HIPAA Privacy Procedure Manual Template

HIPAA PRIVACY PROCEDURE MANUAL

<Organization Name>

<Date Completed>

This document contains the procedures to be followed by all workforce members and contractors of <organization name> in order to comply with Privacy and Security provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Questions concerning the contents of this document should be referred to <individual name and contact information>.

<signature lines>

Table of Contents

Privacy Procedures

Privacy Official Job Description

Actions to be taken for the Privacy Official job description

Implementing the HIPAA records filing system

Actions to be taken for records filing

Access Request Processing

Actions To Be Taken For All Access Requests

Actions To Be Taken When An Access Request Is Accepted

Actions To Be Taken When An Access Request Is Denied

Amendment Request Processing

Actions To Be Taken For All Amendment Requests

Actions To Be Taken When the Amendment Request Is Accepted

Actions To Be Taken When An Amendment Request Is Denied

Complaint Processing

Actions To Be Taken For All Complaints

Actions To Be Taken When No Compliance Violation Is Found

Actions To Be Taken When A Compliance Violation Is Found

Actions To Be Taken For All HIPAA Investigations

Confidential Channel Communication Request Processing

Actions To Be Taken For Confidential Communication Requests

Disclosure Accounting Request Processing

Actions To Be Taken For Disclosure Accounting Requests

Individual Permission—Authorization

Actions To Be Taken When Obtaining Written Authorization

Actions To Be Taken When Obtaining Verbal Agreement

Information Disclosures--Minimum Necessary

Actions To Be Taken For All Information Disclosures

Actions To Be Taken When Making Routine Disclosures Of Information

Actions To Be Taken When Making Non-Routine Disclosures

Actions To Be Taken When Disclosing Information to Law Enforcement

Actions to Be Taken When Disclosing Information to Correctional Institutions and Other Law Enforcement Custodial Situations

Actions To Be Taken When Disclosing Information To Public Authorities

Actions To Be Taken When Disclosing Information For A Judicial Or Administrative Proceeding

Actions To Be Taken When Disclosing Information In Facility Directories

Actions To Be Taken When Disclosing Information For Research, Marketing, Or Fundraising Purposes

Fundraising Activities

Actions to be taken for Fundraising Processing

Actions To Be Taken When Disclosing Information To The Individual

Actions To Be Taken When Disclosing Information To The Department Of Health and Human Services as Part Of A Compliance Review

Actions To Be Taken When Disclosing Information About Deceased Individuals

Actions To Be Taken When Disclosing Information About Minors To Their Parents Or Guardians

Immunization Information Disclosures

Actions to be taken for Immunization disclosures to schools

Information Requests

Actions To Be Taken For All Information Requests

Actions To Be Taken When Making Routine Requests For Information

Actions To Be Taken When Making Non-Routine Requests

Notice and Acknowledgement

Actions To Be Taken With Respect To Publication Of The Notice

Actions To Be Taken When Gaining Acknowledgement Of The Notice

Personal Representatives

Actions To Be Taken When Dealing With Personal Representatives

Record Retention

Actions To Be Taken For Record Retention Purposes

Regulatory Currency

Actions To Be Taken To Ensure Regulatory Currency

Requesting Restrictions on Disclosures of PHI (Special Privacy Protections)

Actions To Be Taken For Special Privacy Protection Requests

Workforce Training and Awareness

Actions To Be Taken For Initially Training The Workforce

Actions To Be Taken For Training New Workforce Members

Actions To Be Taken For Additional, Initial, and Ongoing Training Of The Workforce

Actions To Be Taken For Initially Establishing HIPAA Sanctions

Actions To Be Taken For Initially Establishing Business Associate Agreements

Actions to be Taken for Ongoing Business Associate Management / Termination of a Business Associate

[Customization Instructions: Replace any text in angle brackets (for example, “<organization name>”) with text that is appropriate to your organization. Complete any formatting (such as the inclusion of company logos) that is necessary to make this procedure document consistent with other documents used in your organization. Read the disclaimer at the top of this page, but be sure to delete it before publishing this document in its final form. (The disclaimer text is for your information only.) All text enclosed in square brackets (such as this paragraph) contains suggestions on customization options. This text should be deleted from the final form of the procedure document when your customization is complete.

