number; or
• Financial account or credit or debit card number in combination with any required
security code, access code, or password.
Moreover, personal information does not include publicly available information that is lawfully
made available to the general public from federal, state, or local government records.
Notification requirements. Subject to the foregoing definitions and exceptions, if there is a
breach of a security system that either results in, or is reasonably believed to have resulted in, a
Washington resident’s personal information being acquired by an unauthorized person, notice
must be provided as expediently as possible and without unreasonable delay. Notification may
be delayed if a law enforcement agency determines that the notification will impede a criminal
investigation. The notice may be provided by one of the following methods:
• Written notice
• Electronic notice in compliance with E-Sign (15 U.S.C. Sec. 7001)
• Substitute notice by e-mail (if e-mail address is available), Web-posting, and statewide
media disclosure if the costs of notice would exceed $250,000, there are more than
500,000 intended recipients, or there is insufficient contact information.
Steps to take. Adopting and complying with the model Notification of Breach of Unsecured
Protected Health Information (Policy & Procedures) is sufficient to comply with the Washington
state security breach notification requirements for PHI maintained by the CE. Any security
breach by a CE involving PHI that requires notification under Washington law will also require
notification under HIPAA. Moreover, complying with the HIPAA breach notification requirements
will satisfy Washington breach notification requirements except in those instances where there
is insufficient or out-of date contact information. Substitute notice under Washington law
requires e-mail, Web-posting, and statewide media disclosure and does not permit notice by
telephone. As a result, if breach notification is required under HIPAA and the unsecured PHI
includes an individual’s first name or initial and last name together with one of the identifiers
noted above, the CE must provide the more extensive substitute notice provisions described
above and in the model policy.
If in addition to computerized PHI, a practice maintains unencrypted computerized personal
information, such as employee records that include employee names and social security
numbers, any security system breach involving only those records would be subject only to the
Washington notification requirements.
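The HIPAA and Washington triggers described in the preceding sections can be encoded as a triage routine that a practice's security incident procedure runs once the facts of an incident are known: whether the data was encrypted, which data elements were exposed, how many individuals are affected, and whether contact information is complete. The Python block below is an added example, not part of the WSMA document or of any regulation text. The Incident fields, the element names such as "ssn" and "wa_drivers_license", and the output keys are this example's own assumptions, and the sample incidents are constructed.

```python
"""Breach-notification triage (added example; field names are assumptions).

Rules encoded, as summarized in the surrounding text:
  * Encrypted data is neither "unsecured PHI" (HIPAA) nor "personal
    information" (RCW 19.255.010), so neither notification regime applies.
  * HIPAA: notify affected individuals; 500 or more individuals means
    immediate notice to HHS, fewer means log the breach and submit annually.
  * Washington: first name or initial plus last name together with an SSN,
    a Washington driver's license or ID card number, or a financial account
    or card number plus its required code or password.
  * Washington substitute notice (e-mail, Web posting, statewide media; no
    telephone) when notice cost exceeds $250,000, there are more than
    500,000 recipients, or contact information is insufficient.
"""
from dataclasses import dataclass, field

HHS_IMMEDIATE_THRESHOLD = 500
WA_SUBSTITUTE_COST_USD = 250_000
WA_SUBSTITUTE_RECIPIENTS = 500_000

# Element names are this example's own labels, not regulatory terms.
WA_STANDALONE_ELEMENTS = {"ssn", "wa_drivers_license", "wa_id_card"}
WA_FINANCIAL_ELEMENTS = {"financial_account", "credit_card", "debit_card"}
WA_FINANCIAL_SECRETS = {"security_code", "access_code", "password"}


@dataclass
class Incident:
    """Constructed description of an incident (not a real case)."""
    affected_individuals: int
    fields_exposed: set                 # data elements present in the records
    data_encrypted: bool                # encrypted per HHS guidance -> "secured"
    contains_phi: bool                  # records are PHI held by the covered entity
    individuals_without_contact: int = 0
    estimated_notice_cost_usd: int = 0
    law_enforcement_hold: bool = False  # agency says notice would impede investigation
    significant_risk_of_harm: bool = True
    good_faith_employee_acquisition: bool = False  # statutory Washington exception


def washington_personal_info(fields: set) -> bool:
    """True when the exposed elements meet the Washington definition."""
    has_name = "last_name" in fields and (
        "first_name" in fields or "first_initial" in fields)
    if not has_name:
        return False
    if fields & WA_STANDALONE_ELEMENTS:
        return True
    # A financial account or card number counts only with its code/password.
    return bool(fields & WA_FINANCIAL_ELEMENTS) and bool(fields & WA_FINANCIAL_SECRETS)


def triage(inc: Incident) -> dict:
    """Decide which notification obligations an incident triggers."""
    out = {"hipaa_notify_individuals": False, "hipaa_hhs": "none",
           "wa_notify": False, "wa_substitute_notice": False,
           "wa_notice_methods": [],
           "delay_for_law_enforcement": inc.law_enforcement_hold}
    if inc.data_encrypted:
        return out  # secured PHI / encrypted personal information
    if inc.contains_phi and inc.significant_risk_of_harm:
        out["hipaa_notify_individuals"] = True
        out["hipaa_hhs"] = ("immediate"
                            if inc.affected_individuals >= HHS_IMMEDIATE_THRESHOLD
                            else "annual_log")
    if washington_personal_info(inc.fields_exposed) and not inc.good_faith_employee_acquisition:
        out["wa_notify"] = True
        substitute = (inc.estimated_notice_cost_usd > WA_SUBSTITUTE_COST_USD
                      or inc.affected_individuals > WA_SUBSTITUTE_RECIPIENTS
                      or inc.individuals_without_contact > 0)
        out["wa_substitute_notice"] = substitute
        out["wa_notice_methods"] = (
            ["e-mail where address available", "Web posting", "statewide media"]
            if substitute else ["written notice", "electronic notice (E-Sign)"])
    return out


# Constructed sample incidents for illustration only.
SAMPLE_INCIDENTS = {
    "lost unencrypted laptop": Incident(1200, {"first_name", "last_name", "ssn", "dob"},
                                        data_encrypted=False, contains_phi=True,
                                        individuals_without_contact=40),
    "lost encrypted laptop": Incident(1200, {"first_name", "last_name", "ssn"},
                                      data_encrypted=True, contains_phi=True),
    "employee payroll file": Incident(30, {"first_name", "last_name", "ssn"},
                                      data_encrypted=False, contains_phi=False),
    "misdirected fax batch": Incident(200, {"first_name", "last_name", "dob", "diagnosis"},
                                      data_encrypted=False, contains_phi=True),
}

if __name__ == "__main__":
    for name, inc in SAMPLE_INCIDENTS.items():
        print(f"{name}: {triage(inc)}")
```

The payroll-file sample shows the last paragraph's point: records that are not PHI can still trigger the Washington statute on their own, while the misdirected-fax sample shows PHI that triggers HIPAA but not Washington because no secondary identifier is present.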
1 On April 17, 2009, the Secretary of HHS issued guidance which states that PHI that is secured through encryption or destruction in
accordance with specified standards, as summarized herein, is not considered “unsecured PHI.” 74 Fed. Reg. 19006 (published
April 27, 2009). Guidance will be available at the HHS Web site at http://www.hhs.gov/ocr/privacy/
2 The Federal Trade Commission Web site provides information on how to protect against identity theft and can be found at:
www.ftc.gov/bcp/edu/microsites/idtheft/consumers/defend.html
3 CMS had authority to administer and enforce the Security Rule until August 2009, when that authority was delegated by the
Secretary of HHS to the Office of Civil Rights, which already had authority to administer and enforce the Privacy Rule.
4 The CMS HIPAA Security Guidance for Remote Use of and Access to Electronic Protected Health Information can be found at:
http://www.cms.hhs.gov/securitystandard/downloads/securityguidanceforremoteusefinal122806rev.pdf
The guidance provides a review of strategies that CMS states “may be reasonable and appropriate [the standard under the Security
Rule] for covered entities to follow for offsite use of, or access to, ePHI.”
5 The Compliance Review Analysis with its recommendations regarding encryption, among other topics, can be found at:
http://www.cms.hhs.gov/enforcement/downloads/hipaacompliancereviewsumtopost508.pdf
6 RCW 19.255.010.
WASHINGTON STATE MEDICAL
ASSOCIATION
HEALTH INSURANCE PORTABILITY
AND ACCOUNTABILITY ACT
MODEL SECURITY POLICIES AND
PROCEDURES
Revised July 2004
© 2002-2004 Illinois State Medical Society/ISMIE Mutual Insurance Company
Reprinted with permission of the Illinois State Medical Society
and ISMIE Mutual Insurance Company
Foreword
NOTE: The requirements of the final HIPAA Security Rule were issued last
year and are effective in 2005. It is important that you ensure your practice is
working to implement all of the required Security Rule requirements in a timely
fashion.
This document does not include any policies and procedures related to the
HIPAA Privacy Rule. It only includes policies and procedures related to the
HIPAA Security Rule. It is important that you ensure your practice is
following the HIPAA Privacy Rule requirements.
Some of your existing Privacy policy and procedures most likely address the
security of your confidential information. You may need to update those
policies and procedures to incorporate the specific provisions of the final
Security Rule.
This document has been prepared by the Illinois State Medical Society (ISMS) and ISMIE
Mutual Insurance Company to assist our members and policyholders in meeting the privacy and
security requirements of the Health Insurance Portability and Accountability Act (HIPAA)
passed by the Congress in 1996. The Washington State Medical Association (WSMA) is
reprinting this document with the permission of ISMS and ISMIE. WSMA has made changes to
the original document where Washington law differs from Illinois law so that this revised
document will reflect Washington law and can be used by the WSMA membership.
ISMS and ISMIE Mutual have attempted to compile all the basic information that physicians
need to consider as they seek to comply with the HIPAA privacy and security requirements. For
health care providers in Washington State, WSMA added to the foundation created by ISMS and
ISMIE and, in conjunction with Physicians Insurance, has created a HIPAA Privacy Manual that
supplies the provider with the information necessary to work towards HIPAA compliance with
respect to the HIPAA Privacy Rules. The HIPAA Privacy materials can be found, free of
charge, at http://www.physiciansinsurance.com/risk/hipaa.html.
Does HIPAA Apply to You?
HIPAA applies to payers, institutions, health care professionals and providers, from the largest
multi-state integrated delivery networks to solo practice professionals who engage in any of the
“standard electronic transmissions.” Most physicians do at least some of their business
electronically, so HIPAA applies to them. Many submit claims electronically, either directly
from their offices or through a billing service. Others receive electronic payment and remittance
information from health plans.
If your practice does any of the following electronically, either directly or through a billing
service or other vendor, then HIPAA applies to you:
© 2002-2004 ISMS/ISMIE Mutual Insurance Co.
Forward • i
• submit claims;
• receive claim payment and remittance information;
• query insurance companies about the status of a claim;
• receive information about the status of a claim;
• query insurance companies about the eligibility of a patient to be covered for services;
• receive information about patient eligibility;
• send referral authorizations; or
• receive referral authorizations.
If your practice does not do any of the above electronically, either directly or through a billing
service or other vendor, then HIPAA does not apply to you.
NOTE: In order to bill Medicare after October 16, 2003, practices with 10 or
more full-time workforce members including the physicians must bill Medicare
electronically and, as a result, will be subject to the HIPAA requirements.
Document Organization
The document is divided into two general areas. The first deals with security policies and
procedures and the second deals with administrative policies and procedures.
Each topic area begins with a background and is followed by a model policy and a procedure.
Each model policy is a general statement about the way a practice might want to approach each
topic area. Each model procedure provides specific examples of how the practice might want to
implement that general policy.
Notes
NOTE: The model policies and procedures must be reviewed by each practice
and modified as necessary. You must determine if and how these model policies
and procedures apply to your practice, modify them so they do reflect your
practice, and make any necessary changes to ensure your practice is in
compliance with the HIPAA Security Rule.
NOTE: These model policies and procedures are copyright by ISMS/ISMIE
Mutual Insurance Co. Permission is granted to ISMS members and ISMIE
Mutual Co. policyholders to use and modify these model policies and procedures
so that they can bring their practices into compliance with HIPAA.
Permission also is granted to members of the Washington State Medical
Association to use and modify these model policies and procedures so that they
can bring their practices into compliance with HIPAA.
Other individuals and groups wishing to use or modify these model policies and
procedures must seek written permission from ISMS/ISMIE Mutual Insurance
Co. and pay a royalty to ISMS/ISMIE Mutual Insurance Co.
NOTE: This document does not constitute legal advice. You are urged to seek
legal advice if you have any questions regarding how HIPAA applies to your
practice.
Questions
If you have questions about HIPAA, you can contact the Risk Management Department at
Physicians Insurance A Mutual Company at 206-343-7300, or 1-800-962-1399, or
[email protected].
Table of Contents
Organizational Overview ..................................................................1
Privacy Policies and Procedures.......................................................2
Security Policies and Procedures......................................................8
Administrative Safeguards ................................................................... 10
Administrative Safeguards – Risk Analysis, Risk Management and
Ongoing Risk Evaluation...........................................................................11
Administrative Safeguards – Contingency Planning .......................................12
“PHI” Software Log...............................................................................................15
Backup Log............................................................................................................16
Administrative Safeguards – Physical Controls for Visitor Access ................17
Physical Safeguards ............................................................................... 18
Physical Safeguards – Access Control.............................................................19
Physical Safeguards – Records Processing – Receiving, Sending, and
Disposing of PHI........................................................................................24
Physical Safeguards – Computer Workstation Use and Security ....................29
Physical Safeguards – Device and Media Controls .........................................31
Device and Media Controls Log ............................................................................33
Technical Safeguards ............................................................................ 34
Technical Safeguards – Personal or “Entity” Authentication..........................35
Technical Safeguards – Security Configuration – Documentation, Testing,
Inventory, Virus Control............................................................................37
Technical Safeguards – Audit Controls and Integrity......................................39
Technical Safeguards – Transmission Security ...............................................40
Administrative Security Policies and Procedures.........................41
Administrative Requirements – Security Officer ............................................41
Administrative Requirements – Information Access Management .................42
Administrative Requirements – Security Incident Procedures ........................43
Security Incident Log.............................................................................................44
Administrative Requirements – Awareness and Training For Staff................45
Training Log ..........................................................................................................47
Model Acknowledgment of Training.....................................................................48
Administrative Requirements – Workforce Sanctions ....................................49
Administrative Requirements – Documentation..............................................52
HIPAA Security Readiness Checklist ............................................55
Small Practice Security Risk Analysis ...........................................59
Organizational Overview
Background
There are a variety of provisions in the Privacy Rule related to organizational requirements. In
general, a covered entity – including a physician – must determine the type of organization in
which they operate. For small practices, this is a fairly straightforward task. Small practices
usually are not complex organizations.
Small practices:
• provide health care services;
• usually do not provide multiple covered functions;
• usually are owned by some or all of the physicians;
• are not business associates;
• do not have “affiliates” (affiliates are separate legal entities with common ownership);
• are not “hybrid entities” (a hybrid entity is defined in a complex manner as “a single legal
entity that is a covered entity and whose covered functions are not its primary
functions”); and
• are not “organized health care arrangements” (separate covered entities that are integrated
clinically or operationally are considered an organized health care arrangement if
protected health information must be shared among the covered entities for the joint
management and operations of the arrangement). NOTE: You may be an “organized
health care arrangement” if you have a number of different independent physicians or
other providers practicing in your office.
NOTE: This section should be rewritten to talk about your organizational
structure. Be sure to include the name, address, and telephone number of your
practice, a brief description of the practice, and any other information that helps
to define the organizational structure.
NOTE: Most physicians will be involved in an organized health care entity
such as a hospital or ambulatory surgical treatment center. Physicians involved
in such an entity should be aware of the entity’s HIPAA policies and
procedures. The entity’s policies and procedures, not yours, will most likely
apply when you provide services in those settings.
Privacy Policies and Procedures
The Privacy Final Rule was issued December 28, 2000. The Privacy Final Rule was modified by
the Privacy Modification Final Rule issued August 14, 2002. The Final Rule has subsequently
been clarified through guidance issued by the government. All covered entities – including
physician practices that engage in one of the standard HIPAA transactions, either directly or
through a third party such as a billing service – are required to be in compliance with the rules.
ISMS and ISMIE Mutual have developed model policies and procedures to assist our members
and policyholders, particularly small practices, with HIPAA Privacy Rule compliance. These
policies and procedures are not included in this document. Omitted Privacy Policies and
Procedures, forms, and logs, include the following:
Individual Rights
Notice of Privacy Practices: One section of the Privacy Rule addresses the Notice of Privacy
Practices. 1 In general, a covered entity – including a physician – is required to provide every
direct care patient with a copy of the covered entity’s Notice of Privacy Practices. In addition,
covered entities are required to request and make a good-faith effort to obtain a written patient
acknowledgment that they received the Notice of Privacy Practices. The covered entity should
document that the Notice was received or document why the acknowledgment could not be
signed by the patient. Associated documents include a “Model Receipt of Notice of Privacy
Practices Form” and a “Model Consent for Release and Use of Confidential Information and
Receipt of Notice of Privacy Practices Form.”
Accounting for Disclosures of PHI: Four sections of the Privacy Rule address the tracking of
disclosures and the right of individuals to receive an accounting for disclosures. 2 In general, a
covered entity – including a physician – is required to keep a history of when and with whom
disclosures are made of protected health information (PHI) – confidential information.
Physicians do not have to track disclosures in certain circumstances. Associated documents
include a “Disclosures of PHI Tracking Log” and a “Requests for Accounting of Disclosures
Log.”
Inspect and Copy PHI: One section of the Privacy Rule addresses the right of individuals to
inspect and copy PHI. 3 In general, a covered entity – including a physician – is required to allow
an individual access to inspect and obtain a copy of protected health information (PHI) about the
individual for as long as the information is maintained. The information must be maintained in a
“designated record set.” This right does not extend to certain records. In addition, a covered
entity may also deny access for several specific reasons listed in the Privacy Rule (see below).
Associated documents include an “Inspection and Copying Request Log,” a “Model Request for
1 § 164.520 – Notice of Privacy Practices for PHI.
2 § 164.508 – Uses and Disclosures for which Authorization is Required; § 164.512 – Uses and Disclosures for Which
Consent, an Opportunity to Agree or Object is Not Required; § 164.528 – Accounting of Disclosures of Protected Health
Information; and § 164.530 (j) – Documentation Requirements.
3 § 164.524 – Access of Individuals to Protected Health Information.
Medical Records Acceptance Form Letter,” and a “Model Request For Inspection or Copying of
Confidential Information Denial Form Letter.”
Request Amendment to PHI: Two sections of the Privacy Rule address the right of individuals
to request an amendment to PHI. 4 In general, a covered entity – including a physician – is
required to amend PHI or a record about the individual in a “designated record set” for as long as
the PHI is maintained in the “designated record set.” A covered entity may deny a request for
amendment under certain circumstances. Associated documents include an “Amendment
Request Log,” a “Model Acceptance of Request to Amend Medical or Billing Records Form
Letter,” and a “Model Denial of Request to Amend Medical or Billing Records Form Letter.”
Request Confidential Communications: Two sections of the Privacy Rule address the right of
an individual to request confidential communications. 5 In general, a covered entity – including a
physician – is required to accommodate all reasonable requests to keep communications
confidential. Associated documents include a “Model Request for Confidential Communication”
and a “Request for Confidential Communications Log.”
Request Restriction of Disclosures: One section of the Privacy Rule addresses the right of
individuals to request a restriction on disclosures. 6 In general, a covered entity – including a
physician – is required to have a policy with respect to allowing individuals to request a
restriction in the use and disclosure of their PHI. A covered entity is not required to agree to any
restriction. Associated documents include a “Disclosure Restriction Log.”
Authorizations: Nine sections of the Privacy Rule address patient authorizations. 7 In general, a
covered entity – including a physician – is required to obtain an authorization for the use or
release of information for other than treatment, payment, or health care operations, unless state
or federal law requires such disclosure. Associated documents include a “Model Authorization
Form for Release of Confidential Health Information.”
Waiver of Rights: One section of the Privacy Rule addresses the waiver of individual rights. 8 In
general, a covered entity – including a physician – may not require individuals to waive any of
their individual rights as a condition of the provision of treatment, payment, enrollment in a
health plan, or eligibility for benefits.
4 § 164.526 – Amendment of Protected Health Information; and § 164.524(a)(2)&(3) – Unreviewable and Reviewable
Grounds for Denial.
5 § 164.522(b) – Rights to Request Privacy Protection for Protected Health Information – Standard – Confidential
Communications Requirements; and § 164.502(h) – Uses and Disclosures of Protected Health Information – General Rules –
Standard – Confidential Communications.
6 § 164.522(a) – Rights to Request Privacy Protection for Protected Health Information – Standard – Right of an Individual
to Request Restriction of Uses and Disclosures.
7 § 164.506(a) – Standards for Consents and How Consents Differ from Authorizations; § 164.508(a) – Standard for
Requirements and Exceptions for Authorizations; § 164.508(b) – Implementation Specifications for Authorizations; § 164.508(c)
– Core elements and requirements; § 164.508(d) – Specifications for an Entity’s Own Uses and Disclosure; § 164.508(e) –
Specifications for an Entity’s Disclosure to Others; § 164.508(f) – Specifications for Research and Treatment; § 164.520 –
Requirements for Plain English Language; and § 164.512 – Uses and Disclosures for which Consent, an Authorization, or
Opportunity to Agree or Object is Not Required.
8 § 164.530(b) – Administrative Requirements – Standard – Waiver of Rights.
Uses and Disclosures of Protected Health Information
Verification of Identity: Five sections of the regulations address the release of PHI to
appropriate individuals. 9 A covered entity – including a physician – must reasonably ensure that
PHI is only used by and released to appropriate individuals. This requires verification of the
identity of the individual using or receiving the information.
Personal Representatives: Four sections of the regulations address the release of PHI to
personal representatives. 10 In general, a covered entity – including a physician – must, with two
exceptions, treat a personal representative as the individual. The final rule gives specific
guidelines for personal representatives, adults and emancipated minors, unemancipated minors,
deceased individuals, and abuse, neglect, and endangerment situations.
Not Requiring Authorization: Several policies and procedures are addressed under this
heading.
• Disclosure to Those Involved in Individual’s Care: One section of the regulations
addresses the disclosure of PHI to those involved in an individual’s care. 11 Generally, a
covered entity – including a physician – is required to disclose PHI to family members,
close friends, or other persons assisting in an individual’s care, as well as government
agencies and disaster relief organizations conducting disaster relief activities. The
disclosure may result from an oral agreement, without written authorization, so long as
the covered entity informs individuals in advance of such use or release and provides a
meaningful opportunity for the individual to prevent or restrict the disclosure.
• Uses and Disclosures Required by Law: Five sections of the regulations address the
provision of PHI as required by law. 12 Generally, a covered entity – including a
physician – is required to use and disclose PHI as required by federal, state, and local
laws.
9 § 164.514(h) – Other Procedural Requirements Relating to Uses and Disclosures of Protected Health Information –
Standard – Verification Requirements; § 164.512(a) – Uses and Disclosures for which Consent, an Authorization or Opportunity
to Objection is Not Required – Standard – Uses and Disclosures Required by Law; § 164.512(f) – Uses and Disclosures for
which Consent, an Authorization, or Opportunity to Agree or Object is Not Required – Standard – Disclosures for Law
Enforcement Purposes; § 164.502(f) – Uses and Disclosures of Protected Health Information – General Rules – Standard –
Deceased Individuals; and § 164.510(b) – Uses and Disclosures Requiring an Opportunity for the Individual to Agree or to
Object – Standard – Uses and Disclosures for Involvement in the Individual’s Care and Notification Purposes.
10 § 164.502(g) – Uses and Disclosures of Protected Health Information – General Rules – Standard – Personal
Representatives; § 164.524 – Access of Individuals to Protected Health Information; § 164.528 – Accounting of Disclosures of
Protected Health Information; and § 164.510(b) – Uses and Disclosures Requiring an Opportunity for the Individual to Agree or
to Object – Standard – Uses and Disclosures for Involvement in the Individual’s Care and Notification Purposes.
11 § 164.510(b) – Uses and Disclosures for Involvement in the Individual’s Care and Notification Purposes – Standard.
12 § 164.501 – Definitions – Required by Law; § 164.512 – Uses and Disclosures for which Consent, an Authorization, or
Opportunity to Agree or Object is Not Required; § 164.502(b)(2)(iv) – Standard – Minimum Necessary Does Not Apply;
§ 164.514(d)(3)(iii)(A) – Implementation Specification – Minimum Necessary Disclosures of Protected Health Information; and
§ 164.514(h)(1) – Verification Requirements.
• Uses and Disclosures in Emergency Situations: Six sections of the regulations address
the provision of PHI in emergency situations. 13 Generally, a covered entity – including a
physician – is allowed to use and disclose PHI in emergency situations without providing
the covered entity’s Notice of Privacy Practices to the individual. As soon as possible
after the use or disclosure of PHI in emergency situations, the covered entity should
provide the Notice to direct treatment patients.
• Marketing Purposes: Three sections of the regulations address the use and disclosure of
PHI for marketing purposes. 14 Generally, a covered entity – including a physician – must
limit the use and disclosure of PHI for marketing purposes, unless the patient signs an
authorization allowing such use and disclosure.
• De-Identification of PHI: Four sections of the regulations deal with the provision of
“de-identified” PHI. 15 Generally, a covered entity – including a physician – may disclose
“de-identified” PHI, so long as the covered entity meets the requirements for de-identifying
PHI as outlined in the Privacy Rule, which requires in part that PHI be
stripped of 18 data elements. The process of de-identifying information is very complex
and most physician practices have no need to release de-identified information.
• Deceased Individual’s PHI: Three sections of the regulations address the provision of
PHI of deceased individuals. 16 In general, a covered entity – including a physician –
must protect the PHI of a deceased individual for as long as the covered entity maintains
the PHI. The covered entity may disclose a decedent’s PHI to coroners, medical
examiners, and funeral directors as required by law. In addition, the covered entity must
treat individuals lawfully representing decedents as if the deceased individuals were still
alive.
Do Not Apply to Practice: Several policies and procedures are addressed under this heading.
•
Research Activities: PHI created for research is subject to the Privacy Rule
requirements. 17 This is a particularly complex area of the regulations. To simplify these
model policies and procedures, it is recommended that physicians at this time not
participate in any research studies that involve PHI.
•
Other Uses and Disclosures: Several other uses and disclosures in the Privacy Rule
generally do not apply to provider practices. These include: disclosure to an employer or
health plan sponsor 18 ; use and disclosure for underwriting and related purposes 19 ; use and
disclosure for facility directories 20 ; use and disclosure to brokers and agents 21 ; and use for
fundraising. 22
Minimum Necessary: Two sections of the regulations address the minimum necessary
requirements. 23 As stated in the Privacy Rule: “When using or disclosing protected health
information or when requesting protected health information from another covered entity, a
covered entity must make reasonable efforts to limit protected health information to the
minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”
Business Associates: Three sections of the Privacy Rule and three sections of the Security Rule
address the release of PHI to business associates. 24 In general, a covered entity – including a
physician – must enter into a Business Associate Agreement with any person who acts in a
capacity other than as a member of the workforce of a covered entity to perform or assist in the
performance of a function or activity on behalf of the covered entity involving the use or
disclosure of PHI or any other function or activity otherwise governed by the Privacy Rule.
Administrative Privacy Policies and Procedures
Privacy Officer: Two sections of the Privacy Rule address the need to appoint a Privacy Officer
and a contact person for all issues related to the Privacy Rule. 25 In general, a covered entity –
including a physician – is required to have a Privacy Officer and a contact person.
13
§ 164.506(a) – Standard – Consent Requirement; § 164.506(a)(3)(i)(A) – Consent During Emergency Treatment Situations;
§ 164.510(b)(3) – Limited Uses and Disclosures When the Individual is Not Present; § 164.512(f)(3) – Permitted Disclosure –
Victims of a Crime; § 164.512(f)(6) – Permitted Disclosure – Reporting Crime in Emergencies; § 164.512(j) – Permitted
Disclosure – To Avert a Serious Threat to Health or Safety; and § 164.522(a)(1) – Standard – Right of an Individual to Request
Restriction of Uses and Disclosures.
14
§ 164.501 – Definitions – Marketing; § 164.508(a) – Uses and Disclosures for Which Authorization is Required –
Standard – General Rules; and § 164.508(b) – Implementation Specifications for Authorizations.
15
§ 164.502(d) – Uses and Disclosures of Protected Health Information – Standard – Uses and Disclosures of De-identified
Protected Health Information; § 164.514(a) – Other Requirements Relating to Uses and Disclosures of Protected Health
Information – Standard – De-identification of Protected Health Information; § 164.514(b) – Other Requirements Relating to Uses
and Disclosures of Protected Health Information – Implementation Specifications – Requirements for De-identification of
Protected Health Information; and § 164.514(c) – Re-identification of Information.
16
§ 164.502(f) – Uses and Disclosures of Protected Health Information – General Rules – Standard – Deceased Individuals;
§ 164.502(g)(4) – Uses and Disclosures of Protected Health Information – General Rules – Standard – Personal Representatives –
Implementation Specification – Deceased Individuals; and § 164.512(g) – Uses and Disclosures for which Consent, an
Authorization, or Opportunity to Agree or Object is Not Required – Standard – Uses and Disclosures About Decedents.
17
§ 164.506 – Consent for Uses or Disclosures to Carry Out Treatment, Payment, or Health Care Operations; § 164.508 –
Uses and Disclosures for which an Authorization is Required; § 164.512(i) – Uses and Disclosures for which Consent, an
Authorization, or Opportunity to Agree or Object is Not Required Including the Standards for Uses and Disclosures for Research
Purposes; § 164.524 – Access of Individuals to Protected Health Information; and § 164.532 – Transition Provisions.
18
§ 164.504 – Uses and Disclosures: Organizational Requirements.
19
§ 164.508(a) – Uses and Disclosures for which Authorization is Required – Standard – General Rules; § 164.508(b)(4)(A)
and (B) – Prohibition on Conditioning of Authorizations (exceptions); § 164.514(g) – Other Requirements Relating to Uses and
Disclosures of Protected Health Information – Standard – Uses and Disclosures for Underwriting and Related Purposes;
§ 164.504(f) – Uses and Disclosures: Organizational Requirements (standard requirements for group health plans); and § 164.528
– Accounting of Disclosures of Protected Health Information.
20
§ 164.510(a) – Use and Disclosure for Facility Directories – Standard.
21
§ 164.504(f) – Requirements for Group Health Plans; § 164.510(b)(2) – Uses and Disclosures with the Individual
Present; and § 164.508 – Uses and Disclosures for which an Authorization is Required.
22
§ 164.508(a) – Uses and Disclosures for which Authorization is Required – Standard – General Rules; § 164.508(b) –
Implementation Specifications for Authorizations; § 164.514(e) – Standard – Uses and Disclosures of Protected Health
Information for Marketing; and § 164.514(f) – Standard: Uses and Disclosures of Protected Health Information for Fundraising.
23
§ 164.502(b) – Uses and Disclosures of Protected Health Information: General Rules – Standard – Minimum Necessary;
and § 164.514(d) – Other Requirements Relating to Uses and Disclosures of Protected Health Information – Standard –
Minimum Necessary Requirements.
24
§ 160.103 – Definitions – Business Associates; § 164.308(b)(1) – Standard – Business Associate Contracts; § 164.314(a)
– Standard and Implementation Specification – Business Associate Contracts and Other Arrangements; § 164.316 – Policies and
Procedures and Documentation Requirements; § 164.502(e) – Uses and Disclosures of Protected Health Information – General
Rules – Standard – Disclosures to Business Associates; and § 164.504(e) – Uses and Disclosures – Organizational Requirements
– Standard: Business Associate Contracts.
25
§ 164.530(a) – Administration Requirements – Designation of a Privacy Official and Contact Person; and
§ 164.526(d)(1)(iv) – Administration Requirements – Amendment of Protected Health Information.
Changes in Law: Two sections of the Privacy Rule address changes in law. 26 In general, a
covered entity – including a physician – is required to change the covered entity’s policies and
procedures whenever a change in law necessitates such a change. In addition, the covered entity
must promptly revise and distribute its Notice of Privacy Practices whenever there is a material
change to the uses or disclosures of information, the individual’s rights, the covered entity’s legal
duties, or other privacy practices stated in the notice. Keep in mind that the practice also must
comply with all state and federal laws related to security.
Complaint Process: Nine sections of the Privacy Rule address the complaint process. 27 In
general, a covered entity – including a physician – is required to have a process for individuals to
file complaints with the covered entity and with the Secretary.
Mitigation of Privacy Breaches: One section of the Privacy Rule addresses the requirement for
mitigation. 28 In general, a covered entity – including a physician – is required to mitigate, to the
extent practicable, any harmful effect it knows of from a use or disclosure of PHI in violation of
its policies and procedures or of the Privacy Rule, whether the use or disclosure was by the
covered entity or by a business associate. In addition, when a business associate has committed
a material breach that the practice has been unable to cure, the practice must terminate the
Business Associate Agreement if feasible. If termination is not feasible, the practice must report
the problem to the Secretary.
Whistleblowers/Crime Victims: Two sections of the Privacy Rule address whistleblowers and
the reporting of violations. 29 In general, a covered entity – including a physician – is not
considered to have violated the Privacy Rule when a workforce member or business associate
discloses PHI, without an authorization, as a whistleblower or as the victim of a crime, provided
the conditions set out in those sections are met.
26
§ 164.530(i)(3) – Changes in Law – Implementation Specification – Standard – Policies and Procedures; and
§ 164.520(b)(3) – Revision to Notice – Implementation Specification – Content of Notice – Standard – Notice of Privacy Practices.
27
§ 160.306 – Complaints to the Secretary; § 160.310(b) – Responsibilities of Covered Entities to Cooperate With
Complaint Investigations and Compliance Review; § 160.312 – Secretarial Action Regarding Complaints and Compliance
Reviews; § 164.530(a)(1)(ii) – Administrative Requirements – Standard – Personnel Designations; § 164.530(d) –
Administrative Requirements – Standard – Complaints to the Covered Entity; § 164.530(g) – Administrative Requirements –
Standard – Refraining from Intimidating or Retaliatory Action; § 164.520(b)(1)(vi) – Notice of Privacy Practices – Complaints;
§ 164.524(d)(2)(iii) – Access of Individuals to Protected Health Information – Implementation Specifications – Denial of
Access; and § 164.526(d)(1)(iv) – Amendment of Protected Health Information – Implementation Specifications – Denial of
Amendment.
28
§ 164.530(f) – Administrative Requirements – Mitigation.
29
§ 164.502(j) – Standard – Disclosures by Whistleblowers and Workforce Member Crime Victims; and § 164.512(f)(2)(i)
– Listing of the Protected Health Information that May Be Disclosed by a Workforce Member Who is a Victim of a Crime.
Security Policies and Procedures
The Security Rule was proposed in August 1998. The Security Final Rule was published February
20, 2003, and its compliance date for most covered entities, including physician practices, is
April 20, 2005. It applies to the security of protected health information held in electronic form
(electronic PHI).
The Final Privacy Rule includes § 164.530(c)(1) – Administrative requirements; Standard:
safeguards. This provision states that “[a] covered entity must have in place appropriate
administrative, technical, and physical safeguards to protect the privacy of protected health
information.” In addition, the implementation specification at § 164.530(c)(2) adds that “[a] covered
entity must reasonably safeguard protected health information from any intentional or unintentional
use or disclosure that is in violation of the standards, implementation specifications or other
requirements of this subpart.”
In other words, even though the Security Final Rule does not have to be complied with until
April 2005, a practice must implement security policies and procedures now to safeguard its
protected health information – both paper and electronic – to comply with the Privacy Rule.
This section presents model security policies and procedures. ISMS and ISMIE Mutual have
developed these model policies and procedures to enable our members and policyholders,
particularly small practices, to come into compliance with the HIPAA Privacy Rule. For the
State of Washington, WSMA has amended the ISMS and ISMIE Mutual materials to address
legal issues that are specific to Washington State or where the laws of the States of Washington
and Illinois differ.
These model policies and procedures reflect the requirements in the Security Rule. The
requirements are placed in three categories:
• administrative safeguards addressing the administrative policies and procedures that need
  to be developed and implemented;
• physical safeguards addressing the physical aspects of security that need to be addressed;
  and
• technical safeguards addressing the computer programs and other processes that need to
  be implemented.
In each of these areas there are a number of requirements. In addition, some of the requirements
overlap, e.g., the assignment and use of passwords is an administrative safeguard that is
implemented using a software program (technical safeguard). Where possible, requirements that
overlap are consolidated.
NOTE: The model policies and procedures must be reviewed by each practice
and modified as necessary. You must determine if and how these model policies
and procedures apply to your practice, modify them so they do reflect your
practice, and make any necessary changes to ensure your practice is in
compliance with the HIPAA Security Rule.
Security Policies and Procedures • 8
You must meet the requirements of the Security Final Rule by April 20, 2005. The
model policies and procedures in this document are consistent with the final rule
and implement the requirements of the final rule.
NOTE: These model policies and procedures are copyrighted by ISMS/ISMIE
Mutual Insurance Co. Permission is granted to ISMS members and ISMIE
Mutual Co. policyholders to use and modify these model policies and procedures
so that they can bring their practices into compliance with HIPAA.
Permission also is granted to members of the Washington State Medical
Association to use and modify these model policies and procedures so that they
can bring their practices into compliance with HIPAA.
Other individuals and groups wishing to use or modify these model policies and
procedures must seek written permission from ISMS/ISMIE Mutual Insurance
Co. and pay a royalty to ISMS/ISMIE Mutual Insurance Co.
NOTE: This document does not constitute legal advice. You are urged to seek
legal advice if you have any questions regarding how HIPAA applies to your
practice.
Administrative Safeguards
Numerous sections of the final Security Rule address administrative safeguards. The rule defines
administrative safeguards as “actions, and policies and procedures, to manage the selection,
development, implementation, and maintenance of security measures to protect electronic
protected health information and to manage the conduct of the covered entity’s workforce in
relation to the protection of that information.”
Small practices are required to implement appropriate policies and procedures to protect their
protected health information (PHI) – confidential information – and ensure that it remains secure.
Recall that the Security Rule only covers electronic information. The Privacy Rule also
addresses confidential information kept in paper and other forms. In order to meet the Privacy
Rule requirements, the practice also must protect paper-based information.
The following portions of this document address the administrative safeguard policies and
procedures that practices need to consider when implementing HIPAA privacy and security.
Several of the Security Rule administrative requirements are included in these Model Policies
and Procedures under the heading of “Administrative Security Policies and Procedures” (see
page 41).
Administrative Safeguards – Risk Analysis, Risk
Management and Ongoing Risk Evaluation
Background
Three sections of the Security Rule address risk analysis, risk management and evaluation. 30 In
general, a covered entity – including a physician – must conduct a risk analysis and ongoing
evaluations to identify potential security risks and to determine how to address significant risks.
Model Policy
The practice has undertaken an initial risk analysis and ongoing evaluations to identify potential
risks and to identify how to manage significant risks.
Model Procedures
NOTE: This section is written on the assumption that you have completed the
Small Practice Security Risk Analysis, page 59.
Risk Assessment: The practice has completed an initial risk analysis (Small Practice Security
Risk Analysis, page 59). As required by the final rule, this risk analysis provided an “accurate
and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity,
and availability of electronic protected health information held by the” practice. Recognizing
that the Privacy Rule requires the practice to protect paper and oral PHI as well as electronic, this
risk assessment addressed the full range of PHI held by the practice.
Evaluation: The practice undertakes an evaluation of its security annually. This evaluation
involves updating the risk analysis to ensure that all potential risks are identified and to identify
any new or evolving risks that need to be managed.
In addition to the scheduled annual evaluation, the practice completes an evaluation whenever
there is a significant change to its systems (e.g., new programs or hardware are implemented),
its physical plant (e.g., space is added or modified), or its administrative operations (e.g., the
flow of information in the office is modified).
Risk Management: On the basis of the risk assessment and the ongoing evaluations, the practice
adequately manages its risks. The policies and procedures included in this manual reflect the
actions taken by the practice to manage its risk.
30
§ 164.308(a)(8) – Standard – Evaluation; § 164.308(a)(1)(ii)(A) – Implementation Specification – Risk Analysis; and
§ 164.308(a)(1)(ii)(B) – Implementation Specification – Risk Management.
Administrative Safeguards – Contingency Planning
Background
Eight sections of the Security Rule address contingency planning. 31 In general, a covered entity
– including a physician – must have in place contingency plans to ensure mission critical
electronic-based information is available in a timely fashion.
Model Policy
The practice has in place appropriate contingency plans so that it can continue to provide critical
functions if it is faced with a loss of access to electronic-based protected health information
(PHI).
Model Procedures
Criticality Analysis: The practice keeps logs of its devices and media (Device and Media
Controls Log, page 33) and of the software on each of its devices that may contain PHI (see “PHI”
Software Log, page 15). These logs, which are maintained by the Security Officer, record which
systems contain PHI and specifically which files contain PHI, so that those files can be backed up.
The practice does not store its medical records electronically [or keeps paper copies of all
medical records]. Accordingly, the recovery of lost electronic-based PHI is not time-critical to
patient care.
NOTE: If a practice has electronic medical records and does not keep paper
copies of those medical records, this section will have to be expanded. The
criticality analysis will have to document which systems are necessary to ensure
timely patient care.
Data Backup Plan: The practice backs up all PHI maintained on its computer systems. The
information is backed up on a weekly basis to a [insert media type, e.g., diskettes, Zip Drive,
CD]. The information is password protected. Two copies are made. One copy is stored at the
practice and the second copy is stored offsite. In an emergency, the information is backed up as
soon as possible and removed offsite. In addition, PHI is backed up prior to moving any
computer or modifying any software containing PHI. Backups are recorded on the Backup Log,
page 16. Copies are retained for 4 weeks and then destroyed or recycled. (See Physical Safeguards –
Device and Media Controls, page 31.)
31
§ 164.308(a)(7)(i) – Administrative Safeguards – Standard: Contingency Plan; § 164.308(a)(7)(ii)(A) – Administrative
Safeguards – Implementation Specifications – Data Backup Plan; § 164.308(a)(7)(ii)(B) – Administrative Safeguards –
Implementation Specifications – Disaster Recovery Plan; § 164.308(a)(7)(ii)(C) – Administrative Safeguards – Implementation
Specifications – Emergency Mode Operation Plan; § 164.308(a)(7)(ii)(D) – Administrative Safeguards – Implementation
Specifications – Testing and Revision Procedures; § 164.308(a)(7)(ii)(E) – Administrative Safeguards – Implementation
Specifications – Applications and Data Criticality Analysis; § 164.316(a) – Standard – Policies and Procedures; and § 164.316(b)
– Standard – Documentation.
NOTE: The practice will have to determine where to store the backup media. If
you have two practice sites, consider storing the information at the second site.
Perhaps you can store the information in a safe deposit box, or make
arrangements to store it at one of your Business Associates, e.g., an attorney,
accountant, or billing service. Make sure the backup is stored at a site where it is
secure and protects the privacy of the information on the backup media, and that
the backup files themselves are encrypted rather than merely password protected,
since media that leaves the office can be lost or stolen.
The Security Officer or another workforce member authorized in writing by the Security Officer
may retrieve the backup as required.
The practice does not store its medical records electronically [or keeps paper copies of all
medical records]. Accordingly, the recovery of lost electronic-based PHI is not time-critical to
patient care.
NOTE: If you keep medical records electronically, you will have to modify this
language accordingly. In this case, recovery of electronic PHI may be critical to
patient care.
Testing Restoration: Once a year, when critical new software is installed, and when new
devices are installed, the practice checks to make sure it can recover lost data from its backup.
Specifically, the practice reviews the backup files and compares them to the files on its
computers by comparing the sizes and dates of the files to ensure they are identical. Because
identical sizes and dates do not prove that the backup media can actually be read, the check
also includes restoring a sample of the backed-up files to a scratch location and confirming that
the restored files open correctly.
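The size-and-date comparison above shows that a copy exists, not that its contents are intact. The following Python script is an added example and is not part of the ISMS/ISMIE model policies or forms. It performs the restoration test by hashing every file under the source tree and under the backup copy with SHA-256 and comparing the two manifests, alongside the weaker size-and-date check, and it constructs a small sample tree (the directory and file names are hypothetical) in which one backup file has a single flipped byte, so that the size-and-date check passes while the hash check reports the corrupted file.

```python
"""Backup verification by content hash.

Added example, not part of the ISMS/ISMIE model policies. It implements the
'Testing Restoration' check with a stronger test than comparing file sizes and
dates: every file under the source tree and under the backup copy is hashed with
SHA-256 and the two manifests are compared. The directory and file names used in
demo() are constructed for the demonstration only.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large record files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX form) to its (size, sha256)."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = (p.stat().st_size, file_digest(p))
    return manifest


def compare_manifests(source: dict, backup: dict) -> dict:
    """List files missing from the backup, extra in the backup, or differing in content."""
    common = set(source) & set(backup)
    return {
        "missing": sorted(set(source) - set(backup)),
        "extra": sorted(set(backup) - set(source)),
        "corrupted": sorted(rel for rel in common if source[rel][1] != backup[rel][1]),
    }


def size_and_date_check(src_root: Path, bak_root: Path) -> bool:
    """The weaker test from the model procedure: every source file has a backup
    copy with the same size and the same modification date."""
    for rel in build_manifest(src_root):
        src, bak = src_root / rel, bak_root / rel
        if not bak.is_file():
            return False
        s, b = src.stat(), bak.stat()
        if s.st_size != b.st_size or int(s.st_mtime) != int(b.st_mtime):
            return False
    return True


def verify_backup(src_root: Path, bak_root: Path) -> dict:
    """Hash-based check. 'ok' is True only when nothing is missing or corrupted;
    extra files in the backup are reported but do not fail the check."""
    result = compare_manifests(build_manifest(src_root), build_manifest(bak_root))
    result["ok"] = not (result["missing"] or result["corrupted"])
    return result


def demo(corrupt_backup: bool = True) -> dict:
    """Constructed scenario: a source tree and its backup copy, optionally with
    one byte flipped in a backup file (same size, same date). Returns the
    verdict of both checks so the difference between them is visible."""
    fixed_mtime = 1_080_000_000  # arbitrary constant timestamp applied to both trees
    with tempfile.TemporaryDirectory() as tmp:
        src, bak = Path(tmp) / "practice_data", Path(tmp) / "backup_copy"
        for root in (src, bak):
            (root / "billing").mkdir(parents=True)
            (root / "billing" / "claims.dat").write_bytes(b"claim 1001 patient A\n")
            (root / "schedule.csv").write_bytes(b"2004-03-01,09:00,patient B\n")
        if corrupt_backup:
            target = bak / "billing" / "claims.dat"
            data = bytearray(target.read_bytes())
            data[6] ^= 0x01          # '1' becomes '0'; the length is unchanged
            target.write_bytes(bytes(data))
        for root in (src, bak):      # give every file the same modification date
            for p in root.rglob("*"):
                if p.is_file():
                    os.utime(p, (fixed_mtime, fixed_mtime))
        return {
            "size_and_date_passed": size_and_date_check(src, bak),
            "hash_check": verify_backup(src, bak),
        }


if __name__ == "__main__":
    outcome = demo()
    print("size/date check passed:", outcome["size_and_date_passed"])
    print("hash check:", outcome["hash_check"])
```

In practice the script would be run with the real data directory and the mounted backup media as the two roots of verify_backup(), and the result recorded on the Backup Log; a backup whose files match by size and date but not by hash is exactly the case the model procedure's comparison would miss.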
Disaster Recovery Plan: The practice does not store its medical records electronically [or keeps
paper copies of all medical records]. Accordingly, the recovery of lost electronic-based PHI is
not time-critical to patient care.
When a disaster has occurred – when electronic information is lost for whatever reason – the
practice’s Security Officer implements the disaster recovery plan. The specific plan depends on
the type and scope of the disaster:
• If PHI has been lost and the computer systems still function, the practice will attempt to
  restore the information from backup media.
• If PHI has been lost and some portion of the computer systems still function, the practice
  will attempt to restore the information from backup media to that portion of the computer
  system.
• If PHI has been lost and:
    • the computer systems still function, but the practice is unable to restore the
      information from backup media;
    • some portion of the computer systems still function, but the practice is unable to
      restore the information from backup media to that portion of the computer system;
      or
    • the entire computer system has failed,
  the practice will obtain new computer equipment, install appropriate software, and restore
  the PHI in a timely fashion.
NOTE: If a practice has two locations, it may be able to restore the PHI at its
second site. This would be an acceptable short-term solution.
NOTE: If a practice has electronic medical records and does not keep paper
copies of those medical records, this section will have to be expanded.
Restoration of the PHI becomes critical to the treatment of patients and must be
accessible in a timely fashion.
Emergency Mode Operation: The practice does not need its electronic-based PHI to operate in
emergency situations. All PHI needed in emergency situations is stored in paper format (paper
medical records). Accordingly, the practice does not need any computer systems emergency
mode operation plan.
NOTE: If a practice has electronic medical records and does not keep paper
copies of those medical records, this section will have to be expanded.
Restoration and emergency mode operation become critical to the treatment of
patients and must be accessible in a timely fashion.
Education: The practice trains all workforce members regarding its contingency plans. The
Security Officer is responsible for ensuring that backups are made and stored offsite as required
by these procedures.
NOTE: If a practice has electronic medical records and does not keep paper
copies of those medical records, this section will have to be expanded. It will
have to include more training to ensure that workforce members understand how
to restore PHI and operate in emergency mode.
“PHI” Software Log

Date | Description of Software | Action | Location of PHI
Backup Log

Date | 2 Copies Made | Backups Made By | Date Backup Sent Offsite | Confirm Backup Received Offsite | Date Backup Media Destroyed/Reused
Administrative Safeguards – Physical Controls for
Visitor Access
Background
One section of the Security Rule addresses physical controls for visitors. 32 In general, a covered
entity – including a physician – must ensure that visitors do not have inappropriate or
unauthorized access to PHI.
Model Policy
The practice ensures that visitors do not have inappropriate or unauthorized access to protected
health information (PHI).
Model Procedures
The practice minimizes the presence of visitors in the office.
All visitors, including salespeople and pharmaceutical representatives, must sign in. Patients
(and those accompanying patients) do not need to sign in as their presence is automatically
documented by the practice.
If appropriate, the practice provides visitors an escort to ensure they do not have inappropriate or
unauthorized access to PHI.
32
§ 164.310(a)(2)(iii) – Physical Safeguards – Implementation Specifications – Access Control and Validation Procedures.
Physical Safeguards
Numerous sections of the final Security Rule address physical safeguards. 33 The rule defines
physical safeguards as “physical measures, policies and procedures to protect a covered entity’s
electronic information systems and related buildings and equipment, from natural and
environmental hazards, and unauthorized intrusion.”
Small practices are required to implement appropriate policies and procedures to protect their
protected health information (PHI) – confidential information – and ensure that it remains secure.
Recall that the Security Rule only covers electronic information. The Privacy Rule also
addresses confidential information kept in paper and other forms. In order to meet the Privacy
Rule requirements, the practice also must protect paper-based information.
The following portions of this document address the physical safeguard policies and procedures
that practices need to consider when implementing HIPAA privacy and security.
33
§ 164.304 – Definition – Physical Safeguards; § 164.310 – Physical Safeguards; § 164.310(a)(1) – Standard – Facility
Access Controls; § 164.310(a)(2)(i) – Contingency Operations; § 164.310(a)(2)(ii) – Facility Security Plan; § 164.310(a)(2)(iii) –
Access Control and Validation Procedures; § 164.310(a)(2)(iv) – Maintenance Records; § 164.310(b) – Standard – Workstation
Use; § 164.310(c) – Standard – Workstation Security; § 164.310(d)(1) – Standard – Device and Media Controls;
§ 164.310(d)(2)(i) – Implementation Specification – Disposal; § 164.310(d)(2)(ii) – Implementation Specification – Media Reuse;
§ 164.310(d)(2)(iii) – Implementation Specification – Accountability; and § 164.310(d)(2)(iv) – Implementation
Specification – Data Backup and Storage.
Physical Safeguards – Access Control
Background
One key section of the Privacy Rule and numerous sections of the final Security Rule address
access controls. 34 In general, a covered entity – including a physician – must have access control
procedures to protect against unauthorized access to any PHI, paper or electronic.
Model Policy
The practice has appropriate access controls in place to ensure that only authorized persons have
access to protected health information (PHI) on an appropriate basis.
Model Procedures
Facility Maintenance: The facility documents all facility repairs and modifications to the
physical components of a facility, including maintenance, that impacts security, such as repairs
to walls, adding or removing locks, doors, or hardware.
Personnel Security: The practice ensures that only authorized workforce members or business
associates have access to PHI. All workforce members have access to PHI, as needed, to ensure
the efficient operation of the practice. In addition, given the size and configuration of the
practice, all workforce members have access to all computer terminals in the office, all programs
on those computers, and all PHI used in those programs on an as needed basis. The practice
assesses annually whether the duties of any workforce member have changed such that their
current access is no longer appropriate.
NOTE: You will have to change this procedure if you limit access to computer
programs or computers to specific personnel. Limiting each workforce member's
access to the programs and records that his or her duties require is the stronger
practice and is consistent with the minimum necessary requirements.
Termination: The practice terminates a workforce member’s access to all PHI when the
workforce member’s employment ends. The departing workforce member is required to turn in
any keys or other access devices issued by the practice, the member’s computer accounts and
passwords are deactivated, and any shared password the departing member knew is changed.
34
§ 164.530(c)(1) – Administrative Requirements – Standard – Safeguards; § 164.530(c)(2) – Administrative Requirements
– Implementation Specification – Safeguards; § 164.308(a)(1)(ii)(D) – Administrative Safeguards – Implementation
Specification – Information System Activity Review; § 164.308(a)(3)(i) – Administrative Safeguards – Standard – Workforce
Security; § 164.308(a)(3)(ii)(A) – Administrative Safeguards – Implementation Specification – Authorization and/or Supervision;
§ 164.308(a)(3)(ii)(B) – Administrative Safeguards – Implementation Specification – Workforce Clearance Procedure;
§ 164.308(a)(3)(ii)(C) – Administrative Safeguards – Implementation Specification – Termination Procedures;
§ 164.308(a)(4)(ii)(B) – Administrative Safeguards – Standard – Information Access Management – Implementation
Specification – Access Authorization; § 164.308(a)(4)(ii)(C) – Administrative Safeguards – Standard – Information Access
Management – Implementation Specification – Access Establishment and Modification; § 164.312(a)(1) – Technical Safeguards –
Standard – Access Control; § 164.312(d) – Technical Safeguards – Standard – Person or Entity Authentication; and
§ 164.312(e)(1) – Technical Safeguards – Standard – Transmission Security.
Physical Safeguards: The practice safeguards PHI that exists in physical form – paper records
and electronic media – and controls physical access to the systems holding electronic PHI.
Paper Records Management: The practice maintains paper medical and billing records. Each
medical record and billing record contains PHI. The practice manages the medical records to
ensure the privacy of the PHI in the medical records.
• Medical records are removed from the medical record files only for review by a
  workforce member for treatment, payment, or health care operations, to release records
  pursuant to an authorization, or as otherwise authorized by law.
    • When a medical record is removed from the medical record files for other than
      treatment, the medical record remains in the staff office and is not allowed to leave
      that area. When finished using the medical record, the workforce member refiles it.
    • When a medical record is removed from the medical record files for treatment
      purposes, the medical record either remains in the staff office (and is used and refiled)
      or is hand delivered by a workforce member to a physician’s office for review.
        • When a medical record is in a physician’s office, the medical record is kept
          behind the physician’s desk and away from the reach of any patient who may be
          in the physician’s office for a consultation. In addition, the medical record is kept
          in a folder so that any visitors to the physician’s office cannot see any PHI,
          including the patient’s name, which may reside on the cover of the medical
          record. When the physician is done using the medical record, it is hand delivered
          by a workforce member to the staff office for appropriate use and refiling.
• The practice places medical records in the holder on the door outside exam rooms when a
  patient is in the exam room awaiting the physician. The medical record is placed such that
  no PHI is visible to anyone walking by the exam room.
• When a physician and patient leave the exam room, the medical record is taken from the
  exam room and handed to another workforce member for processing and filing or placed
  in the physician’s office for further review.
• The medical records do not reside in cabinets that lock; however, the practice does lock
  the office at night, thereby securing the medical records.
• The doors to the practice are locked whenever the practice is closed and no one is present
  to monitor the practice and protect access to the medical records.
NOTE: If your medical records reside in locking cabinets, you will need to
change these procedures. It is recommended that you have locking cabinets. In
lieu of such cabinets, make sure the medical records room can be locked. You
may have to lock the entire practice to secure the medical records. This is a
minimally secure way of restricting access to your medical records.
NOTE: You need to review these procedures in detail to ensure they reflect your
practice. Make whatever changes are necessary to ensure the procedures match
your practice.
The practice manages the billing records to ensure the privacy of the PHI in the billing records.
• Billing records are removed from the billing record files only for review by a workforce
  member for payment, health care operations, or as otherwise allowed by law. In such
  cases, the billing record remains in the staff office and is not allowed to leave that area.
  When finished using the billing records, they will be refiled.
• The billing records reside in cabinets that do not lock; however, the office is locked at
  night.
• The doors to the practice are locked whenever the practice is closed and no one is present
  to monitor the practice and protect access to the billing records.
NOTE: If your billing records reside in locking cabinets, you will need to change
these procedures. It is recommended that you have locking cabinets. In lieu of
such cabinets, make sure the billing records room can be locked. You may have
to lock the entire practice to secure the billing records. This is a minimally secure
way of restricting access to your billing records.
NOTE: You need to review these procedures in detail to ensure they reflect your
practice. Make whatever changes are necessary to ensure the procedures match
your practice.
Posting of PHI: The practice does not post any PHI, including schedules, where it could be
viewed by visitors or patients. Schedules and other PHI needed for the functioning of the
practice are kept in places not accessible to patients and referred to as needed by workforce
members.
Conversations Including PHI: The practice is careful to restrict conversations containing PHI.
• Conversations with a patient present occur in an exam room or a physician’s office with
  the doors closed. Conversations in hallways or the reception area are avoided unless
  specifically initiated by the patient.
• Conversations in the hallway, especially near the reception area or other areas where
  patients may overhear them, are avoided whenever possible.
• Workforce members, including a physician, do not take patient telephone calls in an
  exam room or in their office when another patient is present.
• The staff office is next to the reception area. Precautions are taken to minimize the PHI
  disclosed in telephone calls and other discussions that occur in the staff office. Whenever
  possible those discussions occur in the back of the staff office farthest away from the
  reception area.
NOTE: This is a very sensitive portion of the regulations. Patients will be in the
reception area and will be aware of conversations occurring in the staff office that
they can overhear. You need to evaluate your practice to ensure that your office
is organized in a manner that minimizes the release of PHI.
FAXes: The receipt and sending of FAXes is addressed under Physical Safeguards – Records
Processing – Receiving, Sending, and Disposing of PHI, page 24.
Access to Computers: Access to computers is addressed under Administrative Safeguards –
Physical Controls for Visitor Access, page 17, Physical Safeguards – Computer Workstation Use
and Security, page 29, and Technical Safeguards – Personal or “Entity” Authentication, page 35.
Need-to-Know: The practice recognizes that each workforce member should have access only to
the PHI they need to perform his or her particular job functions. Workforce members are not
allowed access to PHI beyond the scope of their current job functions. This principle is closely
related to the minimum necessary standards for use, disclosure or request of PHI.
Uses of PHI: The practice has a very small workforce. Everyone in the office is responsible for
every task from time to time. Accordingly, everyone in the office may have a need to review all
PHI. The practice allows all members of its workforce to have access to all PHI, as necessary for
them to carry out their job functions. The practice limits access to PHI to that information
necessary for a member of its workforce to carry out his or her job functions. The amount and
type of PHI necessary to carry out job functions varies depending on the specific tasks assigned
to the member of the workforce each day depending on the needs of the practice.
Disclosures of PHI: The practice limits the PHI it discloses to that necessary to meet the purpose
of the disclosure. For disclosures for:
• payment, the practice releases the information required to file a claim and, if requested,
  additional information requested by a health plan to adjudicate the claim (psychotherapy
  notes are not released without patient authorization for payment purposes); and
• health care operations, the practice releases the specific information required by the entity
  engaging in the health care operation, e.g., utilization review, quality assurance.
NOTE: The practice should list additional routine disclosures that it makes. For
example, if the practice discloses information to a transcription service,
accountant, or practice management company, it should specify the kinds of
information disclosed.
The practice reviews such routine requests to ensure that they are reasonable and do not seek PHI
beyond that reasonably required by the requestor to complete the purpose of the request. If, in
the opinion of the practice, the requestor has requested more information than necessary, the
practice so notifies the requestor and seeks clarification regarding what PHI they actually need.
The practice relies on a request for disclosure as being for the necessary amount of information
if:
• the disclosure is to a public official and the public official represents that the request is
  for the minimum necessary information;
• the request is from another covered entity; or
• the request is from a business associate in order to provide a professional service to the
  practice and the professional represents that the request is for the minimum necessary
  information.
Requests for PHI: The practice sometimes has a need to request PHI from other entities,
particularly other health care providers. In such instances, the practice will limit its request to
that information that is “reasonably necessary” to accomplish the purpose of the request. For
routine, recurring requests, the practice will describe the information being requested and
purpose for the request.
Most often the practice requests information related to the treatment of a patient. The minimum
necessary requirements do not apply when the request is for purposes of treatment of a patient.
Use and Disclosure of Medical Record: The practice limits the use, disclosure, or request for a
medical record to what is specifically needed in the professional judgment of the practice. For
example, if there is a question regarding payment for a practice service, only the portion of the
medical record related to that service is released.
The practice does not routinely use or disclose the entire medical record, unless such use or
disclosure is necessary, authorized by the patient, or allowed by law. If requested by a health
care provider, the entire medical record will be made available to those involved in the treatment
of the patient.
Physical Safeguards – Records Processing – Receiving,
Sending, and Disposing of PHI
Background
One key section of the Privacy Rule and one section of the Security Rule address records
processing. 35 In general, a covered entity – including a physician – must ensure that PHI sent,
received or disposed of by the practice is secure.
Model Policy
The practice has procedures to ensure that protected health information (PHI) sent, received and
disposed of by the practice is secure.
Model Procedures
Receipt of PHI From Outside the Practice
The practice often receives PHI from outside the practice. PHI is received in three general
formats: paper-based or electronic-media based (e.g., CD and diskette), FAX, and electronic
transmission.
Paper-Based or Electronic Media-Based PHI: The practice often has PHI delivered to the
practice in a physical format, e.g., paper records, CD, or diskette. When the practice receives
such PHI, it immediately treats the PHI in the same manner as other PHI in the practice. Often
the information is entered into the medical record, e.g., paper medical records and reports from
other health care providers, or the practice’s computer system, e.g., a remittance advice or
explanation of benefits.
The practice handles the delivered PHI in the same manner as other PHI in the practice when the
PHI is delivered via:
• the mail:
  • when the mail is initially reviewed and sorted
    • if the envelope indicates it contains confidential information or PHI; or
    • if the envelope is from a source that commonly sends PHI to the practice, e.g., a
      laboratory or health plan; or
  • when the mail is opened and read and it becomes clear it contains PHI;
• a delivery or messenger service:
  • when the practice initially receives and signs for or receives the letter or package
    • if the envelope indicates it contains confidential information or PHI; or
    • if the envelope is from a source that commonly sends PHI to the practice, e.g., a
      laboratory or health plan; or
  • when the letter or package is opened and read and it becomes clear it contains PHI; or
• a patient:
  • when the patient indicates the delivery includes PHI; or
  • when the practice reviews the delivery and becomes aware the delivery includes PHI.
35 § 164.530(c)(1) – Administrative Requirements – Standard – Safeguards; § 164.530(c)(2) – Administrative Requirements –
Implementation Specification – Safeguards; and § 164.312(e)(1) – Technical Safeguards – Transmission Security.
FAXed PHI: The practice receives PHI via the FAX. The FAX machine is kept in the
_____________ area of the office. When the office is open, the FAX is monitored at all times by
the practice’s workforce, and visitors are restricted from accessing the FAX machine. After
hours, a FAX may be received. The same access controls apply to the FAX machine as apply to
other paper-based records in the practice (see Physical Safeguards – Access Control, page 19).
Electronic PHI: The practice controls access to all computers through its policies and
procedures, including Physical Safeguards – Access Control, page 19, Technical Safeguards –
Personal or “Entity” Authentication, page 35, and Physical Safeguards – Device and Media
Controls, page 31. Any PHI received electronically is sent to one of the practice’s computers
and is secured in accordance with the practice’s policies and procedures governing electronic
PHI as soon as it is received.
Sending PHI Outside the Practice
The practice sends PHI outside the practice. PHI is sent in two general formats: paper-based or
electronic-media based (e.g., CD and diskette) and FAX.
Paper-Based or Electronic Media-Based PHI: The practice sends paper-based or, on occasion,
electronic-media based PHI, outside the practice. The practice stamps all packages and
envelopes containing such PHI as “CONFIDENTIAL: PROTECTED HEALTH
INFORMATION ENCLOSED” or alternatively “CONFIDENTIAL.”
The practice charges reasonable fees based on actual cost of fulfilling requests for records. The
practice determines the appropriate charge for providing the requested records and informs the
requestor in advance of providing the records. If the requestor agrees to pay the fee in advance,
the records will be provided. Otherwise, the records will not be provided, unless the Privacy
Officer determines that the charge is burdensome to the requestor.
Washington law allows a health care provider to charge fees for searching and duplicating
medical records. The fees a health care provider may charge cannot exceed eighty-eight cents
per page for the first thirty pages and sixty-seven cents for all other pages beyond the first
thirty. 36 Additionally, Washington law allows a health care provider to charge a twenty dollar
clerical fee for searching and handling records. 37 While Washington State law permits the
charging of a twenty dollar “handling fee”, HIPAA regulations prohibit charging this fee to the
patient or their representative. Review thoroughly the text found in footnotes 36 and 37. If the
health care provider personally edits confidential information from the medical record as
required by statute, the health care provider can also charge the usual fee for a basic office visit.
The practice limits charges to the amount allowed by Washington law unless preempted by
HIPAA.
The packages and envelopes are sent:
• via mail [or registered mail or return receipt only or deliver to addressee only]; or
• via messenger or delivery service (e.g., United Parcel Service and FEDEX), deliver to
  addressee only.
FAXed PHI: The practice sends PHI via FAX, especially when the PHI is needed on a timely
basis. Prior to sending PHI via FAX to a FAX number used on a regular basis, the practice
initially confirms the FAX number as follows. The practice programs the FAX number into its
FAX machine. It then autodials the FAX number and sends a test FAX containing no PHI.
Finally, the practice calls the location to which the FAX is being sent to confirm that the FAX
was received.
For all other FAX numbers, the practice calls the location to which the PHI is being sent. The
practice verifies the FAX number, that someone is present to receive the PHI, and that the PHI
will be handled appropriately. The practice then sends the FAX. A FAX confirmation sheet is
printed by the FAX machine and placed in the patient medical record.
FAXes are sent with a cover sheet. The cover sheet reads, in part:
IMPORTANT: THIS FAX IS INTENDED ONLY FOR THE INDIVIDUAL
OR ENTITY TO WHICH IT IS ADDRESSED, AND MAY CONTAIN
INFORMATION THAT IS PRIVILEGED, CONFIDENTIAL AND
EXEMPT FROM DISCLOSURE UNDER APPLICABLE LAW. IF THE
READER OF THIS MESSAGE IS NOT THE INTENDED RECIPIENT, OR
THE EMPLOYEE OR AGENT RESPONSIBLE FOR DELIVERING THE
MESSAGE TO THE INTENDED RECIPIENT, YOU ARE HEREBY
INFORMED THAT ANY USE, DISCLOSURE, DISTRIBUTION OR
COPYING OF THIS COMMUNICATION IS STRICTLY PROHIBITED.
IF YOU HAVE RECEIVED THIS COMMUNICATION IN ERROR,
PLEASE NOTIFY US IMMEDIATELY BY TELEPHONE AND RETURN
THE ORIGINAL MESSAGE TO US AT THE ABOVE ADDRESS VIA
THE UNITED STATES POSTAL SERVICE. THANK YOU.
36 WAC 246-08-400, effective 7/01/03 through 6/30/05. This regulation is amended and updated every
two years, at a minimum.
37 Even though Washington law allows a health care provider to charge twenty dollars for a clerical fee
for searching and handling records, HIPAA specifically does not allow for the charging of “handling
fees,” “chart pulling fees,” or per page fees in excess of the direct cost of supplies and labor necessary for
copying the protected health information requested by the individual. 45 C.F.R. §164.524. Therefore, to
the extent that Washington law allows the health care provider to charge more than what is allowed by
HIPAA, Washington law is preempted by HIPAA and HIPAA should be followed. It is important to keep
in mind that the HIPAA preemption forbidding the provider from charging a chart pulling fee or the like
applies only if the requestor is the patient or the personal representative of the patient. For requestors
other than the patient or the personal representative of the patient, such as third parties who present a
valid authorization, the provider may charge the chart pulling fee.
NOTE: These model policies and procedures assume you are not sending PHI
electronically, including confidential communications with your patients via email. If you send PHI electronically via the Internet or using an “Intranet,”
additional procedures will need to be added to ensure the security of that PHI,
including the appropriate encryption and/or password protection of the
communications.
Disposal of PHI
The practice often has to dispose of PHI. Most often the PHI is in paper form, and includes
notes, including telephone notes, duplicate copies of tests, and old medical records. The practice
also has to dispose of PHI on electronic media, e.g., old computer file backups, and from time to
time the electronic PHI itself.
Record Retention: The practice recognizes the need to establish a record retention policy. In
general, WSMA recommends the following minimum record retention policy (based upon
current Washington State and federal law):
• 10 years from the date of the patient’s last visit, prescription refill, telephone contact, test,
  or other patient contact;
• 5 years from the date of the patient’s death;
• 21 years from the date of a minor patient’s birth;
• 10 years after the last date a claim is paid for a Medicare patient;
• 6 years after the last date a claim is paid for a Medicaid patient; 38
• 6 years for any documentation required by HIPAA; 39
• indefinitely for childhood immunizations;
• indefinitely if the patient is incompetent or if the physician is aware of any problems with
  a patient’s care or has any reason to believe that the patient may sue.
To be absolutely safe, a physician should, if at all possible, retain patients’ medical records
indefinitely.
NOTE: Many practices adopt a policy of 10 years after the last patient encounter or, in the case
of a minor, three years following the minor’s 18th birthday, or 10 years following the minor’s
most recent discharge, whichever is longer, because Washington law requires hospitals to
maintain medical records for these time periods. RCW 70.41.190. Any policy should not be less
than the recommendations set forth above.
38 WAC 388-502-0020(c).
39 45 C.F.R. §164.530(j)(2) (Privacy Rule documentation); see also §164.316(b)(2)(i) (Security Rule documentation).
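The retention periods above combine as "the longest applicable period wins": a record may be destroyed only when every rule that applies to the patient has run out, and two of the rules mean "never". The following is an added example, not part of the WSMA model policy, that turns the list into a destruction-date calculation. The retention periods are taken from the list; the field names, the choice to treat a patient who was under 18 at the last contact as a "minor", the Feb 29 rounding, and the sample patients are assumptions of this example.

```python
"""Earliest permissible destruction date under the WSMA minimum retention list.

Added example; not part of the policy document. Field names, the definition
of "minor" (under 18 at last contact), and the sample patients are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


def add_years(d: date, years: int) -> date:
    """Add calendar years; a Feb 29 anniversary rolls back to Feb 28."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class PatientRecord:
    date_of_birth: date
    last_contact: date                      # last visit, refill, call, test or other contact
    date_of_death: Optional[date] = None
    last_medicare_claim_paid: Optional[date] = None
    last_medicaid_claim_paid: Optional[date] = None
    childhood_immunizations: bool = False
    incompetent_or_dispute: bool = False    # incompetent, known care problem, or may sue


def retention_deadline(p: PatientRecord) -> Optional[date]:
    """Return the earliest date the record may be destroyed, or None for 'retain indefinitely'.

    Every applicable rule yields a date; the record must be kept until ALL of
    them have passed, so the latest date wins.
    """
    if p.childhood_immunizations or p.incompetent_or_dispute:
        return None
    deadlines = [add_years(p.last_contact, 10)]            # 10 years from last contact
    if p.date_of_death:
        deadlines.append(add_years(p.date_of_death, 5))    # 5 years from death
    # Assumption: "minor patient" means under 18 at the time of the last contact.
    if p.last_contact < add_years(p.date_of_birth, 18):
        deadlines.append(add_years(p.date_of_birth, 21))   # 21 years from birth
    if p.last_medicare_claim_paid:
        deadlines.append(add_years(p.last_medicare_claim_paid, 10))
    if p.last_medicaid_claim_paid:
        deadlines.append(add_years(p.last_medicaid_claim_paid, 6))
    return max(deadlines)


def may_destroy(p: PatientRecord, today: date) -> bool:
    """True only if a finite deadline exists and has already passed."""
    deadline = retention_deadline(p)
    return deadline is not None and today >= deadline


# Constructed sample patients (not real data).
ADULT = PatientRecord(date(1960, 3, 1), date(2003, 6, 15),
                      last_medicare_claim_paid=date(2004, 1, 10))
MINOR = PatientRecord(date(1998, 5, 4), date(2003, 9, 1))
DECEASED = PatientRecord(date(1930, 1, 1), date(2002, 12, 1), date_of_death=date(2003, 1, 15))
IMMUNIZED = PatientRecord(date(2001, 7, 7), date(2003, 7, 7), childhood_immunizations=True)
LEAP_DAY_MINOR = PatientRecord(date(2000, 2, 29), date(2004, 6, 1))

if __name__ == "__main__":
    for name, rec in [("adult", ADULT), ("minor", MINOR), ("deceased", DECEASED),
                      ("immunized", IMMUNIZED), ("leap-day minor", LEAP_DAY_MINOR)]:
        print(f"{name:15s} destroy no earlier than: {retention_deadline(rec)}")
```

Note that the Medicare claim date, not the last visit, controls the adult's deadline, and that the 21-years-from-birth rule outlasts the 10-year rule for a young child; a retention policy applied per patient rather than as a single flat period avoids destroying records too early.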
Paper-Based PHI: The practice disposes of paper-based PHI as follows:
• Day-to-day paper containing PHI is not thrown out with the rest of the trash. It is
  collected and shredded by the practice. This includes telephone notes, draft letters,
  copies of memos, tests and other items that no longer are needed, and information that is
  printed out for viewing and is maintained permanently electronically.
  NOTE: If you intend to dispose of “day to day” paper in another manner, you
  must change this procedure accordingly. You may want to consider the use of
  locked “Shred-It” bins that can be emptied and shredded as needed. That avoids
  having to shred paper every day.
• From time to time the practice cleans out old medical records and other files that may
  contain PHI. Such PHI is boxed and marked “CONFIDENTIAL: CONTAINS
  PROTECTED HEALTH INFORMATION” or simply “CONFIDENTIAL.” A
  company that shreds the PHI for the practice then picks it up. The shredding company is
  a Business Associate and maintains the privacy of the PHI until it is shredded and
  appropriately disposed of.
FAXed PHI: FAXed PHI is disposed of in the same manner as paper-based PHI.
Electronic or Electronic Media-Based PHI: The practice disposes of electronic PHI in a
manner that ensures that no trace of the PHI remains and that the PHI cannot be restored using
commonly available commercial programs (see Physical Safeguards – Device and Media
Controls, page 31).
Physical Safeguards – Computer Workstation Use and
Security
Background
Four sections of the Security Rule address computer workstations. 40 In general, a covered entity
– including a physician – must ensure that computer workstations are secure and cannot be used
by unauthorized individuals or in an unauthorized manner.
Model Policy
The practice ensures that computer workstations and other devices are secure and protected, and
are used appropriately only by authorized individuals.
Model Procedures
The practice has a limited number of workforce members and, in general, each member is
entitled to access all the protected health information (PHI) on each computer. When a
workforce member logs onto a computer, they are entitled to view all the PHI accessible from
that computer.
Each workforce member has his or her personal password and computers have password-protected
screen savers (see Technical Safeguards – Personal or “Entity” Authentication, page 35). Each
workforce member logs off their computer when they are finished for the day or when they are
away from their computer for longer than 1 hour; shorter absences are covered by the
password-protected screen saver and automatic logoff described on page 35.
The computers in the practice are located in _____________________. These locations are
locked when the practice is closed. In addition, computers are secured at their locations using
computer locks. Electronic media are protected in the same manner as paper-based PHI (see
Physical Safeguards – Access Control, page 19).
The computer screens are positioned in such a manner as to minimize the ability of unauthorized
individuals to view information on the screens. Individuals are not allowed in areas of the office
where they will be able to view screens, except in passing.
NOTE: If the practice keeps PHI on mobile devices, you must include language
regarding how you secure the PHI on those devices.
The practice protects PHI on mobile devices, including laptop computers, PDAs and cell phones.
40
§ 164.304 – Definitions – Workstation; § 164.304 – Definitions – Security or Security Measures; § 164.310(b) –Standard
– Workstation use; and § 164.310(c) – Standard – Workstation security.
• Laptop computers are logged in and out of the practice. The computers are password
  protected and the screen savers set to password protect the computers after 10 minutes of
  inactivity. Laptops also are backed up in a timely fashion (see Administrative Safeguards
  – Contingency Planning, page 12). The practice maintains the following laptops:
  o LIST SPECIFIC LAPTOP
  o LIST SPECIFIC LAPTOP
• PDAs commonly include patient schedule information and notes. The PDAs are
  password protected and synchronized with the computer workstations regularly to ensure
  timely backup (see Administrative Safeguards – Contingency Planning, page 12). The
  practice maintains the following PDAs:
  o LIST SPECIFIC PDA
  o LIST SPECIFIC PDA
• Cell phones contain phone numbers and, often, names of patients. They may also include
  text messaging, notes, and e-mail. Cell phones are password protected to limit
  inappropriate access. In addition, the call lists are periodically reviewed and unneeded
  telephone numbers deleted. The practice maintains the following cell phones:
  o LIST SPECIFIC CELL PHONE
  o LIST SPECIFIC CELL PHONE
NOTE: If the practice keeps PHI on other devices, such as testing equipment
with electronic memory capabilities (including sonogram or audiology
equipment) you must include language on how you secure these devices. If these
devices do not contain patient-identifying information, they do not contain
PHI.
The practice maintains PHI on a number of medical devices. The practice daily copies this
information from the devices and places the information in the appropriate patient’s medical
record, and then deletes this information from the devices. In addition, the devices are locked up
at night to ensure that they are not removed from the office. The practice maintains the
following devices that contain or may contain PHI:
• LIST SPECIFIC DEVICE
• LIST SPECIFIC DEVICE
Physical Safeguards – Device and Media Controls
Background
Six sections of the Security Rule address device and media controls. 41 In general, a covered
entity – including a physician – must ensure that PHI is appropriately protected when computer
hardware (including electronic media, e.g., diskettes, tapes, CDs) and software are received,
transported, or removed.
Model Policy
The practice ensures protected health information (PHI) is appropriately protected when
computer hardware and software and computer devices are received by the practice, transported
by the practice or moved within the practice, or removed from the practice.
Model Procedures
Accountability: The practice maintains a record of all computer hardware and electronic media
that store PHI (see Device and Media Controls Log, page 33). This log indicates which
workforce members are authorized to access PHI on each computer and electronic media and
when the computer or media is removed from the practice location. This log is an integral part of
the practice’s risk assessment and ongoing evaluation. (See Administrative Safeguards – Risk
Analysis, Risk Management and Ongoing Risk Evaluation, page 11).
The practice records all devices and media that may contain PHI. This includes computers and
related devices as well as other equipment, e.g., cell phones, personal digital assistants (PDAs),
clinical devices that store patient-specific information, fax machines, and duplicating machines
and printers that may store images.
Media Re-Use: Media may be reused only when all electronic PHI previously stored on the
media is removed and unrecoverable. The practice only reuses media internally. Such media are
always maintained securely and considered to contain PHI, even when they have been “cleaned.”
This procedure is used because of the difficulty of completely destroying all traces of information
on any electronic media and of ensuring that “cleaned” media cannot be recovered using a variety
of techniques. Media are not “cleaned” for reuse and then sent out of the practice to be used by
others. Rather, media are disposed of as discussed below.
Disposal of Devices and Media: The practice disposes of devices and media in a fashion that
prevents the disclosure of PHI.
41 § 164.304 – Definitions – Physical Safeguards and Facility; § 160.103 – Definitions – Electronic Media; § 164.310(d)(1) –
Physical Safeguards – Standard – Device and Media Controls; § 164.310(d)(2)(i) – Physical Safeguards – Implementation
Specifications – Disposal; § 164.310(d)(2)(ii) – Physical Safeguards – Implementation Specifications – Media Re-use;
§ 164.310(d)(2)(iii) – Physical Safeguards – Implementation Specifications – Accountability; and § 164.310(d)(2)(iv) –
Physical Safeguards – Implementation Specifications – Data Backup and Storage.
• Devices: PHI stored on devices is stored in a variety of different media. Computer
  information is stored on a hard drive and possibly diskettes, CDs, and DVDs. Cell
  phones, PDAs, and clinical devices also have storage devices that must be “cleaned”
  prior to disposal.
• Media: The practice stores information on diskettes, CDs, and DVDs. The practice
  recognizes that simply deleting files does not remove the PHI from the media.
  o Whenever possible the practice overwrites the media completely using a
    commercially available program. The media is overwritten three times to ensure
    all PHI is destroyed. This includes data drives. Overwriting is dependable only
    for magnetic media (hard drives, diskettes, tapes); flash-based media such as
    memory sticks remap worn blocks internally and can keep copies that an
    overwrite never reaches, so overwriting should not be relied on for them.
  o When data cannot be overwritten, e.g., on a CD or DVD that cannot be
    overwritten, the practice first makes a series of deep scratches on the media and
    then breaks the media in two pieces. Large fragments of a scratched disc can
    still be read, so a shredder rated for optical media is preferable where available.
NOTE: If you do not store information on CDs or DVDs, you have to edit the
above language. If you use other storage devices, e.g., memory sticks, Zip drives
and digital cameras, you will have to expand this language.
Data Backup and Storage: An important aspect of controlling PHI on devices and media is
ensuring PHI is appropriately backed up and securely stored. In addition, it is vital to back up
PHI prior to movement of equipment and media. Note that data backup also is addressed under
Administrative Safeguards – Contingency Planning (page 12). Data backups are recorded as
discussed under Contingency Planning.
Removal of Devices and Media: The practice may remove devices and media from the practice
site, e.g., a portable computer or a PDA. In such instances, the practice will treat the device or
media in the same fashion that it treats paper medical records. (See Physical Safeguards – Access
Control, page 19.) Removed devices and media are documented on the Device and Media
Controls Log, page 33.
Device and Media Controls Log

Date | Description of Device or Media | Action | Access Limited?
-----|--------------------------------|--------|----------------
     |                                |        |
     |                                |        |
     |                                |        |
Technical Safeguards
Numerous sections of the final Security Rule address technical safeguards. 42 The rule defines
technical safeguards as “the technology and the policy and procedures for its use that protect
electronic protected health information and control access to it.”
Small practices are required to implement appropriate policies and procedures to protect their
protected health information (PHI) – confidential information – and ensure that it remains secure.
Recall that the Security Rule only covers electronic information. The Privacy Rule also
addresses confidential information kept in paper and other forms. In order to meet the Privacy
Rule requirements, the practice also must protect paper-based information.
The following portions of this document address the technical safeguard policies and procedures
that practices need to consider when implementing HIPAA privacy and security.
42 § 164.312 Technical Safeguards.
Technical Safeguards – Personal or “Entity” Authentication
Background
Five sections of the Security Rule address personal or entity authentication. 43 As used here,
authentication is the means of establishing the validity of the identity of a user of the system. In
general, a covered entity – including a physician – must have systems in place to ensure that only
authorized users have access to PHI.
Model Policy
The practice ensures that only appropriate individuals can access protected health information
(PHI) and has appropriate security mechanisms in place.
Model Procedures
Identification and Authentication: The practice issues each member of the workforce a unique
user name and an initial password. Passwords must be changed at least once every 90 days. The
Security Officer can override all workforce member passwords on an as needed basis and will
ensure that new passwords are issued when such an override is necessary. The practice uses the
standard password protection programs to access the computer and the programs in which it
stores PHI, including Word, ______________________________________.
NOTE: The practice should list the specific programs in which it stores PHI and
password protects that information, including any practice management system,
electronic health record, word processing, and database management programs.
Workforce members are educated regarding the appropriate choice of passwords (e.g., no names)
and the need to keep passwords confidential. Workforce members do not keep passwords in
written or electronic form in the practice and do not share passwords.
Automatic Logoff: The practice requires that all computers “lock up” and require an individual
to sign on after a 15-minute period of not being used. Specifically, if a workforce member does
not use his or her computer for 15 minutes, the system invokes a screen saver (so no one can
view the information on the screen) and the workforce member has to reenter his or her password
prior to continuing to work on the computer. Another individual is not able to access the
computer until the first individual reenters their password and then logs off the system.
43 § 164.308(a)(5)(ii)(D) – Administrative Safeguards – Implementation Specifications – Password Management;
§ 164.312(a)(1) – Standard – Access Control; § 164.312(a)(2)(i) – Implementation Specification – Unique User Identification;
§ 164.312(a)(2)(iii) – Technical Specifications – Implementation Specifications – Automatic Logoff; and § 164.312(d) –
Technical Specifications – Standard – Persons or Entity Authentication.
Password Deletion: The Security Officer deletes passwords when a workforce member is
terminated or no longer has rights to access a particular system or computer.
Technical Safeguards – Security Configuration – Documentation, Testing, Inventory, Virus Control
Background
Three sections of the Security Rule address security configuration. 44 In general, a covered entity
– including a physician – must have in place measures to ensure electronic-based PHI is not
compromised as a result of software or hardware changes.
Model Policy
The practice has in place procedures to manage the integrity of its electronic-based protected
health information (PHI) to ensure that system security is not compromised as a result of
hardware or software changes.
Model Procedures
Documentation: The practice documents measures put in place to control access to data. This is
addressed in other sections of these policies and procedures, including Physical Safeguards –
Access Control, page 19, Technical Safeguards – Personal or “Entity” Authentication, page 35,
and Physical Safeguards – Device and Media Controls, page 31.
Testing: The practice tests all hardware and software to ensure it meets the practice’s security
policies and procedures. This testing occurs when the hardware or software is installed and not
less often than once a year thereafter.
Inventory: The practice maintains an inventory of all hardware and software used by the practice.
This inventory lists each computer and its hardware configuration, as well as the software
running on each computer. (See Device and Media Controls Log, page 33, and “PHI” Software
Log, page 15.)
Virus Detection: The practice has in place a virus detection program to protect the practice’s
data. The practice uses a commercially available program and updates it as recommended by the
vendor. The practice runs a virus scan on each of its computers daily. The practice educates its
workforce concerning virus protection, including how to prevent infections and the potential
harm that can be caused by them, what to do if a virus is suspected, Trojan horse programs
(password stealing), worms, and virus transport via various media types (e.g., diskettes and
CDs).
44 § 164.308(a)(5)(ii)(B) – Administrative Safeguards – Implementation Specifications – Protection from Malicious
Software; § 164.308(a)(7)(ii)(D) – Administrative Safeguards – Implementation Specifications – Testing and Revision
Procedures; and § 164.316 – Policies and Procedures and Documentation Requirements.
Firewall: The practice has in place a firewall program to protect the practice’s data. The
practice uses a commercially available program and updates it as recommended by the vendor.
The practice educates its workforce concerning the firewall and how to respond to firewall alerts
to maximize protection of its computers.
Windows Update: The practice uses the Windows operating system. The practice checks at
least once a week (every Monday morning) for critical updates by running the “Windows
Update.” Any critical updates are installed on all of the practice’s computers. This helps to
ensure that appropriate security “patches” are installed in a timely fashion.
NOTE: If the practice does not use the Windows operating system, then the
previous paragraph needs to be changed to reflect how the practice’s operating
system is updated in accordance with the system vendor’s recommendations.
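The password management, automatic logoff, virus detection, firewall and Windows Update procedures above can be verified on each computer rather than assumed, which is what the "Testing" procedure calls for. The following is an added example, not part of the ISMS/ISMIE model policies; it assumes a Windows 10 or later workstation with the built-in LocalAccounts and NetSecurity modules and the Windows Update Agent COM interface, and it uses the model procedures' own thresholds (90 days, 15 minutes, weekly update check).

```powershell
# Added example, not part of the ISMS/ISMIE model policies: a read-only check
# of a Windows workstation against the thresholds the model procedures set
# (90-day password age, 15-minute automatic lock, a weekly check for critical
# updates, virus detection and a firewall present). Run in an elevated
# PowerShell on each practice computer; it changes nothing, it only reports.

$Findings = New-Object 'System.Collections.Generic.List[object]'

function Add-Finding([string]$Control, [bool]$Compliant, [string]$Detail) {
    $Findings.Add([pscustomobject]@{
        Control = $Control; Compliant = $Compliant; Detail = $Detail })
}

# Password Management: local policy must expire passwords within 90 days.
# 'net accounts' prints e.g. "Maximum password age (days): 42" or "Unlimited".
$maxAgeLine = (net accounts) | Where-Object { $_ -match 'Maximum password age' }
if ($maxAgeLine -match '(\d+)\s*$') {
    $maxAge = [int]$Matches[1]
    Add-Finding 'Password max age <= 90 days' ($maxAge -le 90) "Maximum password age: $maxAge days"
} else {
    Add-Finding 'Password max age <= 90 days' $false 'Passwords never expire (Unlimited) or policy could not be read'
}

# Unique User Identification: the shared Guest account must stay disabled
# (absent or renamed counts as compliant here).
$guest = Get-LocalUser -Name Guest -ErrorAction SilentlyContinue
Add-Finding 'Guest account disabled' ($null -eq $guest -or -not $guest.Enabled) "Guest present: $($null -ne $guest); enabled: $($guest.Enabled)"

# Automatic Logoff: lock after 15 minutes (900 s) idle, either through the
# machine-wide "Interactive logon: Machine inactivity limit" policy value or
# through a password-protected screen saver for the current user.
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$inactivity = (Get-ItemProperty -Path $sys -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
$desk = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
$saverOk = (($desk.ScreenSaveActive -eq '1') -and ($desk.ScreenSaverIsSecure -eq '1') -and
            ($desk.ScreenSaveTimeOut -and ([int]$desk.ScreenSaveTimeOut -le 900)))
$lockOk = (($inactivity -gt 0) -and ($inactivity -le 900)) -or $saverOk
Add-Finding 'Lock after 15 minutes idle' $lockOk "InactivityTimeoutSecs=$inactivity; ScreenSaveTimeOut=$($desk.ScreenSaveTimeOut); secure saver=$($desk.ScreenSaverIsSecure)"

# Windows Update: a successful check within the last 7 days and no critical
# update left uninstalled (the online search can take a minute or two).
$lastCheck = (New-Object -ComObject Microsoft.Update.AutoUpdate).Results.LastSearchSuccessDate
Add-Finding 'Update check within 7 days' ($lastCheck -gt (Get-Date).AddDays(-7)) "Last successful search: $lastCheck"
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$pending = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates
$critical = @($pending | Where-Object { $_.MsrcSeverity -eq 'Critical' })
Add-Finding 'No critical updates pending' ($critical.Count -eq 0) ("Pending critical: " + (($critical | ForEach-Object { $_.Title }) -join '; '))

# Virus Detection: an antivirus product is registered with Security Center.
$av = @(Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue)
Add-Finding 'Antivirus registered' ($av.Count -gt 0) (($av | ForEach-Object { $_.displayName }) -join '; ')

# Firewall: the Windows firewall must be enabled on every network profile.
$off = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' })
Add-Finding 'Firewall enabled on all profiles' ($off.Count -eq 0) ("Disabled profiles: " + (($off | ForEach-Object { $_.Name }) -join ', '))

# Rows with Compliant = False are the findings the Security Officer follows
# up on and records under the Testing procedure.
$Findings | Format-Table -AutoSize -Wrap
```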
Technical Safeguards – Audit Controls and Integrity
Background
Four sections of the Security Rule address audit controls and monitoring of internal system
activity. 45 These provisions are complex to implement for small practices. In general, a covered
entity – including a physician – must have in place measures to audit access to and use of
protected health information to ensure that the PHI only is accessed and used appropriately and
to ensure the integrity of the PHI.
Model Policy
The practice has in place procedures to audit access to and use of its protected health information
(PHI) and to ensure the integrity of its electronic-based PHI.
Model Procedures
The practice audits use of its PHI – both paper and electronic. This is done through monitoring
and controlling access to its computers and paper records as discussed above (see Physical
Safeguards – Access Control, page 19, Administrative Safeguards – Physical Controls for Visitor
Access, page 17, Physical Safeguards – Computer Workstation Use and Security, page 29, and
Technical Safeguards – Personal or “Entity” Authentication, page 35). The practice also
conducts periodic walkthroughs of its facility to ensure appropriate placement of FAX machines,
medical records and other PHI.
Given appropriate access controls, the PHI should not be changed inappropriately, thereby
ensuring the integrity of the PHI. If the practice has any reason to believe the PHI has been
inappropriately changed, the practice will compare the PHI to the latest backup (see
Administrative Safeguards – Contingency Planning, page 12).
45 § 164.308(a)(2)(D) – Administrative Safeguards – Implementation Specifications – Information System Activity Review;
§ 164.312(b) – Technical Safeguards – Standard – Audit Controls; § 164.312(c)(1) – Technical Safeguards – Standard –
Integrity; and § 164.312(c)(2) – Technical Safeguards – Implementation Specifications – Mechanism to Authenticate Electronic
Protected Health Information.
Technical Safeguards – Transmission Security
NOTE: The model policies and procedures included above assume that you are
not sending or receiving PHI electronically, e.g., via e-mail or over the Internet.
If you do send any PHI electronically, the practice must ensure the “transmission
security” of the PHI.
Please fill in the blanks and select the options below as appropriate.
Background
Three sections of the Security Rule address transmission security.46 In general, a covered entity
– including a physician – must have in place measures to ensure transmission security when PHI
is electronically transmitted. Transmission security will ensure the integrity of PHI in transit.
Model Policy
The practice has in place procedures to secure protected health information (PHI) sent
electronically.
Model Procedures
The practice uses [program name] to protect PHI sent electronically. Specifically, the practice
locks all data files using [a secure password] and/or [an encryption methodology]. [Passwords]
and/or [encryption keys] are sent to the receiving party in a separate secure transaction [or are
incorporated into the software or use public-private key encryption].
46 § 164.312(e)(1) – Standard – Transmission security; § 164.312(e)(2)(i) – Implementation specification – Integrity
controls; and § 164.312(e)(1) – Implementation specification – Encryption.
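The public-private key option in the model procedure above, worked through with Windows' built-in CMS cmdlets, as an added example that is not the model policy's own procedure: the receiving party keeps the private key and hands the sending practice only the public certificate, so no password or key travels with the file. It assumes Windows PowerShell 5.1 or later with the PKI module; the subject name and the sample record are constructed, and both parties are shown on one machine for illustration.

```powershell
# Added example (not the ISMS/ISMIE model procedure): protecting a PHI export
# with public/private key encryption before it is transmitted. The recipient's
# private key never leaves the recipient's certificate store.

# --- Receiving party, once: create a document-encryption certificate and
# export only the public half (.cer) for the sending practice.
$recipient = New-SelfSignedCertificate -Subject 'CN=PHI Recipient (constructed)' `
    -Type DocumentEncryptionCert -KeyUsage KeyEncipherment, DataEncipherment `
    -CertStoreLocation Cert:\CurrentUser\My
Export-Certificate -Cert $recipient -FilePath .\recipient.cer | Out-Null

# --- Sending practice: encrypt the export file before it leaves the office.
# Constructed sample record standing in for a real export.
$plain = 'Patient: J. Doe (constructed sample); Visit 2004-01-05; Dx: sample'
Set-Content -Path .\phi_export.txt -Value $plain
Protect-CmsMessage -To .\recipient.cer -Path .\phi_export.txt -OutFile .\phi_export.cms

# Only phi_export.cms is transmitted. Confirm it carries a CMS envelope and
# none of the plaintext, then remove the clear copy.
$cipher = Get-Content -Path .\phi_export.cms -Raw
if ($cipher -notmatch 'BEGIN CMS' -or $cipher -match 'J\. Doe') {
    throw 'Export was not protected; do not transmit phi_export.txt'
}
Remove-Item .\phi_export.txt

# --- Receiving party: the matching private key in Cert:\CurrentUser\My is
# found automatically and recovers the record.
$recovered = Unprotect-CmsMessage -Path .\phi_export.cms
if ($recovered.TrimEnd() -ne $plain) { throw 'Decrypted content does not match' }
"Recovered: $recovered"

# Demo cleanup: remove the constructed certificate and files.
Remove-Item "Cert:\CurrentUser\My\$($recipient.Thumbprint)", .\recipient.cer, .\phi_export.cms
```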
Administrative Security Policies and Procedures
Administrative Requirements – Security Officer
Background
Three sections of the Security Rule address the need to appoint a Security Officer and a contact
person for all issues related to the Security Rule. 47 In general, a covered entity – including a
physician – is required to have a Security Officer and a contact person.
Model Policy
The practice has a Security Officer that serves as the contact person for all issues related to the
Security Rule.
Model Procedure
The practice designates as its Security Officer _[FILL IN NAME OR TITLE OF PERSON].
This person serves as the practice’s contact person for all issues related to the Security Rule and
works closely with the Privacy Officer.
NOTE: The practice should consider whether the Privacy Officer and Security
Officer should be the same person. In smaller practices this probably makes
sense. Privacy issues will in many instances result from security breaches, and
security breaches almost always result in privacy violations.
Documentation
The practice keeps a written record of the names of each Security Officer. This information is
maintained for a period of six years from the date of its creation.
47 § 164.306 – Standard – General Rules – Maintenance; § 164.308(a)(2) – Standard – Assigned Security Responsibility;
§ 164.316(b) – Standard – Documentation.
Administrative Requirements – Information Access Management
Background
Seven sections of the Security Rule address the requirement for information access
management. 48 In general, a covered entity – including a physician – must: (1) authorize who
can have access to what specific confidential information, system by system; (2) establish and
modify access on an as needed basis; (3) supervise the workforce to ensure that only appropriate
access is occurring; and (4) terminate access when required.
Model Policy
The practice only authorizes workforce members access to protected health information (PHI) on
an as needed basis.
Model Procedure
Authorization: The practice authorizes all workforce members to have access to all PHI in the
practice. The practice has a very small workforce. Everyone in the office is responsible for
every task from time to time. Accordingly, everyone in the office has a need to review all PHI.
The practice allows all members of its workforce to have access to all PHI, as necessary for them
to carry out their job functions and support the efficient operation of the practice. The practice
limits access to PHI to that information necessary for a member of its workforce to carry out his
or her job functions. The amount and type of PHI necessary to carry out job functions varies
depending on the specific tasks assigned to the member of the workforce each day depending on
the needs of the practice. Access is only terminated when a workforce member leaves the
practice.
Supervision: The Privacy Officer and the Security Officer monitor the practice’s operations to
ensure that all workforce members are accessing PHI appropriately. Ongoing training and
education about the need to access only that PHI required for each specific job task is a key part
of the supervision.
Termination: As discussed under Physical Safeguards – Access Control (page 19), the practice
terminates a workforce member’s access to all PHI when the workforce member is terminated.
The terminated workforce member is required to turn in any keys or other access devices that
may have been issued by the practice, and all passwords are deactivated.
48 § 164.308(a) Standard – Workforce Security; § 164.308(a)(3)(ii)(A) – Implementation Specification – Authorization
and/or Supervision; § 164.308(a)(3)(ii)(B) – Implementation Specification – Workforce Clearance Procedures;
§ 164.308(a)(ii)(C) Implementation Specification – Termination Procedures; § 164.308(a)(4)(i) Standard – Information Access
Management; § 164.308(a)(4)(ii)(B) Implementation Specification – Access Authorization; and § 164.308(a)(4)(ii)(C)
Implementation Specification – Access Establishment and Modification.
Administrative Requirements – Security Incident Procedures
Background
Six sections of the Security Rule address security incident procedures. 49 In general, a covered
entity – including a physician – must record and address security incidents – “the attempted or
successful unauthorized access, use, disclosure, modification, or destruction” of electronic
protected health information.
Model Policy
The practice monitors, records, and responds to all security incidents in a timely fashion.
Model Procedures
The practice monitors information system activity to detect security incidents – “the attempted or
successful unauthorized access, use, disclosure, modification, or destruction” of electronic
protected health information. The practice records and follows up when it determines: someone
or some program has entered its computer system from outside the practice, e.g., a virus or
worm, or someone inside the practice accesses, uses, or changes PHI in an unauthorized manner.
In the event of a security incident, the practice documents the occurrence on the Security
Incident Log, page 44. The Security Officer determines if there have been any harmful effects
as a result of the incident. If there have been harmful effects, the Security Officer takes steps to
mitigate those harmful effects.
If specific individual PHI has been disclosed, the Privacy Officer records this information on the
Mitigation Log and the practice’s mitigation procedures are followed (see Mitigation of Privacy
Breaches, page 7).
The practice trains the workforce to deal with security incidents and minimize harmful effects of
security incidents.
NOTE: A “virus” is computer code that can damage your software, hardware or
files and is designed to travel from computer to computer. A “worm” is like a
virus, but it travels from computer to computer on its own by using e-mail or a
similar system.
49 § 164.304 – Definition of Security Incident; § 164.308(a)(1)(ii)(D) – Implementation Specification – Security Incident
Tracking Reports as a Part of Information System Activity Review; § 164.308(a)(6)(i) – Standard – Security Incident Procedures;
§ 164.308(a)(6)(ii) – Implementation Specification – Response and Reporting; § 164.314(a)(2)(i)(C) – Implementation
Specification – Obligation of Business Associates, Created by Business Associate Contracts, to Report Security Incidents to
Covered Entities; and § 164.314(a)(2)(iv) – Implementation Specification – Obligation of Plan Sponsors, Created by Plan
Document Amendment, to Report Security Incidents to the Group Health Plan.
Security Incident Log

Date | Description of Incident | Record on Mitigation Log? | Steps Taken to Mitigate Any Harmful Effects
Administrative Requirements – Awareness and Training For Staff
Background
One section of the Privacy Rule and five sections of the Security Rule address the requirements
for training staff. 50 In general, a covered entity – including a physician – is required to ensure its
workforce is trained with respect to the covered entity’s privacy and related security policies and
procedures. All workforce members who have access to PHI in any way must be trained.
Model Policy
The practice trains its workforce on all aspects of its privacy and related security policies and
procedures.
Model Procedure
The practice provides training to its workforce with respect to the privacy and security of
protected health information (PHI). Specifically, the practice:
• provided each member of its workforce initial training no later than April 14, 2003, or
within the first 30 days of work at the practice, if that date is on or after April 14, 2003;
• provides additional training to each member of its workforce when there is a material
change in the practice’s policies and procedures prior to the effective date of those
changes (unless the change is required by law and occurs prior to changes being made to
the policies and procedures, in which case the training occurs as soon as possible after the
practice becomes aware of the required change);
• documents on its Training Log that the training has been provided; and
• requires each workforce member to sign a statement (attached) that the workforce
member has been trained and understands the practice’s policies and procedures
regarding PHI.
The practice initially educates workforce members by reviewing the practice’s privacy and
related security policies and procedures as contained in this document, including protection from
malicious software (see Technical Safeguards – Security Configuration – Documentation,
Testing, Inventory, Virus Control, page 37) and proper use of passwords (see Technical
Safeguards – Personal or “Entity” Authentication page 35). The Privacy Officer and Security
Officer then work with each workforce member to ensure they are implementing the policies and
procedures as required.
50 § 164.308(a)(5)(ii)(A) – Implementation Specification – Security Reminders; § 164.308(a)(5)(ii)(B) – Implementation
Specification – Protection from Malicious Software; § 164.308(a)(5)(ii)(C) – Implementation Specification – Log-in Monitoring;
§ 164.308(a)(5)(ii)(D) – Implementation Specification – Password Management; § 164.530 (b) – Administrative Requirements –
Standard – Training; and § 164.308(a)(5)(i) – Administrative Safeguards – Standard – Security Awareness and Training.
The practice provides periodic education to workforce members. At least once a year, or
whenever specific issues are identified, the practice provides additional training to ensure that all
workforce members follow the practice’s privacy and security policies and procedures. In
addition, the practice reviews specific privacy and security issues at its monthly staff meetings.
Documentation
The practice documents all workforce training on its Training Log, page 47. The practice
records the date of the training, the workforce members trained, and the material covered in the
training session. The practice also requires each workforce member to sign a statement that they
have been trained and understand the practice’s policies and procedures (see Model
Acknowledgment of Training, page 48). The practice maintains this information for a period of
six years from the date of its creation.
Training Log

Workforce Member Name | Date of Training | Description of Training
Model Acknowledgment of Training
(ON PRACTICE LETTERHEAD)
I, ___________________ (Print name of Workforce Member), acknowledge that I have been trained
in the Health Insurance Portability and Accountability Act (HIPAA) privacy and security policies
and procedures of [FILL IN NAME OF THE PRACTICE]. I understand that I must keep private and
secure the protected health information of the practice.
I understand and agree to adhere to all of these policies and procedures. Further, I
understand that I am subject to sanctions, up to and including, termination, for violation of the
practice’s policies and procedures.
Signature: ___________________________________________ Date: ___________________
Administrative Requirements – Workforce Sanctions
Background
Six sections of the Privacy Rule and one section of the Security Rule address sanctions against
members of a covered entity’s workforce. 51 In general, a covered entity – including a physician
– is required to sanction members of its workforce who do not comply with the covered entity’s
policies and procedures.
Model Policy
The practice sanctions workforce members who use or disclose protected health information
(PHI) in violation of the practice’s policies and procedures.
Model Procedure
The practice applies appropriate sanctions against workforce members who fail to comply with
the practice’s privacy and security policies and procedures. The particular sanction depends on
the harm created by the unauthorized use or disclosure of PHI, whether the use or disclosure was
intentional or unintentional, and whether or not the workforce member has previously used or
disclosed PHI in violation of the practice’s privacy policies and procedures.
Generally sanctions will be imposed as follows:
• For an initial violation by a member of the practice’s workforce of the practice’s policies and
procedures that occurs:
  • unintentionally, the workforce member receives a warning. In addition, the practice
  requires the workforce member clearly to understand how the unintentional use or
  disclosure occurred and how to avoid future such uses or disclosures.
  • intentionally and causes:
    • no or minimal harm to the subject of the PHI or to other individuals, the workforce
    member receives a warning. In addition, the practice requires the workforce member
    clearly to understand the need not to use or disclose PHI in violation of the practice’s
    policies and procedures.
    • significant harm to the subject of the PHI or to other individuals, the workforce
    member is given time off without pay. The amount of time off will range from 1 to 3
    days and will depend on the harm caused. In addition, the practice requires the
    workforce member clearly to understand the need not to use or disclose PHI in
    violation of the practice’s policies and procedures.
• For a repeat violation by a member of the practice’s workforce of the practice’s policies and
procedures that occurs:
  • unintentionally, the workforce member will receive time off without pay. The time off
  will range from 1 to 3 days and will depend on how much harm, if any, was caused to the
  subject of the PHI or to other individuals. In addition, the practice requires the workforce
  member clearly to understand how the unintentional use or disclosure occurred and how
  to avoid future such uses or disclosures.
  • intentionally and causes:
    • no or minimal harm to the subject of the PHI or to other individuals, the workforce
    member receives time off without pay. The time off will range from 3 to 5 days and
    will depend on how much PHI was used or disclosed and for what purpose. In
    addition, the practice requires the workforce member clearly to understand the need
    not to use or disclose PHI in violation of the practice’s policies and procedures.
    • significant harm to the subject of the PHI or to other individuals, the workforce
    member is given time off without pay. The amount of time off will range from 3 to 7
    days depending on how much harm was caused to the subject of the PHI or to other
    individuals. In addition, the practice requires the workforce member clearly to
    understand the need not to use or disclose PHI in violation of the practice’s policies
    and procedures.
• If a workforce member intentionally uses or discloses PHI four or more times, the workforce
member will be terminated.
51 § 164.308(a)(3)(ii)(C) – Implementation Specification – Termination Procedures; § 164.502(j)(1) – Disclosures by
Whistleblowers; § 164.502(j)(2) – Disclosures by Workforce Members who are Victims of a Crime; § 164.530(e)(1) – Standard –
Sanctions; § 164.530(e)(2) – Implementation Specifications – Documentation; § 164.530(g) – Standard – Refraining from
Intimidating or Retaliatory Acts; and § 164.530(j) – Standard – Documentation.
Exceptions to Applying Sanctions to Workforce Members
There are three exceptions to workforce sanctions: the whistleblower exception, the crime victim
exception, and the complaints, investigations, and opposition exception.
Whistleblower Exception: The practice will not impose sanctions against a workforce member
for the use or disclosure of PHI made in accordance with the whistleblower provisions.
Crime Victim Exception: The practice will not impose sanctions against a workforce member
for the use or disclosure of PHI made in accordance with the crime victim provisions.
Complaints, Investigations and Opposition Exceptions: The practice does not intimidate,
threaten, coerce, discriminate against, or take other retaliatory action against workforce members
and others who:
• file a complaint with the secretary of DHHS;
• testify, assist, or participate in an investigation, compliance review, proceeding, or
hearing under Part C of Title XI – utilization and peer review programs for Medicare and
Medicaid; or
• oppose any act or practice made unlawful by the Privacy Rules, provided the workforce
member or business associate has a good faith belief that the practice is unlawful, and the
manner of the opposition is reasonable and does not involve disclosure of PHI.
Documentation
The practice will document all sanctions taken against workforce members in its personnel files.
The practice maintains this information for a period of six years from the date of its creation.
Administrative Requirements – Documentation
Background
Eight sections of the Privacy Rule and five sections of the Security Rule address the need for
documentation. 52 In general, a covered entity – including a physician – is required to document
when PHI is released for other than payment, treatment, or health care operations; when an
individual makes a request of the practice, together with the practice’s response; when a disclosure
is made pursuant to an authorization; and when information is used for research purposes.
Additionally, under Washington law, a health care provider must chart all disclosures, except to
third-party payors, of health care information, and such chartings become part of the patient’s
health care information. 53
Model Policy
The practice maintains all documentation as required by the Privacy and Security Rules and
discussed throughout this policy and procedures manual.
NOTE: Only Security Rule documentation is included below. The Privacy Rule
requires additional documentation that should be addressed in Privacy Policies
and Procedures.
Model Procedure
Document Retention: All documentation is maintained for a period of six years.
Documentation of Security Requirements
Risk Analysis: The practice has completed a risk analysis (see Small Practice Security Risk
Analysis, page 59).
Evaluation: The practice updates its risk analysis on an annual basis (see Administrative
Safeguards – Risk Analysis, Risk Management and Ongoing Risk Evaluation, page 11).
52 § 164.316(a) – Standard – Policies and Procedures; § 164.314(b) – Standard – Documentation; § 164.316(b)(2)(i) –
Implementation specification – Time Limits; § 164.316(b)(2)(ii) – Implementation specification – Availability;
§ 164.316(b)(2)(iii) – Implementation specification – Updates; § 164.508 – Uses and Disclosures for which an Authorization is
Required; § 164.512(i) – Uses and Disclosures for Research Purposes – Documentation Requirements of IRB; § 164.520(e) –
Notice of Privacy Practices for Protected Health Information – Implementation Specifications – Documentation; § 164.522 –
Rights to Request Privacy Protection for Protected Health Information; § 164.524(e) – Access of Individuals to Protected Health
Information – Implementation Specification – Documentation; § 164.526(f) – Amendment of Protected Health Information –
Implementation Specification – Documentation; § 164.528(d) – Accounting of Disclosures of Protected Health Information –
Implementation Specification: Documentation; and § 164.530(j) – Administrative Requirements – Standard – Documentation.
53 RCW 70.02.020.
PHI Software Log: The practice maintains a log of all software containing or using PHI (see
“PHI” Software Log, page 15).
PHI Backup Log: The practice maintains a log of all its PHI data backups (see Backup Log,
page 16).
Device and Media Controls Log: The practice keeps a log of all computer devices and
electronic media (see Device and Media Controls Log, page 33).
Documentation of Administrative Requirements
Security Officer: The practice documents the name and title of its Security Officer (see page
41).
Security Incidents: The practice documents all security incidents (see Security Incident Log,
page 44).
Training: The practice documents the training provided to each workforce member (see
Training Log, page 47).
Workforce Sanctions: The practice documents all sanctions it takes against workforce
members (see page 51).
HIPAA Security Readiness Checklist

SECURITY POLICIES AND PROCEDURES
Topic | Policy Developed | Procedure Developed | Procedure Tested | Need to Modify? | Policy Finalized | Procedure Finalized

SECURITY – ADMINISTRATIVE SAFEGUARDS
Risk Analysis, Risk Management, and Ongoing Risk Evaluation | | | | Yes / No | |
Contingency Planning | | | | Yes / No | |
Physical Controls for Visitor Access | | | | Yes / No | |

SECURITY – PHYSICAL SAFEGUARDS
Access Control | | | | Yes / No | |
Records Processing – Receiving, Sending, and Disposing of PHI | | | | Yes / No | |
Computer Workstation Use and Security | | | | Yes / No | |
Device and Media Controls | | | | Yes / No | |

SECURITY – TECHNICAL SAFEGUARDS
Personal or “Entity” Authentication | | | | Yes / No | |
Security Configuration – Documentation, Testing, Inventory, Virus Control | | | | Yes / No | |
Audit Controls and Integrity | | | | Yes / No | |
Transmission Security | | | | Yes / No | |

SECURITY ADMINISTRATIVE REQUIREMENTS
Security Officer | | | | Yes / No | |
Information Access Management | | | | Yes / No | |
Security Incident Procedures | | | | Yes / No | |
Awareness and Training for Staff | | | | Yes / No | |
Workforce Sanctions | | | | Yes / No | |
Documentation | | | | Yes / No | |

RECOMMENDED SECURITY TRACKING LOGS | Developed | Incorporated into Procedures
“PHI” Software Log | |
Backup Log | |
Device and Media Controls Log | |
Complaint Log | |
Mitigation Log | |
Security Incident Log | |
Training Log | |

OTHER SECURITY FORMS | Developed | Incorporated into Procedures
Acknowledgment of Training Form | |
Small Practice Security Risk Analysis
This risk analysis follows the ISMS and ISMIE Mutual Insurance Company Model Security Policies and
Procedures. If you answer “YES” to all the questions in this risk analysis, then your practice is on the
way to meeting the HIPAA Security Rule requirements as reflected in those model policies and
procedures. The policies and procedures list more specific implementation specifications and need to
be reviewed in detail to ensure that they reflect the actual procedures in your office. Keep in mind that
some items may appear in several places in the model policies and procedures. In most instances, those
items are addressed only once in this risk analysis.
If you answer “NO” to any of the questions in the risk analysis, you need to evaluate your practice to
determine if you need to alter your current policies and procedures to ensure compliance with the HIPAA
Security Rule. In addition, the model policies and procedures will need to be modified if you decide that
it is reasonable for your practice to answer “NO” to any of the questions.
Please file your completed risk analysis with your other HIPAA documentation. This is an important
piece in documenting that you are complying with the HIPAA Security Rule.
This risk analysis should be reviewed and updated once a year or more frequently as required by your
policies and procedures.
Administrative Safeguards
Contingency Planning
“Criticality” Analysis: Does the practice keep a log of its devices and media and a log of the software on each of its devices that may contain confidential information?  Yes / No
NOTE: If a practice has electronic medical records and does not keep paper copies of those medical records, this section will have to be expanded. The analysis will have to document which systems are necessary – critical – to ensure timely patient care.
Data Backup Plan
Does the practice back up all protected health information (PHI) – confidential information – maintained on its computer systems on at least a weekly basis?  Yes / No
Is the backup password protected?  Yes / No
Are two copies made and one stored at a secure off-site location?  Yes / No
Are backups logged?  Yes / No
Are copies retained for four weeks and then destroyed or recycled?  Yes / No
Is the Security Officer or another authorized workforce member able to retrieve the backup as required?  Yes / No
Testing Restoration: Once every six months, when new software is installed, and when new devices are installed, does the practice check to make sure it can recover lost data from its backup?  Yes / No
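The Data Backup Plan questions above can be checked mechanically against the practice's Backup Log. The following is an added example, not part of the ISMS/ISMIE model policies: it audits a constructed sample log against the weekly-backup, password, two-copies/off-site, four-week retention and six-month restore-test rules. The log field names and the 183-day reading of "six months" are assumptions made for this example.

```python
from datetime import date, timedelta

# Thresholds taken from the Data Backup Plan questions.
MAX_BACKUP_AGE = timedelta(days=7)          # "on at least a weekly basis"
RETENTION = timedelta(weeks=4)              # "retained for four weeks"
MAX_RESTORE_TEST_AGE = timedelta(days=183)  # "once every six months" (assumed as 183 days)

# Reference date for the constructed sample log below.
SAMPLE_TODAY = date(2004, 3, 15)


def audit_backup_log(entries, restore_tests, today):
    """Check a Backup Log against the plan; returns {check: [findings]}.

    entries: one dict per backup run with keys date, copies, offsite,
             password_protected, destroyed (field names are assumptions).
    restore_tests: dates on which recovery from backup was verified.
    An empty findings list means that check passed.
    """
    findings = {"weekly": [], "password": [], "two_copies_offsite": [],
                "retention": [], "restore_test": []}
    if not entries:
        findings["weekly"].append("no backups logged")
    else:
        latest = max(e["date"] for e in entries)
        if today - latest > MAX_BACKUP_AGE:
            findings["weekly"].append(f"last backup {latest} is older than 7 days")
    for e in entries:
        if not e["password_protected"]:
            findings["password"].append(f"{e['date']}: backup not password protected")
        if e["copies"] < 2 or not e["offsite"]:
            findings["two_copies_offsite"].append(
                f"{e['date']}: fewer than two copies or no off-site copy")
        # Copies older than four weeks should already be destroyed or recycled.
        if today - e["date"] > RETENTION and not e["destroyed"]:
            findings["retention"].append(
                f"{e['date']}: copy past four-week retention still held")
    if not restore_tests or today - max(restore_tests) > MAX_RESTORE_TEST_AGE:
        findings["restore_test"].append("no restoration test in the last six months")
    return findings


def run_sample():
    """Audit a constructed sample log (not real practice data)."""
    log = [
        {"date": date(2004, 3, 12), "copies": 2, "offsite": True, "password_protected": True, "destroyed": False},
        {"date": date(2004, 3, 5), "copies": 2, "offsite": True, "password_protected": True, "destroyed": False},
        {"date": date(2004, 2, 27), "copies": 1, "offsite": False, "password_protected": True, "destroyed": False},
        {"date": date(2004, 2, 6), "copies": 2, "offsite": True, "password_protected": False, "destroyed": False},
        {"date": date(2004, 1, 30), "copies": 2, "offsite": True, "password_protected": True, "destroyed": True},
    ]
    restore_tests = [date(2003, 8, 1)]  # last verified restore, more than six months ago
    return audit_backup_log(log, restore_tests, SAMPLE_TODAY)


if __name__ == "__main__":
    for check, problems in run_sample().items():
        print(check, "PASS" if not problems else problems)
```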
Disaster Recovery Plan
Does the practice have a disaster recovery plan that depends on the type and scope of the disaster, e.g., PHI has been lost and the computer systems still function or only some portion of the computer systems still function?  Yes / No
When a disaster has occurred – when electronic information is lost for whatever reason – does the practice’s Security Officer implement the disaster recovery plan?  Yes / No
NOTE: If a practice has electronic medical records and does not keep paper copies of those medical records, this section will have to be expanded. Restoration of PHI becomes critical to the treatment of patients and must be accessible in a timely fashion.
Emergency Mode Operation: The practice does not need its electronic-based PHI to operate in emergency situations.  Not Applicable
NOTE: If a practice has electronic medical records and does not keep paper copies of those medical records, this section will have to be expanded. Restoration and emergency mode operation become critical to the treatment of patients and must be accessible in a timely fashion.
Physical Controls for Visitor Access
Does the practice minimize the presence of visitors in the office?  Yes / No
Does the practice require all visitors (not patients) to sign in?  Yes / No
If appropriate, does the practice provide visitors an escort to ensure they do not have inappropriate or unauthorized access to PHI?  Yes / No
Physical Safeguards
Access Control
Personnel Security
Does the practice ensure that only authorized workforce members have access to PHI?  Yes / No
Given the size and configuration of the practice, do all workforce members have access to all computer terminals in the office, all programs on those computers, and all PHI used in those programs on an as-needed basis?  Yes / No
Termination
Does the practice terminate a workforce member’s access to all PHI when the workforce member is terminated?  Yes / No
Does the practice require the terminated workforce member to turn in any keys or other access devices that may have been issued by the practice?  Yes / No
Does the practice deactivate all passwords of the terminated workforce member?  Yes / No
Physical Safeguards
Does the practice ensure that paper-based and electronic-media-based PHI are safeguarded?  Yes / No
Does the practice manage medical records to ensure the privacy of the PHI in the medical records?  Yes / No
Does the practice manage the billing records to ensure the privacy of the PHI in the billing records?  Yes / No
Is the practice careful not to post any PHI, including schedules?  Yes / No
Is the practice careful to restrict conversations containing PHI?  Yes / No
Need-to-Know
Does the practice recognize that each workforce member only has access to the PHI he or she needs to perform his or her particular job functions?  Yes / No
Does the practice limit the PHI it discloses to that necessary to meet the purpose of the disclosure, including for payment and health care operations?  Yes / No
Does the practice limit its requests for PHI to information that is “reasonably necessary” to accomplish the purpose of the request, and for routine, recurring requests, have in place a description of the information being requested and the purpose for the request?  Yes / No
Records Processing – Receiving, Sending, and Disposing of PHI
Receiving PHI
Does the practice handle PHI delivered from outside the practice (electronic media or paper records) in the same manner as other PHI in the practice when the PHI is delivered via the mail or by a patient?  Yes / No
If the practice receives PHI via fax, is the fax machine kept in a secure area of the office?  Yes / No
When the office is open, is the fax monitored at all times by the practice’s workforce and are visitors restricted from accessing the fax machine?  Yes / No
Is any PHI received electronically sent to one of the practice’s computers and secured in accordance with the practice’s policies and procedures governing electronic PHI?  Yes / No
Sending PHI
When the practice sends PHI outside the practice, does it stamp all packages and envelopes containing such PHI as “CONFIDENTIAL: PROTECTED HEALTH INFORMATION ENCLOSED” or simply “CONFIDENTIAL”?  Yes / No
Prior to sending PHI via fax to a fax number used on a regular basis, does the practice initially confirm the fax number by actually sending a fax and confirming its receipt?  Yes / No
Are all faxes sent with a cover sheet that indicates the confidential nature of the fax and how to proceed if the fax was received in error?  Yes / No
Disposal of Paper-Based PHI: Does the practice collect and shred paper-based PHI, including telephone notes, draft letters, copies of memos, tests and other items that no longer are needed, and information that is printed out for viewing and is maintained permanently electronically?  Yes / No
Computer Workstation Use and Security
Does each workforce member have his or her personal password?  Yes / No
Do the practice’s computers have password-protected screen savers?  Yes / No
Does each workforce member log off his or her computer when he or she is finished for the day or when away from the computer for longer than one hour?  Yes / No
Are the locations that contain the computers locked when the practice is closed?  Yes / No
Are the computers secured at their locations using computer locks?  Yes / No
Are electronic media protected in the same manner as paper-based PHI?  Yes / No
Are the computer screens positioned in such a manner as to minimize the ability of unauthorized individuals to view information on the screens?  Yes / No
Are individuals not allowed in areas of the office where they will be able to view screens, except in passing?  Yes / No
Does the practice protect PHI on mobile devices, including laptop computers, personal digital assistants (PDAs) and cell phones?  Yes / No
NOTE: If the practice keeps PHI on mobile devices, you must include language regarding how you secure the PHI on those devices.
NOTE: If the practice keeps PHI on other devices, such as testing equipment, you must include language on how you secure these devices. If these devices do not contain patient-identifying information, they do not contain PHI.
Device and Media Controls
Accountability
Does the practice maintain a record of all computer hardware and
electronic media that store PHI, and does this log indicate (1) which
workforce members are authorized to access PHI on each computer and
electronic media and (2) when the computer or media is removed from
the practice location?
Does the practice record all devices and media that may contain PHI,
including computers and related devices as well as other equipment, e.g.,
cell phones, PDAs, clinical devices that store patient-specific
information, fax machines, and duplicating machines and printers that
may store images?
Media Re-Use: Does the practice reuse media only when all electronic PHI
previously stored on the media is removed and unrecoverable?
Disposal of Devices and Media: Does the practice dispose of devices and
media in a fashion that prevents the disclosure of PHI?
Removal of Devices and Media: When the practice removes devices and
media from the practice site, e.g., a portable computer or a PDA, does the
practice treat the device or media in the same fashion that it treats paper
medical records?
Technical Safeguards
Personal or “Entity” Authentication
Identification and Authentication
Does the practice issue each member of the workforce a unique user name and an initial password?  Yes / No
Are passwords changed at least once every 90 days?  Yes / No
Does the practice use the standard password protection programs for log on and in each of the programs in which it stores PHI?  Yes / No
Are workforce members educated regarding the appropriate choice of passwords (e.g., no names) and the need to keep passwords confidential?  Yes / No
Are workforce members educated to not keep passwords in written or electronic form in the practice and to not share passwords?  Yes / No
Automatic Logoff
Does the practice require that all computers “lock up” and require an individual to sign on after a 15-minute period of not being used?  Yes / No
Does the practice configure its computers such that another individual is not able to access the computer until the first individual re-enters his or her password and then logs off the system?  Yes / No
Password Deletion: Does the Security Officer delete passwords when a workforce member is terminated or no longer has rights to access a particular system or computer?  Yes / No
Documentation, Testing, Inventory, Virus Control
Testing: Does the practice periodically test all hardware and software to ensure it meets the practice’s security policies and procedures?  Yes / No
Inventory: Does the practice have an inventory of all hardware and software used by the practice?  Yes / No
Virus Detection: Does the practice have in place a virus detection program to protect the practice’s data, run a virus scan on each of its computers daily, and update the virus protection on a regular basis?  Yes / No
Firewall: Does the practice have in place an up-to-date firewall program to protect the practice’s data?  Yes / No
Windows Update: Does the practice use the Windows operating system and check at least once a week for critical updates by running the “Windows Update”?  Yes / No
NOTE: If the practice does not use the Windows operating system, then the previous paragraph needs to be changed to reflect how the practice’s operating system is updated in accordance with the system vendor’s recommendations.
Transmission Security
NOTE: The model policies and procedures included above assume that you are not sending or receiving PHI electronically, e.g., via e-mail or over the Internet. If you do send any PHI electronically, the practice must ensure the “transmission security” of the PHI.
Does the practice use a program to protect PHI sent electronically, e.g., locking all data files?  Yes / No
Other Administrative Policies and Procedures
Security Officer
Does the practice have a Security Officer?  Yes / No
Does the practice document who is the Security Officer and maintain that document for six years?  Yes / No
Information Access Management
Does the practice allow all members of its workforce to have access to all PHI as necessary for them to carry out their job functions and support the efficient operation of the practice?  Yes / No
Does the practice limit access to PHI to that information necessary for a member of its workforce to carry out his or her job functions?  Yes / No
Does the Security Officer monitor the practice’s operations to ensure that all workforce members are accessing PHI appropriately?  Yes / No
Security Incident Procedures
Does the practice monitor information system activity to detect security incidents?  Yes / No
Does the practice record and follow up when it determines someone or some program has entered its computer system from outside the practice or someone inside the practice accesses, uses, or changes PHI in an unauthorized manner?  Yes / No
If there have been harmful effects, does the Security Officer take steps to mitigate those harmful effects?  Yes / No
Does the practice train the workforce to deal with security incidents and minimize harmful effects of security incidents?  Yes / No
Awareness and Training for Staff
Does the practice provide training to its workforce with respect to the security of protected health information (PHI), have ongoing training and periodic training updates, and document that each member of the workforce is trained?  Yes / No
Workforce Sanctions
Does the practice apply appropriate sanctions against workforce members who fail to comply with the practice’s security policies and procedures?  Yes / No
Is the particular sanction dependent on the harm created by the unauthorized use or disclosure of PHI, whether the use or disclosure was intentional or unintentional, and whether or not the workforce member has previously used or disclosed PHI in violation of the practice’s policies and procedures?  Yes / No
Does the practice have in place exceptions to applying the sanctions to workforce members in the case of a “whistleblower,” crime victim, and complaints and investigations?  Yes / No
Does the practice document all sanctions taken against workforce members in its personnel files and maintain this information for a period of six years from the date of its creation?  Yes / No
Risk Analysis, Risk Management, and Ongoing Risk Evaluation
Risk Analysis: Has the practice completed this risk analysis?  Yes / No
Risk Management: Has the practice addressed any item for which you answered “No” on this risk analysis? If not, now is the time to do so to ensure your practice meets the requirements of the Security Rule.  Yes / No
Ongoing Evaluation: Is the practice planning to update this risk analysis on an ongoing basis?  Yes / No