HIPAA EXPRESS

PRIVACY COMPLIANCE MANUAL

Central Maryland Endoscopy, LLC

HIPAA PRIVACY COMPLIANCE MANUAL

EFFECTIVE DATE:

June 27, 2005

Central Maryland Endoscopy, LLC (CME)

HIPAA Compliance Manual

TABLE OF CONTENTS

OVERSIGHT RESPONSIBILITIES

Chapter I – HIPAA Background

Policy/Procedure: Designation of Privacy Officer & Complaints Contact Person

Chapter II - Procedures for Patient Privacy

Before Provision of Care – First Visit

Forms Which Patient may Utilize At Any Time During Care

Forms Which Provider Must Utilize to Respond to Specific Patient Requests or to Request Copies from Other Providers

Forms Which Provider Must Utilize Regarding Release of Medical Records

Policy/Procedure Re: Notice to Patients

Policy/Procedure Re: Consent for Release of Medical Records

Policy/Procedure Re: Amendment of Records

Policy/Procedure Re: Authorization to Obtain Medical Records

Policy/Procedure Re: Disclosure of Records

Accounting for Access

Chapter III - Business Entities/Business Associate Procedures

Chapter IV - Security & Electronic Transaction Standards

Overview of Proposed Security Standards

HIPAA Regulations Timetable

HIPAA Electronic Transaction Standards

Chapter V – HIPAA Compliance Administrative Policies

Patient Complaints Procedure

Managing a Breach in Patient Confidentiality

Maintaining & Updating Privacy Policies & Procedures

Chapter VI – HIPAA Forms

NOTICE OF PRIVACY PRACTICES

DISCLOSURE TO FAMILY/FRIENDS

RESTRICTION ON USE AND RELEASE OF MEDICAL RECORDS

SPECIFIC AUTHORIZATION FOR RELEASE OF MEDICAL RECORDS

REQUEST FOR AMENDMENT OF MEDICAL RECORD

RESPONSE TO REQUEST TO AMEND RECORDS

NOTICE OF AMENDMENT TO MEDICAL RECORD

AUTHORIZATION TO OBTAIN MEDICAL RECORDS

GRANTING OF REQUEST BY PATIENT FOR DISCLOSURE

DENIAL OF REQUEST BY PATIENT FOR DISCLOSURE

ACCOUNTING FOR ACCESS PROVIDED TO MEDICAL RECORDS

BUSINESS ASSOCIATE AGREEMENT

PRIVACY OFFICER

CONTACT PERSON IDENTIFICATION FORM

ADMINISTRATIVE COMPLAINTS FORM

HIPAA TRAINING - ATTENDANCE LOG SHEET

HIPAA ANNUAL TRAINING SCHEDULE

ELECTRONIC STANDARDS COMPLIANCE LETTER TO BILLING COMPANY

OVERSIGHT RESPONSIBILITIES

HIPAA Privacy Officer: Jean Tumbarello

HIPAA – Complaints Contact Person: Jean Tumbarello

HIPAA Express Privacy Compliance Manual

Copyright - Michael Steinberg & Associates, Inc.

11/05/2001

Chapter I – HIPAA Background

In preparation for compliance with the pertinent HIPAA regulations, and in order to meet required standards as of April, 2003, this chapter outlines the issues pertinent to HIPAA for CENTRAL MARYLAND ENDOSCOPY, LLC, and presents the appropriate procedures and forms which our practice utilizes to gain and maintain compliance with the regulations.

The Congress included provisions to address the need for standards for electronic transactions and other administrative simplification issues in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, which was enacted on August 21, 1996. Through Subtitle F of Title II of that law, the Congress added to Title XI of the Social Security Act a new Part C, entitled “Administrative simplification.” (Public Law 104-191 affects several titles in the United States Code.) The purpose of this part is to improve the Medicare program under Title XVIII of the Social Security Act and the Medicaid program under Title XIX of the Act, and to improve the efficiency and effectiveness of the health care system, by encouraging the development of an efficient and secure health information system through the establishment of standards and requirements to enable the electronic exchange of certain health information.

The effect of this monumental bureaucratic effort, albeit with the best of intentions, is a host of new rules and regulations which impact the health care provider in day-to-day information management processes for all insurance types, not just Medicare and Medical Assistance.

In general, many of these rules are intended to define standards that not only impact “how” information is shared electronically, but also create standards for the overall management of any “privileged” patient information.

The HIPAA regulations, as they affect day-to-day provider practices, fall into three categories.

1. Those forms and procedures which must be implemented with regard to management of individual, patient medical records.

2. Those forms and procedures which must be implemented with regard to business entities with whom the practice regularly shares patient information such as billing companies, electronic clearinghouses, transcription services, etc.

3. The procedures which must be implemented with regard to security standards for the electronic maintenance and transmission of individual health information.

