Brevard County (Florida)
Administrative Procedures
1420D - HIPAA PRIVACY PROCEDURES
Pursuant to the Health Insurance Portability and Accountability Act (HIPAA) of 1996, and its implementing regulation, the Standard for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82,462 et seq. (December 28, 2000) the District has developed the following implementing procedures:
A. Purpose:
   The following privacy procedure has been implemented to ensure that the District complies fully with all Federal privacy protection laws and regulations. Protection of patient privacy is of paramount importance to the District. Violations of any of these provisions will result in severe disciplinary action including termination of employment and possible referral for criminal prosecution.
B. Effective Date:
   This procedure is in effect as of April 14, 2003.
C. Expiration Date:
   This procedure remains in effect until superseded or cancelled.
Uses and Disclosures of Protected Health Information
This procedure specifies that protected health information may not be used or disclosed except when at least one (1) of the following conditions is true:
A. The individual who is the subject of the information (i.e. the "subject individual") has authorized, in writing, the use or disclosure. A properly executed, signed Form 1420D F2 - Authorization For Release Of Health Information is required for all requests to release information for purposes not covered in B through E below.
B. The individual who is the subject of the information has consented, in writing, to the use or disclosure and the use or disclosure is for treatment, payment or health care operations.
C. The individual who is the subject of the information does not object to the disclosure and the disclosure is to persons involved in the health care of the individual or for facility directory purposes.
D. The disclosure is to the individual who is the subject of the information or to the Federal Department of Health and Human Services for compliance-related purposes.
E. The use or disclosure is for one of the HIPAA "public purposes" (i.e. required by law, etc.).
Deceased Individuals
These privacy protections extend to information concerning deceased individuals.
Notice of Privacy Practices
A Notice of Privacy Practices has been published. This notice and any subsequent revisions thereto will be provided to all subject individuals at the earliest practicable time. All uses and disclosures of protected health information shall be done in accord with this Notice of Privacy Practices. See Form 1420D F1 - Employment Confidentiality Agreement.
Restriction Requests
Serious consideration must be given to all requests for restrictions on uses and disclosures of protected health information as published in the Notice of Privacy Practices (Form 1420D F1). If a particular restriction is agreed to, then this organization is bound by that restriction. Requests for restrictions are filed with the CPO (Chief Privacy Officer) using Form 1420D F3 - Individual Request Not to Use or Disclose Health Information.
Minimum Necessary Disclosure of Protected Health Information
Except for disclosures made for treatment purposes, all disclosures of protected health information must be limited to the minimum amount of information needed to accomplish the purpose of the disclosure. All requests for protected health information (except requests made for treatment purposes) must be limited to the minimum amount of information needed to accomplish the purpose of the request.
Access to Protected Health Information
Access to protected health information must be granted to each employee or contracted vendor based on the assigned job functions of the employee or contracted vendor. Access privileges should not exceed those necessary to accomplish the assigned job function.
Access to Protected Health Information by the Subject Individual
Access to protected health information must be granted by the person who is the subject of such information, in writing, when such access is requested for uses other than treatment or payment or health care operations. Authorization must be filed with the CPO using a correctly executed Form 1420D F4 - Individual Request to Inspect Health Information. Individuals have the right to request access to their own information that is maintained in a "designated record set". A designated record set includes personally identifiable information such as medical records, billing records, enrollment, payment, claims adjudication and health plan case or medical management records systems or records used to make decisions about individuals. In response to a request to access health information, the District must respond in writing as to whether or not the request has been granted or denied. If access is denied, the reason must be stated. If access is granted, the District has up to sixty (60) days to provide access. The District's Group Health Plan's Response to Inspection Request Form follows as Form 1420D F5.
Amendment of Incomplete or Incorrect Protected Health Information
Incorrect protected health information will be corrected in a timely fashion. Notice of these corrections will be given to any organization with which the incorrect information has been shared. A request to amend Personal Health Information (PHI) must be made in writing using Form 1420D F6 - Individual Request to Correct or Amend A Record. The District must respond to such a request within sixty (60) calendar days or request an extension with good reason to do so. The District will respond in writing using Form 1420D F7 - Group Health Plan's Response to Amendment or Correction Request.
Access by Personal Representative
Access to protected health information may be granted to personal representatives of subject individuals as specified by subject individuals. The subject individual must make their designation of a personal representative in writing using Form 1420D F8 - Designation of a Personal Representative to Access Health Information.
Confidential Communications Channels
Confidential communications channels shall be used, as requested by subject individuals, to the extent possible.
Disclosure Accounting
An accounting of all disclosures of protected health information shall be given to subject individuals whenever such an accounting is requested in writing using Form 1420D F4 - Individual Request to Inspect Health Information.
Complaints
All complaints relating to the protection of health information shall be investigated and resolved in a timely fashion. Complaints must be filed with the CPO, in writing. The District will respond or request an extension of the time frame within sixty (60) calendar days of receipt of the complaint.
Prohibited Activities
No employee or contracted vendor may engage in any intimidating or retaliatory acts against persons who file complaints or otherwise exercise their rights under HIPAA regulations. It is also the policy of this organization that no employee or contractor may condition treatment, payment, enrollment, or eligibility for benefits on the provision of an authorization to disclose protected health information.
Responsibility
Responsibility for designing and implementing procedures on the privacy of Protected Health Information lies with the Chief Privacy Officer (CPO).
Verification of Identity
The identity of all persons who request access to protected health information must be verified before such access is granted. All employees who have access to Personal Health Information as part of their job description will be identified and trained in these procedures. In order to have access to PHI in the course of their job duties with the District such employees must execute Form 1420D F1 - Employee Confidentiality Agreement. Failure to do so may result in disciplinary action up to and including termination of employment.
Mitigation
The effects of any unauthorized use or disclosure of protected health information shall be mitigated to the extent possible.
Business Associates
Business associates of the District must be contractually bound to protect health information to the same degree as set forth in this procedure. A business associate is defined as:
A. any person or organization that performs or assists in performing a function or activity involving PHI use or disclosure on behalf of a covered entity (or an organized health care arrangement);
   These covered functions include:
   1. claims processing or administration;
   2. data analysis;
   3. processing or administration;
   4. utilization review;
   5. quality assurance;
   6. billing;
   7. benefit management;
   8. practice management; and
   9. re-pricing.
B. any person or organization that provides one (1) of the following services to or for a covered entity if the service involves a PHI disclosure from a covered entity or organized health care arrangement (or their business associate) to that person:
   1. legal;
   2. actuarial;
   3. accounting;
   4. consulting;
   5. data aggregation;
   6. management;
   7. administrative;
   8. accreditation; or
   9. financial services.
Cooperation with Privacy Oversight Authorities
Oversight agencies such as the Office for Civil Rights of the Department of Health and Human Services shall be given full support and cooperation in their efforts to ensure the protection of health information. All personnel must cooperate fully with all privacy compliance reviews and investigations.
Approved 4/03