POLICY STATEMENT
HIPAA CONFIDENTIALITY AGREEMENT AND TRAINING ATTESTATION
Please sign and return this form once you have read the four-page training guide.
Please note: The following HIPAA CONFIDENTIALITY AGREEMENT AND TRAINING ATTESTATION can be used for clerical and clinical staff. Make two copies of the 4-page training booklet and signature sheet so that you can keep a copy and the staff member can keep a copy.
HIPAA PROTOCOL AND PROCEDURES
Staff members affiliated with ______ have access to confidential information, both written and oral, in the course of their employment, affiliation and job responsibilities. It is imperative that this information not be disclosed to any unauthorized individuals, in order to maintain the integrity of the patient information. An unauthorized individual is any person who is not currently an employee of ______ and/or any individual who is an employee of the company but has no business use for such information. Any other disclosures may only occur at the direction of the Privacy Officer ______ or by patient authorization.
I have read and understand the company’s policy with regard to privacy and security of personal health information. I agree to maintain confidentiality of all information obtained in the course of my employment/affiliation, including but not limited to, financial, technical, or proprietary information of the company and personal and sensitive information regarding patients, employees, independent contractors and vendors. I understand that inappropriate disclosure or release of patient information is grounds for termination.
Signed:
______
______
(print name)
______
Date
POLICY STATEMENT HIPAA Protocol and Procedures
This practice is committed to maintaining the strictest privacy and confidentiality standards in the use and handling of any and all medical information we have access to.
To improve the efficiency and effectiveness of the health care system, the Federal Government enacted an Administrative Simplification provision of a 1996 law that required Health and Hospital Services to adopt national standards for electronic health care transactions. At the same time, Congress recognized that the growth of the electronic technology sector could seriously invade the privacy of health information. As a result, for the first time, the government established Federal protections for individual health information, effective April 14, 2003. This rule does not replace Federal, State or other laws that provide even stricter privacy protection in some instances.
The law is the Health Insurance Portability and Accountability Act, commonly known as HIPAA. The part of the law that concerns us is the Privacy Rule. The Office of Civil Rights is charged with responsibility for the Privacy Rule part of the law.
Because information is so readily available by e-mail, fax, internet and electronic records, it can easily be obtained by people who do not need to know the information and could potentially misuse it. HIPAA’s Privacy Rule addresses the following:
1. Greater restrictions on the use and disclosure of personal health information.
2. Patients have more access to, and control and protection of, their health information.
3. Establishes appropriate safeguards that healthcare providers must achieve to protect the privacy of health information.
4. Holds violators accountable, with criminal and civil penalties that can be imposed if they violate patients’ privacy rights.
5. Balances the public responsibility to disclose some forms of data to protect public health.
All employees of this practice are considered a “covered” entity, that is, a person or organization that has access to protected health information and shares that information electronically. As such they are required to follow the HIPAA Privacy Rule. Each employee is given in-service training specifically about what is considered Protected Health Information (PHI), Rules for the Use and Disclosure of PHI, Guidelines to Protect the Privacy of Health Information: How To Protect Patient Privacy, What to do if you think someone’s privacy rights have been violated, and what the consequences are for breaking the rules. Each patient on the program is presented with a Notice of Privacy Practices.
As an employee of ______ you are what is considered a “covered” entity, that is, a person or organization that has access to protected health information and shares that information electronically. As such you are required to follow the HIPAA Privacy Rule.
Protected Health Information (PHI)
You need to know what information is covered under the rule and the types of information you are legally able to access and use. Two common terms are individually identifiable health information and protected health information, or simply PHI. Both phrases are essentially the same and refer to health information or patient/client information that the patient/client shares with a health care entity.
Some information may not be considered PHI alone, but combined with other information it may be like pieces of a puzzle that could lead to the identification of a patient/client. For example, a zip code is not normally a piece of information that can identify a patient, but together with a Medicare card and a telephone number, it is possible to identify that person as a patient. If the information can reasonably be connected to the person’s identity, then it is considered PHI in that instance.
All health information that identifies an individual is considered PHI. It does not matter whether we are responsible for creating the information or we receive it from another source such as a hospital, nursing home or DME company. Under the HIPAA law, it is treated the same, as confidential information. PHI can be oral, written or electronic information. A simple conversation between a nurse and an aide about a patient/client and the diagnosis is considered the same as written or electronically communicated PHI.
In general, ask the question “Do I need to know this information in order to do my job?” If the answer is no, then you should not access the information. You have authorization to access and use certain types of information on a “need to know” basis under particular circumstances and conditions. Prior approval is required to have access to any other patient information.