Policy/Procedure: Designation of Privacy Officer & Complaints Contact Person

To comply with HIPAA, CME will designate an individual as the “Privacy Officer” who will be responsible for the development and implementation of the privacy policies and procedures. The Privacy Officer may be a licensed health care practitioner or a member of the management staff. The Privacy Officer is to be responsible for the following:

  1. Arranging for training for all employees and contractors working in the practice. The training should explain the policies and procedures regarding patient privacy compliance, and the training sessions should be documented in a log, to contain dates, times, attendees, and subject.
  2. Providing that no person is intimidated, coerced, or retaliated against for asserting privacy rights or reporting possible privacy right violations.
  3. Providing that employees or contractors who violate patients’ privacy rights are appropriately disciplined or that such relationships are terminated.
  4. Initiating changes to the practice’s policies and procedures when changes in the law require amendments.
  5. Arranging for the maintenance of records relating to patient privacy compliance for a minimum of 6 years.

CME will also designate a contact person who is responsible for receiving complaints regarding the practice’s HIPAA compliance. This person’s name and phone number should be placed on the “Notice” provided to all new patients. The contact person should maintain a log indicating complaints received and date received, as well as actions taken to resolve the complaints, with a close-out date.

CME will use the Forms entitled “Privacy Officer” (Form 14) and “Contact Person” (Form 15) to designate the persons performing the “Privacy Officer” and “contact person” functions and they are listed as well in the introductory chapter to this manual. The same person may hold both offices. Whenever the individual responsible for either position changes, CME will complete new forms and date them with the effective date for the change. After completion these forms should be placed in the personnel file of the designated individual(s) as documentation that the individual understands their commitment to these responsibilities as a part of their job description/responsibilities.

Chapter II - Procedures for Patient Privacy

Background – Patient Confidentiality

Patients have always been entitled to rely upon the confidentiality of their medical records and the information contained therein. In general, access may be provided only to the extent authorized by the patient, or permitted or required by law. Those who do not have authorization should not be allowed access to confidential patient information. The policies and forms contained herein are intended to assist providers in meeting the requirements of the law, but provider staff should be made aware that these issues require general vigilance. For example, patient records should not be left lying around where unauthorized persons may view them, and patient concerns should not be discussed in public places (such as elevators or restrooms) where others may overhear.

Before Provision of Care – First Visit

Under HIPAA Regulations the provider is required to obtain specific authorizations from the patient regarding release of certain privileged medical information and is also required to notify the patient how their information may be used and disclosed in the course of general business. This notification also summarizes the patient’s rights with regard to release of this information.

At or before the first visit, the following forms must be given to the patient (or patient’s legal guardian) for signature:

1. “Notice of Privacy Practices”

In the event that the patient indicates they wish to specify any restrictions to this authorization, the patient should be provided with the following form immediately:

  1. “Restriction on Use and Release of Medical Records” (FORM 4)

In the event the patient indicates they want to specify who we share information with, they should be given “Disclosure to Family/Friends” (Form 3) to fill out.

It is our policy to place a warning label on the outside of our patients’ medical record to call attention to the fact that there are specific medical record release restrictions, any time the chart is pulled to respond to a request for records. (See separate label file on this CD)

Note: Remember the provider has the option to refuse to accept the restriction, in which case the patient may choose to be seen elsewhere. If the provider accepts the restrictions, the practice must and will adhere to those restrictions.

Forms Which Patient may Utilize At Any Time During Care

1. Specific Authorization for Release of Medical Records (FORM 5)

2. Request for Amendment of Medical Record (FORM 6)

Forms Which Provider Must Utilize to Respond to Specific Patient Requests or to Request Copies from Other Providers

1. “Response to Request to Amend Records” (FORM 7)

2. “Notice of Amendment to Medical Record” (FORM 8)

3. “Authorization to Obtain Medical Records” (FORM 9)

It is CME’s policy to request that a new patient sign the “Authorization to Obtain Medical Records” when it is necessary to obtain records from another physician/office.

Forms Which Provider Must Utilize Regarding Release of Medical Records

1. “Granting of Request by Patient for Disclosure” (FORM 10)

2. “Denial of Request by Patient for Disclosure” (FORM 11)

3. “Accounting for Access Provided to Medical Records” (FORM 12)

All Forms are found in the appendix at the back of this chapter.

The following procedures clarify the context and functional application in usage of the Patient Related Forms in accordance with HIPAA regulations.

Policy/Procedure Re: Notice to Patients

HIPAA requires health care providers to give patients a written notice containing a variety of required information. (45 CFR § 164.520) Use the form “Notice of Privacy Practices” to meet this requirement.

Prior to provision of services the “Notice” must be given to the patient. This is for the patient to keep. A notation on the informed consent acknowledges the receipt of the “Notice” by the patient.