While customizing these procedures, it is a good idea to gain the input of the management of your organization. You may also want to confer with legal counsel with respect to procedural restrictions imposed by your state and local laws. The <physician in charge> (medical director, or similar Official) should review any procedures that have the potential to impact treatment before the procedure is finalized. If you are not a health care provider, consider review by senior management, in-house counsel, or other appropriate individuals.

IMPORTANT NOTE: Your professional liability policies may require that certain procedures be followed for your coverage to be valid. It is extremely important to review any guidance provided by your liability carrier and to ensure that your procedures comply with this guidance.

THROUGHOUT THIS DOCUMENT WE REFERENCE PROCEDURES THAT A TYPICAL PHYSICIAN OR HEALTH CARE PROVIDER PRACTICE MIGHT USE. PLEASE CUSTOMIZE THESE FOR YOUR ORGANIZATION. AS TEMPLATES THEY ARE APPLICABLE TO ANY KIND OF COVERED ENTITY OR BUSINESS ASSOCIATE.]

Privacy Procedures

Privacy Official Job Description

HIPAA Regulation: 45 CFR §164.530(a)(1)(i)

[The procedure steps and job description below are those that a typical provider might follow to complete a job description for the Privacy Official.

The Privacy Official job description steps for your organization might be quite different from these, based on the specific circumstances in which your business operates. Please modify the suggested steps wherever necessary to accommodate the particular needs of your organization.]

Actions to be taken for the Privacy Official job description

  1. <Name or title> has been appointed as the <organization name> "Privacy Official". The Privacy Official and the <insert name of management> will be responsible for completing the job description for the Privacy Official. [You may choose to customize this step by naming the person in your organization who has been designated as the Privacy Official. Alternatively, you could specify this person by title only to avoid the need to modify this procedure in the event of a personnel change.]
  2. The Privacy Official has met with the <insert name of management> to review the HIPAA Privacy rule and to determine the responsibilities of the Privacy Official.
  3. The <insert name of management> has agreed to the following job description.

PRIVACY OFFICIAL JOB DESCRIPTION

[Note: This is a sample job description for the Privacy Official. Please modify to fit your circumstances.]

Job Title:

Privacy Official

Job-Sharing? Yes, this job is performed by the Office Manager. [Edit or erase this section based on your organization's specific situation.]

Job Description:

The Privacy Official is responsible for implementing and maintaining <organization name> HIPAA Privacy requirements.

Reporting structure:

The Privacy Official reports directly to the <physician in charge>.

Job Duties:

  1. Develop, implement and maintain <organization name> HIPAA Privacy policies.
  2. Periodically review and audit <organization name> HIPAA Privacy policies and procedures, updating these where appropriate to respond to patient complaints or to changes affecting the implementation of Privacy policies and procedures.
  3. Develop, implement and maintain <organization> HIPAA Privacy procedures and forms.
  4. Develop and implement <organization> HIPAA records filing system.
  5. Handle all patient Privacy complaints in accordance with <organization> complaint procedure.
  6. Mitigate the effects of any unauthorized use or disclosure of PHI or other Privacy and security violations.
  7. Implement appropriate safeguards for protection from intentional or unintentional unauthorized uses and disclosures of PHI.
  8. Handle all patient requests for access to their PHI in accordance with <organization name> access procedure, including requests for access to psychotherapy notes as well as requests for information related to minors and requests from minors.
  9. Handle all patient requests for amendment to their PHI in accordance with <organization> amendment procedure.
  10. Handle all patient requests for alternate confidential communication channels in accordance with <organization> confidential communication channel procedures.
  11. Handle obtaining individual permission from patients, or their personal representatives, including oral permission and authorizations in accordance with <organization> individual permission procedure.
  12. Handle requests for special Privacy protections in accordance with <organization> special Privacy protection procedures.
  13. Handle the publishing and maintenance of <organization> Notice of Privacy Practices in accordance with <organization> procedure for Notice.
  14. Handle obtaining written acknowledgements of receipt of <organization> Notice of Privacy Practices in accordance with <organization> acknowledgement procedure.
  15. Handle review and response to requests for an accounting of disclosures in accordance with <organization’s> procedure for disclosure accounting.
  16. Handle access requests by law enforcement, subpoenas, court orders, and public purpose entities in accordance with <organization> procedures for this access.
  17. Handle patient requests to designate a personal representative in accordance with <organization> personal representative procedure.
  18. Handle requests for access, amendment, confidential channels, obtaining acknowledgement, special Privacy protections, and other requests from the patient’s personal representative in accordance with the relevant procedure for these requests.
  19. Handle requests for access to PHI related to deceased individuals in accordance with <organization> procedure on deceased individuals.
  20. Ensure the minimum necessary rule is applied to access, request and disclosure events within <organization>, in accordance with <organization’s> minimum necessary procedure.
  21. Ensure regulatory currency for <organization> in accordance with <organization> regulatory currency procedure.
  22. Ensure that records are retained in accordance with <organization> records retention procedure.
  23. Handle all workforce training and awareness programs in HIPAA Privacy and Security requirements in accordance with <organization> workforce training procedure.
  24. Handle all workforce sanctions where any member of <organization> workforce intentionally or unintentionally violates any of <organization> Privacy or Security policies.
  25. Ensure all business associates are identified and have signed business associate agreements in accordance with <organization> business associate policy.
  26. Cooperate with any Privacy investigation by the Department of Health and Human Services.
  27. Handle any other Privacy and Security procedure as defined in <organization> Notice of Privacy Practices.