Rules for the Use and Disclosure of PHI
To use PHI means to access, view, examine, analyze and share information. To disclose PHI means to release to, transfer to, and/or make information available to someone outside ARS. We use and disclose PHI for the following purposes:
1. Treatment, payment, and healthcare operations, without any additional consent.
2. As authorized in writing by the patient.
3. For disclosure to the individual patient.
Routine and Non-Routine Requests Not Related to Treatment
If information is directly related to the job responsibilities that you must do, generally it can be disclosed. If the information is not within your job responsibility then you must go to the designated person responsible for requests and disclosures at your assigned facility and advise that individual of that request.
Guidelines to Protect the Privacy of Health Information: How You Can Protect Patient Privacy
There are many challenges to protecting patient health information because of the number of people, departments, vendors, physicians and other professionals that may be directly or indirectly involved in a patient’s care. Here are some general guidelines and safeguards that would apply to any office, acute, sub-acute, home care or long term care situation:
1. Keep patient records in a designated area, do not leave them accessible to unauthorized individuals, and protect them from view by casual observers.
2. Refrain from discussing any and all patient information in public places, and make sure all formal and informal patient conferences are held in areas that have limited access to unauthorized individuals.
3. Remember to log off computer terminals so that confidential information cannot be viewed by onlookers.
4. Refrain from leaving papers around; all reports should be filed immediately upon creation or receipt, as appropriate.
5. Utilize designated fax or copier machines for faxing or copying patient information. If no machine is specifically designated, fax or copy information in an area that has limited or no access to unauthorized individuals.
Authorization
Because the law says it is appropriate for you to access and use information identified by the hospital leaders to complete your job responsibilities, written authorization is not required. Instances other than treatment, payment and health care operations that require access to patient information require a written authorization from the patient or authorized representative.
Privacy Officer
HIPAA requires each organization that uses protected health information to appoint a Privacy Officer to facilitate the implementation of these privacy rules. The Privacy Officer may designate a person to be responsible for implementing and maintaining most of these processes and the Privacy Officer retains oversight and responsibility for the entire program. It is your responsibility to know the names and contact numbers of the designated individuals that have been assigned responsibility for complaints and other requests related to patient privacy. The privacy officer for this practice is:
Notice of Privacy Practices
Each hospital, nursing home, private practice, HHA, etc. must have privacy practices designated to protect the privacy and confidentiality of patient protected health information. The Federal Government requires that each organization provide each patient a “Notice of Privacy Practice”. This notice, developed by the organization, defines policies as to how the organization may use and disclose patient personal health information. Privacy notices are distributed to patients only once, usually upon admission, and upon request to any member of the public. Copies of the receipt for the Notice of Privacy Practices will be kept on file for a period of 6 years. The Notice of Privacy Practice is given at the time of the first patient encounter. Parents have access to the files of their children under the age of 18.
Patient Privacy Rights
The patient also has the following rights regarding the use and disclosure of his or her protected health information without fear of retaliation. In addition, patients cannot be asked to waive their rights as a condition of treatment and payment.
1. A patient has the right to receive the Privacy Notice at the time of first service.
2. A patient has the right to request restrictions or limitations on how their protected health information is used or disclosed for treatment, payment or healthcare operations.
You may not grant or deny a patient’s request for restrictions. That request must be forwarded to the person responsible to approve or deny restrictions.
3. Health care organizations will choose a method of identifying a record containing restricted information. A notation is made in the patient’s medical record indicating that restrictions on the use and/or disclosure of protected health information are in force. For example, a brightly colored sticker can be used to indicate there are restrictions contained in the medical record.
4. The patient has the right to identify alternative means of communication and alternative locations to which they wish to have their protected health information communicated, for the purpose of maintaining confidentiality. This alternative method is different from the usual practice that the facility would use. This can include, but is not limited to, sending bills to a PO BOX as opposed to a home address, sending medical information via certified rather than regular mail, etc.
5. The patient has the right to request access to their health information for inspection and/or copying. This request is made in writing. Additionally, the patient may request to amend or change his or her health information by requesting to do so in writing.
6. The patient has the right to request, in writing, an accounting of disclosures of health care information other than for treatment, payment or health care operations.
Consequences for Breaking the Rules
There are penalties if you violate the HIPAA Privacy Rule intentionally. You can be subject to possible penalties from the Office of Civil Rights, including civil and criminal penalties. Termination by this practice is also possible. Criminal penalties can include rather hefty monetary penalties and/or jail time. Examples of criminal actions include knowingly releasing information in violation of the law, or selling the information. If you see someone breaking the rules intentionally, it is your duty to report the violation to the administrator of this practice.