It is the general requirement of our practice that the “Notice” is given to the patient on or before the first date of service. A copy of the notice is posted in a clear and prominent location in every office where services are delivered. The preferred locations are at the Front Desk where patients check in and the desk where patients check out.

An “indirect” care provider does not have to provide the “Notice to Patients” prior to initiating treatment. An “indirect” care provider is one who provides ancillary care upon the orders of another health care provider, and who reports the diagnosis or results associated with the services directly to the provider ordering the service. If an “indirect” care provider later provides services directly to a patient, the notice rules will then apply.

Policy/Procedure Re: Consent for Release of Medical Records

The General Authorization is included in the “Notice” allowing CME to release medical records/information, without specific consent. The following reasons are stated on the form:

1. For the purpose of providing treatment;

2. For the purpose of arranging for payment for treatment; and

3. For the purpose of Provider’s “health care operations.” This includes such things as internal quality assessment activities, contacting other health care providers regarding treatment alternatives, evaluating provider performance, training providers of care, legal and medical review of care provided, business planning and management, customer service, resolution of internal grievances and the provision of legal and auditing services.

4. For the purpose of other health care providers’ “health care operations” to the extent that they have a treatment relationship with the patient.

The “Notice” notifies the Patient that he/she may seek to restrict how the Provider utilizes the Patient’s medical information. If the patient so indicates, provide the Patient with the form entitled “Restriction on Use and Release of Medical Records” (FORM 4). The patient will fill out the form, indicating any desired restriction of the use of his/her records. The patient’s Provider at CME must then indicate on the form whether the requested restriction is acceptable, returning the completed form to the Patient. If the request is not agreed to, the Provider may refuse care, and, of course, the Patient may wish to seek treatment elsewhere. If the Provider accepts limitations, CME must follow them throughout the course of care for the patient.

If the patient expresses a wish to disclose information to other persons, give him the form entitled “Disclosure to Family/Friends” (FORM 3). This form allows the Patient to indicate whether or not he/she wishes to allow family or friends access to confidential information. The persons, as well as the nature of the information, can be specified. CME treats a failure to fill out the form as we would an express decision to limit access to those with legal authority. In other words, if the patient has not specified family or friends with specific rights of access to the record, then family/friends in fact have NO rights of access, unless they can demonstrate that they are the legally authorized representative of the patient.

In order to obtain approval for the release of medical records/information in cases not covered by the terms of the “Notice,” use the form entitled “Specific Authorization for Release of Medical Records” (FORM 5). This form is person- or organization-specific, in that it can be filled out only when Provider is aware of the identity of the person or entity to whom release is to be authorized. The form also requires a description of the information that may be released. This form can be filled out anytime that the need occurs. Note that there is a space on the form for the Patient to indicate any limitations that he/she wishes to place on release of information, and the purpose of the authorization.

Anytime that a patient signs a FORM 5, the patient must be given a copy of the signed form.

Note that all authorizations may be revoked in writing by the Patient. CME will immediately cease utilizing an authorization once it has been revoked. The original authorization will be clearly marked “Revoked,” and the written revocation will be stapled to it, top and bottom, to prevent anyone from mistakenly assuming it is still active.

Policy/Procedure Re: Amendment of Records

Under both HIPAA and Maryland law, patients have the right to seek amendment of their medical records if they believe that the information contained in the records is incomplete or incorrect. Patients are advised of this right in the Notice to Patients.

If a patient of CME expresses a desire to amend his or her records, the patient should be provided with the form entitled “Request for Amendment of Medical Record” (FORM 6). Once a completed form is filed with CME, the request must be evaluated, and a response provided within 60 days.

CME staff will use the form “Response to Request to Amend Records” (FORM 7) to reply to all amendment requests. Per the form, if the request is accepted, provide the patient a copy of the amendment, with the response form. In the future, consider the amendment to be part of the patient’s medical record. If the patient returns the signed form, mail copies of the amendment to those known to you to have previously received copies of the patient’s medical record, who are impacted by the amendment now on record. Use the form “Notice of Amendment to Medical Record” (FORM 8) to accomplish this.

If some or all of the requested amendment is being denied, use the form to briefly explain the reason for the denial. If the patient responds to the denial by forwarding a written statement of disagreement, include that statement in the patient’s medical record.

Policy/Procedure Re: Authorization to Obtain Medical Records

If CME wishes to obtain medical records/information regarding the Patient from another source (e.g., another health care provider), the form entitled “Authorization to Obtain Medical Records” (FORM 9) should be filled out.

The form requires the identification of the person/entity to whom the request for records will be made, and allows the Patient to place restrictions on the request. The restrictions could relate to time period of care, or nature of service, for example. A completed form is to be sent to the person/entity to whom the request for information will be made. A copy is to be retained in the Patient’s file. It is CME’s policy to request that the patient complete and sign this form at or before their first visit, to facilitate our ability to obtain records from other providers which may be needed for our providers to properly assess and review patient’s previous care.