Implementing the HIPAA records filing system

HIPAA Regulation: 45 CFR §164.530(j)(1)(ii), 164.530(j)(1)(iii), 164.530(j)(2)

[Note: HIPAA does not require any specific filing system or procedure for maintaining documents, other than the requirement that certain documents be retained. The procedure steps suggested below are those that a typical provider might follow to create an efficient filing system for HIPAA records.

The records filing steps for your organization might be quite different from these, based on the specific circumstances in which your business operates. Please modify the suggested steps wherever necessary to accommodate the particular needs of your organization.]

Actions to be taken for records filing

  1. <Name or title> has been appointed as the <organization name> "Privacy Official". The Privacy Official will be responsible for developing and maintaining a HIPAA records filing system. [You may choose to customize this step by naming the person in your organization who has been designated as the Privacy Official. Alternatively, you could specify this person by title only to avoid the need to modify this procedure in the event of a personnel change. NOTE: It is not a HIPAA requirement that a records filing system be developed, or that it be handled by the Privacy Official. Make the appropriate changes to this procedure if someone other than the Privacy Official is designated to handle records filing in your organization.]
  2. The Privacy Official has met with the <physician in charge> to review the filing system procedures.
  3. The Privacy Official has reviewed our professional liability carrier's guidance regarding HIPAA records retention and appropriate filing systems.
  4. Modify our patient medical record to include a new tab for HIPAA forms related to amendment, alternate communication channels and personal representatives, as well as other relevant or related forms.
  5. In collaboration with the <physician in charge>, implement a separate medical record for psychotherapy notes.
  6. Establish a locked file in your office for all HIPAA records.
  7. Establish an alphabetical filing system with separate files for each HIPAA Privacy form we use. As request, response and tracking forms are replaced from medical records (where appropriate), ensure they are filed in the central file.
  8. File all complaint forms and any subsequent tracking or response in a separate file in the locked file titled "complaint forms".
  9. File the business associate agreement log in the locked file in a separate file titled "business associate agreement log".
  10. File the Workforce Training Log and any other training logs or questionnaires in a separate file titled "HIPAA training".

Access Request Processing

HIPAA Regulation: 45 CFR § 164.524(a)(1) & (4), 164.524(b)(2)(i), 164.524(c)(1) & (c)(2)(i) & (c)(4), 164.524(d)(1) & (d)(2) & (d)(3), 164.524(e)(1) & (e)(2)

[The procedure steps suggested below are those that a typical provider might follow to respond to or allow access to protected health information that pertains to an individual.
The access request processing steps for your organization might be quite different from these, based on the specific circumstances in which your business operates. Please modify the suggested steps wherever necessary to accommodate the particular needs of your organization.

Procedures that involve provision of access to patient medical records should be subject to clinical judgment and oversight. The <physician in charge> should review this procedure, as well as any procedure that has the potential to impact treatment, before the procedure is finalized.]

Actions To Be Taken For All Access Requests

  1. FOLLOW THIS PROCEDURE EXACTLY AS IT IS WRITTEN. <name of Privacy Official> HAS REVIEWED THIS PROCEDURE TO ENSURE THAT IT CONFORMS TO THE GUIDANCE PROVIDED BY OUR PROFESSIONAL LIABILITY INSURANCE CARRIER. IF, FOR ANY REASON, YOU CANNOT PERFORM EACH OF THESE STEPS AS DIRECTED, CONTACT <name of Privacy Official> BEFORE CONTINUING.
  2. Forward all requests for access to or copying of protected health information to <name or title>, the <organization name>'s "Privacy Official". [You may choose to customize this step by naming the person in your organization who has been designated as the Privacy Official. Alternatively, you could specify this person by title only, to avoid the need to modify this procedure in the event of a personnel change. NOTE: It is not a HIPAA requirement that requests for access or copies be handled by the Privacy Official. Make the appropriate changes to this procedure if someone other than the Privacy Official is designated to handle access requests in your organization.]
  3. (Note: This step and all subsequent steps in this procedure are to be performed by the Privacy Official or someone designated to act in that capacity.) During the initial contact (or as soon as possible after the initial contact), inform the patient or their personal representative that <organization> requires that the request be submitted using our Request for Access to Protected Health Information form. Provide the patient with a copy of this form either in person or by mail or fax. If the patient expresses concerns about completing a form, invite them to visit so you can assist them in completing the form.
  4. Contact the patient (or his or her representative) within <number of days> of receiving the written request. This contact will be used to verify receipt of the request and it will be done in person or by telephone. [Note: There is no HIPAA requirement that you notify the patient of receipt of the request. You will probably want to do so as soon as possible in the interest of good patient relations. There is a HIPAA requirement that you act on the request (provide access or inform the requestor that the request was denied) within 30 days.]
  5. Track the status of the request on the submitted Request for Patient Access to Protected Health Information form.
  6. Review the request form as soon as it has been received. This review will determine:
  • The exact amount and nature of the information requested, and where that information is kept.
  • Whether the requestor requires access, copies of the information, a summary of the information, or some combination.
  • The format of the requested records.
  • The format of the requested copies, if any.
  • Whether the request is for access to one or more records held in an electronic designated record set.

Complete the review within <number of days> working days of receipt of the request form.

  7. If the information requested is not kept by <organization> but you can determine where the information is kept, direct the individual to the appropriate organization.
  8. [Note: There is no HIPAA requirement that the patient's physician or other provider review the request. However, since providing this access may affect the patient's treatment, you may want to give serious consideration to including a physician review step in this procedure.] Review the access request and determine if the request will be granted or denied. Document the grant or denial of access in the evaluation section of the Request for Access to Protected Health Information form. Send a copy of the evaluation section to the requestor by certified (return receipt) mail. A request for access may only be denied for the following reasons:
  • The requested information includes psychotherapy notes ("process notes not included in the medical record") (non-reviewable).
  • The requested information was compiled in anticipation of, or for use in, a civil, criminal, or administrative proceeding (non-reviewable).
  • An organization that is a correctional institution, or is functioning on behalf of one, may deny access to inmates (non-reviewable).
  • The information was obtained in the course of research that is in progress (non-reviewable).
  • The records are subject to the Privacy Act (see your Privacy Official if you have questions) (non-reviewable).
  • The information was obtained by someone other than a health care provider under a promise of confidentiality, and releasing it may reveal the source (non-reviewable).
  • A licensed health care professional has determined, in the exercise of professional judgment, that the access may endanger the individual or someone else (reviewable).
  • The information refers to another person (other than a licensed health care provider) and the provider has determined, in the exercise of professional judgment, that the other person may be substantially harmed (reviewable).
  • A personal representative made the request and a licensed health care provider has determined, in the exercise of professional judgment, that the provision of access is reasonably likely to cause substantial harm to the individual or someone else (reviewable).
  9. If the decision is made to grant the request, proceed to the "Actions To Be Taken When An Access Request Is Accepted" procedure, below.