PRIVACY

Company Name:

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

Policy Name:

Accounting of Disclosures

Policy Number:

Privacy 1.0

Effective Date:

August 15th, 2018

Responsible for Review:

Marina Rogova, RN

Review Date:

August 15th, 2019

Synopsis of Policy: HIPAA Regulation: Accounting for Disclosures, § 164.528(a)

Individuals have the right to receive an accounting of disclosures of their protected health information made by a covered entity during the six years prior to the date that the individual requests the accounting, including disclosures to or by business associates. The right to an accounting only extends to “disclosures,” i.e., sharing health information outside of the covered entity. It does not encompass “uses,” i.e., using or sharing health information within the covered entity. For example, an individual would not have a right to a list of all hospital employees who have had access to his or her health information. The accounting must include: the date of each disclosure; the name and, if known, the address of the entity or person who received the information; a description of the information disclosed; and a statement of the purpose of the disclosure. The covered entity must provide the individual with the accounting of disclosures no later than 30 days after it receives the request. The deadline may be extended up to an additional 30 days. The first accounting provided to an individual in any 12-month period is free.

The regulation specifically includes provisions that apply when the covered entity discloses the protected health information of 50 or more people in connection with a research project. These provisions allow the covered entity to include general information about such research-related disclosures, whether or not the protected health information of the individual who requested the accounting actually was disclosed. There are a few exceptions to the individual’s right to receive an accounting of disclosures. They are specified in the regulation. For example, the covered entity is not required to provide an accounting of disclosures that have been made to carry out treatment, payment, and health care operations. In effect, this means that patients do not have a right to know the names of everyone who has seen their records. They will not know who has seen their records in the course of providing or paying for care. The regulation also exempts from the accounting requirement disclosures made pursuant to an authorization, and disclosures that are part of a limited data set. The covered entity must also temporarily suspend the individual’s right for disclosures made to a health oversight agency or law enforcement official if the agency or official provides the covered entity with a statement indicating that providing the individual an accounting of the disclosure would be reasonably likely to impede agency activities. The statement must specify the suspension time required.

Full Policy Language:

Policy

The purpose of this policy is to ensure that patients can receive an accounting of disclosures of their protected health information, excluding disclosures made for purposes of treatment, payment, or health care operations. Disclosures to business associates must be included in the accounting. Under the Health Insurance Portability and Accountability Act (HIPAA), BRADLEY A. CONNOR, M.D., P.L.L.C. must give patients an accounting of disclosures on request. Patients may request an accounting of disclosures made up to six years prior to the date of the request.

Procedures


  1. Maintain an accounting of disclosures of protected health information on each patient for at least six years, or longer if required by your individual State.

  2. Information that must be maintained (tracked) and included in an accounting:
    1. Date of disclosure;
    2. Name of the individual or entity who received the information and their address, if known;
    3. Brief description of the protected health information disclosed;
    4. Brief statement of the purpose of the disclosure (or a copy of the individual’s written authorization) or a copy of the individual’s written request for disclosure; and
    5. Multiple disclosures to the same party for a single purpose (or pursuant to a single authorization) may have a summary entry. A summary entry includes all information (2 A–E) for the first disclosure, the frequency with which disclosures were made, and the date of the last disclosure.

  3. Excluded from the accounting and tracking rule(s) are disclosures made:
    1. Prior to April 14, 2003 or prior to BRADLEY A. CONNOR, M.D., P.L.L.C.’s date of compliance with the privacy standards;
    2. To law enforcement or correctional institutions, as provided in State law;
    3. For facility directories;
    4. To the individual patient;
    5. For national security or intelligence purposes;
    6. To people involved in the patient’s care;
    7. For notification purposes, including identifying and locating a family member; and
    8. For treatment, payment, and healthcare operations pursuant to an individual’s authorization.

  4. All other disclosures of protected health information must be tracked. Disclosures are not limited to hard-copy information but include any manner of divulging information, including verbal or electronic data release.

  5. Disclosures may be tracked by a variety of internal processes that ensure accurate and complete accounting of disclosures, such as:
    1. Computerized tracking systems that have the ability to sort by individual and/or date;
    2. Manual logs, with one log per patient maintained in the patient’s health record; and
    3. Authorization forms maintained in the patient’s health record.

  6. All systems must be maintained and accessible for a period of at least six years to meet the requirement of providing an accounting of disclosures for that time period.

  7. Disclosures that are not accompanied by a written request must be tracked by alternative computerized or hard-copy mechanisms.

  8. A patient may make the request for an accounting in writing or orally. If the request is made orally, the organization should document the request on the general “Authorization” form or a “Request for an Accounting of Disclosures” form. The organization must retain this request and a copy of the written accounting that was provided to the patient, as well as the names/departments responsible for the completion of the accounting.

  9. A patient may authorize in writing that the accounting of disclosures can be released to another individual or entity. The request must clearly identify all information required to carry out the request (name, address, phone number, etc.).

  10. Provide the individual with an accounting of disclosures within 60 days after receipt of the request.
    1. If the accounting cannot be completed within 60 days after receipt of the request, provide the individual with a written statement of the reason for the delay and the expected completion date. Only one extension of time, 30 days maximum, per request is permitted.
    2. Requests can cover a period of up to six years prior to the date of the request.

  11. Provide the accounting to the individual at no charge for a request made once during any twelve-month period. A reasonable fee can be charged for any additional requests made during a twelve-month period, provided that the individual is informed of the fee in advance and given an opportunity to withdraw or modify the request.

  12. Maintain written records of requests for an accounting and written accountings provided to an individual for at least six years from the date each was created.
    1. Maintain the titles and names of the people responsible for receiving and processing accounting requests for a period of at least six years, or as long as your state requires.

AUTHORIZED BY:

Company Name:

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

Policy Name:

Right to Amend

Policy Number:

Privacy 2.0

Effective Date:

8/15/2018

Responsible for Review:

Marina Rogova, RN

Review Date:

8/15/2019

Synopsis of Policy: HIPAA Regulation: Right to Amend § 164.526(a)(1)

The regulation gives individuals the right to amend or supplement their own protected health information. For example, an individual who disagrees with a medical opinion may submit a second opinion to be included in the medical record. The individual has this right for as long as the covered entity maintains the information. The covered entity must act on an individual’s request for amendment no later than 60 days after it receives the request. The deadline may be extended up to 30 days if the covered entity provides the individual with a written statement of the reasons for delay and the date by which the covered entity will fulfill his or her request. Covered entities accepting requests for amendment (if a covered entity accepts the request) must:

(1) Make the appropriate amendment; and

(2) Inform the individual in a timely fashion that the amendment is accepted.

The covered entity must then provide the amendment to both entities identified by the individual and other entities known to have received the erroneous information.

Denial of request for amendment – A covered entity may deny an individual’s request for amendment if the entity determines that the information or record:

♦ Was not created by the covered entity, unless the originator of the protected health information is no longer available to make the amendment;

♦ Is not a part of the designated record set;

♦ Would not be available for inspection (see summary of right of access above); or

♦ Is accurate and complete.

If the covered entity denies an individual’s request, it must give the individual a timely, written denial, which includes:

(1) The basis for the denial;

(2) The individual’s right to submit a written statement disagreeing with the denial and how to exercise that right;

(3) A statement that the individual can request the covered entity to include the individual’s request and the denial with any future disclosures of the information (so long as the individual does not file a statement of disagreement); and

(4) A description of how the individual can file a complaint with the covered entity or the Secretary of HHS.

If the individual files a statement of disagreement, the covered entity can prepare a rebuttal to the individual’s statement. The entity must provide a copy of the rebuttal to the individual.

Full Policy Language:

Policy

It is the policy of BRADLEY A. CONNOR, M.D., P.L.L.C. to honor an individual’s right to request an amendment or correction to their protected health information if they feel that the information is incomplete or inaccurate.

The individual has the right to request an amendment of their protected health information for as long as that information is maintained in the designated record set, such as a paper chart or EHR (Electronic Health Record).

Procedures

  1. Individual requests for amendment of protected health information shall be made in writing to BRADLEY A. CONNOR, M.D., P.L.L.C. and clearly identify the information to be amended, as well as the reasons for the amendment. These requirements are detailed in the Notice of Privacy Practices.

  2. Requests may be denied if the material requested to be amended:
    1. Was not created by BRADLEY A. CONNOR, M.D., P.L.L.C., unless the originator is no longer available to act on the request;
    2. Is not part of the designated record set;
    3. Is not accessible to the individual because Federal and State law does not permit it; or
    4. Is accurate and complete as determined by the organization upon review.

  3. The organization must act on the individual’s request for amendment no later than 60 days after receipt of the request. BRADLEY A. CONNOR, M.D., P.L.L.C. may have a one-time extension of 30 days for processing the amendment if the individual is given a written statement of the reason for the delay and the date by which the amendment request will be processed.
    1. If the request is granted, after review and approval by the individual responsible for the entry to be amended, BRADLEY A. CONNOR, M.D., P.L.L.C. must:
      1. Insert the amendment or provide a link within the designated record set to the amendment at the site of the information that is the subject of the request for amendment;
      2. Inform the individual that the amendment is accepted;
      3. Obtain the individual’s identification of and agreement to have BRADLEY A. CONNOR, M.D., P.L.L.C. notify the relevant persons with whom the amendment needs to be shared; and
      4. Within a reasonable time frame, make reasonable efforts to provide the amendment to persons identified by the individual, and to persons, including business associates, that BRADLEY A. CONNOR, M.D., P.L.L.C. knows have the protected health information that is the subject of the amendment and that may have relied on, or could foreseeably rely on, the information to the detriment of the individual.

  4. If the request is denied, BRADLEY A. CONNOR, M.D., P.L.L.C. must provide the individual with a timely, written denial in plain language that contains:
    1. The basis for the denial (see #2 above);
    2. The individual’s right to submit a written statement disagreeing with the denial and how the individual may file such a statement;
    3. A statement that if the individual does not submit a statement of disagreement, the individual may request that BRADLEY A. CONNOR, M.D., P.L.L.C. provide the individual’s request for amendment and the denial with any future disclosures of the protected health information that was the subject of the request;
    4. A description of how the individual may file a complaint with BRADLEY A. CONNOR, M.D., P.L.L.C. or the Secretary of Health and Human Services; and
    5. The name (or title) and the telephone number of the designated contact person who handles complaints for BRADLEY A. CONNOR, M.D., P.L.L.C.

  5. BRADLEY A. CONNOR, M.D., P.L.L.C. must permit the individual to submit to it a written statement disagreeing with the denial of all or part of a requested amendment and the basis of such disagreement. BRADLEY A. CONNOR, M.D., P.L.L.C. may reasonably limit the length of a statement of disagreement.

  6. BRADLEY A. CONNOR, M.D., P.L.L.C. may prepare a written rebuttal to the individual’s statement of disagreement. Whenever such a rebuttal is prepared, BRADLEY A. CONNOR, M.D., P.L.L.C. must provide a copy to the individual who submitted the statement of disagreement.

  7. BRADLEY A. CONNOR, M.D., P.L.L.C. must, as appropriate, identify the record of protected health information that is the subject of the disputed amendment and append or otherwise link in the designated record set: the individual’s request for amendment; BRADLEY A. CONNOR, M.D., P.L.L.C.’s denial of the request; the individual’s statement of disagreement, if any; and BRADLEY A. CONNOR, M.D., P.L.L.C.’s rebuttal, if any.

  8. If the individual submits the statement of disagreement, BRADLEY A. CONNOR, M.D., P.L.L.C. must include the material appended or an accurate summary of such information with any subsequent disclosure of the protected health information to which the disagreement relates.

  9. If the individual has not submitted a written statement of disagreement, BRADLEY A. CONNOR, M.D., P.L.L.C. must include the individual’s request for amendment and its denial, or an accurate summary of such information, with any subsequent disclosure of protected health information only if the individual has requested such action.

  10. When a subsequent disclosure is made using a standard transaction that does not permit the additional material to be included, BRADLEY A. CONNOR, M.D., P.L.L.C. must separately transmit the material required.

  11. BRADLEY A. CONNOR, M.D., P.L.L.C. must document the titles for the persons or offices responsible for receiving and processing requests for amendments.

  12. It may be determined that a further review of the patient’s request for amendment requires the participation of an uninvolved third party. For purposes of this policy, an uninvolved third party is defined as an individual who has not been involved in the original review of the request. This individual should be in a leadership position and could be, but is not limited to: risk management, local integrity officer/team members, medical staff leadership, administration, or appropriate management staff.

Additional Considerations of Amendments from Other Covered Entities

  1. When BRADLEY A. CONNOR, M.D., P.L.L.C. receives notification from another covered entity that an individual’s protected health information has been amended, BRADLEY A. CONNOR, M.D., P.L.L.C.:
    1. Must ensure that the amendment is appended to the individual’s designated record set; and
    2. Will inform its business associates that may use or rely on the individual’s designated record set of the amendment (as agreed to in the business associate contract), so that they may make the necessary revisions based on the amendment.

AUTHORIZED BY:

Company Name:

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

Policy Name:

Business Associates

Policy Number:

Privacy 3.0

Effective Date:

08/15/2018

Responsible for Review:

Marina Rogova, RN

Review Date:

08/15/2019

Synopsis of Policy: HIPAA Regulation: Business Associates: § 160.103 Definitions; § 164.502(e) Uses and Disclosures; § 164.504(e)(1) Business Associate Contracts; § 164.504(e)(2) Uses and Disclosures

Health plans and providers routinely hire other companies and consultants to perform a wide variety of functions for them. Health plans and providers, for example, may work with outside attorneys, bill collectors, computer specialists, or accreditation organizations. All of these entities need access to some patient information, but these persons are not directly subject to the privacy regulation. To allow information to be shared with these “business associates” and to protect the information that is disclosed to them, the regulation sets specific conditions on when and how covered entities may share information with these entities.

A business associate is a person or entity who:

♦ On behalf of a covered entity performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information, such as claims processing or administration, data analysis, utilization review, quality assurance, billing, or practice management; or

♦ Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity.

A business associate does not include a member of the covered entity’s workforce. Neither does it include the circumstance where two covered entities participate in an organized health care arrangement, such as a hospital where a doctor has privileges (see later discussion of “Organized Health Care Arrangement” for more information). Furthermore, the rule is not intended to cover anyone who merely acts as a conduit for protected health information, such as the U.S. Postal Service. A covered entity is permitted to disclose protected health information to a business associate, or to allow the business associate to create or receive protected health information on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information. Generally, this safeguard will take the form of a written contract which, among other things, requires the business associate not to use or disclose the information other than as permitted or required by the contract or as required by law, and to implement appropriate safeguards to prevent inappropriate uses and disclosures. A contract is not required in certain circumstances where the covered entity and the business associate both are governmental agencies or where the business associate is required by law to perform a function.

Full Policy Language:

Policy Purpose:

This policy establishes guidelines for BRADLEY A. CONNOR, M.D., P.L.L.C. to identify those vendor/business relationships which meet the HIPAA definition of a “business associate” and provides direction in establishing formalized business associate agreements.

BRADLEY A. CONNOR, M.D., P.L.L.C. shall implement the required procedures and ensure documentation to establish satisfactory assurance of compliance. HIPAA requirements for business associates are addressed in the following standards:

  • 45 CFR § 164.308(b)(1) – HIPAA Security Rule, Administrative Safeguards: Business Associate Contracts and Other Arrangements
  • 45 CFR § 164.314 – HIPAA Security Rule, Organizational Requirements: Business Associate Contracts or Other Arrangements
  • 45 CFR § 164.502(e)(1) – HIPAA Privacy Rule, Uses and Disclosures of Protected Health Information: General Rules – Disclosures to Business Associates
  • 45 CFR § 164.504 – HIPAA Privacy Rule, Uses and Disclosures: Organizational Requirements

These standards define the concept of a business associate relationship and outline the required elements to be addressed in a business associate agreement (as addressed in this policy).

Responsible for Implementation:

  • Privacy & Security Officers
  • Administration

Applicable To:

  • BRADLEY A. CONNOR, M.D., P.L.L.C. and all involved with external business associates

Key Definitions:

Business Associate (BA): Under the HIPAA Privacy and Security Rules, a person (or entity) who is not a member of the covered entity’s workforce and performs any function or activity involving the use or disclosure of individually identifiable health information, or who provides services to a covered entity that involve the disclosure of individually identifiable health information, such as legal, accounting, consulting, data aggregation, management, accreditation, etc.

Business Associate Agreement (BAA): Under the HIPAA Privacy and Security Rules, a legally binding agreement entered into by a covered entity and a BA that establishes permitted and required uses and disclosures of PHI, provides obligations for the BA to safeguard the information and to report any uses or disclosures not provided for in the agreement, and requires the termination of the agreement if there is a material violation. Refer to 45 CFR § 164.502(e)(1) to determine when the standard is not applicable.

Electronic Protected Health Information (ePHI): Any individually identifiable health information protected by HIPAA that is transmitted by or stored in electronic media.

Protected Health Information (PHI): Individually identifiable health information that is created by or received by the organization, including demographic information, that identifies an individual, or provides a reasonable basis to believe the information can be used to identify an individual, and relates to:

  • Past, present, or future physical or mental health or condition of an individual;
  • The provision of health care to an individual; or
  • The past, present, or future payment for the provision of health care to an individual.


Procedures:

  • BRADLEY A. CONNOR, M.D., P.L.L.C. shall determine responsible oversight for the management of BA relationships and agreements. Responsibility may be delegated to the:
    1. Privacy Officer;
    2. Security Officer; or
    3. HIPAA Privacy & Security Team.

  • BRADLEY A. CONNOR, M.D., P.L.L.C.’s departments/business units are responsible for facilitating the assessment of both existing and future vendor/business relationships to determine whether the relationship meets the criteria for a HIPAA BAA. The following criteria define a business associate under HIPAA regulation:
    1. The vendor/business’ staff members are not members of BRADLEY A. CONNOR, M.D., P.L.L.C.’s workforce;
    2. The vendor/business is doing something on behalf of BRADLEY A. CONNOR, M.D., P.L.L.C.;
    3. The vendor/business is doing something that involves the use and/or disclosure of PHI; and
    4. Note that there are certain disclosures to vendors/businesses that do not require establishment of a BAA (see 45 CFR § 164.502(e)(1)). These disclosures include:
      1. Disclosures by a covered entity to a health care provider concerning the treatment of the individual;
      2. Disclosures by a group health plan or a health insurance issuer or HMO with respect to a group health plan to the plan sponsor, to the extent that the requirements of § 164.504(f) apply and are met; and
      3. Uses or disclosures by a health plan that is a government program providing public benefits if eligibility for, or enrollment in, the health plan is determined by an agency other than the agency administering the health plan, or if the PHI used to determine enrollment or eligibility in the health plan is collected by an agency other than the agency administering the health plan, and such activity is authorized by law, with respect to the collection and sharing of individually identifiable health information for the performance of such functions by the health plan and the agency other than the agency administering the health plan.

  • BRADLEY A. CONNOR, M.D., P.L.L.C. may determine the need for BAAs through:
    1. Mapping the flow of PHI and identifying where PHI is used, disclosed, or created by external entities;
    2. Reviewing contract management documents/software and identifying where PHI is disclosed to external entities;
    3. Reviewing 1099 tax forms to identify vendors and then identifying vendors with business arrangements where PHI is disclosed to external entities or used internally by vendors; and
    4. Assessing new vendor/business arrangements to determine if PHI will be used and/or disclosed.

  • When it has been determined that a BA arrangement exists, the BRADLEY A. CONNOR, M.D., P.L.L.C. leader shall contact the responsible individual/team to initiate a BAA document. The BRADLEY A. CONNOR, M.D., P.L.L.C. leader shall provide the following information to “customize” the BAA:
    1. The name and contact information of the BA;
    2. A general description of the type of service being provided by the BA;
    3. Permitted uses and disclosures as applicable to the arrangement (see 6 a);
    4. The name of the organization’s department/business unit and leader who established the BAA;
    5. Date of establishment of the BA relationship and BAA;
    6. Name/signature line for the department/business unit leader or Privacy Officer; and
    7. Name/signature line for the BA contact.

  • If a vendor/business relationship requiring a BA agreement/addendum is in the process of contract negotiation and development, the provisions of the BAA may be incorporated into the contract as an option (a separate BAA would not be required).

  • Obligations and activities which must be addressed in the BAA document include:

Privacy Rule Provisions (45 CFR § 164.504(e)(2)):

  1. Stated Purposes for Which BA May Use or Disclose PHI: BA is permitted to use and disclose PHI it creates or receives for or from BRADLEY A. CONNOR, M.D., P.L.L.C. as expressly permitted by the BAA. BA may also use the PHI it creates or receives for or from BRADLEY A. CONNOR, M.D., P.L.L.C.  as minimally necessary for BA’s proper management and administration, or to carry out BA’s legal responsibilities.
  2. Limitations on Use and Disclosure of Protected Health Information: BA agrees it shall not use or disclose, and shall ensure that its directors, officers, employees, contractors, and agents do not use or disclose, Protected Health Information for any purpose other than as expressly permitted by the BAA, or required by law, or in any manner that would constitute a violation of the Privacy Standards if used by BRADLEY A. CONNOR, M.D., P.L.L.C. .
    1. The BAA may permit the BA to use and disclose protected health information for the proper management and administration of the BA; and
    2. The BAA may permit the BA to provide data aggregation services relating to the health care operations of BRADLEY A. CONNOR, M.D., P.L.L.C. .
  3. Disclosure by Others: To the extent that the BA is authorized by this Agreement to disclose Protected Health Information to a third party, BA must obtain, prior to making any such disclosure, reasonable assurances from the third party that the Protected Health Information will be held confidential as provided pursuant to the Agreement and only disclosed as required by law or for the purposes for which it was disclosed to such third party. BA must obtain an agreement from the third party to immediately notify BA of any breaches of confidentiality of the PHI, to the extent it has obtained knowledge of such breach.
  4. Minimum Necessary: BA shall disclose to its subcontractors, agents, or other third parties (and request from BRADLEY A. CONNOR, M.D., P.L.L.C. ) only the minimum PHI necessary to performing or fulfilling a specific required or permitted function.
  5. Safeguards Against Misuse of Information: BA will establish and maintain all appropriate safeguards to prevent any use or disclosure of PHI other than pursuant to the terms and conditions of the Agreement.
  6. Reporting of Disclosures of PHI: BA shall, within twenty [20] days of discovery of any use or disclosure of PHI in violation of the Agreement, report any such use or disclosure to BRADLEY A. CONNOR, M.D., P.L.L.C. .
  7. Agreements by Third Parties: BA shall enter into an agreement with any agent or subcontractor that will have access to PHI that is received from, or created or received by BA on behalf of, BRADLEY A. CONNOR, M.D., P.L.L.C. pursuant to which such agent or subcontractor agrees to be bound by the same restrictions, terms, and conditions that apply to BA pursuant to the Agreement with respect to PHI.
  8. Access to Information: Within thirty [30] days of a request by BRADLEY A. CONNOR, M.D., P.L.L.C. for access to PHI about an individual contained in a Designated Record Set, BA shall make available to BRADLEY A. CONNOR, M.D., P.L.L.C. the PHI it requests so long as that information is maintained in the Designated Record Set. If any individual requests access to PHI about the individual directly from BA, BA shall make available and provide a right of access to the PHI to the individual at the times and in the manner required by the Privacy Standards (see 45 C.F.R. § 164.524, or its successor as it may be amended from time to time). After receiving the request, BA shall notify BRADLEY A. CONNOR, M.D., P.L.L.C. within thirty [30] days of such request.
  9. Availability of PHI for Amendment: BA agrees to make PHI available for amendment and to incorporate any such amendments in the PHI, at the times and in the manner required by the Privacy Standards (see 45 C.F.R. § 164.526, or its successor as it may be amended from time to time).
  10. Accounting of Disclosures: Within thirty [30] days of notice by BRADLEY A. CONNOR, M.D., P.L.L.C. to BA that it has received a request for an accounting of disclosures of PHI regarding an individual during the six years prior to the date on which the accounting was requested, BA shall make available to BRADLEY A. CONNOR, M.D., P.L.L.C. such information that is in BA’s possession and is required for BRADLEY A. CONNOR, M.D., P.L.L.C. to make the accounting required by the Privacy Standards (see 45 C.F.R. § 164.528, or its successor as it may be amended from time to time). At a minimum, BA shall provide BRADLEY A. CONNOR, M.D., P.L.L.C. with the following information: the date of the disclosure; the name of the entity or person who received the PHI and, if known, the address of such entity or person; a brief description of the PHI disclosed; and a brief statement of the purpose of the disclosure, which includes an explanation of the basis for the disclosure. If the request for an accounting is delivered directly to BA, BA shall within zero [0] days forward the request to BRADLEY A. CONNOR, M.D., P.L.L.C. BRADLEY A. CONNOR, M.D., P.L.L.C. is responsible for preparing and delivering the accounting requested. BA agrees to implement an appropriate record keeping process to enable it to comply with the requirements of this Section.
  11. Availability of Books and Records: BA agrees to make its internal practices, books, and records relating to the use and disclosure of PHI received from, created, or received by BA on behalf of BRADLEY A. CONNOR, M.D., P.L.L.C. available to the Secretary for purposes of determining BRADLEY A. CONNOR, M.D., P.L.L.C.’s and BA’s compliance with the Privacy Standards.
  12. If BRADLEY A. CONNOR, M.D., P.L.L.C. (covered entity) and the BA are both governmental entities, additional implementation specifications must be addressed (see 45 CFR § 164.504(e)(3)).

 

Security Rule Provisions (45 CFR § 164.314):

  1. Implementation of Safeguards: BA agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, and transmits on behalf of BRADLEY A. CONNOR, M.D., P.L.L.C.
  2. Agents and Subcontractors: BA agrees to ensure that any agent, including a subcontractor, to which the BA provides ePHI implements reasonable and appropriate safeguards to protect the ePHI.
  3. Security Incidents: BA agrees to report to BRADLEY A. CONNOR, M.D., P.L.L.C. any security incident of which it becomes aware.
  4. Termination: The BA agreement authorizes termination of the contract by BRADLEY A. CONNOR, M.D., P.L.L.C. if BRADLEY A. CONNOR, M.D., P.L.L.C. determines that the BA has violated a material term of the contract.

Other Provisions:

  1. BRADLEY A. CONNOR, M.D., P.L.L.C. may want to seek guidance from legal counsel prior to entering into a BAA that includes language addressing:
    1. Insurance responsibilities; and
    2. Indemnification requirements.
  2. If BRADLEY A. CONNOR, M.D., P.L.L.C. chooses to terminate the arrangement with the BA or the BA chooses to terminate the arrangement with BRADLEY A. CONNOR, M.D., P.L.L.C., the agreement must be terminated as outlined in the provisions of the BAA/addendum or
  3. Upon termination or expiration of the business arrangement between the BA and BRADLEY A. CONNOR, M.D., P.L.L.C., the BA shall either return or destroy all PHI received from BRADLEY A. CONNOR, M.D., P.L.L.C. or created or received by BA on behalf of BRADLEY A. CONNOR, M.D., P.L.L.C. that the BA still maintains in any form, as outlined in the provisions of the BAA/addendum or contract.

 

  • BRADLEY A. CONNOR, M.D., P.L.L.C. does not have a statutory obligation to monitor the activities of its BAs, but does have a statutory responsibility to gain knowledge and assurances of the BAs’ compliance with the HIPAA Security Rule. However, BRADLEY A. CONNOR, M.D., P.L.L.C. must respond to reported privacy breaches and security incident events, should they occur, and take reasonable steps to cure any potential breach or end the violation.

  • BRADLEY A. CONNOR, M.D., P.L.L.C. may serve as a BA to another covered entity and may be asked to review and sign that covered entity’s external BA agreement/addendum or contract. As a BA, BRADLEY A. CONNOR, M.D., P.L.L.C. should:
    1. Forward the external information to the Privacy Officer, who will review the submitted BA agreement to ensure that the provisions outlined are consistent with those set forth in this policy or as documented on the attached; and
    2. If the BA agreement is not consistent with this policy, or contains additional provisions or provisions that are inconsistent with the privacy regulation, the Privacy Officer may recommend one of the following alternatives:
      • Agree to the additional provisions and sign the agreement;
      • Refer the agreement to legal counsel to determine appropriateness before signing; or
      • Refuse to agree to the provisions and notify the covered entity to establish a resolution.

 

  • To meet the documentation requirements of the Security Rule, the responsible individual/team shall maintain a file or electronic spreadsheet of BAAs/addendums/contracts. This file shall include the following information and shall be available for review as needed:
    1. Date that the need for the BAA is identified/received by the responsible individual/team;
    2. Name of the individual/organization that forwarded the agreement/identified the need;
    3. Name of the organization for which the BAA is needed;
    4. Description of BRADLEY A. CONNOR, M.D., P.L.L.C.’s operations that the BA is involved with;
    5. Initiation date of the original contract (if applicable);
    6. Term of contract;
    7. Date the BAA was signed by the responsible individual;
    8. Location of the BAA; and
    9. Any additional notes.

  • All BAA documentation shall be maintained for a period of six years beyond the date on which the BAA relationship is terminated.

  • The BAA shall be effective for the length of the relationship between the BA and the organization, unless otherwise terminated under the provisions outlined in the agreement.

 

 

Applicable Standards/Regulations:

 

  • 45 CFR § 164.308(b)(1) – HIPAA Security Rule, Administrative Safeguards: Business Associate Contracts and Other Arrangements
  • 45 CFR § 164.314 – HIPAA Security Rule, Organizational Requirements: Business Associate Contracts or Other Arrangements
  • 45 CFR § 164.502(e)(1) – HIPAA Privacy Rule, Uses and Disclosures of Protected Health Information: General Rules – Disclosures to Business Associates
  • 45 CFR § 164.504 – HIPAA Privacy Rule, Uses and Disclosures: Organizational Requirements

APPENDIX 1: Examples of Business Associates

EXAMPLES OF BUSINESS ARRANGEMENTS THAT MAY INVOLVE DISCLOSURE OF PHI & REQUIRE BA AGREEMENTS/ADDENDUMS OR CONTRACT PROVISIONS

Accrediting/Licensing Agencies (JCAHO)

Accounting Consultants/Vendors

Actuarial Consultants/Vendors

Agents/Contractors Accessing PHI (Consultants)

Application Service Providers (i.e., prescription mgmt.)

Attorneys/Legal Counsel

Auditors

Benchmarking Organizations

Benefit Management Organizations

Claims Processing/Clearinghouse Agency Contracts

Coding Vendor Contracts

Collection Agency Contracts

Computer Hardware Contracts

Computer Software Contracts

Consultants/Consulting Firms

Data Analysis Consultants/Vendors

Data Warehouse Contracts

Emergency Physician Services Contracts

Hospitalist Contracts

Insurance Contracts (Coverage for Risk, Malpractice, etc.)

Interpreter Services Contracts

IT/IS Vendors

Legal Services Contracts

Medical Staff Credentialing Software Contracts

Microfilming Vendor Contracts

Optical Disc Conversion Contracts

Pathology Services Contracts

Paper Recycling Contracts

Patient Satisfaction Survey Contracts

Payer-Provider Contracts (Provider for Health Plan)

Physician Billing Services

Physician Contracts

Practice Management Consultants/Vendors

Professional Services Contracts

Quality Assurance Consultants/Vendors

Radiology Services Contracts

Record Copying Service Vendor Contracts

Record Storage Vendors

Release of Information Service Vendor Contracts

Repair Contractors of Devices Containing PHI

Revenue Enhancement/DRG Optimization Contracts

Risk Management Consulting Vendor Contracts

Shared Service/Joint Venture Contracts with Other Healthcare Organizations

Statement Outsource Vendors

Telemedicine Program Contracts

Third Party Administrators

Transcription Vendor Contracts

Waste Disposal Contracts (Hauling, Shredding)

Health Plan Relationships:

Pharmaceutical Benefits Management Contracts

Preauthorization Management Contracts

Case Management Contracts

Third Party Administrator (TPA) Contracts

Wellness Promotion Contracts

AUTHORIZED BY:

 

Company Name:

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

Policy Name:

Charging for Copies of ePHI

Policy Number:

Privacy 4.0

Effective Date:

08/15/2018

 

Responsible for Review:

Marina Rogova, RN

Review Date:

08/15/2019

Synopsis of Policy: HIPAA Regulation: § 164.524(a) Right to Inspect and Copy

 

The regulation establishes a new federal legal right for individuals to see and obtain a copy of their own protected health information in a designated record set for as long as the information is maintained. It also establishes deadlines for BRADLEY A. CONNOR, M.D., P.L.L.C. to respond to requests for access and creates procedures for reviewing denials of those requests.

Provision of Access: In general, BRADLEY A. CONNOR, M.D., P.L.L.C. must allow the individual to inspect or obtain a copy of the protected health information in the form or format requested by the individual no later than 30 days after receiving the request (60 days if the information is not maintained or accessible to the covered entity on-site). The deadline may be extended up to 30 days if BRADLEY A. CONNOR, M.D., P.L.L.C. provides the individual with a written statement of the reasons for delay and the date by which BRADLEY A. CONNOR, M.D., P.L.L.C. will fulfill his or her request. BRADLEY A. CONNOR, M.D., P.L.L.C. can provide the individual with an explanation or summary of the requested protected health information, if the individual agrees in advance to the arrangement and the fees imposed. BRADLEY A. CONNOR, M.D., P.L.L.C. can impose “reasonable,” cost-based fees for providing the individual a copy, explanation, or summary of his or her protected health information. If BRADLEY A. CONNOR, M.D., P.L.L.C. does not maintain the individual’s protected health information, but knows where the requested information is kept, the entity must let the individual know where to direct his or her request for access.

Full Policy Language:

 

Background:

 

The Health Insurance Portability & Accountability Act (HIPAA) of 1996 permits a covered entity to impose reasonable, cost-based fees for responding to requests made by an individual (patient or legal representative) for copies of Protected Health Information (PHI). The regulations limit the types of costs that may be imposed for providing access to PHI. Additionally, the inclusion of a copying fee is not intended to impede the ability of individuals to obtain copies of their PHI. If the patient has agreed to receive a summary or explanation of his or her PHI, the covered entity may also charge a fee for preparation of the summary or explanation.  The fee may not include costs associated with searching for and retrieving the requested information.

 

General Statements Covering Individual/Patient Requests:

 

  1. If an individual requests a copy of PHI, BRADLEY A. CONNOR, M.D., P.L.L.C. may charge a reasonable, cost-based fee for the copying, including the labor and supply costs of copying.
    1. If hard copies are made, this would include the cost of paper.
    2. If electronic copies are made to a CD, this would include the cost of the CD.
  2. BRADLEY A. CONNOR, M.D., P.L.L.C. may not charge any fees for retrieving or handling the information, or for processing the request.
  3. If an individual requests that the information be mailed, the fee may include the cost of postage.
  4. If an individual requests an explanation or summary of the information provided, and agrees in advance to any associated fees, BRADLEY A. CONNOR, M.D., P.L.L.C. may charge for preparing the explanation or summary.
  5. If an individual requests an “accounting of disclosures” to identify what PHI has been disclosed to others, BRADLEY A. CONNOR, M.D., P.L.L.C. must provide the first accounting in any 12-month period free of charge. Subsequent requests made during the same 12-month period may carry a reasonable fee based on the costs to BRADLEY A. CONNOR, M.D., P.L.L.C. of providing the accounting. Before charging the fee, BRADLEY A. CONNOR, M.D., P.L.L.C. must inform the patient and allow them the opportunity to withdraw or modify the request to avoid or reduce the fee.

 

General Statements Covering Provider Requests:

 

  1. As a courtesy, health care providers may waive copy charges for the disclosure of PHI between providers. This practice is at the discretion of the provider.

Factors That May Impact the Cost of Responding to Release of Information Requests:

  1. Costs of providing copies of PHI may be impacted by a variety of factors. Charges may differ depending upon the party making the request. HIPAA does allow BRADLEY A. CONNOR, M.D., P.L.L.C. to charge a reasonable, cost-based fee for copying PHI for the patient/legal guardian, including labor and supply costs; however, BRADLEY A. CONNOR, M.D., P.L.L.C. may not charge patients/legal guardians any fees for retrieving or handling the information or for processing the request. The following factors may impact the charges BRADLEY A. CONNOR, M.D., P.L.L.C. may include for copies of PHI:

Labor costs involved with ensuring authorization appropriateness:

  1. Labor costs and software associated with logging of requests to a database;
  2. Labor costs involved in physically retrieving the health information;
  3. Labor costs associated with filing retrieved health information;
  4. Labor costs associated with the physical copying of health information;
  5. Expense costs for paper, toner, and equipment maintenance involved in copying;
  6. Capital costs associated with acquiring copying equipment;
  7. Handling expense involved in preparing a document for mailing;
  8. Postal expense for mailing;
  9. Expense associated with invoicing for copies;
  10. Bad debt “write-off” expense;
  11. “Non-billable” request expense; and
  12. Real estate costs of storage space and copier workspace.

 

AUTHORIZED BY: ____________________________________

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

110 East 55th Street, 16th Floor

New York, NY 10022

 

Company Name:

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

Policy Name:

Communication of PHI

Policy Number:

Privacy 5.0

Effective Date:

08/15/2018

 

Responsible for Review:

Marina Rogova, RN

Review Date:

08/15/2019

Synopsis of Policy: HIPAA Regulation: Communication of PHI: §164.530(c)(1) Administrative Requirements; §164.306(a) Security Standards

 

The purpose of the Communications Policy is to provide policies and procedures to safeguard and protect the privacy of Protected Health Information (PHI) while using various communications mediums. This policy has generalized guidelines and procedures that can be associated with all communications mediums, and also contains specific procedures due to the different handling of the mediums within a “Communication Matrix.” This is an all-inclusive overview of general communication practices that may need to be broken down into separate policies, based on organizational needs.

Full Policy Language:

 

Purpose

 

The purpose of the Communications Policy is to provide policies and procedures to safeguard and protect the privacy of Protected Health Information (PHI) while using various communications mediums. This policy has generalized guidelines and procedures that can be associated with all communications mediums, and also contains specific procedures due to the different handling of the mediums within a “Communication Matrix.” This is an all-inclusive overview of general communication practices that may need to be broken down into separate policies, based on organizational needs.

 

Policy

 

  1. PHI can be communicated through various mediums. To comply with the HIPAA Privacy Rule §164.530(c)(1) regarding safeguards, and with the HIPAA Security Rule §164.306(a), which requires safeguarding the confidentiality, integrity, and availability of Electronic PHI (ePHI) that an organization creates, receives, maintains, or transmits, BRADLEY A. CONNOR, M.D., P.L.L.C. must have in place appropriate administrative, technical, and physical safeguards to protect PHI.
  2. It is the policy of BRADLEY A. CONNOR, M.D., P.L.L.C. to ensure that PHI is protected from misuse, loss, tampering, or use by unauthorized persons. This policy addresses the safeguarding of PHI received, created, used, maintained, and/or transmitted via the communication mediums listed, applying the minimum necessary requirements for disclosures of PHI to personnel, patients and their personal representatives, other covered entities, public health officials, business associates, etc., as set forth by federal, state, and local laws (refer to BRADLEY A. CONNOR, M.D., P.L.L.C. Uses and Disclosures Policy 19.0).
  3. Verification of identity is attained in accordance with Identity Verification Policy 9.0 prior to release of PHI. Accounting of disclosures of PHI is maintained in compliance with BRADLEY A. CONNOR, M.D., P.L.L.C.’s Accounting of Disclosures Policy. Transmission of ePHI over BRADLEY A. CONNOR, M.D., P.L.L.C.’s own network is managed with internal controls such as unique User ID and Password authentication (refer to Security Policy 2.0, User Access Management).

 

Definitions

 

Encryption: the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.

 

Protected Health Information (PHI):  Individually identifiable health information that is created or received by the organization, including demographic information, which identifies an individual, or provides a reasonable basis to believe the information can be used to identify an individual, and relates to:

  1. Past, present, or future physical or mental health or condition of an individual.
  2. The provision of health care to an individual.
  3. The past, present, or future payment for the provision of health care to an individual.

 

Content

 

  1. Communication will be clear, concise, and professional. Emotional content, such as anger, sarcasm, harsh criticism, irony, incriminating remarks, and libelous references to third parties, is not allowed. Employees should not expect communications they send to be private. Any material sent via BRADLEY A. CONNOR, M.D., P.L.L.C.’s equipment is the property of BRADLEY A. CONNOR, M.D., P.L.L.C. Any violations of this policy will be referred to human resources for disciplinary action.

 

Classification of Information for BRADLEY A. CONNOR, M.D., P.L.L.C.

 

General Public Information:

  1. Defined as any information that can be given to the general public and can be distributed outside of BRADLEY A. CONNOR, M.D., P.L.L.C. without any risk through the various mediums discussed in this policy. This is often general information about BRADLEY A. CONNOR, M.D., P.L.L.C. for marketing or product purposes.

 

Internal Information Within BRADLEY A. CONNOR, M.D., P.L.L.C.:

  1. Internal information about patients, employees, or business associates whose disclosure would not seriously impact or adversely affect BRADLEY A. CONNOR, M.D., P.L.L.C. may be distributed without a specific consent or authorization. This may be information such as directories with phone listings, policy manuals that do not disclose PHI of individual patients, and patient educational information.

 

Non-sensitive and/or Non-urgent PHI:

  1. Defined as PHI that can be given by various media (refer to BRADLEY A. CONNOR, M.D., P.L.L.C. Policy 19.0, Uses and Disclosures Policy). This information may be used internally within BRADLEY A. CONNOR, M.D., P.L.L.C. and received by the patient, guardian, and/or authorized personal representatives (refer to BRADLEY A. CONNOR, M.D., P.L.L.C. Uses and Disclosures Policy for appropriate release processes). Unauthorized disclosure could adversely impact BRADLEY A. CONNOR, M.D., P.L.L.C., patients, employees, and business associates. The following are examples:
    1. Prescription refills;
    2. Instructions on how to take medications or apply dressings;
    3. Appointment scheduling;
    4. Appointment reminders;
    5. Normal test results (other than HIV test results) with interpretation and advice;
    6. Care and treatment recommendations;
    7. Pre/postoperative instructions;
    8. Insurance and billing questions; and
    9. As a secondary means of attempting to have patients call the provider to discuss important test results and/or the prognosis of a condition.

 

Sensitive and/or Urgent Confidential PHI:

  1. Sensitive and/or urgent confidential PHI is intended strictly for use within BRADLEY A. CONNOR, M.D., P.L.L.C. and may be disclosed only to patients or to other entities as required by law (refer to BRADLEY A. CONNOR, M.D., P.L.L.C. Release of Information Policy). Unauthorized disclosure could seriously and adversely impact BRADLEY A. CONNOR, M.D., P.L.L.C., patients, employees, and business associates. Obtain an appropriate authorization for disclosures of PHI in this category. The following are examples:
    1. STD and HIV test results and/or treatment;
    2. First means of notification for confusing or abnormal diagnostic results;
    3. Mental health issues;
    4. Drug and alcohol abuse and/or treatment;
    5. Child abuse and/or neglect;
    6. Domestic abuse;
    7. Peer review or risk management information; and
    8. Marketing and fundraising purposes, except when allowed by law (refer to BRADLEY A. CONNOR, M.D., P.L.L.C. Marketing and PHI Policy 11.0); exercise caution for urgent/time-sensitive matters.

 

Procedures

The following Communication Matrix shows the specific procedures for handling the various mediums of communicating information.

AUTHORIZED BY: __________________________________

 

CLASSIFICATION OF INFORMATION FOR BRADLEY A. CONNOR, M.D., P.L.L.C.

The Communication Matrix has one column per classification: General Public Information; Internal Information; Non-sensitive and/or Non-urgent PHI; Sensitive and/or Urgent Confidential PHI. The general handling requirements and the risk impact for each classification are listed below, followed by the specific procedures for each communication medium.

General handling requirements

  Non-sensitive and/or Non-urgent PHI:
    • Active measures are taken to prevent the unauthorized release of information
    • If the patient has notified BRADLEY A. CONNOR, M.D., P.L.L.C. by which means to give PHI, this must be noted in their medical record and adhered to
    • Verification of identity must be attained in accordance with the Identity Verification Policy
    • Document the release in accordance with the Accounting of Disclosures Policy

  Sensitive and/or Urgent Confidential PHI:
    • This information may not be released without a separate signed authorization for releasing this specific information
    • If the patient has notified BRADLEY A. CONNOR, M.D., P.L.L.C. by which means to give PHI, this must be noted in their medical record and adhered to
    • Verification of identity must be attained in accordance with the Identity Verification Policy
    • Document the release in accordance with the Accounting of Disclosures Policy

Risk Impact

  General Public Information: None
  Internal Information: No serious or adverse effect
  Non-sensitive and/or Non-urgent PHI: Could result in adverse impact or have possible penalties applied
  Sensitive and/or Urgent Confidential PHI: Likely to have a serious adverse impact. Penalties are very likely to occur and could result in loss of business

1. Oral Mediums of Communication
    a. Conversations
    b. Telephone
    c. Cell Phone
    d. Answering Machines
    e. Overhead Pages
    f. Lobby Announcements

  General Public Information:
    • No specific precautions

  Internal Information:
    • Reasonable measures should be taken

  Non-sensitive and/or Non-urgent PHI:
    • Conduct PHI discussions in private settings and use lowered voices, avoiding public areas whenever possible
    • If a patient name is needed, use a first-name-only basis (when possible)
    • Do not use a speakerphone for discussion of PHI or retrieval of voice mail (unless in a private, closed office)
    • Limit discussions of PHI using a cell phone. Consider that older cell phones are not secure
    • Pages and announcements are used only to request a call back to the operator

  Sensitive and/or Urgent Confidential PHI:
    • Discuss PHI in a controlled manner to limit being overheard, such as in an enclosed area
    • If a patient name is needed, use a first-name-only basis (when possible)
    • Do not use a speakerphone for discussion of PHI or retrieval of voice mail (unless in a private, closed office)
    • Limit discussions of PHI using a cell phone. Consider that older cell phones are not secure
    • Pages and announcements are used only to request a call back to the operator


2. Mail
    a. Internal
    b. External

  General Public Information:
    • No specific precautions

  Internal Information:
    • Information of this nature should be kept out of general public areas and not be accessible to anyone but employees

  Non-sensitive and/or Non-urgent PHI:
    • Information being sent meets the minimum necessary requirement for disclosure
    • Authorized, trained personnel should handle all mail
    • Clearly label with the recipient’s name and verify that the address information is correct
    • Mailing item is labeled “Confidential”
    • A tracking mechanism is recommended for external mail
    • Store all unattended mail in a closed, secure area
    • Place all types of media containing any form of PHI in secured, confidential envelopes and/or containers (internal & external)
    • The return address on external mail consists of the BRADLEY A. CONNOR, M.D., P.L.L.C. name only. The envelope will not contain the department’s name, the provider’s name (unless this is the name of BRADLEY A. CONNOR, M.D., P.L.L.C.), or the identity of the enclosed information. For tracking purposes, internal codes may be included on envelopes as long as they do not in any way reveal the identity of the department and/or provider to anyone outside of BRADLEY A. CONNOR, M.D., P.L.L.C.

  Sensitive and/or Urgent Confidential PHI:
    • Information being sent meets the minimum necessary requirement for disclosure
    • Authorized, trained personnel should handle all mail
    • Clearly label with the recipient’s name and verify that the address information is correct
    • Mailing item is labeled “Restricted Confidential”
    • If external, a delivery and tracking mechanism is required (FedEx, messenger, certified mail, etc.)
    • Store all unattended mail in a closed, secure area
    • Place all types of media containing any form of PHI in secured, confidential envelopes and/or containers (internal & external)
    • The return address on external mail consists of the BRADLEY A. CONNOR, M.D., P.L.L.C. name only. The envelope will not contain the department’s name, the provider’s name (unless this is the name of BRADLEY A. CONNOR, M.D., P.L.L.C.), or the identity of the enclosed information. For tracking purposes, internal codes may be included on envelopes as long as they do not in any way reveal the identity of the department and/or provider to anyone outside of BRADLEY A. CONNOR, M.D., P.L.L.C.

3. Faxes

  General Public Information:
    • Located in a secure area not accessible by the general public
    • Use a coversheet with a confidentiality statement
    • Use reasonable efforts to dial the correct number
    • When using a means to store fax numbers, verify the number with the receiver

  Internal Information:
    • Located in a secure area not accessible by the general public
    • Use a coversheet with a confidentiality statement
    • Use reasonable efforts to dial the correct number
    • When using a means to store fax numbers, verify the number with the receiver

  Non-sensitive and/or Non-urgent PHI:
    • Located in an area not accessible by the public
    • Coversheet with confidentiality statement used
    • Use reasonable efforts in dialing the correct number (e.g., testing the number before sending PHI), with preference for using pre-programmed, labeled numbers
    • When using a means to store fax numbers, verify the number with the receiver
    • Only personnel with access to the restricted area may access these faxes (review BRADLEY A. CONNOR, M.D., P.L.L.C.’s Minimum Necessary Policy). A trained workforce member routinely checks the fax machine and distributes faxes to the appropriate personnel
    • Faxes transmitted in error: contact the person who received the fax to verify destruction of the fax, and note this in the patient’s medical record. Report the breach to the Privacy Officer
    • Utilize a mechanism to ensure that the transmission went to the intended recipient (fax logs, verification by phone, etc.)
    • If you receive a fax in error, immediately inform the sender and destroy the information received
    • Consider storing faxes in a queue until staffed

  Sensitive and/or Urgent Confidential PHI:
    • Located in an area not accessible by the public
    • Coversheet with confidentiality statement used
    • Use reasonable efforts in dialing the correct number (e.g., testing the number before sending PHI), with preference for using pre-programmed, labeled numbers
    • When using a means to store fax numbers, verify the number with the receiver
    • Call prior to faxing to notify the recipient of the expected confidential fax
    • Information is immediately routed to the appropriate personnel
    • Only personnel with access to the restricted area may access these faxes (review BRADLEY A. CONNOR, M.D., P.L.L.C.’s Minimum Necessary Policy). A trained workforce member routinely checks the fax machine and distributes faxes to authorized personnel
    • Faxes transmitted in error: contact the person who received the fax to verify destruction of the fax, and note this in the patient’s medical record. Report the breach to the Privacy Officer
    • Utilize a mechanism to ensure that the transmission went to the intended recipient (fax logs, verification by phone, etc.)
    • If you receive a fax in error, immediately inform the sender and destroy the information received
    • Consider storing faxes in a queue until staffed

4. E-mail

  General Public Information:
    • E-mails may be used for business purposes only
    • Confidentiality statement attached to every e-mail
    • Out-of-office replies are activated during absences of more than 48 hours

  Internal Information:
    • E-mails may be used for business purposes only
    • Information of this nature should be kept out of general public areas and not be accessible to anyone but employees
    • Confidentiality statement attached to every e-mail
    • Out-of-office replies are activated during absences of more than 48 hours
    • If the information is time-sensitive, verify receipt of the e-mail

  Non-sensitive and/or Non-urgent PHI:
    • Prior to sending an e-mail to a patient, a signed patient E-mail Informed Consent Form is received and filed in the patient’s medical record
    • Utilize BRADLEY A. CONNOR, M.D., P.L.L.C.’s e-mail application at all times
    • 128-bit encryption [§164.312(a)(2)(iv) & §164.312(e)(2)(ii)]
    • Utilize only pre-stored addresses
    • Verify the e-mail address prior to storing the address
    • Use discreet, generic subject headers. Do not include the patient’s name in the subject header
    • List the sender’s name, title, e-mail address, telephone number, and the party whom the patient may contact with further questions
    • Attach the confidentiality statement to every e-mail
    • Group e-mails will only be sent in the following situations, and only when utilizing the BCC function: impending shutdown for network maintenance, technical difficulties, recent mail blackouts, new services, change of address and/or telephone number, and change in hours
    • If the information is time-sensitive, verify receipt of the e-mail
    • A workforce member routinely checks e-mails and replies to messages within 48 hours of receipt
    • A copy of the e-mail, including replies and receipt confirmations, is filed in the patient’s medical record
    • Out-of-office replies with instructions on whom to contact for immediate assistance are activated during absences of more than 48 hours
    • If PHI was sent to the wrong recipient, notate and document this in the patient’s medical record. Report the breach to the Privacy Officer

  Sensitive and/or Urgent Confidential PHI:
    • Prior to sending an e-mail to a patient, a signed patient E-mail Informed Consent Form is received and filed in the patient’s medical record
    • Utilize BRADLEY A. CONNOR, M.D., P.L.L.C.’s e-mail application at all times
    • 128-bit encryption [§164.312(a)(2)(iv) & §164.312(e)(2)(ii)]
    • Utilize only pre-stored addresses
    • Verify the e-mail address prior to storing the address
    • Use discreet, generic subject headers. Do not include the patient’s name in the subject header
    • List the sender’s name, title, e-mail address, telephone number, and the party whom the patient may contact with further questions
    • Attach the confidentiality statement to every e-mail
    • Group e-mails will only be sent in the following situations, and only when utilizing the BCC function: impending shutdown for network maintenance, technical difficulties, recent mail blackouts, new services, change of address and/or telephone number, and change in hours
    • If the information is time-sensitive, verify receipt of the e-mail
    • A workforce member routinely checks e-mails and replies to messages within 48 hours of receipt
    • A copy of the e-mail, including replies and receipt confirmations, is filed in the patient’s medical record
    • Out-of-office replies with instructions on whom to contact for immediate assistance are activated during absences of more than 48 hours
    • If PHI was sent to the wrong recipient, notate and document this in the patient’s medical record. Report the breach to the Privacy Officer

5.      PDAs

·         No specific precautions

·         Information of this nature should be kept out of general public areas and not be accessible to anyone but employees

·         Password protection required; limit the number of login attempts

·         128-bit encryption [§164.312(a)(2)(iv) & §164.312(e)(2)(ii)]

·         Antivirus software should be in place

·         Train each staff member in possession of a PDA on what to do if the PDA is lost or stolen

·         Provide disaster recovery mechanisms

·         If the information is not required to travel offsite or is not in use, store the PDA in a locked area that is out of sight

·         Information contained in BRADLEY A. CONNOR, M.D., P.L.L.C.’s system may only be downloaded onto a PDA owned by BRADLEY A. CONNOR, M.D., P.L.L.C., not onto a user’s personal PDA

6.      Transporting Medical Records

·         No specific precautions

·         Information of this nature should be kept out of general public areas and not be accessible to anyone but employees

·         Utilize courier bags with a closure mechanism (i.e., Velcro, taped, tote with a lid, etc.)

·         Documentation (sign-out sheet or tracking sheet) for all medical records that leave the facility. The form should record the date, who took the medical record, the destination, who received the medical record, and the return date.

·         Medical records are to be promptly returned upon completion of use.

·         Utilize BRADLEY A. CONNOR, M.D., P.L.L.C.’s courier service whenever possible. A cab or delivery service is used only as a last resort. If a cab or delivery service is used, place the medical record in a sealed envelope or container. Ask the receiver to contact the sender as soon as the chart arrives at the proper destination

References

  • 45 CFR §164.306
  • 45 CFR §164.312(a)(2)(iv)
  • 45 CFR §164.312(e)(2)(ii)
  • 45 CFR §164.501
  • 45 CFR §164.502
  • 45 CFR §164.508
  • 45 CFR §164.514 (d-f, h)
  • 45 CFR §164.520(b)(1)(iii)(A)
  • 45 CFR §164.522(a-b)
  • 45 CFR §164.528
  • 45 CFR §164.530(c)(1)

Company Name:

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

Policy Name:

Fundraising and PHI

Policy Number:

Privacy 6.0

Effective Date:

08/15/2018

 

Responsible for Review:

Marina Rogova, RN

Review Date:

08/15/2019

Synopsis of Policy:  HIPAA Regulation: §164.514(f)(1) Fundraising and PHI

 

A covered entity may use and disclose protected health information of an individual without the individual’s authorization to raise funds for its own benefit if it meets certain criteria:

♦ The information used or disclosed must be limited to demographic information related to an individual and the dates of health care provided to an individual;

♦ If the institution is not doing the fundraising in-house, it can only disclose the information to a business associate or an institutionally-related foundation;

♦ The covered entity must specifically note that it uses information for fundraising purposes in its notice of privacy practices;

♦ Any fundraising materials must include a description of how the individual can opt-out of future fundraising communications; and

♦ The covered entity must make reasonable efforts to ensure that an individual who has exercised his or her opt-out rights does not receive further fundraising materials.

Because fundraising is included in the definition of “health care operations,” an individual has the right to request in advance that a covered entity restrict uses and disclosures for such purposes. However, the covered entity is under no obligation to agree to such a restriction.

Full Policy Language:

 

[ORGANIZATION] will comply with state and federal privacy laws while conducting fundraising activities. “Fundraising” encompasses the activities specified in 45 CFR §164.514(f)(1).

 

[ORGANIZATION]’s fundraising activities protect the privacy of Protected Health Information (PHI) and will include obtaining a written authorization to use or disclose PHI when required by state or federal law. [ORGANIZATION] will include in any fundraising materials it sends to patients a description of how to opt-out of receiving further fundraising communications.

 

Procedures

 

  1. [ORGANIZATION] will obtain an authorization from the patient to use or disclose PHI for fundraising activities when required by state or federal privacy laws. However, limited PHI (including a patient’s demographic information and dates of service) may be used or disclosed to accomplish limited fundraising activities (including uses or disclosures to a business associate or to an institutionally-related foundation for the purpose of raising funds for [ORGANIZATION]) without patient authorization. Fundraising activities constitute “health care operations.” Under HIPAA, disclosures for health care operations are permitted without patient authorization.

  2. [ORGANIZATION]’s Notice of Privacy Practices will include a statement that the patient’s PHI will not be used for fundraising activities unless the patient provides an authorization for the fundraising activity.

  3. Even when an authorization has been obtained for fundraising activities, [ORGANIZATION]’s fundraising communication must include a statement informing the recipient that he or she may opt out of future fundraising communications or revoke the authorization relating to these activities, and a description of how to do so.

  4. [ORGANIZATION]’s Fundraising Department will maintain a log of all patients and others who have revoked the fundraising authorization or opted out of receiving future fundraising communications.

  5. [ORGANIZATION] will not send any further fundraising information upon receipt of written notification that the patient’s fundraising authorization has been revoked.

  6. [ORGANIZATION] will make reasonable efforts to ensure that individuals who decide to opt out of receiving future fundraising communications are not sent any further fundraising communications.

 

Applicable Regulations:

  • 45 CFR § 164.514(f)(1)
  • 45 CFR §164.501, Section 6(v) of the Definition

AUTHORIZED BY: ____________________________________

Company Name:

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

Policy Name:

Patient Right to Request Confidential Communications

Policy Number:

Privacy 7.0

Effective Date:

08/15/2018

 

Responsible for Review:

Marina Rogova, RN

Review Date:

08/15/2019

Synopsis of Policy:  HIPAA Regulation: §164.502(c), §164.502(h), §164.522(a), §164.522(b) Rights to Request Restrictions on Information and Confidential Communications

An individual may request that BRADLEY A. CONNOR, M.D., P.L.L.C.  restrict its uses and disclosures of PHI to carry out treatment, payment, or health care operations. BRADLEY A. CONNOR, M.D., P.L.L.C.  is not required to agree to this restriction. If, however, BRADLEY A. CONNOR, M.D., P.L.L.C.  does agree to the restriction, it is bound by its agreement.

 

BRADLEY A. CONNOR, M.D., P.L.L.C. must accommodate reasonable requests by individuals to receive communications of PHI by alternative means or at an alternative location. A health plan must accommodate such reasonable requests if the individual clearly states that disclosure of all or part of the PHI would endanger the individual.

Full Policy Language:

 

Patients/Individuals have the right to request restrictions on how and where their Protected Health Information (PHI) is communicated. To comply with HIPAA Privacy Rule §164.502 and §164.522(b) regarding confidential communications, BRADLEY A. CONNOR, M.D., P.L.L.C.  must permit patients/individuals to request to receive communications of PHI by alternative means or at alternative locations.

 

Procedures

 

  1. BRADLEY A. CONNOR, M.D., P.L.L.C. may require that patient/individual requests to receive communications of PHI by alternative means or at alternative locations be made in writing. Writing requirements are detailed in the Notice of Privacy Practices.

  2. Patients/Individuals may request to receive communications of PHI by alternative means or at alternative locations at the time of admission, at a visit, or at any time during the course of their care.

  3. Patient/Individual requests may be made to any member of BRADLEY A. CONNOR, M.D., P.L.L.C.’s staff.

  4. When patients/individuals make a request, either formally or informally, the staff member receiving the request should document it in writing.

  5. BRADLEY A. CONNOR, M.D., P.L.L.C. must accommodate patient/individual requests that are reasonable.

  6. BRADLEY A. CONNOR, M.D., P.L.L.C. must accommodate patient/individual requests that are reasonable if the patient/individual states that the disclosure of PHI could endanger him or her.

  7. BRADLEY A. CONNOR, M.D., P.L.L.C. determines whether a request is “reasonable” based solely on the administrative difficulty of accommodating the request. BRADLEY A. CONNOR, M.D., P.L.L.C. should establish policies and procedures to determine whether a request is “reasonable.”

  8. BRADLEY A. CONNOR, M.D., P.L.L.C. may not require that patients/individuals provide a reason for their request.

  9. BRADLEY A. CONNOR, M.D., P.L.L.C. may require that requests contain a statement that disclosure of PHI could endanger the patient/individual. (The statement can be oral or written. Staff could ask patients/individuals if disclosure of PHI could put them in danger, or patients/individuals could fill out a request form that contains a checkbox question about possible endangerment due to PHI disclosure.)

  10. BRADLEY A. CONNOR, M.D., P.L.L.C. may not deny requests based on its perception of whether patients/individuals have a good reason for making the request. A patient’s/individual’s reason for making a request cannot be used to determine whether the request is reasonable.

  11. BRADLEY A. CONNOR, M.D., P.L.L.C. may deny patient/individual requests if:
    1. The patient/individual does not specify an alternative address or other method of contact; and
    2. The patient/individual does not provide information as to how payment, if applicable, will be handled.

  12. If BRADLEY A. CONNOR, M.D., P.L.L.C. grants a patient’s/individual’s request, the decision must be documented by maintaining a written or electronic record of the action taken.

  13. If BRADLEY A. CONNOR, M.D., P.L.L.C. grants a patient’s/individual’s request, it provides appropriate staff with the communication requirements and requires staff to adhere to them.

AUTHORIZED BY:

Company Name:

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

Policy Name:

Incident Response and Reporting

Policy Number:

Privacy 8.0

Effective Date:

08/15/2018

 

Responsible for Review:

Marina Rogova, RN

Review Date:

08/15/2019

Synopsis of Policy: HIPAA Regulation: §164.308(a)(6)(i) Security incident procedures;  §164.308(a)(6)(ii) Response and reporting

 

The purpose of this policy is to formalize the response to, and reporting of, security incidents. This includes identification and response to suspected or known security incidents, the mitigation of the harmful effects of known or suspected security incidents to the extent possible, and the documentation of security incidents along with their outcomes. It is imperative that a formal reporting and response policy be followed when responding to security incidents.

Full Policy Language:

 

Policy Description:

 

BRADLEY A. CONNOR, M.D., P.L.L.C.  shall employ tools and techniques to monitor events, detect attacks, and provide identification of unauthorized use of the systems that contain Electronic Protected Health Information (ePHI).

 

Reporting

  1. All security incidents, threats, or violations that affect or may affect the confidentiality, integrity, or availability of ePHI shall be reported and responded to promptly.

  2. Incidents that shall be reported include, but are not limited to:
    1. Virus, worm or other malicious code attacks;
    2. Network or system intrusions;
    3. Persistent intrusion attempts from a particular entity;
    4. Unauthorized access to ePHI, an ePHI-based system, or an ePHI-based network;
    5. ePHI data loss due to disaster, failure, error, or theft;
    6. Loss of any electronic media that contains ePHI;
    7. Loss of the integrity of ePHI; and
    8. Unauthorized person found in BRADLEY A. CONNOR, M.D., P.L.L.C.’s facility.

  3. [ORGANIZATION]’s Compliance Officers shall be notified immediately of any suspected or real security incident. If it is unclear whether a situation is a security incident, the Compliance Officers shall be contacted to evaluate the situation.

 

Response and Resolution

  1. The Compliance Officers shall track the incident. The Compliance Officers shall determine if a report of the incident shall be forwarded to the Department of Health and Human Services (HHS). Compliance Officers are the only employees that can resolve an incident. The Compliance Officers shall evaluate the report to determine if an investigation of the incident is necessary. The Compliance Officers shall determine if Counsel, Law Enforcement, Human Resources, or BRADLEY A. CONNOR, M.D., P.L.L.C.’s Communication and Media Office is to be contacted regarding the incident.

 

Logging

  1. All HIPAA security-related incidents and their outcomes shall be logged and documented by the Compliance Officers.

  2. All incidents will be reviewed and investigated. If the breached PHI has been compromised (unauthorized individuals have received and viewed the PHI), the breach will be reported to HHS at http://ocrnotifications.hhs.gov/. BRADLEY A. CONNOR, M.D., P.L.L.C. and its Compliance Officers will record all incidents and retain the incident reports for six years.

  3. BRADLEY A. CONNOR, M.D., P.L.L.C. shall train personnel in their incident response roles and responsibilities and provide refresher training as needed. BRADLEY A. CONNOR, M.D., P.L.L.C. shall test the incident response capability at least annually, using tests and exercises to determine its effectiveness.

 

Policy Responsibilities:

 

Report violations of this policy to BRADLEY A. CONNOR, M.D., P.L.L.C.  Compliance Officers.

 

Workforce Members

  1. Workforce members are responsible for promptly reporting any security-related incidents to the IT help desk.

 

IT Help Desk

  1. The IT Help Desk documents all security incidents.

 

Compliance Officers

  1. The Compliance Officers responsible for determining whether an incident requires further investigation are [Insert Compliance Officers’ Names]. BRADLEY A. CONNOR, M.D., P.L.L.C.’s Security Officer and BRADLEY A. CONNOR, M.D., P.L.L.C.’s Privacy Officer shall determine whether corrective actions should be implemented. The Compliance Officers are responsible for documenting the investigations and any corrective actions. The Compliance Officers are responsible for maintaining all documentation of security breaches for six years.

 

Procedures

 

  1. BRADLEY A. CONNOR, M.D., P.L.L.C. shall submit all new and revised procedures to the Compliance Officers for approval and ongoing evaluation. Any procedures developed by BRADLEY A. CONNOR, M.D., P.L.L.C.  shall be consistent with BRADLEY A. CONNOR, M.D., P.L.L.C.  HIPAA policies and not deviate from the BRADLEY A. CONNOR, M.D., P.L.L.C.

 

Definitions

 

Covered Entity: A health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a HIPAA transaction.

 

Business Associate:  Any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.). Furthermore, it is any person or organization who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.

ePHI: Electronic Protected Health Information means individually identifiable health information:

  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.

AUTHORIZED BY:

 

Company Name:

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

Policy Name:

Identity Verification

Policy Number:

Privacy 9.0

Effective Date:

08/15/2018

 

Responsible for Review:

Marina Rogova, RN

Review Date:

08/15/2019

Synopsis of Policy: HIPAA Regulation: §164.514(h) (1) Identity Verification Requirements

 

Prior to any disclosure of protected health information (PHI) permitted by state or federal law, BRADLEY A. CONNOR, M.D., P.L.L.C.  will verify the identity of a requesting party and the authority of any such party to have access to said information. BRADLEY A. CONNOR, M.D., P.L.L.C.  will obtain proper identification of all individuals, including patients, prior to allowing access to protected health information.

 

BRADLEY A. CONNOR, M.D., P.L.L.C. will maintain patient confidentiality by obtaining identity verification of persons requesting the use and/or disclosure of protected health information as per the HIPAA standard §164.514(h)(1).

Full Policy Language:

 

Policy

 

BRADLEY A. CONNOR, M.D., P.L.L.C.  will maintain patient confidentiality by obtaining identity verification of persons requesting the use and/or disclosure of protected health information as per the HIPAA standard §164.514(h)(1).

 

Procedures

 

  • Verification of Identity:
  1. BRADLEY A. CONNOR, M.D., P.L.L.C. will verify the identity of a person requesting protected health information and the authority of the person to have access if the identity or authority is not known to BRADLEY A. CONNOR, M.D., P.L.L.C. Although HIPAA does not require verification of individuals in instances where the patient provides access to others by agreement, good policy would dictate a simplified verification of identity.
  2. Verification of identity and authority will include obtaining documentation, statements, or representations, either oral or written, from the requester.
  • Verify the identity of persons requesting any protected health information prior to allowing access to it by following one of the verification steps outlined below. Note that these are only guidelines for verification and do not represent guidelines related to the documentation required from the requester to access the information (e.g. authorization required/not required). Also, although telephone verification is included as a category and guidelines for verification relating to this type of request are included, verification by phone is difficult and may present a risk of unauthorized disclosure.
  • After verifying the identity and authority of the person, refer to the Access Policies to determine access rights to the requested protected health information.
  • Consult BRADLEY A. CONNOR, M.D., P.L.L.C.’s Privacy Officer before making any disclosure if uncertain whether or not sufficient verification has been obtained.

Person to Identify: Attorney

§  In-Person Encounter: Presents with business card and photo identification (i.e. driver’s license or organization ID badge).

§  Telephone Encounter: It would be difficult to verify identity and authority by phone. Verification in person or in writing may be required.

§  Request in Writing (fax, mail, hand-delivered): Supplies business card, photo identification (i.e. driver’s license or organization ID badge), or letterhead. A confirmatory phone call regarding the requester may be required.

Person to Identify: Patient

§  In-Person Encounter: Patient provides name, address, and date of birth and/or social security number; or the staff member is acquainted with the patient.

§  Telephone Encounter: Patient provides name, address, and date of birth and/or social security number; or the staff member is acquainted with the patient.

§  Request in Writing (fax, mail, hand-delivered): Patient provides name, address, and date of birth and/or social security number. Next, verify the patient’s signature against the signature on file or on the driver’s license.

Person to Identify: Personal Representative (Legal Guardian) for the Patient

§  In-Person Encounter: Personal Representative provides the patient’s name, address, and date of birth and/or social security number, and verifies (via appropriate legal documentation) his or her own relationship to the patient; or the staff member is acquainted with the personal representative as being such.

§  Telephone Encounter: Personal Representative provides the patient’s name, address, and date of birth and/or social security number, and verifies (via appropriate legal documentation) his or her own relationship to the patient; or the staff member is acquainted with the personal representative as being such.

§  Request in Writing (fax, mail, hand-delivered): Personal Representative provides the patient’s name, address, and date of birth and/or social security number. Next, verify the personal representative’s signature against the signature on file or on the driver’s license.

 

The included grid is provided as a guideline for establishing a verification procedure in a variety of scenarios. There is no statutory requirement for how verification must be accomplished. It is at the discretion of the covered entity to determine how the requirement of verification of identity and authority may best be met. It is important to implement procedures that prevent unauthorized access.

 

References:

  • 45 CFR §164.512(h).

AUTHORIZED BY:

Company Name:

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

110 East 55th Street, 16th Floor

New York, NY 10022

Policy Name:

Judicial and Administrative Proceedings

Policy Number:

Privacy 10.0

Effective Date:

08/15/2018

 

Responsible for Review:

Marina Rogova, RN

Review Date:

08/15/2019

Synopsis of Policy: HIPAA Regulation: §164.512(e) Use and Disclosure of PHI for Judicial and Administrative Proceedings

 

To ensure that BRADLEY A. CONNOR, M.D., P.L.L.C.’s employees understand when and how to disclose a patient’s personal health information (PHI) in relation to judicial and administrative proceedings.

 

There may be instances where a patient is involved with a legal proceeding, either conducted by a court of law, such as a state trial or federal district court, or a government agency such as the Department of Health and Family Services or the federal Centers for Medicare & Medicaid Services.

 

In these legal proceedings, lawyers, judges, and others involved with the proceeding may contact BRADLEY A. CONNOR, M.D., P.L.L.C. to access the patient’s PHI. Examples of health information these proceedings may require include information about a certain medical procedure the patient underwent, to determine whether the procedure is covered under a health plan or the outcome of that procedure; results of blood or genetic tests in child custody or similar proceedings; medical records that document disabling conditions in discrimination cases; or health information that documents serious illnesses for conflicts pertaining to medical leave. These are only some examples of cases where health information may be sought in judicial or administrative proceedings; there are likely many more situations where PHI may be requested to be released.

Full Policy Language:

 

BRADLEY A. CONNOR, M.D., P.L.L.C.  may disclose PHI in the course of any judicial or administrative proceeding:

  1. In response to an order from a court or administrative tribunal; and
  2. In response to a subpoena, discovery request, or other lawful process that is not accompanied by an order of a court or administrative tribunal.

 

Procedure for disclosing PHI in response to a court/administrative order:

 

If BRADLEY A. CONNOR, M.D., P.L.L.C.  receives an order from a court or administrative judge, then release only the PHI which the order expressly authorized to be disclosed.

 

Procedure for disclosing PHI in response to a subpoena, discovery request or other lawful process (other than a court order):

 

BRADLEY A. CONNOR, M.D., P.L.L.C. may only release PHI in such instances if at least one of the following three events has occurred:

  1. BRADLEY A. CONNOR, M.D., P.L.L.C. may release PHI if it receives written “satisfactory assurance” from the party requesting the information that reasonable efforts have been made by such party to ensure that the patient who is the subject of the PHI has been given notice of the request.
    1. “Satisfactory assurance” that the requesting party has tried to notify the patient of the PHI request means that the requesting party has given BRADLEY A. CONNOR, M.D., P.L.L.C. a written statement and accompanying documentation demonstrating that:
      1. The requesting party has made a good faith attempt to provide written notice to the patient (if the patient’s location is unknown, documentation showing that a notice was mailed to the patient’s last known address);
      2. The notice provided by the requesting party to the patient contained enough information to allow the patient to make an informed objection to the court or administrative tribunal regarding the release of the patient’s PHI; and
      3. The time for the patient to raise objections to the court or administrative tribunal has passed and either no objections were filed, or all objections filed by the patient have been resolved and the disclosures being sought are consistent with the court’s resolution.
  2. BRADLEY A. CONNOR, M.D., P.L.L.C. may also release PHI to a requesting party if it receives written satisfactory assurance from the requesting party that reasonable efforts have been made by such party to secure a qualified protective order. A qualified protective order is an order of a court or administrative tribunal, or a stipulation by the parties to the proceeding, that prohibits the parties from using or disclosing PHI for any purpose other than the proceeding for which the information was requested and requires the parties to return the PHI (including all copies made) to BRADLEY A. CONNOR, M.D., P.L.L.C. at the end of the proceeding.
    1. “Satisfactory assurance” in this instance means that BRADLEY A. CONNOR, M.D., P.L.L.C. has received from the requesting party a written statement and accompanying documentation demonstrating that:
      1. The parties to the dispute giving rise to the request for PHI have agreed to a qualified protective order and have presented it to a court or administrative tribunal with jurisdiction over the dispute; or
      2. The requesting party has asked for a qualified protective order from such court or administrative tribunal.
  3. We may release PHI to a requesting party even without satisfactory assurance from that party if we, BRADLEY A. CONNOR, M.D., P.L.L.C., either:
    1. Make reasonable efforts to provide notice to the patient about releasing his or her PHI, so long as the notice meets all of the following requirements:
      1. The notice is written and given to the patient (if the patient’s location is unknown, we should establish documentation showing that a notice was mailed to the patient’s last known address);
      2. The notice contains enough information to allow the patient to make an informed objection to the court or administrative tribunal regarding the release of the patient’s PHI; and
      3. The time for the patient to raise objections to the court or administrative tribunal has lapsed and either no objections were filed, or all objections filed by the patient have been resolved and the disclosures being sought are consistent with the court’s resolution; or
    2. Seek a qualified protective order from the court or administrative tribunal or convince the parties to stipulate to such an order.

 

References:

 

  • 45 CFR §164.512(e)

AUTHORIZED BY:

Company Name:

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

Policy Name:

Use and Disclosures for Marketing

Policy Number:

Privacy 11.0

Effective Date:

08/15/2018

 

Responsible for Review:

Marina Rogova, RN

Review Date:

08/15/2019

Synopsis of Policy: HIPAA Regulation: §164.514 (e)(3) Use and Disclosures for Marketing

 

It is the policy of BRADLEY A. CONNOR, M.D., P.L.L.C. to secure an authorization to use or disclose protected health information (PHI) for marketing purposes in compliance with the Privacy Rule of the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996, §164.514 (e)(3).

Full Policy Language:

 

It is the policy of BRADLEY A. CONNOR, M.D., P.L.L.C.  to secure an authorization to use or disclose protected health information (PHI) for marketing purposes in compliance with the Privacy Rule of the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996, §164.514 (e)(3).

 

Definition:

  1. Per §164.501, marketing is defined as:
    1. To make a communication about a product or service that encourages the recipients of the communication to purchase or use the product or service; or
    2. An arrangement involving a covered entity whereby PHI is disclosed by the covered entity in exchange for direct or indirect remuneration, so that the other entity or affiliate can make a communication that encourages the purchase or use of its own product or service.

 

  2. The following are examples of situations that do not meet the definition of marketing:
    1. Communications that merely promote good health and are not about a specific product or service do not meet the definition of “marketing.” Examples include: mailings reminding women to get an annual mammogram; information about how to lower cholesterol; mailings about new developments in health care; new diagnostic tools; or upcoming health or “wellness” classes, support groups, and health. These are permitted and are not considered marketing.
    2. Communications about government-sponsored programs do not fall within the definition of marketing. There is no commercial component to communications about benefits available through public programs. BRADLEY A. CONNOR, M.D., P.L.L.C. is permitted to use/disclose PHI to communicate about eligibility for Medicare supplement benefits or SCHIP.
    3. BRADLEY A. CONNOR, M.D., P.L.L.C. may make communications in newsletter format without authorization so long as their content does not fit the definition of “marketing.”

 

Exceptions to the Scope of Marketing Activities Where Authorization is Not Needed:

 

  1. Marketing does not include:
    1. Oral or written communications that describe BRADLEY A. CONNOR, M.D., P.L.L.C.’s network or covered services;
    2. Communications about treatment for the patient; or
    3. Communications about case management or care coordination, or recommendations of treatment alternatives and care options, including health care providers or settings of care.

 

  2. The following are examples of these exceptions:
    1. BRADLEY A. CONNOR, M.D., P.L.L.C. can convey information to beneficiaries and members about health insurance products offered by BRADLEY A. CONNOR, M.D., P.L.L.C. that could enhance or substitute for existing health plan coverage. For example, if a child is about to age out of coverage under a family’s policy, this provision will allow the plan to send the family information about continuation coverage for the child. This does NOT extend to excepted benefits such as accident-only policies or to other lines of insurance.
    2. Doctors can write a prescription or refer an individual to a specialist for follow-up tests because these are communications about treatment.

 

Procedure for Authorization to Use or Disclose PHI for Marketing Purposes:

 

  1. BRADLEY A. CONNOR, M.D., P.L.L.C. will obtain an authorization for any use or disclosure of PHI for marketing, except if the communication is in the form of:
    1. Face-to-face communication with the patient; or
    2. A promotional gift of nominal value provided by BRADLEY A. CONNOR, M.D., P.L.L.C.

 

  2. If the marketing involves BRADLEY A. CONNOR, M.D., P.L.L.C. receiving direct or indirect remuneration from a third party, the authorization will state that such remuneration is involved.

 

  3. The following is an explanation of situations that require authorization:
    1. The Notice of Proposed Rule Making (NPRM) clearly states that nothing in the Final Rule will permit BRADLEY A. CONNOR, M.D., P.L.L.C. to sell lists of patients or enrollees to third parties, or to disclose PHI to a third party for the independent marketing activities of the third party. For example, a pharmaceutical company cannot pay a provider for a list of patients with a particular condition, or taking a particular medication, and then use that list to market its own drug products directly to patients.

 

 

References:

 

  • 45 CFR §164.501 and §164.508(a)(3)

AUTHORIZED BY:

 

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

110 East 55th Street, 16th Floor

New York, NY 10022

 

 

Company Name:

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

Policy Name:

Minimum Necessary

Policy Number:

Privacy 12.0

Effective Date:

08/15/2018

 

Responsible for Review:

Marina Rogova, RN

Review Date:

08/15/2019

Synopsis of Policy: HIPAA Regulation: §164.502(b)(1), §164.514(d)(3), §164.524(a) Minimum Necessary

 

The purpose of the Minimum Necessary Policy is to provide guidance on the “minimum necessary” standard for Protected Health Information (PHI) that may be disseminated, as required by the HIPAA Privacy Regulations. Minimum necessary is the practice of releasing only the information that is requested or necessary to fulfill a request.

 

This Policy establishes guidelines to implement the minimum necessary standard and to determine how the standard affects the use, disclosure, and request of PHI. The policy and procedures describe generalized practices that apply to organizations of different sizes. For organizations that have only a small number of employees disclosing or handling PHI, some of the policies and procedures in this document may not be necessary.

Full Policy Language:

 

Definition

 

“Minimum Necessary” is the process that is defined in HIPAA regulation as: When using or disclosing protected health information or when requesting protected health information from another covered entity, a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

 

Policy

 

It is BRADLEY A. CONNOR, M.D., P.L.L.C.’s policy to ensure the privacy and security of Protected Health Information (PHI) by limiting the use and disclosure of PHI to what is minimum or reasonably necessary to accomplish the intended purpose in the following three areas:

  1. Uses and disclosures of PHI by BRADLEY A. CONNOR, M.D., P.L.L.C. workforce/staff;
  2. Uses and disclosures made in response to requests for PHI from other organizations; and
  3. Uses and disclosures when requesting PHI from other organizations.

This standard applies to all PHI, regardless of its form, character, or medium, including but not limited to electronic, digital, film, tape, paper, or verbal.

 

The HIPAA minimum necessary standard does not apply to the following five circumstances:

  1. Disclosures to, or requests by, a health care provider for treatment;
  2. Uses or disclosures made to the individual, as permitted in the HIPAA regulations:
    1. An individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set (see the policy and procedure regarding Designated Record Sets), except for:
      1. Psychotherapy notes;
      2. Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; and
      3. Protected health information maintained by BRADLEY A. CONNOR, M.D., P.L.L.C. that is:
        1. Subject to the Clinical Laboratory Improvements Amendments of 1988, 42 U.S.C. 263a, to the extent the provision of access to the individual would be prohibited by law; or
        2. Exempt from the Clinical Laboratory Improvements Amendments of 1988, pursuant to 42 CFR 493.3(a)(2).
  3. Uses or disclosures made pursuant to an authorization;
  4. Disclosures made to the Secretary of the Department of Health and Human Services (HHS);
  5. Uses or disclosures as required by law, as outlined in §164.512(a), (c), (e), and (f); and
  6. Uses or disclosures that are required for compliance with this rule.

 

Procedures

 

  1. Routine and Non-routine Disclosures and Requests: BRADLEY A. CONNOR, M.D., P.L.L.C. must distinguish routine or recurring disclosures and requests from non-routine or non-recurring disclosures and requests:
    1. Routine Disclosures: These are disclosures of PHI made to another entity or requests for PHI made by BRADLEY A. CONNOR, M.D., P.L.L.C. on a routine or recurring basis. For such disclosures or requests:
      1. BRADLEY A. CONNOR, M.D., P.L.L.C. must implement policies and procedures that limit the amount of PHI disclosed or requested to the amount reasonably necessary to achieve the purpose of the disclosure or request.
      2. BRADLEY A. CONNOR, M.D., P.L.L.C. should consider discussing the minimum necessary standard with the organization responsible for major requests or disclosures to negotiate mutually agreeable disclosures. In this regard, the organizations involved should address:
        1. The types of protected health information to be disclosed;
        2. The types of persons who would receive the protected health information;
        3. The conditions that would apply to such access; and
        4. Standards for disclosures to routinely hired types of business associates (e.g., for medical transcription).
    2. Non-routine Disclosures: These are disclosures made occasionally. BRADLEY A. CONNOR, M.D., P.L.L.C. needs to determine criteria to limit PHI to what is reasonably necessary to accomplish the purpose of the disclosure. Non-routine requests are evaluated on a case-by-case basis in accordance with the criteria developed by BRADLEY A. CONNOR, M.D., P.L.L.C. to ensure minimum necessary. To do so, BRADLEY A. CONNOR, M.D., P.L.L.C. will:
      1. Develop reasonable criteria to limit the amount of information disclosed to the minimum necessary to accomplish the purpose of the disclosure; and
      2. Use these criteria to review these disclosures on an individual basis.
  2. Applying the Minimum Necessary Standard to PHI from Other Organizations: BRADLEY A. CONNOR, M.D., P.L.L.C. may rely on the judgment of the party requesting the disclosure as to the minimum necessary amount of information needed when the request is made by:
    1. A public official or agency for which a disclosure is permitted under §164.512 of the Privacy Rule (uses and disclosures for which consent, authorization, or opportunity to agree or object is not required);
    2. Another covered entity (e.g., health care provider, clinic, health plan, etc.);
    3. A professional who is a workforce member or business associate of BRADLEY A. CONNOR, M.D., P.L.L.C., if the professional states that the amount requested is the minimum necessary; or
    4. A researcher with appropriate documentation from an institutional review board or privacy board.

A party requesting the “entire medical record” must specifically justify the request as the minimum or reasonable amount necessary to meet the needs of the request (e.g., transfer of care, medical history of a longstanding condition, etc.) before BRADLEY A. CONNOR, M.D., P.L.L.C. will disclose the PHI.

  3. Applying the Minimum Necessary Standard When Requesting PHI from Other Organizations: BRADLEY A. CONNOR, M.D., P.L.L.C. must limit its requests for PHI to the minimum or reasonable amount necessary to accomplish the purpose of the request.

Upon issuing a request for the “entire medical record,” BRADLEY A. CONNOR, M.D., P.L.L.C. must specifically justify the request as the minimum or reasonable amount necessary to accomplish the purpose of the request (e.g., transfer of care, medical history of a longstanding condition, etc.).

  4. Applying the Minimum Necessary Standard to the BRADLEY A. CONNOR, M.D., P.L.L.C. Workforce:
    1. For uses of PHI that require access by the BRADLEY A. CONNOR, M.D., P.L.L.C. workforce, BRADLEY A. CONNOR, M.D., P.L.L.C. must identify:
      1. The person or classes of persons in the workforce who need access to PHI;
      2. The category or categories of PHI to which access is needed; and
      3. Any conditions appropriate to such access.

 

  5. BRADLEY A. CONNOR, M.D., P.L.L.C. must have in place a process to determine the appropriate scope of the individual’s access to PHI, which includes:
    1. An assessment of the individual’s appropriate access to PHI performed by the responsible department director/supervisor and based on:
      1. Job description/position scope;
      2. Need to know;
      3. Patient care needs; and
      4. Administrative needs.
    2. Completion of an access request form and/or agreement form by the individual and the individual’s director/supervisor.
    3. Education and review conducted by the individual’s director/supervisor, which covers the individual’s responsibilities related to access and includes the minimum necessary standard, confidentiality, security, and the consequences of inappropriate access to PHI or breach of patient confidentiality.

 

  6. BRADLEY A. CONNOR, M.D., P.L.L.C. should carry out periodic reviews of access levels (if BRADLEY A. CONNOR, M.D., P.L.L.C. is a small organization, this may not be necessary due to its small staff) to determine:
    1. Changes in staff member position or scope of responsibilities; and
    2. Changes in information available through information components.

 

  7. BRADLEY A. CONNOR, M.D., P.L.L.C. must make reasonable efforts to limit the individual’s access to the PHI that is necessary to carry out their duties, on a “need-to-know” basis. Individuals with unrestricted access to PHI are limited to accessing information for which they are responsible for providing treatment or carrying out related operational duties (e.g., quality audits, infection control monitoring, risk management activities, utilization review, etc.).

 

  8. Requests for access to PHI not routinely covered in the scope of the individual’s position shall be reviewed by leadership (e.g., privacy officer, administration, HIM/IT director, etc.) to determine the nature of the request and the benefit of access. Access may be granted on a limited basis and time frame to accommodate the duration of the project. Examples of special requests might include:
    1. Research projects;
    2. Grant applications;
    3. Needs assessments;
    4. Staff performance appraisal and monitoring; or
    5. JCAHO monitoring and evaluation.
  9. BRADLEY A. CONNOR, M.D., P.L.L.C. should periodically monitor access to determine the appropriateness of staff review of PHI. Tracking incidents of unauthorized access will increase the security of patients’ health information and decrease the risk of privacy violations. Methods for auditing access might include:
    1. Conducting random spot-checks of patients to determine appropriateness of access;
    2. Using exception reports to determine time of access, length of access, and access to “confidential” or “VIP” patient PHI;
    3. Reviewing “role-based” access by position and unit of assignment within BRADLEY A. CONNOR, M.D., P.L.L.C.; or
    4. Reviewing requests for and access to “hard copy” patient records.

 

  10. Departments that are responsible for the administration of department-specific modules or information systems, such as medication administration or dictation access, must also periodically monitor access to determine the appropriateness of staff access to PHI.
  11. Position transfers that may involve different levels of access to PHI must be reviewed to determine the appropriate new scope of access. This review should be carried out by the Security Officer.
  12. Corrective Action: Upon determination of inappropriate or unauthorized access to PHI by a staff member, BRADLEY A. CONNOR, M.D., P.L.L.C. must determine the appropriate corrective action for the misconduct. Please refer to BRADLEY A. CONNOR, M.D., P.L.L.C.’s policy regarding failure to comply with privacy practices.

 

The following chart lists, by method of handling PHI, how to create minimum necessary PHI:

  • Electronic: Create security mechanisms to monitor and limit access to PHI based on the criteria listed under Uses and Disclosures of PHI within the Workforce/Staff, Section 1.
  • Paper: Black out any information not required by the disclosure request.
  • Verbal: Only disclose the information needed by the request made.

 

References

 

  • 45 CFR §164.502(b)
  • 45 CFR §164.514(d)
  • 45 CFR §164.524(a)(1)

 

AUTHORIZED BY:

 

Company Name:

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

Policy Name:

Minors Rights

Policy Number:

Privacy 13.0

Effective Date:

08/15/2018

 

Responsible for Review:

Marina Rogova

Review Date:

08/15/2019

Synopsis of Policy: HIPAA Regulation: §164.524 Minors Privacy Rights

Additional information by State can be found here: https://www.guttmacher.org/state-policy/explore/overview-minors-consent-law

 

Generally, the age in most states at which a minor obtains the right of access to their healthcare information is 18 because at that age the individual is no longer deemed a minor. Most state laws grant a minor the right of access to their healthcare information and this right often directs a minor’s statutory right to consent to treatment; however, there are exceptions.

The federal Privacy Rule also grants a minor access to their healthcare information but as a standard, only through the consent of a legally authorized representative. The federal law does not provide for direct access by a minor under the age of majority. The federal Privacy Law delineates a process for interfacing the federal and state law when they are different. The federal law allows the state law to preempt and control when state law provides a greater right of access to the individual in relation to their healthcare information. Therefore, if your state has a law on Minority Access, that law will control when a minor is provided a greater right of access.

 

Federal law requires that healthcare providers have in place and implement policies and procedures to ensure patients’ rights to access, inspect, and copy protected health information (§164.524). Under the federal Privacy Rule, an individual has the right to access their information in all but a limited number of situations. When federal law limits the right of access, an interface with state law is required, and the law that provides the individual the greater right of access controls. For instance, the Privacy Rule allows denial of access to specific types of healthcare information with or without a review of the denial. When a state law provides access to a minor or legally authorized individual and the Privacy Rule does not, state law will stand.

 

The Privacy Rule defers to state law for the definition of a legal representative. State law generally recognizes the minor’s parent, guardian, or legal custodian as the legally authorized representative. However, a termination of parental rights or a denial of physical placement by a court of law will affect the status of a parent in relation to a minor. Therefore, it will be necessary to determine what law is controlling to determine who may be the legally authorized representative for a minor regarding access.

 

 

Full Policy Language:

 

Policy:

It is the policy of BRADLEY A. CONNOR, M.D., P.L.L.C. to recognize the rights of minors and their parents, legal guardian, or other legally authorized representative to access, inspect, and receive copies of their protected health information in compliance with state and federal regulations. In most states, minors have many rights with regard to consent to their own care in certain situations. However, it is important to understand that these rights may not extend to their ability to control access to their protected health information.

 

Definitions:

Minor: A minor is a person under the age of 18 years and reliant upon parental support and control. Generally, minors do not have the authority to grant consent or refuse care, with the exceptions outlined below.

 

Emancipated Minor: In many states, lawful marriage is the only circumstance that is statutorily recognized, as a general matter, as grounds for emancipation of a minor. Once emancipated, the minor obtains the legal capacity of an adult. The burden should be placed on the minor to show emancipation. If doubt exists regarding emancipation, parental consent should be secured in addition to the consent of the minor.

 

Policy Statements:

 

Minor Access:

A minor or legally authorized representative must make a request to a covered entity to access and inspect their protected health information. Whenever possible, this request shall be made in writing. The federal Privacy Rule allows the requirement of a written request for access as long as the individual has received notice of the written requirement in the “Notice of Privacy practices.” The request for access may be documented on either the “Authorization for Disclosure” form or in the notes of the patient’s health record. The minor’s rights to access should be determined based on the following statutory information and whether or not they are authorized to make the written request without parental/guardian consent.

 

Mitigating Circumstances:

The law of release of minor records is a matter of some ambiguity and controversy, particularly regarding the circumstances justifying allowing a minor to make decisions about disclosure of protected health information in the absence of parental consent, or to deny parental access to minor records. While the general rule is that parental consent is required until the patient is 18 years of age, there may be extenuating circumstances justifying a variance from this rule. Legal counsel should be contacted for case-by-case determination of whether such circumstances are present.

 

 

 

Parental, Legal Guardian or Other Legally Authorized Representative Access:

 

  1. A parent, legal guardian, or other legally authorized representative has the right to access a minor’s protected health information on behalf of the minor, unless:
    1. The statutes provide protection from access to the minor’s protected health information;
    2. The parent has been denied periods of physical placement with the minor; or
    3. In the case of minors age 14 or older, the minor requests no disclosure of their mental health records.

 

  2. A parent, legal guardian, or other legally authorized representative has the right to access a minor’s protected health information on behalf of the minor, even where the parent or guardian’s consent was not required for treatment, unless:
    1. The statutes provide protection from access to the minor’s protected health information;
    2. The parent has been denied periods of physical placement with the minor; or
    3. In the case of minors age 14 or older, the minor requests no disclosure of their mental health records.

 

  3. A healthcare provider reserves the right to limit disclosure of protected health information to a minor’s parent or guardian if, in the provider’s professional judgment, they believe the minor would be in imminent danger if the information were released.

 

  4. The parent’s right of access terminates when the minor becomes emancipated or reaches the age of majority. If doubt exists regarding emancipation, parental authorization should be secured in addition to the authorization of the minor. Once a minor becomes emancipated or reaches the age of majority, the individual has the right to access and authorize the disclosure of protected health information. This includes access to and disclosure of information created while the individual was a minor.

 

Other Minors Issues:

 

  1. The PHI of minors prior to an adoption process is not available for disclosure by the healthcare provider. Requests for access to the PHI of a minor prior to an adoption shall be referred to the state law on adoption. Requests for PHI post-adoption shall be processed in accordance with the organization’s disclosure of PHI policies.

 

  2. A healthcare provider may disclose a minor’s/student’s immunization information to a school or daycare upon written or verbal request. Parental or student permission is not required for disclosure. Immunization information may be provided between vaccine providers, including the local health department, without the consent of the parent or student.

 

  3. Documentation of disclosure to the individual is required under some state laws. To maintain consistency and compliance in practice, it is recommended that the following be documented when disclosing healthcare information to the patient: the time and date of the request, the name of the inspecting person, and the identity of the records released.

 

Federal Privacy Rule – Access and Denial of Access

An individual has the right to access their information in all but a limited number of situations, which include:

  1. Psychotherapy notes;
  2. Information compiled in anticipation of or use in a civil, criminal, or administrative action or proceeding;
  3. Protected health information subject to the Clinical Laboratory Improvements Amendment (CLIA) of 1988; and
  4. Protected health information exempt from CLIA, pursuant to 42 CFR 493.3(a)(2). In other words, protected health information generated by: 1) facilities or facility components that perform testing for forensic purposes; 2) research laboratories that test human specimens but do not report patient-specific results for diagnosis, prevention, treatment, or the assessment of the health of individual patients; or 3) laboratories certified by the National Institute on Drug Abuse (NIDA) in which drug testing is performed that meets NIDA guidelines and regulations.

 

In the situations above, the covered entity may deny the individual access without providing an opportunity for review.

 

A covered entity may also deny an individual access without providing an opportunity for review when:

  1. The covered entity is a correctional institution or a healthcare provider acting under the direction of the correctional institution and an inmate’s request to obtain a copy of protected health information would jeopardize the individual, other inmates, or the safety of any officer, employee, or other person at the correctional institution, or a person responsible for transporting the inmate;
  2. The individual, when consenting to participate in research that includes treatment, agreed to temporary denial of access to protected health information created or obtained by a healthcare provider in the course of research, and the research is not yet complete;
  3. The records are subject to the Privacy Act of 1974 and the denial of access meets the requirement of that law; and
  4. The protected health information was obtained from someone other than a healthcare provider under a promise of confidentiality and access would likely reveal the source of the information.

 

A covered entity may also deny an individual access under the following circumstances, provided that the individual is given a right to have such denials reviewed:

 

  1. A licensed healthcare professional has determined that the access is likely to endanger the life or physical safety of the individual or another person;
  2. The protected health information makes reference to another person who is not a healthcare provider, and a licensed healthcare professional has determined that the access request is reasonably likely to cause substantial harm to such other person; and
  3. The request for access is made by the individual’s personal representative and a licensed healthcare professional has determined that access is reasonably likely to cause substantial harm to the individual or another person.

 

Detailed requirements for denial review are outlined in 45 CFR §164.524.

AUTHORIZED BY:

 

Company Name:

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

Policy Name:

Patient Right to Request Restrictions

Policy Number:

Privacy 14.0

Effective Date:

08/15/2018

 

Responsible for Review:

Marina Rogova, RN

Review Date:

08/15/2019

Synopsis of Policy: HIPAA Regulation: §164.522(a) Patient Right to Request Restrictions

 

It is the policy of BRADLEY A. CONNOR, M.D., P.L.L.C. to honor the right of a patient, or of a patient’s legal representative, to request restrictions on how his or her protected health information (PHI) is used and/or disclosed for the purposes of treatment, payment, and/or healthcare operations and for disclosures permitted under §164.522(a).

Full Policy Language:

 

Policy:

 

It is the policy of BRADLEY A. CONNOR, M.D., P.L.L.C. to honor the right of a patient, or of a patient’s legal representative, to request restrictions on how his or her protected health information (PHI) is used and/or disclosed for the purposes of treatment, payment, and/or healthcare operations and for disclosures permitted under §164.522(a).

 

NOTE: Although not required by law, some organizations may wish to implement a formal denial process. The final rule requires all covered entities to permit individuals to make the request but does not require a covered entity to agree to a restriction.

 

Procedures:

 

General:

 

  1. BRADLEY A. CONNOR, M.D., P.L.L.C. will inform patients of their right to request restrictions on how their PHI is used and/or disclosed for treatment, payment, and healthcare operations in its published “Notice of Privacy Practices.”

 

  2. The patient has the right to request restrictions. BRADLEY A. CONNOR, M.D., P.L.L.C. may require the request to be in writing. BRADLEY A. CONNOR, M.D., P.L.L.C.’s Privacy Officer (or designee) reviews each request and makes a determination of final actions. Effective September 23rd, 2013, under the American Recovery and Reinvestment Act (ARRA), a patient has the right to require that a healthcare provider comply with the patient’s request to restrict disclosure to a health plan for purposes of payment or healthcare operations when the patient health information pertains to a service for which the patient has paid the healthcare provider in full “out of pocket.”

 

  3. BRADLEY A. CONNOR, M.D., P.L.L.C. may agree to a patient’s request for restrictions on the use and disclosure of their PHI if the request is determined to be reasonable and in the patient’s best interests.

 

When a Request for Restriction(s) Is Accepted:

 

  1. BRADLEY A. CONNOR, M.D., P.L.L.C. will notify the patient of the approval of the request.

 

  2. BRADLEY A. CONNOR, M.D., P.L.L.C. will inform the patient of any potential consequences of the restriction.

 

  3. BRADLEY A. CONNOR, M.D., P.L.L.C. will inform the patient that BRADLEY A. CONNOR, M.D., P.L.L.C. will comply with the agreed restriction with the following exceptions:
    1. In an emergency treatment situation, where BRADLEY A. CONNOR, M.D., P.L.L.C. may use or disclose information to a health care provider for providing treatment. BRADLEY A. CONNOR, M.D., P.L.L.C. will request that the emergency treatment provider not further use or disclose the information;
    2. The restrictions are terminated by either BRADLEY A. CONNOR, M.D., P.L.L.C. or the patient; and
    3. If restrictions prevent uses or disclosures permitted or required under §164.502(a)(2)(ii), §164.510(a) or §164.512.

 

  4. If the agreed-upon restriction hampers treatment, BRADLEY A. CONNOR, M.D., P.L.L.C. may ask the patient to modify or revoke the restriction. BRADLEY A. CONNOR, M.D., P.L.L.C. may require written agreement to the modification/revocation or document the patient’s oral agreement.

 

  5. A notice of restriction will be made in writing in the patient’s medical record and/or identified in an appropriate field in the computerized patient information system.

 

  6. BRADLEY A. CONNOR, M.D., P.L.L.C. will notify separately any other departments to which the restriction may apply (e.g., marketing, public relations, administration, foundation, etc.) and, if necessary, ensure that the patient’s name is removed from all applicable mailing lists.

 

  7. BRADLEY A. CONNOR, M.D., P.L.L.C. will notify separately any business associates to which the restriction may apply.

 

  8. BRADLEY A. CONNOR, M.D., P.L.L.C. will not use or disclose PHI inconsistent with the agreed-upon restriction, nor will its business associates, until the restriction is terminated either by BRADLEY A. CONNOR, M.D., P.L.L.C. or the individual.

 

  9. BRADLEY A. CONNOR, M.D., P.L.L.C. will restrict use and/or disclosure of PHI consistent with the status of the restriction in effect on the date it is used or disclosed.

 

When a Request for Restriction Is Denied:

 

  1. If the request for restriction is denied, BRADLEY A. CONNOR, M.D., P.L.L.C. must notify the patient.

 

Termination:

 

  1. The patient must request in writing to terminate the restriction.

 

  1. If BRADLEY A. CONNOR, M.D., P.L.L.C. wants to terminate the agreement, the patient must agree to the termination in writing or an oral agreement must be documented. The termination will be effective with respect to PHI created or received after the patient was notified by BRADLEY A. CONNOR, M.D., P.L.L.C. .

 

Record Retention:

 

  1. All documentation associated with this procedure will be maintained in writing or in electronic format for at least six (6) years from the date of its creation or the date when it was last in effect, whichever is later.

 

AUTHORIZED BY:

 

Company Name:

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

Policy Name:

Patient Right to Access, Inspect, and Copy Medical Records

Policy Number:

Privacy 15.0

Effective Date:

08/15/2018

 

Responsible for Review:

Marina Rogova, RN

Review Date:

08/5/2019

Synopsis of Policy: HIPAA Regulation: §164.524(a) Patient Right to Access, Inspect, and Copy Medical Records

 

In compliance with the Privacy Rule of the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), providers must have policies and procedures in place to ensure patients’ right to access, inspect, and copy protected health information (§164.524(a)).

 

It is the policy of BRADLEY A. CONNOR, M.D., P.L.L.C. to honor a patient’s right of access to inspect and obtain a copy of their protected health information (PHI) in BRADLEY A. CONNOR, M.D., P.L.L.C.’s designated record set, for as long as the PHI is maintained in compliance with HIPAA and BRADLEY A. CONNOR, M.D., P.L.L.C.’s retention policy.

Full Policy Language:

 

Background

 

In compliance with the Privacy Rule of the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), providers must have policies and procedures in place to ensure patients’ rights to access, inspect, and copy protected health information (§164.524(a)).

 

Policy

 

It is the policy of BRADLEY A. CONNOR, M.D., P.L.L.C. to honor a patient’s right of access to inspect and obtain a copy of their protected health information (PHI) in BRADLEY A. CONNOR, M.D., P.L.L.C.’s designated record set, for as long as the PHI is maintained in compliance with HIPAA and BRADLEY A. CONNOR, M.D., P.L.L.C.’s retention policy.

 

Procedures

 

  1. A patient must make a request to a staff member to access and inspect their protected health information. Whenever possible, this request shall be made in writing and documented on either the “Authorization for Disclosure” form or in the notes of the patient’s health record.

  2. Determination of accessibility of the information shall be based on:
    1. Availability of protected patient information (i.e., final completion of information, long term storage, retention practices, etc.).

  3. BRADLEY A. CONNOR, M.D., P.L.L.C. must take action within a reasonable period of time or within 30 days after receipt of the request when the PHI is on-site, and within 60 days when the PHI is off-site. One 30-day extension is permitted, if BRADLEY A. CONNOR, M.D., P.L.L.C. provides the patient with a written statement of the reasons for the delay and the date by which the access request will be processed.

  4. BRADLEY A. CONNOR, M.D., P.L.L.C. must document and retain the designated record sets subject to access and the titles of persons or offices responsible for receiving and processing requests for access.

Access, Inspection and/or Copy Request is Granted

  5. The patient and BRADLEY A. CONNOR, M.D., P.L.L.C. will arrange a mutually convenient time and place for the patient to inspect and/or obtain a copy of the requested PHI. Inspection and/or copying of PHI will be carried out within BRADLEY A. CONNOR, M.D., P.L.L.C. with staff assistance.

  6. The patient may choose to inspect the PHI, copy it, or both in the form or format requested. If the PHI is not readily producible in the requested form or format, BRADLEY A. CONNOR, M.D., P.L.L.C. must provide the patient with a readable hard copy form, or other form as agreed to by the organization and the patient.
    1. If the patient chooses to receive a copy of the PHI, BRADLEY A. CONNOR, M.D., P.L.L.C. may offer to provide copying services. The patient may request that this copy be mailed.
    2. If the patient chooses to copy their own information, BRADLEY A. CONNOR, M.D., P.L.L.C. may supervise the process to ensure that the integrity of the patient record is maintained.

  7. Upon prior approval by the patient, BRADLEY A. CONNOR, M.D., P.L.L.C. may provide a summary of the requested PHI.

  8. BRADLEY A. CONNOR, M.D., P.L.L.C. may charge a reasonable fee for the production of copies or a summary of PHI if the patient has been informed of such charge and is willing to pay the charge.

  9. If, upon inspection of the PHI, the patient feels it is inaccurate or incomplete, the patient has the right to request an amendment to the PHI. BRADLEY A. CONNOR, M.D., P.L.L.C. shall process requests for amendment as outlined in additional organizational policy/procedures addressing this patient right.

Access, Inspection, and/or Copy Request is Denied in Whole or in Part

  10. BRADLEY A. CONNOR, M.D., P.L.L.C. must provide a written denial to the patient. The denial must be in plain language and must contain:
    1. The basis for the denial;
    2. A statement, if applicable, of the patient’s review rights; and
    3. A description of how the patient may complain to BRADLEY A. CONNOR, M.D., P.L.L.C. or to the Secretary of Health and Human Services (HHS).

  11. If access is denied because BRADLEY A. CONNOR, M.D., P.L.L.C. does not maintain the PHI that is the subject of the request, and BRADLEY A. CONNOR, M.D., P.L.L.C. knows where that PHI is maintained, BRADLEY A. CONNOR, M.D., P.L.L.C. must inform the patient where to direct the request for access.

  12. BRADLEY A. CONNOR, M.D., P.L.L.C. must, to the extent possible, give the patient access to any other PHI requested, after excluding the PHI as to which BRADLEY A. CONNOR, M.D., P.L.L.C. has grounds to deny access.

  13. If access is denied as permitted under §164.524, the individual has the right to have the denial reviewed by a licensed health care professional who is designated by BRADLEY A. CONNOR, M.D., P.L.L.C. to act as a reviewing official and who did not participate in the original decision to deny.

  14. The patient must initiate the review of a denial by making a request for review to BRADLEY A. CONNOR, M.D., P.L.L.C. If the patient has requested a review, BRADLEY A. CONNOR, M.D., P.L.L.C. must provide or deny access in accordance with the determination of the reviewing professional, who will make the determination within a reasonable period of time.

  15. BRADLEY A. CONNOR, M.D., P.L.L.C. must promptly provide written notice to the patient of the determination of the reviewing professional. See paragraph 10 above for denial requirements.

 

 

AUTHORIZED BY:

 

Company Name:

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

Policy Name:

16.0 Psychotherapy Notes

Policy Number:

Privacy 16.0

Effective Date:

08/15/2018

 

Responsible for Review:

Marina Rogova, RN

Review Date:

08/15/2019

Synopsis of Policy: HIPAA Regulation: §164.508(a)(2) Psychotherapy Notes; §164.512(c) Victims of Abuse, Neglect, or Domestic Violence; §164.501

 

To ensure that BRADLEY A. CONNOR, M.D., P.L.L.C. employees understand when and how they can release psychotherapy notes and mental health treatment records to requesting parties.

 

Under the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA), psychotherapy notes means notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of a conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record.

 

Psychotherapy notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.

 

HIPAA concentrates on psychotherapy notes, which addresses mental health treatment records. HIPAA defines “psychotherapy notes” as described above. There is no mention about those notes being available to others, though if the notes are separate from the medical record, one might assume that HIPAA’s definition of psychotherapy notes is similar to the notes described in, and excluded from, treatment records. Providers should follow HIPAA guidelines for disclosure.

Full Policy Language:

 

Purpose

 

To ensure that BRADLEY A. CONNOR, M.D., P.L.L.C.’s employees understand when and how they can release psychotherapy notes and mental health treatment records to requesting parties.

 

Definition:

 

Under the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA), psychotherapy notes means notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of a conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record.

 

Psychotherapy notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.

 

Background:

 

HIPAA concentrates on psychotherapy notes, which addresses mental health treatment records. HIPAA defines “psychotherapy notes” as described above. There is no mention about those notes being available to others, though if the notes are separate from the medical record, one might assume that HIPAA’s definition of psychotherapy notes is similar to the notes described in, and excluded from, treatment records. Providers should follow HIPAA guidelines for disclosure.

 

Policy:

 

  1. Patient Access to Psychotherapy Notes: Even though the patient has a right to access most health information, the patient does not have a right to access psychotherapy notes. Therefore, BRADLEY A. CONNOR, M.D., P.L.L.C. is not required to fulfill a patient’s request for access to psychotherapy notes. However, BRADLEY A. CONNOR, M.D., P.L.L.C. should inform the patient of this limitation on access if the request will not be fulfilled.

  2. Patient Authorization Required: In most circumstances, BRADLEY A. CONNOR, M.D., P.L.L.C.’s employees must obtain a patient’s written authorization for any use or disclosure of psychotherapy notes. BRADLEY A. CONNOR, M.D., P.L.L.C. is not required, however, to disclose any health information, including psychotherapy notes, pursuant to an authorization. Especially with on-going authorizations, if there is a concern that a request for disclosure is unnecessary or excessive, BRADLEY A. CONNOR, M.D., P.L.L.C. may ask the patient if the authorization for disclosure is consistent with his or her wishes.

For specific requirements of authorizations involving psychotherapy notes, see BRADLEY A. CONNOR, M.D., P.L.L.C. policy on Patient Authorizations.

  3. Patient Authorization Not Required: BRADLEY A. CONNOR, M.D., P.L.L.C. is not required to obtain an authorization for the following uses or disclosures of psychotherapy notes:
    1. To carry out the following treatment, payment, or health care operations:
      1. Use by the originator of the psychotherapy notes for treatment;
      2. Use by BRADLEY A. CONNOR, M.D., P.L.L.C. for its own training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills in group, joint, family, or individual counseling; or
      3. Use by BRADLEY A. CONNOR, M.D., P.L.L.C. to defend itself in a legal action or other proceeding brought by the patient.
    2. To respond to the federal Department of Health and Human Services (HHS) to determine BRADLEY A. CONNOR, M.D., P.L.L.C.’s compliance with HIPAA privacy rules;
    3. To comply with the law;
    4. To assist in oversight of the originator of the psychotherapy notes;
    5. To help coroners/medical examiners in the examination of deceased persons;
    6. To address serious public health or safety concerns. Special restrictions apply to disclosures made to law enforcement to identify or apprehend an individual who has admitted participation in a crime that BRADLEY A. CONNOR, M.D., P.L.L.C. reasonably believes may have caused serious harm to the victim. Specifically, BRADLEY A. CONNOR, M.D., P.L.L.C. may not disclose health information, including psychotherapy notes, if BRADLEY A. CONNOR, M.D., P.L.L.C. learned of the individual’s participation when he or she requested or received treatment, counseling, or therapy to affect the propensity to commit such a crime.

 

 

AUTHORIZED BY:

 

Company Name:

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

Policy Name:

Uses and Disclosures for which an Authorization is Required

Policy Number:

Privacy 17.0

Effective Date:

08/15/2018

 

Responsible for Review:

Marina Rogova, RN

Review Date:

08/15/2019

Synopsis of Policy: HIPAA Regulation: Uses and Disclosures for which an Authorization is Required: §164.508(a), §164.508(b), §164.508(c); Uses and disclosures requiring an opportunity for the individual to agree or to object: §164.510(a), §164.510(b)

 

To define the circumstances under which an authorization is necessary prior to use or disclosure of an individual’s Protected Health Information (PHI) by BRADLEY A. CONNOR, M.D., P.L.L.C.  and the requirements of a valid authorization.

 

Full Policy Language:

 

Policy Purpose:

To define the circumstances under which an authorization is necessary prior to use or disclosure of an individual’s Protected Health Information (PHI) by BRADLEY A. CONNOR, M.D., P.L.L.C.  and the requirements of a valid authorization.

 

Policy Description:

 

Authorizations for Uses and Disclosures:

  1. BRADLEY A. CONNOR, M.D., P.L.L.C. may not use or disclose PHI without an authorization that is valid. When BRADLEY A. CONNOR, M.D., P.L.L.C. obtains or receives a valid authorization for its use or disclosure of PHI, such use or disclosure must be consistent with the authorization.
  2. BRADLEY A. CONNOR, M.D., P.L.L.C. must obtain an authorization for any use or disclosure of psychotherapy notes, except:
    1. To carry out the following treatment, payment, or healthcare operations:
      1. Use by the originator of the psychotherapy notes for treatment;
      2. Use or disclosure by BRADLEY A. CONNOR, M.D., P.L.L.C. for its own training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills in group, joint, family, or individual counseling; and
      3. Use or disclosure by BRADLEY A. CONNOR, M.D., P.L.L.C. to defend itself in a legal action or other proceeding brought by the individual.
    2. A use or disclosure that is required by Privacy policy number 17 Uses and Disclosure for which an Authorization is Required.
  3. Authorization required: Marketing
    1. Notwithstanding any provision of this policy other than the transition provisions in policy number 20 (Uses and Disclosures or Workers Comp.), BRADLEY A. CONNOR, M.D., P.L.L.C. must obtain an authorization for any use or disclosure of PHI for marketing, except if the communication is in the form of:
      1. A face-to-face communication made by a covered entity to an individual; and
      2. A promotional gift of nominal value provided by BRADLEY A. CONNOR, M.D., P.L.L.C.
    2. If the marketing involves direct or indirect remuneration to BRADLEY A. CONNOR, M.D., P.L.L.C. from a third party, the authorization must state that such remuneration is involved.


General Requirements.

  1. Valid authorizations
    1. A valid authorization is a document that meets the requirements of this policy, as applicable.
    2. A valid authorization may contain elements or information in addition to the elements required by this policy, provided that such additional elements or information are not inconsistent with the elements required by this policy.
    3. An authorization is not valid if the document submitted has any of the following defects:
      1. The expiration date has passed or the expiration event is known by BRADLEY A. CONNOR, M.D., P.L.L.C. to have occurred;
      2. The authorization has not been filled out completely, with respect to an element described by this policy, if applicable;
      3. The authorization is known by BRADLEY A. CONNOR, M.D., P.L.L.C. to have been revoked;
      4. The authorization violates this paragraph, or paragraphs below, if applicable; and
      5. Any material information in the authorization is known by BRADLEY A. CONNOR, M.D., P.L.L.C. to be false.
    4. An authorization for use or disclosure of PHI may not be combined with any other document to create a compound authorization, except as follows:
      1. An authorization for the use or disclosure of PHI for a research study may be combined with any other type of written permission for the same research study, including another authorization for the use or disclosure of PHI for such research or a consent to participate in such research;
      2. An authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization for a use or disclosure of psychotherapy notes; and
      3. An authorization under this policy, other than an authorization for a use or disclosure of psychotherapy notes, may be combined with any other such authorization under this section, except when BRADLEY A. CONNOR, M.D., P.L.L.C. has conditioned the provision of treatment, payment, enrollment in the health plan, or eligibility for benefits on the provision of one of the authorizations.
  2. BRADLEY A. CONNOR, M.D., P.L.L.C. may not condition the provision to an individual of treatment, payment, enrollment in the health plan, or eligibility for benefits on the provision of an authorization, except:
    1. BRADLEY A. CONNOR, M.D., P.L.L.C. may condition the provision of research-related treatment on provision of an authorization for the use or disclosure of PHI for such research under this policy;
    2. BRADLEY A. CONNOR, M.D., P.L.L.C. may condition enrollment in the health plan or eligibility for benefits on provision of an authorization requested by the health plan prior to an individual’s enrollment in the health plan, if:
      1. The authorization sought is for the health plan’s eligibility or enrollment determinations relating to the individual, or for its underwriting or risk rating determinations; or
      2. The authorization is not for a use or disclosure of psychotherapy notes; and
    3. BRADLEY A. CONNOR, M.D., P.L.L.C. may condition the provision of health care that is solely for the purpose of creating PHI for disclosure to a third party on provision of an authorization for the disclosure of the PHI to such third party.
  3. An individual may revoke an authorization provided under this policy at any time, provided that the revocation is in writing, except to the extent that:
    1. BRADLEY A. CONNOR, M.D., P.L.L.C. has taken action in reliance thereon; and
    2. The authorization was obtained as a condition of obtaining insurance coverage and other laws provide the insurer with the right to contest a claim under the policy, or the policy itself.
  4. BRADLEY A. CONNOR, M.D., P.L.L.C. must document and retain any signed authorization under this section as required by Privacy policy 18.

 

Core Elements and Requirements

  1. Core elements. A valid authorization under this section must contain at least the following elements:
    1. A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;
    2. The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure;
    3. The name or other specific identification of the person(s), or class of persons, to whom BRADLEY A. CONNOR, M.D., P.L.L.C. may make the requested use or disclosure;
    4. A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose;
    5. An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement “end of the research study,” “none,” or similar language is sufficient if the authorization is for a use or disclosure of PHI for research, including for the creation and maintenance of a research database or research repository; and
    6. Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual must also be provided.
  2. Required statements. In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following:
    1. The individual’s right to revoke the authorization in writing, and either:
      1. The exceptions to the right to revoke and a description of how the individual may revoke the authorization; or
      2. To the extent that the information in this paragraph is included in the notice of privacy practices, a reference to the notice of privacy practices;
    2. The ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the authorization, by stating either:
      1. BRADLEY A. CONNOR, M.D., P.L.L.C. may not condition treatment, payment, enrollment, or eligibility for benefits on whether the individual signs the authorization when the prohibition on conditioning of authorizations in this policy applies; or
      2. The consequences to the individual of a refusal to sign the authorization when, in accordance with this policy, BRADLEY A. CONNOR, M.D., P.L.L.C. can condition treatment, enrollment in the health plan, or eligibility for benefits on failure to obtain such authorization; and
    3. The potential for information disclosed pursuant to the authorization to be subject to re-disclosure by the recipient and no longer be protected by HIPAA Privacy standards.
  3. The authorization must be written in plain language.
  4. If BRADLEY A. CONNOR, M.D., P.L.L.C. seeks an authorization from an individual for a use or disclosure of PHI, BRADLEY A. CONNOR, M.D., P.L.L.C. must provide the individual with a copy of the signed authorization.

 

Uses and disclosures requiring an opportunity for the individual to agree or to object.

  1. BRADLEY A. CONNOR, M.D., P.L.L.C. may use or disclose protected health information, provided that the individual is informed in advance of the use or disclosure and has the opportunity to agree to, or prohibit/restrict, the use or disclosure, in accordance with the applicable requirements of this section. BRADLEY A. CONNOR, M.D., P.L.L.C. may orally inform the individual of, and obtain the individual’s oral agreement or objection to, a use or disclosure permitted by this section.

 

Use and disclosure for facility directories.

  1. Permitted uses and disclosure. Except when an objection is expressed in accordance with this section, BRADLEY A. CONNOR, M.D., P.L.L.C. may:
    1. Use the following protected health information to maintain a directory of individuals in its facility:
      1. The individual’s name;
      2. The individual’s location in BRADLEY A. CONNOR, M.D., P.L.L.C.’s facility;
      3. The individual’s condition described in general terms that does not communicate specific medical information about the individual; and
      4. The individual’s religious affiliation; and
    2. Use or disclose for directory purposes such information:
      1. To members of the clergy; or
      2. Except for religious affiliation, to other persons who ask for the individual by name.
  2. Opportunity to object. BRADLEY A. CONNOR, M.D., P.L.L.C. must inform an individual of the protected health information that it may include in a directory and the persons to whom it may disclose such information (including disclosures to clergy of information regarding religious affiliation) and provide the individual with the opportunity to restrict or prohibit some or all of the uses or disclosures permitted by this section.
  3. Emergency circumstances.
    1. If the opportunity to object to uses or disclosures required by this section cannot be provided in a practical manner because of the individual’s incapacity or an emergency treatment circumstance, BRADLEY A. CONNOR, M.D., P.L.L.C. may use or disclose some or all of the protected health information permitted by this section for the facility’s directory, if such disclosure is:
      1. Consistent with a prior expressed preference of the individual, if any, that is known to the covered health care provider; and
      2. In the individual’s best interest as determined by the covered health care provider, in the exercise of professional judgment; and
    2. BRADLEY A. CONNOR, M.D., P.L.L.C. must inform the individual and provide an opportunity to object to uses or disclosures for directory purposes as required by this section when it becomes practical to do so.

 

Uses and disclosures for involvement in the individual’s care and notification purposes.

  1. Permitted uses and disclosures.
    1. BRADLEY A. CONNOR, M.D., P.L.L.C. may, in accordance with this section, disclose to a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual, the protected health information directly relevant to such person’s involvement with the individual’s health care or payment related to the individual’s health care.
    2. BRADLEY A. CONNOR, M.D., P.L.L.C. may use or disclose protected health information to notify, or assist in the notification of (including identifying or locating), a family member, a personal representative of the individual, or another person responsible for the care of the individual of the individual’s location, general condition, or death. Any such use or disclosure of protected health information for such notification purposes must be in accordance with this section, as applicable.
  2. Uses and disclosures with the individual present. If the individual is present for, or otherwise available prior to, a use or disclosure permitted by this section and has the capacity to make health care decisions, BRADLEY A. CONNOR, M.D., P.L.L.C. may use or disclose the protected health information if it:
    1. Obtains the individual’s agreement;
    2. Provides the individual with the opportunity to object to the disclosure, and the individual does not express an objection; or
    3. Reasonably infers from the circumstances, based on the exercise of professional judgment, that the individual does not object to the disclosure.
  3. Limited uses and disclosures when the individual is not present. If the individual is not present, or the opportunity to agree or object to the use or disclosure cannot be provided in a practical manner because of the individual’s incapacity or an emergency circumstance, BRADLEY A. CONNOR, M.D., P.L.L.C. may, in the exercise of professional judgment, determine whether the disclosure is in the best interests of the individual and, if so, disclose only the protected health information that is directly relevant to the person’s involvement with the individual’s care or payment related to the individual’s health care or needed for notification purposes. BRADLEY A. CONNOR, M.D., P.L.L.C. may use professional judgment and its experience with common practice to make reasonable inferences of the individual’s best interest in allowing a person to act on behalf of the individual to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of protected health information.
  4. Uses and disclosures for disaster relief purposes. BRADLEY A. CONNOR, M.D., P.L.L.C. may use or disclose protected health information to a public or private entity authorized by law or by its charter to assist in disaster relief efforts for the purpose of coordinating with such entities the uses or disclosures permitted by this section. The requirements in this section apply to such uses and disclosures to the extent that BRADLEY A. CONNOR, M.D., P.L.L.C., in the exercise of professional judgment, determines that the requirements do not interfere with the ability to respond to the emergency circumstances.
  5. Uses and disclosures when the individual is deceased. If the individual is deceased, BRADLEY A. CONNOR, M.D., P.L.L.C. may disclose to a family member, or other persons identified in this section who were involved in the individual’s care or payment for health care prior to the individual’s death, protected health information of the individual that is relevant to such person’s involvement, unless doing so is inconsistent with any prior expressed preference of the individual that is known to BRADLEY A. CONNOR, M.D., P.L.L.C.

 

Definitions:

  • Covered Entity: A health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a HIPAA transaction.

 

  • ePHI: Electronic/Protected Health Information means individually identifiable health information:
  1. Transmitted by electronic media;
  2. Maintained in electronic media; or
  3. Transmitted or maintained in any other form or medium.

 

 

AUTHORIZED BY:

 

Company Name:

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

Policy Name:

Uses and Disclosures, No Authorization Required

Policy Number:

Privacy 18.0

Effective Date:

08/15/2018

 

Responsible for Review:

Marina Rogova, RN

Review Date:

08/15/2019

Synopsis of Policy: HIPAA Regulation: §164.501 Uses and Disclosures for Health Care Operations

 

Under certain situations, BRADLEY A. CONNOR, M.D., P.L.L.C.  may use and disclose Protected Health Information (PHI) when an authorization or opportunity to agree or object is not required. Additionally, BRADLEY A. CONNOR, M.D., P.L.L.C.  may use or disclose PHI without the written authorization of the individual, or the opportunity for the individual to agree or object in the situations covered by this policy.

Full Policy Language:

 

Policy Purpose:

Under certain situations, BRADLEY A. CONNOR, M.D., P.L.L.C.  may use and disclose Protected Health Information (PHI) when an authorization or opportunity to agree or object is not required. Additionally, BRADLEY A. CONNOR, M.D., P.L.L.C.  may use or disclose PHI without the written authorization of the individual, or the opportunity for the individual to agree or object in the situations covered by this policy.

 

Policy Description:

 

Uses and disclosures required by law:

  1. BRADLEY A. CONNOR, M.D., P.L.L.C. may use or disclose PHI to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.
  2. BRADLEY A. CONNOR, M.D., P.L.L.C. must meet the following requirements for uses or disclosures required by law:
    1. Disclosures about victims of abuse, neglect, or domestic violence;
    2. Disclosures for judicial and administrative proceedings (see policy number 10 Judicial and Administrative Proceedings); or
    3. Victims of a crime.

 

Uses and disclosures for public health activities.

  1. BRADLEY A. CONNOR, M.D., P.L.L.C. may disclose PHI for the public health activities and purposes described in this paragraph to:
    1. A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including but not limited to the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority to an official of a foreign government agency that is acting in collaboration with a public health authority; and
    2. A public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect.
    3. A person subject to the jurisdiction of the Food and Drug Administration (FDA) with respect to an FDA-regulated product or activity for which that person has responsibility, for the purpose of activities related to the quality, safety, or effectiveness of such FDA-regulated product or activity. Such purposes include:
      1. To collect or report adverse events (or similar activities with respect to food or dietary supplements), product defects or problems (including problems with the use or labeling of a product), or biological product deviations;
      2. To track FDA-regulated products;
      3. To enable product recalls, repairs, replacement, or lookback (including locating and notifying individuals who have received products that have been recalled, withdrawn, or are the subject of lookback); or
      4. To conduct post-marketing surveillance.
    4. A person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation.
    5. An employer, about an individual who is a member of the workforce of the employer, if:
      1. The covered entity is a covered health care provider who is a member of the workforce of such employer or who provides health care to the individual at the request of the employer:
        1. To conduct an evaluation relating to medical surveillance of the workplace; or
        2. To evaluate whether the individual has a work-related illness or injury.
      2. The PHI that is disclosed consists of findings concerning a work-related illness or injury or a workplace-related medical surveillance;
      3. The employer needs such findings in order to comply with its obligations under 29 CFR parts 1904 through 1928, 30 CFR parts 50 through 90, or under State law having a similar purpose to record such illness or injury, or to carry out responsibilities for workplace medical surveillance; or
      4. The covered health care provider provides written notice to the individual that PHI relating to the medical surveillance of the workplace and work-related illnesses and injuries is disclosed to the employer:
        1. By giving a copy of the notice to the individual at the time the health care is provided; or
        2. If the health care is provided on the work site of the employer, by posting the notice in a prominent place at the location where the health care is provided.
  2. If BRADLEY A. CONNOR, M.D., P.L.L.C. also is a public health authority, the covered entity is permitted to use PHI in all cases in which it is permitted to disclose such information for public health activities.

 

Disclosures about victims of abuse, neglect, or domestic violence.

  1. Permitted disclosures. Except for reports of child abuse or neglect, BRADLEY A. CONNOR, M.D., P.L.L.C. may disclose PHI about an individual whom BRADLEY A. CONNOR, M.D., P.L.L.C. reasonably believes to be a victim of abuse, neglect, or domestic violence to a government authority, including a social service or protective services agency authorized by law to receive reports of such abuse, neglect, or domestic violence:
    1. To the extent the disclosure is required by law and the disclosure complies with and is limited to the relevant requirements of such law;
    2. If the individual agrees to the disclosure;
    3. To the extent the disclosure is expressly authorized by statute or regulation, and:
      1. The covered entity, in the exercise of professional judgment, believes the disclosure is necessary to prevent serious harm to the individual or other potential victims; or
      2. If the individual is unable to agree because of incapacity, a law enforcement or other public official authorized to receive the report represents that the PHI for which disclosure is sought is not intended to be used against the individual and that an immediate enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure.
  2. When a disclosure permitted by the above paragraph is made, BRADLEY A. CONNOR, M.D., P.L.L.C. must promptly inform the individual that such a report has been or will be made, except if:
    1. BRADLEY A. CONNOR, M.D., P.L.L.C., in the exercise of professional judgment, believes that informing the individual would place the individual at risk of serious harm; or
    2. BRADLEY A. CONNOR, M.D., P.L.L.C. would be informing a personal representative and BRADLEY A. CONNOR, M.D., P.L.L.C. reasonably believes the personal representative is responsible for the abuse, neglect, or other injury and that informing such person would not be in the best interests of the individual as determined by BRADLEY A. CONNOR, M.D., P.L.L.C., in the exercise of professional judgment.

 

Uses and disclosures for health oversight activities.

  1. BRADLEY A. CONNOR, M.D., P.L.L.C. may disclose PHI to a health oversight agency for oversight activities authorized by law, including: audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for appropriate oversight of:
    1. The health care system;
    2. Government benefits programs for which health information is relevant to beneficiary eligibility;
    3. Entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards; or
    4. Entities subject to civil rights laws for which health information is necessary for determining compliance.
  2. For the purpose of the disclosures permitted by the above paragraph, a health oversight activity does not include an investigation or other activity in which the individual is the subject of the investigation or activity and such investigation or other activity does not arise out of and is not directly related to:
    1. The receipt of health care;
    2. A claim for public benefits related to health; or
    3. Qualification for or receipt of public benefits or services when a patient’s health is integral to the claim for public benefits or services.
  3. Notwithstanding the above paragraph, if a health oversight activity or investigation is conducted in conjunction with an oversight activity or investigation relating to a claim for public benefits not related to health, the joint activity or investigation is considered a health oversight activity for purposes of this policy.
  4. If BRADLEY A. CONNOR, M.D., P.L.L.C. also is a health oversight agency, the covered entity may use PHI for health oversight activities as permitted by this policy.

 

Disclosures for judicial and administrative proceedings (see Policy 10 Judicial and Administrative Proceedings).

 

Disclosures for law enforcement purposes (see Policy 10 Judicial and Administrative Proceedings).

 

Uses and disclosures about decedents.

  1. Coroners and medical examiners: BRADLEY A. CONNOR, M.D., P.L.L.C. may disclose PHI to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law. A covered entity that also performs the duties of a coroner or medical examiner may use PHI for the purposes described in this paragraph.
  2. BRADLEY A. CONNOR, M.D., P.L.L.C. may disclose PHI to funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to the decedent. If necessary for funeral directors to carry out their duties, the covered entity may disclose the PHI prior to, and in reasonable anticipation of, the individual’s death.
  3. BRADLEY A. CONNOR, M.D., P.L.L.C. may use or disclose PHI to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye, or tissue donation and transplantation.

 

Uses and disclosures for research purposes.

  1. BRADLEY A. CONNOR, M.D., P.L.L.C. may use or disclose PHI for research, regardless of the source of funding of the research, provided that:
    1. Board approval of a waiver of authorization. BRADLEY A. CONNOR, M.D., P.L.L.C. obtains documentation that an alteration to or waiver, in whole or in part, of the individual authorization for use or disclosure of PHI has been approved by either:
      1. An Institutional Review Board (IRB); or
      2. A privacy board that:
        1. Has members with varying backgrounds and appropriate professional competency as necessary to review the effect of the research protocol on the individual’s privacy rights and related interests;
        2. Includes at least one member who is not affiliated with the covered entity, not affiliated with any entity conducting or sponsoring the research, and not related to any person who is affiliated with any of such entities; and
        3. Does not have any member participating in a review of any project in which the member has a conflict of interest.
    2. Reviews preparatory to research. BRADLEY A. CONNOR, M.D., P.L.L.C. obtains from the researcher representations that:
      1. Use or disclosure is sought solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research;
      2. No PHI is to be removed from BRADLEY A. CONNOR, M.D., P.L.L.C. by the researcher in the course of the review; and
      3. The PHI for which use or access is sought is necessary for the research purposes.
    3. Research on decedent’s information. BRADLEY A. CONNOR, M.D., P.L.L.C. obtains from the researcher:
      1. Representation that the use or disclosure sought is solely for research on the PHI of decedents;
      2. Documentation, at the request of BRADLEY A. CONNOR, M.D., P.L.L.C., of the death of such individuals; and
      3. Representation that the PHI for which use or disclosure is sought is necessary for the research purposes.
  2. For a use or disclosure to be permitted based on documentation of approval of an alteration or waiver, the documentation must include all of the following:
    1. A statement identifying the IRB or privacy board and the date on which the alteration or waiver of authorization was approved;
    2. A statement that the IRB or privacy board has determined that the alteration or waiver, in whole or in part, of authorization satisfies the following criteria:
      1. The use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals based on, at least, the presence of the following elements:
        1. An adequate plan to protect the identifiers from improper use and disclosure;
        2. An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
        3. Adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of PHI is needed;
      2. The research could not practically be conducted without the waiver or alteration; and
      3. The research could not practically be conducted without access to and use of the PHI;
    3. A brief description of the PHI for which use or access has been determined to be necessary by the IRB or privacy board, as determined pursuant to the above paragraph;
    4. A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures, as follows:
      1. An Internal Review Board must follow the requirements of the HIPAA Rules, including the normal review procedures or the expedited review procedures;
      2. A Privacy Board must review the proposed research at convened meetings at which a majority of the privacy board members are present, including at least one member who satisfies the Privacy Officer or Compliance Officer title, and the alteration or waiver of authorization must be approved by the majority of the privacy board members present at the meeting, unless the privacy board elects to use an expedited review procedure in accordance with the below paragraph; and
      3. A privacy board may use an expedited review procedure if the research involves no more than minimal risk to the privacy of the individuals who are the subject of the PHI for which use or disclosure is being sought. If the privacy board elects to use an expedited review procedure, the review and approval of the alteration or waiver of authorization may be carried out by the chair of the privacy board, or by one or more members of the privacy board as designated by the chair; and
    5. The documentation of the alteration or waiver of authorization must be signed by the chair or other member, as designated by the chair of the IRB or the privacy board, as applicable.

 

Uses and disclosures to avert a serious threat to health or safety.

  1. BRADLEY A. CONNOR, M.D., P.L.L.C. may, consistent with applicable law and standards of ethical conduct, use or disclose PHI if the covered entity in good faith believes that the use or disclosure:
    1. Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public;
    2. Is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat;
    3. Is necessary for law enforcement authorities to identify or apprehend an individual:
      1. Because of a statement by an individual admitting participation in a violent crime that BRADLEY A. CONNOR, M.D., P.L.L.C. reasonably believes may have caused serious physical harm to the victim; and
      2. Where it appears from all the circumstances that the individual has escaped from a correctional institution or from lawful custody.
  2. A use or disclosure pursuant to this policy may not be made if the information described is learned by BRADLEY A. CONNOR, M.D., P.L.L.C.:
    1. Over the course of treatment, counseling, or therapy to affect the propensity to commit the criminal conduct that is the basis for the disclosure under this policy; or
    2. Through a request by the individual to initiate or to be referred for treatment, counseling, or therapy described in the above paragraph;
  3. A disclosure made pursuant to this policy shall contain only the information that is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public and the PHI described in policy number 10 Judicial and Administrative Proceedings; and
  4. BRADLEY A. CONNOR, M.D., P.L.L.C., when using or disclosing PHI pursuant to this section, is presumed to have acted in good faith if the belief is based upon BRADLEY A. CONNOR, M.D., P.L.L.C.’s actual knowledge or in reliance on a credible representation by a person with apparent knowledge or authority.

 

Uses and disclosures for specialized government functions (see Policy 10 Judicial and Administrative Proceedings).

  1. BRADLEY A. CONNOR, M.D., P.L.L.C. may disclose PHI as authorized by and to the extent necessary to comply with laws relating to workers’ compensation or other similar programs established by law that provide benefits for work-related injuries or illness without regard to fault.

 

Use and disclosure for facility directories.

  1. Uses and disclosures requiring an opportunity for the individual to agree or to object. BRADLEY A. CONNOR, M.D., P.L.L.C. may use or disclose protected health information, provided that the individual is informed in advance of the use or disclosure and has the opportunity to agree to or prohibit or restrict the use or disclosure, in accordance with the applicable requirements of this section. BRADLEY A. CONNOR, M.D., P.L.L.C. may orally inform the individual of and obtain the individual’s oral agreement or objection to a use or disclosure permitted by this section.
  2. Permitted uses and disclosures. Except when an objection is expressed in accordance with this section, BRADLEY A. CONNOR, M.D., P.L.L.C. may:
    1. Use the following PHI to maintain a directory of individuals in its facility:
      1. The individual’s name;
      2. The individual’s location in BRADLEY A. CONNOR, M.D., P.L.L.C.’s facility;
      3. The individual’s condition described in general terms that does not communicate specific medical information about the individual; and
      4. The individual’s religious affiliation; and
    2. Disclose for directory purposes such information:
      1. To members of the clergy; or
      2. Except for religious affiliation, to other persons who ask for the individual by name.
  3. Opportunity to object. BRADLEY A. CONNOR, M.D., P.L.L.C. must inform an individual of the PHI that it may include in a directory and the persons to whom it may disclose such information (including disclosures to clergy of information regarding religious affiliation) and provide the individual with the opportunity to restrict or prohibit some or all of the uses or disclosures permitted by this section.
  4. Emergency circumstances.
    1. If the opportunity to object to uses or disclosures required by this section cannot practically be provided because of the individual’s incapacity or an emergency treatment circumstance, BRADLEY A. CONNOR, M.D., P.L.L.C. may use or disclose some or all of the PHI permitted by this section for the facility’s directory, if such disclosure is:
      1. Consistent with a prior expressed preference of the individual, if any, that is known to BRADLEY A. CONNOR, M.D., P.L.L.C.; and
      2. In the individual’s best interest as determined by BRADLEY A. CONNOR, M.D., P.L.L.C. in the exercise of professional judgment; and
    2. BRADLEY A. CONNOR, M.D., P.L.L.C. must inform the individual and provide an opportunity to object to uses or disclosures for directory purposes as required by this section when it becomes practicable to do so.

 

Definitions

  • Covered Entity: A health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a HIPAA transaction.
  • Business Associate: Any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.). Furthermore, it is any person or organization who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.
  • Disclosure: The release, transfer, provision of access to, or divulging in any manner of information outside of BRADLEY A. CONNOR, M.D., P.L.L.C. [45 CFR §164.501]
  • ePHI: Electronic/Protected Health Information means individually identifiable health information:
  1. Transmitted by electronic media;
  2. Maintained in electronic media; or
  3. Transmitted or maintained in any other form or medium.

 

AUTHORIZED BY:

 

Company Name:

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

Policy Name:

Uses and Disclosures (General Rule)

Policy Number:

Privacy 19.0

Effective Date:

08/15/2018

 

Responsible for Review:

Marina Rogova, RN

Review Date:

08/15/2019

Synopsis of Policy: HIPAA Regulation: §164.502 Uses and Disclosures (General Rule)

 

This policy is a combination of policies 17 and 18 and covers the full rule on uses and disclosures of ePHI.

Full Policy Language:

 

HIPAA Regulation:

 

  • § 164.502(a) – § 164.502(j)

 

Policy Purpose:

 

This policy is a combination of policies 17 and 18 and covers the full rule on uses and disclosures of ePHI.

 

Policy Description:

  1. BRADLEY A. CONNOR, M.D., P.L.L.C. may not use or disclose protected health information, except as permitted by this policy.
  2. BRADLEY A. CONNOR, M.D., P.L.L.C. is permitted to use or disclose protected health information:
    1. To the individual;
    2. For treatment, payment, or health care operations, as permitted by and in compliance with privacy policy number 17;
    3. Incident to a use or disclosure otherwise permitted or required, provided that BRADLEY A. CONNOR, M.D., P.L.L.C. has complied with the applicable requirements of this policy and privacy policies numbers 5 and 18, relating to Minimum Necessary Standards and De-Identification of PHI;
    4. Pursuant to, and in compliance with, an authorization that complies with privacy policy number 15;
    5. Pursuant to an agreement under, or as otherwise permitted by, privacy policy number 14; and
    6. As permitted by and in compliance with this section or privacy policies 5, 8, or 19.
  3. BRADLEY A. CONNOR, M.D., P.L.L.C. is required to disclose protected health information:
    1. To an individual, when requested under and as required by privacy policies 3 and 4; and
    2. When required by the Secretary to investigate or determine BRADLEY A. CONNOR, M.D., P.L.L.C.’s compliance with this policy.

 

  1. Minimum Necessary Standard.
    1. Minimum necessary standard applies when using or disclosing PHI or when requesting PHI from another covered entity, such that a covered entity must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
    2. Minimum necessary does not apply to:
      1. Disclosures to or requests by a health care provider for treatment;
      2. Uses or disclosures made to the individual as permitted under this policy identified above;
      3. Uses or disclosures made pursuant to an authorization under privacy policy 15;
      4. Disclosures made to the Secretary; and
      5. Uses or disclosures that are required for compliance with applicable requirements of this policy.

 

  1. Uses and disclosures of protected health information subject to an agreed-upon restriction. BRADLEY A. CONNOR, M.D., P.L.L.C. may not use or disclose the protected health information covered by a restriction in violation of such restriction, except as otherwise provided in privacy policy 10.

 

  1. Standard: Uses and disclosures of de-identified protected health information.
    1. Uses and disclosures to create de-identified information. A covered entity may use protected health information to create information that is not individually identifiable health information or disclose protected health information only to a business associate for such purpose, whether or not the de-identified information is to be used by the covered entity.
    2. BRADLEY A. CONNOR, M.D., P.L.L.C. may assign a code or other means of record identification to allow information that is de-identified in accordance with this policy to be re-identified by BRADLEY A. CONNOR, M.D., P.L.L.C., provided that:
      1. Derivation – The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual;
      2. Security – BRADLEY A. CONNOR, M.D., P.L.L.C.:
        1. Safeguards the code or other means of record identification, treating it as PHI in accordance with Administrative Policy 18;
        2. Does not use or disclose the code or other means of record identification for any other purpose; and
        3. Does not disclose the mechanism for re-identification.

 

  1. Disclosures to business associates.
    1. BRADLEY A. CONNOR, M.D., P.L.L.C. may disclose protected health information to a business associate and may allow a business associate to create or receive protected health information on its behalf if BRADLEY A. CONNOR, M.D., P.L.L.C. obtains satisfactory assurance that the business associate will appropriately safeguard the information. This standard does not apply:
      1. With respect to disclosures by a covered entity to a health care provider concerning the treatment of the individual;
      2. With respect to disclosures by a group health plan, a health insurance issuer or HMO with respect to a group health plan to the plan sponsor;
      3. With respect to uses or disclosures by a health plan that is a government program providing public benefits, if eligibility for or enrollment in the health plan is determined by an agency other than the agency administering the health plan, or if the protected health information used to determine enrollment or eligibility in the health plan is collected by an agency other than the agency administering the health plan, and such activity is authorized by law, with respect to the collection and sharing of individually identifiable health information for the performance of such functions by the health plan and the agency, other than the agency administering the health plan; and
    2. Failure of a business associate or subcontractor of a business associate to comply with the terms of BRADLEY A. CONNOR, M.D., P.L.L.C.’s business associate policies and privacy practices will result in the termination of the business associate agreement, and such activity will be reported to the Secretary.
    3. BRADLEY A. CONNOR, M.D., P.L.L.C. must document the satisfactory assurances required by the above paragraphs through a written contract or other written agreement or arrangement with the business associate.

 

  1. BRADLEY A. CONNOR, M.D., P.L.L.C. must comply with all of the requirements relative to the protected health information of a deceased individual with the exception that:
    1. Deceased Adult – An executor, administrator, or other person with authority to act on behalf of a deceased patient or of the patient’s estate may access or authorize the use/disclosure of the deceased patient’s protected health information. See privacy policy 6.

 

  1. As specified in this paragraph, a covered entity must treat a personal representative as the individual:
    1. If under applicable law a person has authority to act on behalf of an individual who is an adult or an emancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation;
    2. If under applicable law a parent, guardian, or other person acting in loco parentis has authority to act on behalf of an individual who is an unemancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation, except that such person may not be a personal representative of an unemancipated minor, and the minor has the authority to act as an individual, with respect to protected health information pertaining to a health care service, if:
      1. The minor consents to such health care service; no other consent to such health care service is required by law, regardless of whether the consent of another person has also been obtained; and the minor has not requested that such person be treated as their personal representative;
      2. The minor may lawfully obtain such health care service without the consent of a parent, guardian, or other person acting in loco parentis, and the minor, a court, or another person authorized by law consents to such health care service; and
      3. A parent, guardian, or other person acting in loco parentis assents to an agreement of confidentiality between a covered health care provider and the minor with respect to such health care service.
    3. Notwithstanding the provisions of the above paragraph:
      1. If, and to the extent permitted or required by an applicable provision of State or other law, including applicable case law, BRADLEY A. CONNOR, M.D., P.L.L.C. may disclose, or provide access in accordance to, PHI about an unemancipated minor to a parent, guardian, or other person acting in loco parentis;
      2. If, and to the extent prohibited by an applicable provision of State or other law, including applicable case law, BRADLEY A. CONNOR, M.D., P.L.L.C. may not disclose protected health information about an unemancipated minor to a parent, guardian, or other person acting in loco parentis; and
      3. Where the parent, guardian, or other person acting in loco parentis, is not the personal representative under the situations listed in this document and where there is no applicable access provision under State or other law, including case law, BRADLEY A. CONNOR, M.D., P.L.L.C. may provide or deny access to a parent, guardian, or other person acting in loco parentis, if such action is consistent with State or other applicable law, provided that such decision must be made by a licensed health care professional in the exercise of professional judgment.
    4. If, under applicable law, an executor, administrator, or other person has authority to act on behalf of a deceased individual or of the individual’s estate, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation.
  2. Notwithstanding a State law or any requirement of this policy to the contrary, BRADLEY A. CONNOR, M.D., P.L.L.C. may elect not to treat a person as the personal representative of an individual if:
    1. BRADLEY A. CONNOR, M.D., P.L.L.C. has a reasonable belief that:
      1. The individual has been or may be subjected to domestic violence, abuse, or neglect by such person; or
      2. Treating such person as the personal representative could endanger the individual; and
    2. BRADLEY A. CONNOR, M.D., P.L.L.C., in the exercise of professional judgment, decides that it is not in the best interest of the individual to treat the person as the individual’s personal representative.

 

  1. BRADLEY A. CONNOR, M.D., P.L.L.C. or health plan must comply with the applicable requirements regarding confidential communications when communicating PHI. See privacy policy 10.
  2. BRADLEY A. CONNOR, M.D., P.L.L.C. is required to have a notice of privacy practices and may not use or disclose protected health information in a manner inconsistent with the notice. BRADLEY A. CONNOR, M.D., P.L.L.C. is required to include a specific statement in its notice if it intends to engage in an activity, and may not use or disclose protected health information for such activities unless the required statement is included in the notice.
  3. BRADLEY A. CONNOR, M.D., P.L.L.C. is not considered to have violated the privacy rules if a member of its workforce or a business associate discloses protected health information, provided that:
    1. The workforce member or business associate believes in good faith that BRADLEY A. CONNOR, M.D., P.L.L.C. has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by the covered entity potentially endangers one or more patients, workers, or the public;
    2. The disclosure is to:
      1. A health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of the covered entity or to an appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct by the covered entity; and
      2. An attorney retained by or on behalf of the workforce member or business associate for the purpose of determining the legal options of the workforce member or business associate with regard to the conduct described in this policy.
  4. BRADLEY A. CONNOR, M.D., P.L.L.C. is not considered to have violated the privacy rules if a member of its workforce who is the victim of a criminal act discloses protected health information to a law enforcement official, provided that:
    1. The protected health information disclosed is about the suspected perpetrator of the criminal act; and
    2. The protected health information disclosed is limited to law enforcement requirements and the information listed in privacy policy 12.

 

Definitions:

  • Business associate: A person or entity that, on behalf of a covered entity or an organized health care arrangement, performs or assists in the performance of:
    1. A function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice; and
    2. Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services for such covered entity or organized health care arrangement.

  • Covered Entity: A health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a HIPAA transaction.

  • De-Identify: The Privacy Rule allows a covered entity to de-identify data by removing 18 specific elements that could be used to identify the individual or the individual’s relatives, employers, or household members; these elements are enumerated in the Privacy Rule. The covered entity also must have no actual knowledge that the remaining information could be used alone or in combination with other information to identify the individual who is the subject of the information.

  • ePHI: Electronic/Protected health information means individually identifiable health information:
    1. Transmitted by electronic media;
    2. Maintained in electronic media; and
    3. Transmitted or maintained in any other form or medium.

  • Minimum Necessary: When using or disclosing protected health information (PHI), or when requesting PHI from others, the HIPAA Privacy Rule requires that a covered entity make reasonable efforts to limit itself to “the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”

AUTHORIZED BY:

Company Name:

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

Policy Name:

Uses and Disclosures of Workers Compensation Information

Policy Number:

Privacy 20.0

Effective Date:

08/15/2018

 

Responsible for Review:

Marina Rogova, RN

Review Date:

08/15/2019

Synopsis of Policy: HIPAA Regulation: §164.512 Consent or Authorization Not Required

 

This policy explains the rights BRADLEY A. CONNOR, M.D., P.L.L.C. has to release information to Workers Compensation, insurance or state programs without a release of information from the patient. Workers Compensation does not fall under the HIPAA rules.

Full Policy Language:

 

Background:

 

In compliance with the Privacy Rule of the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), BRADLEY A. CONNOR, M.D., P.L.L.C. may disclose Protected Health Information (PHI) to Workers Compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault. However, the health information disclosed must be limited to the minimum amount necessary to carry out the purpose of the disclosure.

 

An employee filing a claim for Workers Compensation due to an on-the-job injury consents to certain conditions. One of those conditions is that, at the employer’s request, the employee will submit to an examination to determine the validity of the claim. This information is then available, with certain restrictions, to the employee, employer, Department of Workforce Development, or a representative of any of these, to assist in resolving the claim.

 

Employees filing a Workers Compensation claim waive all provider-patient privilege of information or results regarding any condition or complaint reasonably related to the condition that they are claiming compensation for.

 

Procedures:

 

  1. Copies of medical records or verbal communications reasonably related to a work injury should be released, within a reasonable amount of time after receipt of a written request, to the employee, the employer, the Workers Compensation insurance carrier for the employer, the Department of Workforce Development, or its representative.

  2. Requests for copies of medical records that extend beyond the scope of the work-related injury must be accompanied by a written authorization from the patient/employee.

  3. Providers furnish legible duplicates of the written material requested. Certified copies are furnished upon request. Refusal to provide the requested copies can result in the provider being liable for all costs of preparing the records and attorney’s fees incurred while attempting to obtain the requested copies.

  4. Fees for copies are set by state statute, with a limit of the greater of $7.50 per request or $.45 per page, plus the actual postage cost.

  5. Records of the Department of Workforce Development that identify an employee filing a Workers Compensation claim are confidential and not subject to inspection or copying under §19.35(1). This includes the following:
    1. Identity of the employee;
    2. Nature of the claimed injury;
    3. Past or present medical condition;
    4. Extent of disability;
    5. Amount, type, duration, or any benefits provided to the employee; and
    6. Financial information provided to the department by a self-insured employer or a person applying for exemption.

AUTHORIZED BY:

Company Name:

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

Policy Name:

Breach Notification

Policy Number:

Privacy 21.0

Effective Date:

08/15/2018

 

Responsible for Review:

Marina Rogova, RN

Review Date:

08/15/2019

Synopsis of Policy: HIPAA Regulation: §164.404-§164.414 Breach Notification

 

This policy provides guidance for breach notification by BRADLEY A. CONNOR, M.D., P.L.L.C. when impermissible or unauthorized access, acquisition, use, and/or disclosure of BRADLEY A. CONNOR, M.D., P.L.L.C.’s patients’ Protected Health Information (PHI) occurs. Breach notification will be carried out in compliance with the American Recovery and Reinvestment Act (ARRA)/Health Information Technology for Economic and Clinical Health Act (HITECH), Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act (HITECH, Omnibus Rule), as well as any other federal or state notification law.

 

The full policy, of which this serves as an executive summary, details and defines all aspects of inappropriate, wrongful, accidental, or willful breaches of protected health information (PHI). The complete policy also identifies required procedures to alert those who have been the subject of a breach and additional notification requirements (governmental agencies, law enforcement, etc.).

 

Any BRADLEY A. CONNOR, M.D., P.L.L.C. workforce member coming in contact with PHI in their regular duties must read the complete policy and attest to having read and understood it.

Full Policy Language:

 

Purpose:

 

To provide guidance for breach notification by covered entities when impermissible or unauthorized access, acquisition, use, and/or disclosure of BRADLEY A. CONNOR, M.D., P.L.L.C.’s patients’ protected health information occurs. Breach notification will be carried out in compliance with the American Recovery and Reinvestment Act (ARRA)/Health Information Technology for Economic and Clinical Health Act (HITECH), Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act (HITECH, Omnibus Rule), as well as any other federal or state notification law.

 

The Federal Trade Commission (FTC) has published breach notification rules for vendors of personal health records as required by ARRA/HITECH. The FTC rule applies to entities not covered by HIPAA, primarily vendors of personal health records. The rule was effective September 24, 2009 with full compliance required by February 22, 2010.

 

Background:

 

The American Recovery and Reinvestment Act of 2009 (ARRA) was signed into law on February 17, 2009. Title XIII of ARRA is the Health Information Technology for Economic and Clinical Health Act (HITECH). HITECH significantly impacted the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. While HIPAA did not require notification when patient protected health information (PHI) was inappropriately disclosed, covered entities may have chosen to include notification as part of the mitigation process. HITECH required notification of certain breaches of unsecured PHI to the following: individuals, the Secretary of the Department of Health and Human Services (HHS), and the media. The effective implementation date for these provisions was September 23, 2009.

 

In January of 2013, the “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules” (Omnibus Rule) modified the HITECH definition of a breach to eliminate the previous “harm” standard and was effective September 23, 2013. It states that an “acquisition, access, use, or disclosure in a manner not permitted is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment” of at least the following factors:

  1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the protected health information or to whom the disclosure was made;
  3. Whether the protected health information was actually acquired or viewed; and
  4. The extent to which the risk to the protected health information has been mitigated.

 

Definitions:

 

Access: The ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.

 

Agent: An agent of BRADLEY A. CONNOR, M.D., P.L.L.C. is determined in accordance with the federal common law of agency. BRADLEY A. CONNOR, M.D., P.L.L.C. is liable for the acts of its agents. An agency relationship exists if BRADLEY A. CONNOR, M.D., P.L.L.C. has the right or authority to control the agent’s conduct in the course of performing a service on behalf of BRADLEY A. CONNOR, M.D., P.L.L.C. (i.e. to give interim instructions or direct the performance of the service).

 

Breach: The acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted under the Privacy Rule, which compromises the security or privacy of the PHI and is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors:

  1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the protected health information or to whom the disclosure was made;
  3. Whether the protected health information was actually acquired or viewed; and
  4. The extent to which the risk to the protected health information has been mitigated.

 

Breach excludes:

  1. Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a Covered Entity (CE) or Business Associate (BA) if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the Privacy Rule;
  2. Any inadvertent disclosure by a person who is authorized to access PHI at a CE or BA to another person authorized to access PHI at the same CE or BA, or organized health care arrangement in which the CE participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the Privacy Rule; and
  3. A disclosure of PHI where a CE or BA has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

 

Covered Entity: A health plan, health care clearinghouse, or a healthcare provider who transmits any health information in electronic form.

Disclosure: The release, transfer, provision of, access to, or divulging in any manner of information outside the entity holding the information.

Individually Identifiable Health Information: Information that is a subset of health information, including demographic information collected from an individual, and is created or received by a health care provider, health plan, employer, or health care clearinghouse; relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Law Enforcement Official: Any officer or employee of an agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe who is empowered by law to investigate or conduct an official inquiry into a potential violation of law, or prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.

Organization: For the purposes of this policy, the term “organization” shall mean the covered entity to which the policy and breach notification apply.

 

Protected Health Information (PHI): Protected health information means individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium (see regulations for complete definition and exclusions).

 

Unsecured Protected Health Information: PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under § 13402(h)(2) of Pub. L. 111-5 on the HHS website:

  1. Electronic PHI (ePHI) has been encrypted as specified in the HIPAA Security Rule by the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without the use of a confidential process or key, and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt. The following encryption processes meet this standard:
    1. Valid encryption processes for data at rest (i.e. data that resides in databases, file systems, and other structured storage systems) are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices; and
    2. Valid encryption processes for data in motion (i.e. data that is moving through a network, including wireless transmission) are those that comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs; and may include others which are Federal Information Processing Standards FIPS 140-2 validated.
  2. The media on which the PHI is stored or recorded has been destroyed in the following ways:
    1. Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. Redaction is specifically excluded as a means of data destruction; and
    2. Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publications 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.

 

Workforce: Workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such entity, whether or not they are paid by the covered entity or business associate.

 

Policy:

 

  1. Discovery of Breach: A breach of PHI shall be treated as “discovered” as of the first day on which an incident that may have resulted in a breach is known to BRADLEY A. CONNOR, M.D., P.L.L.C., or, by exercising reasonable diligence, would have been known to BRADLEY A. CONNOR, M.D., P.L.L.C. (this includes breaches by BRADLEY A. CONNOR, M.D., P.L.L.C.’s business associates). BRADLEY A. CONNOR, M.D., P.L.L.C. shall be deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or agent (e.g. a business associate acting as an agent of the organization) of BRADLEY A. CONNOR, M.D., P.L.L.C. (see attachment for examples of breach of unsecured PHI). Following the discovery of a potential breach, BRADLEY A. CONNOR, M.D., P.L.L.C. shall begin an investigation (see organizational policies for security incident response and/or risk management incident response), conduct a risk assessment, and, based on the results of the risk assessment, begin the process to notify each individual whose PHI has been, or is reasonably believed by BRADLEY A. CONNOR, M.D., P.L.L.C. to have been, accessed, acquired, used, or disclosed as a result of the breach. BRADLEY A. CONNOR, M.D., P.L.L.C. shall also begin the process of determining what external notifications are required or should be made (e.g., Secretary of the Department of Health & Human Services (HHS), media outlets, law enforcement officials, etc.).

  2. Breach Investigation: BRADLEY A. CONNOR, M.D., P.L.L.C. shall name an individual to act as the investigator of the breach (e.g., privacy officer, security officer, risk manager, etc.). The investigator shall be responsible for managing the breach investigation, completing a risk assessment, and coordinating with others in BRADLEY A. CONNOR, M.D., P.L.L.C. as appropriate (e.g., administration, security incident response team, human resources, risk management, public relations, legal counsel, etc.). The investigator shall be the key facilitator for all breach notification processes to the appropriate entities (e.g., HHS, media, law enforcement officials, etc.). All documentation related to the breach investigation, including the risk assessment and notifications made, shall be retained for a minimum of six years.

  3. Risk Assessment: For an acquisition, access, use or disclosure of PHI to constitute a breach, it must constitute a violation of the Privacy Rule. A use or disclosure of PHI that is incident to an otherwise permissible use or disclosure and occurs despite reasonable safeguards and proper minimum necessary procedures would not be a violation of the Privacy Rule and would not qualify as a potential breach. An “acquisition, access, use, or disclosure in a manner not permitted is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment” of at least the following factors:
    1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
    2. The unauthorized person who used the PHI or to whom the disclosure was made;
    3. Whether the PHI was actually acquired or viewed; and
    4. The extent to which the risk to the PHI has been mitigated.

  4. BRADLEY A. CONNOR, M.D., P.L.L.C. shall document the risk assessment as part of the investigation in the incident report form, noting the outcome of the risk assessment process. BRADLEY A. CONNOR, M.D., P.L.L.C. has the burden of proof for demonstrating that all notifications were made as required or that the use or disclosure did not constitute a breach. Based on the outcome of the risk assessment, BRADLEY A. CONNOR, M.D., P.L.L.C. will determine the need to move forward with breach notification. BRADLEY A. CONNOR, M.D., P.L.L.C. may make breach notifications without completing a risk assessment.

  5. Timeliness of Notification: Upon determination that breach notification is required, the notice shall be made without unreasonable delay and in no case later than 60 calendar days after the discovery of the breach by BRADLEY A. CONNOR, M.D., P.L.L.C. or by a business associate acting as BRADLEY A. CONNOR, M.D., P.L.L.C.’s agent. It is the responsibility of BRADLEY A. CONNOR, M.D., P.L.L.C. to demonstrate that all notifications were made as required, including evidence demonstrating the necessity of any delay.

  6. Delay of Notification Authorized for Law Enforcement Purposes: If a law enforcement official states to BRADLEY A. CONNOR, M.D., P.L.L.C. that a notification, notice, or posting would impede a criminal investigation or cause damage to national security, BRADLEY A. CONNOR, M.D., P.L.L.C. shall:
    1. If the statement is in writing and specifies the time for which a delay is required, delay such notification, notice, or posting for the time period specified by the official; or
    2. If the statement is made orally, document the statement, including the identity of the official making the statement, and delay the notification, notice, or posting temporarily and no longer than 30 days from the date of the oral statement, unless a written statement as described above is submitted during that time.

  7. Content of the Notice: The notice shall be written in plain language and must contain the following information:
    1. A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
    2. A description of the types of unsecured PHI that were involved in the breach (such as whether full name, Social Security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
    3. Any steps the individual should take to protect themselves from potential harm resulting from the breach;
    4. A brief description of what BRADLEY A. CONNOR, M.D., P.L.L.C. is doing to investigate the breach, to mitigate harm to individuals, and to protect against further breaches; and
    5. Contact procedures for individuals to ask questions or learn additional information, which include a toll-free telephone number, an e-mail address, web site, or postal address.

  8. Methods of Notification: The method of notification will depend on the individuals/entities to be notified. The following methods must be utilized accordingly:
    1. Notice to Individual(s): Notice shall be provided promptly and in the following form:
      1. Written notification by first-class mail to the individual at their last known address or, if the individual agrees to electronic notice and such agreement has not been withdrawn, by electronic mail. The notification shall be provided in one or more mailings, as information is available. If BRADLEY A. CONNOR, M.D., P.L.L.C. knows that the individual is deceased and has the address of the next of kin or personal representative of the individual, written notification by first-class mail to the next of kin or personal representative shall be carried out. Limited examples (refer to the preamble for more examples):
        1. BRADLEY A. CONNOR, M.D., P.L.L.C. may send one breach notice addressed to both a plan participant and the participant’s spouse or other dependents under the plan who are affected by a breach if they all reside at a single address and all individuals to whom the notice applies are clearly identified on the notice. When a plan participant (and/or spouse) is not the personal representative of a dependent under the plan, however, the breach notice shall be addressed to the dependent himself or herself; and
        2. In the limited circumstance that an individual affirmatively chooses not to receive communications from a health care provider at any written address or email address and has agreed only to receive communications orally or by telephone, the provider may telephone the individual and ask the individual to pick up their written breach notice from the provider directly. In cases in which the individual does not agree or wish to travel to the provider to pick up the written breach notice, the health care provider should provide all of the information in the breach notice over the phone to the individual and document that it has done so; the Department will exercise enforcement discretion in such cases with respect to the “written notice” requirement.
      2. Substitute Notice: Where there is insufficient or out-of-date contact information (including a phone number, email address, etc.) that precludes direct written or electronic notification, a substitute form of notice reasonably calculated to reach the individual shall be provided. A substitute notice need not be provided where there is insufficient or out-of-date contact information that precludes written notification to the next of kin or personal representative.
        1. Where there is insufficient or out-of-date contact information for fewer than 10 individuals, the substitute notice may be provided by an alternative form of written notice, telephone, or other means.
        2. Where there is insufficient or out-of-date contact information for 10 or more individuals, the substitute notice shall be in the form of either a conspicuous posting for a period of 90 days on the home page of the organization’s website or a conspicuous notice in major print or broadcast media in the geographic areas where the individuals affected by the breach likely reside. The notice shall include a toll-free number that remains active for at least 90 days where an individual can learn whether his or her PHI may be included in the breach.
      3. If BRADLEY A. CONNOR, M.D., P.L.L.C. determines that notification requires urgency because of possible imminent misuse of unsecured PHI, notification may be provided by telephone or other means, as appropriate, in addition to the methods noted above.
    2. Notice to Media: Notice shall be provided to prominent media outlets serving the state and regional area (of the breached patients) when the breach of unsecured PHI affects 500 or more of BRADLEY A. CONNOR, M.D., P.L.L.C.’s patients residing in a State or jurisdiction.
      1. The notice shall be provided in the form of a press release.
      2. What constitutes a prominent media outlet differs depending upon the state or jurisdiction where BRADLEY A. CONNOR, M.D., P.L.L.C.’s affected patients reside. For a breach affecting more than 500 individuals across a particular state, a prominent media outlet may be a major, general interest newspaper with a daily circulation throughout the entire state. In contrast, a newspaper serving only one town and distributed on a monthly basis, or a daily newspaper of specialized interest (such as sports or politics), would not be viewed as a prominent media outlet. Where a breach affects more than 500 individuals in a limited jurisdiction, such as a city, then a prominent media outlet may be a major, general-interest newspaper with daily circulation throughout the city, even though the newspaper does not serve the whole State.
    3. Notice to Secretary of HHS: Notice shall be provided to the Secretary of HHS as follows. The Secretary shall make available to the public on the HHS website a list identifying covered entities involved in all breaches in which the unsecured PHI of more than 500 patients is accessed, acquired, used, or disclosed.
      1. For breaches involving 500 or more individuals, the organization shall notify the Secretary of HHS as instructed at hhs.gov at the same time notice is made to the individuals.
      2. For breaches involving fewer than 500 individuals, the organization will maintain a log of the breaches. The breaches may be reported during the calendar year or no later than 60 days after the end of the calendar year in which the breaches were discovered (e.g., 2017 breaches involving fewer than 500 individuals must be submitted by 3/1/2018 – 60 days from the end of the calendar year). Instructions for submitting the logged breaches are provided at hhs.gov.
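As an added example (not part of the practice’s policy or of any tool it uses), the following Python encodes the routing and deadline rules stated in the Timeliness, Substitute Notice, Notice to Media and Notice to Secretary of HHS sections above, so that an incident can be checked against them in one place. The jurisdiction labels and counts are constructed samples, and treating a written law-enforcement delay as extending the 60-day limit by the stated period is an assumption of this example.

```python
"""Breach notification planner for the rules in the policy text above.

Added example; not the practice's policy document or software. Encodes:
  - individual notice no later than 60 calendar days after discovery;
  - substitute notice: fewer than 10 unreachable individuals -> alternative means,
    10 or more -> 90-day web posting or major media with a toll-free number;
  - media notice when 500 or more affected patients reside in one State/jurisdiction;
  - HHS: 500 or more in total reported with the individual notices, otherwise
    logged and submitted within 60 days after the end of the calendar year.
"""
from datetime import date, timedelta

NOTICE_WINDOW_DAYS = 60         # individual notice: no later than 60 calendar days after discovery
SUBSTITUTE_BULK_THRESHOLD = 10  # 10 or more unreachable individuals -> posting or major media
MEDIA_THRESHOLD = 500           # 500 or more affected patients in one State or jurisdiction
HHS_IMMEDIATE_THRESHOLD = 500   # 500 or more affected in total -> notify HHS with the individuals
ANNUAL_LOG_GRACE_DAYS = 60      # smaller breaches: within 60 days after the end of the calendar year


def hhs_annual_log_deadline(discovery_year: int) -> str:
    """ISO date by which the log of sub-500 breaches discovered in a year is due.
    The policy's own example (2017 breaches due 3/1/2018) falls out of this arithmetic."""
    return (date(discovery_year, 12, 31) + timedelta(days=ANNUAL_LOG_GRACE_DAYS)).isoformat()


def substitute_notice_form(unreachable: int) -> str:
    """Which substitute notice the policy calls for, given how many individuals
    have insufficient or out-of-date contact information."""
    if unreachable <= 0:
        return "none"
    if unreachable < SUBSTITUTE_BULK_THRESHOLD:
        return "alternative"      # alternative written notice, telephone, or other means
    return "posting_or_media"     # 90-day home-page posting or major media, with a toll-free number


def plan_notifications(discovered: str, affected_by_jurisdiction: dict,
                       unreachable: int = 0, written_delay_days: int = 0) -> dict:
    """Work out who must be notified, and by when, for one breach of unsecured PHI.

    discovered: ISO date of discovery (first day the incident was known, or should have been).
    affected_by_jurisdiction: affected patient counts per State/jurisdiction; the keys are
        whatever labels the practice uses (the ones used below are constructed samples).
    unreachable: individuals for whom direct written or electronic notice is not possible.
    written_delay_days: delay period stated in writing by a law enforcement official, if any.
        Extending the 60-day limit by that period is an assumption of this example; an oral
        statement (not modelled here) may delay notice for at most 30 days.
    """
    found = date.fromisoformat(discovered)
    total = sum(affected_by_jurisdiction.values())

    individual_deadline = found + timedelta(days=NOTICE_WINDOW_DAYS + written_delay_days)

    # Media notice is judged per State/jurisdiction, not on the overall total.
    media = sorted(j for j, n in affected_by_jurisdiction.items() if n >= MEDIA_THRESHOLD)

    # HHS: 500 or more in total is reported at the same time as the individuals;
    # anything smaller goes on the annual log.
    if total >= HHS_IMMEDIATE_THRESHOLD:
        hhs_mode, hhs_deadline = "immediate", individual_deadline.isoformat()
    else:
        hhs_mode, hhs_deadline = "annual_log", hhs_annual_log_deadline(found.year)

    return {
        "total_affected": total,
        "individual_notice_deadline": individual_deadline.isoformat(),
        "substitute_notice": substitute_notice_form(unreachable),
        "media_notice_jurisdictions": media,
        "hhs_report_mode": hhs_mode,
        "hhs_report_deadline": hhs_deadline,
    }


if __name__ == "__main__":
    # Constructed incident: 650 patients across two jurisdictions, 12 with stale addresses.
    for key, value in plan_notifications("2017-11-15", {"NY": 620, "NJ": 30}, unreachable=12).items():
        print(f"{key}: {value}")
```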

 

  1. Maintenance of Breach Information/Log: As described above and in addition to the reports created for each incident, BRADLEY A. CONNOR, M.D., P.L.L.C.  shall maintain a process to record or log all breaches of unsecured PHI regardless of the number of patients affected. The following information should be collected/logged for each breach (see sample Breach Notification Log):
  1. A description of what happened including the date of the breach, the date of the discovery of the breach, and the number of patients affected, if known;
  2. A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, etc.);
  3. A description of the action taken with regard to notification of patients, the media, and the Secretary regarding the breach;
  4. The results of the risk assessment; and
  5. Resolution steps taken to mitigate the breach and prevent future occurrences.

 

  1. Business Associate Responsibilities: In 2013, the Omnibus Rule extended liability for compliance to the HIPAA Privacy and Security Rules to business associates and their subcontractors. With these modifications, business associates are now directly liable for impermissible uses and disclosures, provision of breach notification to the covered entity, completing breach risk assessments, breach documentation requirements, and civil and criminal penalties for violations. The business associate (BA) of BRADLEY A. CONNOR, M.D., P.L.L.C.  that accesses, creates, maintains, retains, modifies, records, stores, transmits, destroys, or otherwise holds, uses, or discloses unsecured PHI shall, without unreasonable delay and in no case later than 60 calendar days after discovery of a breach, notify BRADLEY A. CONNOR, M.D., P.L.L.C.  of such breach (when the business associate is an agent of the organization, this notification must be provided within a shorter timeframe as specified in BRADLEY A. CONNOR, M.D., P.L.L.C. ‘s Business Associate Agreement policy). Such notice shall include the identification of each individual whose unsecured PHI has been, or is reasonably believed by the BA to have been accessed, acquired, or disclosed during such breach. The BA shall provide BRADLEY A. CONNOR, M.D., P.L.L.C.  with any other available information that the organization is required to include in notification to the individual at the time of the notification or promptly thereafter as information becomes available. Upon notification by the BA of discovery of a breach, BRADLEY A. CONNOR, M.D., P.L.L.C.  will be responsible for notifying affected individuals, unless otherwise agreed upon by the BA to notify the affected individuals (note: it is the responsibility of the Covered Entity to document this notification).

 

  1. Workforce Training: BRADLEY A. CONNOR, M.D., P.L.L.C. shall train all members of its workforce on the policies and procedures with respect to PHI as necessary and appropriate for the members to carry out their job responsibilities. Workforce members shall also be trained on how to identify and promptly report breaches within BRADLEY A. CONNOR, M.D., P.L.L.C., as well as how to return or destroy PHI, as appropriate for the incident. Workforce members who assist in investigating, documenting, and resolving breaches are trained on how to complete these activities.

 

  1. Complaints: BRADLEY A. CONNOR, M.D., P.L.L.C. must provide a process for individuals to make complaints concerning the organization’s patient privacy policies and procedures or its compliance with such policies and procedures. Individuals have the right to complain about BRADLEY A. CONNOR, M.D., P.L.L.C.’s breach notification processes.

 

  1. Sanctions: BRADLEY A. CONNOR, M.D., P.L.L.C. shall have in place and apply appropriate sanctions against members of its workforce who fail to comply with privacy policies and procedures.

 

  1. Retaliation/Waiver: BRADLEY A. CONNOR, M.D., P.L.L.C. may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the exercise by the individual of any privacy right. BRADLEY A. CONNOR, M.D., P.L.L.C. may not require individuals to waive their privacy rights as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.

 

Applicable Federal/State Regulations:

  • Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act (Omnibus Rule);
  • ARRA Title XIII § 13402 – Notification in the Case of Breach;
  • FTC Breach Notification Rules – 16 CFR Part 318;
  • 45 CFR Parts 160 and 164 – HIPAA Privacy and Security Rules; and
  • WI § 134.98 – Notice of Unauthorized Acquisition of Personal Information (Note: Not applicable to Covered Entities under HIPAA).

 

ATTACHMENTS

 

Examples of Potential Breaches of Unsecured Protected Health Information

 

Note: Each of these events may not rise to the level of a “breach.” This can only be determined by completing the risk assessment analysis and making a determination of whether or not there was “harm” to the individual.

  • Workforce members who are not involved in the patient’s care access the electronic health records of a celebrity treated within the facility.
  • Stolen or lost laptop containing unsecured PHI.
  • Papers containing PHI found scattered along roadside after improper storage in truck by business associate responsible for disposal (shredding).
  • Posting of patients’ HIV+ health status on Facebook by a laboratory tech who carried out the diagnostic study.
  • Misdirected e-mail of listing of drug seeking patients to an external group list.
  • Lost flash drive containing database of patients participating in a clinical study.
  • EOB (Explanation of Benefits) sent to wrong guarantor.
  • Provider accessing the health record of divorced spouse for information to be used in a custody hearing.
  • Workforce members accessing electronic health records for information on friends or family members out of curiosity/without a business-related purpose.
  • EMT takes a cell phone picture of a patient following an MVA (motor vehicle accident) and transmits the photo to friends.
  • Patient information misfiled in another patient’s medical record, which is brought to the organization’s attention by the patient.
  • Medical record copies in response to a payer’s request lost in mailing process and never received.
  • Misdirected fax of patient records to a local grocery store instead of the requesting provider’s fax.
  • Briefcase containing patient medical record documents stolen from car.
  • PDA with patient-identifying wound photos lost.
  • Intentional and non-work related access by staff member of neighbor’s information.
  • Medical record documents left in public access cafeteria.

 

Breach Penalties

 

Penalties for Breach: Penalties for violations of HIPAA have been established under HITECH as indicated below. The penalties do not apply if the organization did not know (or by exercising reasonable diligence would not have known) of the violation, or if the failure to comply was due to a reasonable cause and was corrected within thirty days. Penalties will be based on the organization’s culpability for the HIPAA violation. The Secretary of HHS will base the penalty determination on the nature and extent of both the violation and the harm caused by the violation. The Secretary will still have the discretion to impose corrective action without a penalty in cases where the person did not know (and by exercising reasonable diligence would not have known) that such person committed a violation.

 

The maximum penalty is $50,000 per violation, with a cap of $1,500,000 for all violations of an identical requirement or prohibition during a calendar year.

 

The minimum civil monetary penalties are tiered based upon the entity’s perceived culpability for the HIPAA violation, as follows:

 

Tier A – If the offender did not know

  • $100 for each violation, total for all violations of an identical requirement during a calendar year cannot exceed $25,000.

 

Tier B – Violation due to reasonable cause, not willful neglect

  • $1,000 for each violation, total for all violations of an identical requirement during a calendar year cannot exceed $100,000.

 

Tier C – Violation due to willful neglect, but was corrected.

  • $10,000 for each violation, total for all violations of an identical requirement during a calendar year cannot exceed $250,000.

 

Tier D – Violation due to willful neglect, but was NOT corrected.

  • $50,000 for each violation, total for all violations of an identical requirement during a calendar year cannot exceed $1,500,000.

 

AUTHORIZED BY:

 

Organizational Code of Conduct:

BRADLEY A. CONNOR, M.D., P.L.L.C. and its employees must, at all times, comply with all applicable laws and regulations. BRADLEY A. CONNOR, M.D., P.L.L.C. will not condone the activities of employees who achieve results through violation of the law or unethical business dealings. This includes any payments for illegal acts, indirect contributions, rebates, and bribery. BRADLEY A. CONNOR, M.D., P.L.L.C. does not permit any activity where public scrutiny or opinions would damage the reputation of BRADLEY A. CONNOR, M.D., P.L.L.C.

 

All business conduct should be well above the minimum standards required by law. Accordingly, employees must ensure that their actions cannot be interpreted, in any way, as being in contravention of the laws and regulations governing BRADLEY A. CONNOR, M.D., P.L.L.C.’s operations.

 

Employees uncertain about the application or interpretation of any legal requirements should refer the matter to their supervisor, who, if necessary, should seek appropriate legal advice.

 

Employees must use the company-provided systems in a correct and timely manner.

 

General Employee Conduct:

BRADLEY A. CONNOR, M.D., P.L.L.C. expects that its employees will conduct themselves in a business-like manner. Drinking, gambling, fighting, swearing, and similar unprofessional activities are strictly prohibited while on the job.

 

Employees must not engage in sexual harassment, or conduct themselves in a way that could be construed as such, for example by using inappropriate language, keeping or posting inappropriate materials in their work area, or accessing inappropriate materials on their BRADLEY A. CONNOR, M.D., P.L.L.C. computer.

 

Conflicts of Interest:

BRADLEY A. CONNOR, M.D., P.L.L.C. expects that employees will perform their duties conscientiously, honestly, and in accordance with the best interests of BRADLEY A. CONNOR, M.D., P.L.L.C. Employees must not use their positions, or the knowledge gained as a result of their positions, for private or personal advantage. Regardless of the circumstance(s), if employees sense that a course of action they have pursued, are presently pursuing, or are even contemplating pursuing may involve them in a conflict of interest with their employer, they should immediately communicate all those facts to their supervisor.

Outside Activities, Employment, and Directorships:

All employees share a serious responsibility for BRADLEY A. CONNOR, M.D., P.L.L.C.’s good public relations, especially at the community level. Their readiness to help with religious, charitable, educational, and civic activities brings credit to BRADLEY A. CONNOR, M.D., P.L.L.C. and is encouraged.

 

Employees must, however, avoid acquiring any business interest, or participating in any other activity outside BRADLEY A. CONNOR, M.D., P.L.L.C., that would, or would appear to:

 

  • Create an excessive demand upon their time and attention, thus depriving BRADLEY A. CONNOR, M.D., P.L.L.C. of their best efforts on the
  • Create a conflict of interest – an obligation, interest, or distraction – that may interfere with the independent exercise of judgment in BRADLEY A. CONNOR, M.D., P.L.L.C.’s best

 

Relationships With Clients and Suppliers:

Employees should avoid investing in or acquiring a financial interest in any business organization that has a contractual relationship with BRADLEY A. CONNOR, M.D., P.L.L.C. Employees should also avoid entering into a contractual agreement with an entity that provides goods or services, or both, to BRADLEY A. CONNOR, M.D., P.L.L.C. if such investment or interest could influence, or create the impression of influencing, their decisions in the performance of their duties on behalf of BRADLEY A. CONNOR, M.D., P.L.L.C.

 

Gifts, Entertainment, and Favors:

Employees must not accept entertainment, gifts, or personal favors that could, in any way, influence (or appear to influence) business decisions in favor of any person or organization with whom or with which BRADLEY A. CONNOR, M.D., P.L.L.C. has, or is likely to have, business dealings. Similarly, employees must not accept any other preferential treatment under these circumstances, because their positions with BRADLEY A. CONNOR, M.D., P.L.L.C. might be inclined to, or be perceived to, place them under obligation to return the preferential treatment.

 

Kickbacks and Secret Commissions:

Regarding BRADLEY A. CONNOR, M.D., P.L.L.C.’s business activities: Employees may not receive payment or compensation of any kind, except as authorized under BRADLEY A. CONNOR, M.D., P.L.L.C.’s business and payroll policies. In particular, BRADLEY A. CONNOR, M.D., P.L.L.C. strictly prohibits the acceptance of kickbacks and secret commissions from suppliers or others. Any breach of this rule will result in immediate termination and prosecution to the fullest extent of the law.

 

Organization Funds and Other Assets:

Employees who have access to BRADLEY A. CONNOR, M.D., P.L.L.C. funds in any form must follow the prescribed procedures for recording, handling, and protecting money as detailed in BRADLEY A. CONNOR, M.D., P.L.L.C.’s policies and procedures or other explanatory materials. BRADLEY A. CONNOR, M.D., P.L.L.C. imposes strict standards to prevent fraud and dishonesty. If employees become aware of any evidence of fraud or dishonesty, they should immediately advise their supervisor or seek appropriate legal guidance so that BRADLEY A. CONNOR, M.D., P.L.L.C. can promptly investigate.

 

When an employee’s position requires spending BRADLEY A. CONNOR, M.D., P.L.L.C. funds or incurring any reimbursable personal expenses, that individual must use good judgment on BRADLEY A. CONNOR, M.D., P.L.L.C.’s behalf to ensure that the funds were used in a strictly professional capacity and benefited BRADLEY A. CONNOR, M.D., P.L.L.C.

 

BRADLEY A. CONNOR, M.D., P.L.L.C. funds and all other assets of BRADLEY A. CONNOR, M.D., P.L.L.C. are purposed for BRADLEY A. CONNOR, M.D., P.L.L.C. only and not for personal benefit. This includes the personal use of organizational assets, such as computers.

Organization Records and Communications:

Accurate and reliable records of many kinds are necessary to meet BRADLEY A. CONNOR, M.D., P.L.L.C.’s legal and financial obligations and to manage the affairs of BRADLEY A. CONNOR, M.D., P.L.L.C. BRADLEY A. CONNOR, M.D., P.L.L.C.’s books and records must reflect, in an accurate and timely manner, all business transactions. The employees responsible for accounting and recordkeeping must fully disclose and record all assets and liabilities while exercising diligence in enforcing these requirements.

 

Employees must not make or engage in any false record or communication of any kind, whether internal or external, including but not limited to:

 

  • False expense, attendance, production, financial, or similar reports and
  • False advertising, deceptive marketing practices, or other misleading

 

Dealing With Outside People and Organizations:

Employees must take care to separate their personal roles from their organizational positions when communicating on matters not involving BRADLEY A. CONNOR, M.D., P.L.L.C. business. Employees must not use organizational identification, stationery, supplies, or equipment for personal or political matters.

 

When communicating publicly on matters that involve BRADLEY A. CONNOR, M.D., P.L.L.C. business, employees must not presume to speak for BRADLEY A. CONNOR, M.D., P.L.L.C. on any topic unless they are certain that the views they express are those of BRADLEY A. CONNOR, M.D., P.L.L.C. and it is BRADLEY A. CONNOR, M.D., P.L.L.C.’s desire that such views be publicly disseminated.

 

When dealing with anyone outside BRADLEY A. CONNOR, M.D., P.L.L.C., including public officials, employees must take care not to compromise the integrity, or damage the reputation, of BRADLEY A. CONNOR, M.D., P.L.L.C. This applies to any outside individual, business, or government body as well.

 

Prompt Communications:

In all matters relevant to customers, suppliers, government authorities, the public, and others in BRADLEY A. CONNOR, M.D., P.L.L.C., all employees must make every effort to achieve complete, accurate, and timely communications – responding promptly and courteously to all proper requests for information and to all complaints.

 

Privacy and Confidentiality:

When handling financial and personal information about customers or others with whom BRADLEY A. CONNOR, M.D., P.L.L.C. has dealings, observe the following principles:

 

  • Collect, use, and retain only the personal information necessary for BRADLEY A. CONNOR, M.D., P.L.L.C.’s business dealings. Whenever possible, obtain any relevant information directly from the person concerned. Use only reputable and reliable sources to supplement this information.
  • Retain information only for as long as necessary or as required by law. Protect the physical security of this
  • Limit internal access to personal information to those with a legitimate business reason for seeking that information. Use personal information only for the purposes for which it was originally obtained. Obtain the consent of the person concerned before externally disclosing any personal information, unless legal process or contractual obligation provides

 

Attendance:

This policy details how absences and tardiness are counted for the purposes of maintaining excellent customer service throughout the business day.

 

  • Family and Medical Leave Act: Absences due to illnesses or injuries that qualify under the Family and Medical Leave Act (FMLA) will not be counted against an employee’s attendance record. Medical documentation within the guidelines of the FMLA may be required in these instances.

 

Absences and Tardiness:

  • Prescheduled times away from work using accrued vacation, holiday, flex or PTO (where available) days are not considered occurrences for the purpose of this policy.
  • An absence occurs when an employee misses more than three hours of work within a normal workday. An absence of multiple days due to the same illness, injury, or other incident will be counted as one occurrence for the purpose of this policy. A tardy arrival, early departure or other shift interruption is considered a one-half occurrence. On occasion and with prior approval of the supervisor, an employee who is tardy may adjust that day’s schedule to work an equivalent amount of time at the end of the shift, and a one-half occurrence will not be counted. Arrival and departure times will be determined by the time on the time recording system in each department. An employee is considered late if he or she reports to work more than five minutes after the scheduled starting time; an early departure is one in which the employee leaves before the scheduled end of his or her shift. If an employee is scheduled to work overtime and either fails to report or reports after the scheduled start time, an occurrence will be charged as noted above.

 

Company Name:

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

Policy Name:

Notice of Privacy Practices

Policy Number:

Privacy 23.0

Effective Date:

08/15/2018

 

Responsible for Review:

Marina Rogova, RN

Review Date:

08/15/2019

Synopsis of Policy: HIPAA Regulation: §164.520(b) Content of Notice of Privacy Practices; §164.520(c)(2) Provision of Notice of Privacy Practices

 

PURPOSE

 

This policy specifies the procedures to be followed in providing BRADLEY A. CONNOR, M.D., P.L.L.C. patients with BRADLEY A. CONNOR, M.D., P.L.L.C.’s Notice of Privacy Practices, as required by the federal Health Insurance Portability and Accountability Act of 1996 (the “HIPAA Privacy Rule”).

 

POLICY

 

The Privacy Rule requires that BRADLEY A. CONNOR, M.D., P.L.L.C. give patients detailed information about BRADLEY A. CONNOR, M.D., P.L.L.C.’s privacy practices. A copy of BRADLEY A. CONNOR, M.D., P.L.L.C.’s current “Notice of Privacy Practices” shall be given to all of BRADLEY A. CONNOR, M.D., P.L.L.C.’s patients upon admission or, in the case of outpatients, at the time of service. In addition, a separate notice addressing the uses and disclosures of mental health information will be provided to inpatient and outpatient psychiatric patients.

 

Full Policy Language:

 

DEFINITIONS

 

Health Care Operations: Covers a broad range of activities such as quality assessment, patient education and training, student training, contracting for health care services, medical review, legal services, auditing functions, compliance, business planning and development, licensing and accreditation, business management, and general administrative activities.

 

Payment: Activities related to being paid for services rendered. These include eligibility determinations, billing, claims management, utilization review, etc. It also includes using debt collection and location agencies.

 

Protected health information or “PHI”: Any individually identifiable health information collected or created as a consequence of the provision of health care by a covered entity, in any form (including verbal communications).

 

Treatment: Providing, coordinating, or managing a patient’s care, including consultations between providers and referrals.

 

PROCEDURES

 

Notice of Privacy Practices

 

  1. BRADLEY A. CONNOR, M.D., P.L.L.C. must describe, in plain language, its privacy practices, including an individual’s rights related to his or her PHI. This Notice of Privacy Practices (“Notice”) must be made available to patients and be posted throughout BRADLEY A. CONNOR, M.D., P.L.L.C.’s facilities and on BRADLEY A. CONNOR, M.D., P.L.L.C.’s website. BRADLEY A. CONNOR, M.D., P.L.L.C. must also make a good faith effort to obtain a written acknowledgement from the individual that he or she has received the Notice.

  2. The Notice must include the following elements:

     1. The statement: “This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.”
     2. The uses and disclosures the provider will make of the PHI. The Privacy Rule requires that the notice contain:
        • A description, including at least one example, of the types of uses and disclosures of information that BRADLEY A. CONNOR, M.D., P.L.L.C. is permitted to make for each of the following purposes: treatment, payment, and health care operations. The description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by state and federal law;
        • A description of each of the other purposes (other than Treatment, Payment, or Health Care Operations) for which BRADLEY A. CONNOR, M.D., P.L.L.C. is permitted or required to use or disclose PHI without the individual’s written authorization; and
        • A statement that other uses and disclosures will be made only with the individual’s written authorization, and that the individual may revoke this authorization at any time in writing.
     3. A separate statement if BRADLEY A. CONNOR, M.D., P.L.L.C. contacts individuals for: (i) appointment reminders or to provide information regarding treatment alternatives or other health-related benefits, including services that may be of interest to the individual; or (ii) fundraising.

  3. Individual Rights. The Notice must contain a statement of the individual’s rights with respect to PHI and how he or she may exercise the right to:
     1. Inspect and copy PHI;
     2. Amend PHI;
     3. Receive an accounting of disclosures of PHI;
     4. Request restrictions on certain uses and disclosures of information, including a statement that BRADLEY A. CONNOR, M.D., P.L.L.C. is not required to agree to a requested restriction;
     5. Receive confidential communications of PHI; and
     6. Obtain a paper copy of the Notice upon request.

  4. Provider Duties. The Notice must explain that BRADLEY A. CONNOR, M.D., P.L.L.C., under the law, must:
     1. Maintain the privacy of PHI and provide individuals with notice of its legal duties and privacy practices;
     2. Abide by the terms of the Notice currently in effect; and
     3. State in the Notice that BRADLEY A. CONNOR, M.D., P.L.L.C. reserves the right to change the terms of its Notice and to make the new Notice provisions effective for all PHI it maintains. The statement must also explain how BRADLEY A. CONNOR, M.D., P.L.L.C. will provide individuals with a revised Notice.

  5. Complaints. The Notice must explain that individuals may file a complaint with BRADLEY A. CONNOR, M.D., P.L.L.C. and/or the Secretary of HHS if they believe their privacy rights have been violated. A brief description of how to file a complaint with BRADLEY A. CONNOR, M.D., P.L.L.C. must be included. The Notice must also include a statement that the individual will not be retaliated against for filing a

  6. Contact Information. The Notice must contain the name, or title, and telephone number of a person or office to contact for further

  7. Effective Date. The Notice must contain its effective

  8. Font Size. California law requires that information produced by a hospital regarding patients’ rights be printed in 12-point font or larger.

 

Dissemination and Publication of the Notice of Privacy Practices

 

  1. BRADLEY A. CONNOR, M.D., P.L.L.C. must provide the Notice to its patients no later than the date of the first service delivery by a direct care provider. The Notice may also be given to an individual by e-mail if the individual agrees to such electronic notice. If BRADLEY A. CONNOR, M.D., P.L.L.C. knows that the e-mail transmission has failed, it must provide a hard paper copy. If the first service is delivered electronically, BRADLEY A. CONNOR, M.D., P.L.L.C. must send the Notice electronically, automatically, and contemporaneously.

  2. BRADLEY A. CONNOR, M.D., P.L.L.C. must make the Notice available for individuals to take with them. (When the patient is not physically present, the Notice may be sent by first class )

  3. The Notice must be posted in a clear and prominent location where it is reasonable to expect patients to be able to read the

  4. The Notice shall be posted prominently on the BRADLEY A. CONNOR, M.D., P.L.L.C. website and shall be available electronically through the website.

  5. Patients will be informed of their right to restrict directory information. Requests for restrictions to the Facility Directory will be referred to the Director of Patient Access Services. Other requests for further restrictions, such as the use and disclosure of information, will be referred to the Health Information Management Services Department for

  6. If revised, BRADLEY A. CONNOR, M.D., P.L.L.C. must make the revised Notice available upon request and post the revised Notice.

  7. No Notice is required to be given to inmates who may receive treatment at a BRADLEY A. CONNOR, M.D., P.L.L.C.

  8. In the case of patients who are minors, the Notice should be given to the minor’s parent or guardian.

 

Acknowledgement of Notice of Privacy Practices

 

  1. Except in the case of an emergency treatment situation, BRADLEY A. CONNOR, M.D., P.L.L.C. must make a good faith effort to obtain a written Acknowledgement that the individual received BRADLEY A. CONNOR, M.D., P.L.L.C.’s If some individual refuses to sign the Acknowledgement, then BRADLEY A. CONNOR, M.D., P.L.L.C. must document the good faith efforts taken and the reason why the Acknowledgement was not obtained.

  2. A “good faith effort” to obtain written acknowledgment is not required: (1) where emergency treatment/stabilization is required; or (2) when the Notice is mailed and the patient does not return the acknowledgement form, no further effort need be

  3. Acknowledgement of the Notice will be completed during the intake process. The electronic ADT system flag will be updated to reflect whether the Acknowledgement has been signed or refused. The Acknowledgement form will be sent to the Health Information Management Services Department for scanning into the Electronic Medical Record. If the form is not scanned within 30 calendar days from the date of signing, the electronic ADT system flag will revert to its original state to reflect that the Acknowledgment has not been obtained. Upon the patient’s next encounter, the process will repeat until the signed or refused Acknowledgement is

  4. A separate ADT flag will be set when the Notice of Privacy Practices for Mental Health has been obtained, but the flag will only be visible to staff with access to the psychiatric registration and encountering

 

Revisions to the Notice of Privacy Practices

 

  1. BRADLEY A. CONNOR, M.D., P.L.L.C. must promptly revise and distribute its Notice whenever there is a material change to the uses and disclosures, individuals’ rights, BRADLEY A. CONNOR, M.D., P.L.L.C.’s legal duties, or other privacy practices stated in the Notice. The revised Notice will be posted in the service delivery areas and will be provided to patients upon request. The revised Notice will also be posted on the BRADLEY A. CONNOR, M.D., P.L.L.C. website as indicated above.

 

Record Retention

 

  1. All versions of BRADLEY A. CONNOR, M.D., P.L.L.C.’s approved “Notice of Privacy Practices” will be archived and maintained by the Compliance Office for a period of no less than six (6) years.

 

REFERENCES

HIPAA 45 CFR §160

 

APPROVAL:

 

Company Name:

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

Policy Name:

Social Media

Policy Number:

HIPAA Policy 24.0

Effective Date:

08/15/2018

 

Responsible for Review:

Marina Rogova, RN

Review Date:

08/15/2019

Synopsis of Policy: Social Media

 

This policy provides guidance for employee use of social media, which should be broadly understood for purposes of this policy to include blogs, wikis, micro-blogs, message boards, chat rooms, electronic newsletters, online forums, social networking sites, and other sites and services that permit users to share information with others in a contemporaneous manner.

 

Full Policy Language:

 

Procedures:

 

The following principles apply to professional use of social media on behalf of BRADLEY A. CONNOR, M.D., P.L.L.C., as well as personal use of social media when referencing BRADLEY A. CONNOR, M.D., P.L.L.C.

 

  1. Employees should be aware that it is never acceptable to post to social media websites any information regarding patients, their condition, or their treatment plan, and that sanctions up to and including termination may result from a breach of this policy.
  2. Employees need to know and adhere to the Company’s Code of Conduct, Employee Handbook, and other BRADLEY A. CONNOR, M.D., P.L.L.C. policies when using social media in reference to BRADLEY A. CONNOR, M.D., P.L.L.C.
  3. Employees should be aware of the effect that their actions may have on their image, as well as BRADLEY A. CONNOR, M.D., P.L.L.C.’s image. Employees should be aware that the information they post or publish may be publicly accessible for a long time.
  4. Employees should be aware that BRADLEY A. CONNOR, M.D., P.L.L.C. may observe content and information made available by employees through social media. Employees should use their best judgment in posting material that is neither inappropriate nor harmful to BRADLEY A. CONNOR, M.D., P.L.L.C., its employees, or its customers.
  5. Although this is not an exclusive list, some specific examples of prohibited social media conduct include posting commentary, content, or images that are defamatory, pornographic, proprietary, harassing, libelous, or that may create a hostile work environment.
  6. Employees are not to publish, post, or release any information that is considered confidential or private. If there are questions about what is considered confidential, employees should check with the Human Resources Department and/or their supervisor.
  7. Social media networks, blogs, and other types of online content can generate press, media attention, or legal questions. Employees should refer these inquiries to authorized BRADLEY A. CONNOR, M.D., P.L.L.C.
  8. If employees encounter a situation while using social media that threatens to become antagonistic, they should disengage from the dialogue in a polite manner and seek the advice of a supervisor.
  9. Employees should get appropriate permission before they refer to or post images of current (or former) BRADLEY A. CONNOR, M.D., P.L.L.C. employees, members, vendors, and suppliers. Additionally, employees should get appropriate permission to use a third party’s copyrights, copyrighted material, trademarks, service marks, or other intellectual property.
  10. Social media use should not interfere with employees’ responsibilities at BRADLEY A. CONNOR, M.D., P.L.L.C. BRADLEY A. CONNOR, M.D., P.L.L.C.’s computer systems are to be used for business purposes only. When using BRADLEY A. CONNOR, M.D., P.L.L.C.’s computer systems, use of social media for business purposes is allowed (e.g., Facebook, Twitter, BRADLEY A. CONNOR, M.D., P.L.L.C. blogs, and LinkedIn). However, personal use of social media networks, or personal blogging of online content, is discouraged and could result in disciplinary action.
  11. Subject to applicable law, after-hours online activity that violates the BRADLEY A. CONNOR, M.D., P.L.L.C. Code of Conduct or any other company policy may subject an employee to disciplinary action or termination.
  12. If employees publish content after hours that involves work or subjects associated with BRADLEY A. CONNOR, M.D., P.L.L.C., a disclaimer should be used, such as this: “The postings on this site are my own and may not represent BRADLEY A. CONNOR, M.D., P.L.L.C.’s positions, strategies, or opinions.”
  13. It is highly recommended that employees keep BRADLEY A. CONNOR, M.D., P.L.L.C.-related social media accounts separate from personal accounts, if practical.

 

AUTHORIZED BY:

 

Company Name:

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

Policy Name:

HIPAA Privacy Program

 

Policy Number:

Privacy 25.0

Effective Date:

08/15/2018

 

Responsible for Review:

Marina Rogova, RN

Review Date:

08/15/2019

Synopsis of Policy: HIPAA Regulation: §164.530 HIPAA Privacy Program

 

This policy is designed to help BRADLEY A. CONNOR, M.D., P.L.L.C. comply with the Administrative Simplification Act component of the HIPAA Privacy Rule, to secure and maintain the confidentiality of Protected Health Information (PHI), maintain sensitive organizational information at BRADLEY A. CONNOR, M.D., P.L.L.C., and prevent and detect inappropriate and illegal uses and disclosures.

 

This policy ensures that BRADLEY A. CONNOR, M.D., P.L.L.C. shall be responsible for implementation of the administrative requirements under the federal privacy rule.

 

BRADLEY A. CONNOR, M.D., P.L.L.C. will designate a Privacy Officer to be responsible for the development and implementation of BRADLEY A. CONNOR, M.D., P.L.L.C.’s policies and procedures.

 

Full Policy Language:

 

Purpose:

To comply with the Administrative Simplification Act component of the HIPAA Privacy Rule, to secure and maintain the confidentiality of Protected Health Information (PHI), maintain sensitive organizational information at BRADLEY A. CONNOR, M.D., P.L.L.C., and prevent and detect inappropriate and illegal uses and disclosures of PHI.

 

Policy Description:

BRADLEY A. CONNOR, M.D., P.L.L.C. shall be responsible for implementation of the administrative requirements under the federal privacy rule.

 

BRADLEY A. CONNOR, M.D., P.L.L.C. will designate a Privacy Officer to be responsible for the development and implementation of the policies and procedures of BRADLEY A. CONNOR, M.D., P.L.L.C. [45 CFR § 164.530(a)(1)(i)].

 

The Privacy Officer for BRADLEY A. CONNOR, M.D., P.L.L.C. is ___________________.

 

Definitions:

  1. Health Insurance Portability and Accountability Act of 1996 (HIPAA).
  2. Individually Identifiable Health Information (IIHI). Under § 160.103 of HIPAA, IIHI is defined as information that is a subset of health information, including demographic information collected from an individual, and:
     a. Is created or received by a health care provider, health plan, employer, or health care clearinghouse;
     b. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
     c. That identifies the individual; or
     d. With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
     IIHI includes identifiers of the patient, relatives, employers, or household members such as the following (§ 164.514):
     • Names;
     • Geographic subdivisions smaller than a State, including street address, city, county, precinct, or zip code (except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census, all zip codes with the same three initial digits contain more than 20,000 people);
     • All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date, date of death, all ages over 89, and all elements of dates indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
     • Telephone numbers;
     • Fax numbers;
     • E-mail addresses;
     • Social Security numbers;
     • Medical record numbers;
     • Health plan beneficiary numbers;
     • Account numbers;
     • Certificate/license numbers;
     • Vehicle identifiers and serial numbers, including license plate numbers;
     • Device identifiers and serial numbers;
     • Web Universal Resource Locators (URLs);
     • Internet Protocol (IP) address numbers;
     • Biometric identifiers, including finger and voice prints;
     • Full face photographic images and any comparable images; or
     • Any other unique identifying number, characteristic, or code.
  3. Protected Health Information (PHI). Under § 164.501 of HIPAA, PHI means IIHI that is transmitted or maintained in electronic media or in any other form or medium.
  4. In compliance with § 164.524 contained within the Privacy Rule of the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), BRADLEY A. CONNOR, M.D., P.L.L.C. maintains a Designated Record Set (DRS). The DRS includes medical and billing records to which patients and/or their personal representatives have the right to access, inspect, and copy. Records include any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a provider (§ 164.501).
  5. The health care records of a patient are the property of BRADLEY A. CONNOR, M.D., P.L.L.C., but the information maintained within the record belongs to the patient.
  6. An Individual, for purposes of HIPAA, is the patient and his/her legal Personal Representative (§ 164.502(g)).
  7. A Personal Representative is one who, under law, has the authority to act on behalf of a patient in making decisions related to health care (i.e., a parent, guardian, or legal custodian under WI stat. 48.02(8) and (11)). Personal Representatives may have access to and/or request amendment of PHI relevant to their representative capacity, unless there is a reasonable belief that the patient has been or may be subjected to domestic violence, abuse, or neglect by such person, the release could endanger the patient, or in the exercise of professional judgment it is decided that it is not in the best interest of the patient to treat the person as the patient’s personal representative [§ 164.502(g)].
  8. Treatment. The provision, coordination, or management of health care and related services, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another (§ 164.501).
  9. Payment. Activities undertaken by BRADLEY A. CONNOR, M.D., P.L.L.C. to obtain or provide reimbursement for the provision of health care. Activities for payment include eligibility of coverage determination, billing, claims management, collection activities, utilization review including precertification, preauthorization, concurrent and retrospective review of services, and specified disclosures to consumer reporting agencies (§ 164.501).
  10. Health Care Operations. Quality assessment and improvement activities; reviewing the competence, qualifications, and performance of health care professionals; conducting training programs, accreditation, certification, licensing, credentialing, underwriting, premium rating, and other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits; conducting or arranging for medical review, legal services, and auditing functions; business planning and development; business management (§ 164.501).
  11. Workforce. Under § 160.103 of HIPAA, workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for BRADLEY A. CONNOR, M.D., P.L.L.C., is under the direct control of BRADLEY A. CONNOR, M.D., P.L.L.C., whether or not they are paid by BRADLEY A. CONNOR, M.D., P.L.L.C.
  12. Provider. Under § 160.103 of HIPAA, a provider of medical or health services (as defined in § 1861(u) of the Act, 42 U.S.C. 1395x(u) and 1861(s) of the Act, 42 U.S.C. 1395x(s)) and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business. Providers at BRADLEY A. CONNOR, M.D., P.L.L.C. are those contracted, subcontracted, or employed who provide services on behalf of BRADLEY A. CONNOR, M.D., P.L.L.C.

 

Procedures

 

  1. BRADLEY A. CONNOR, M.D., P.L.L.C. is committed to complying with the HIPAA Privacy Rule; efforts throughout BRADLEY A. CONNOR, M.D., P.L.L.C. focus on maintaining the confidentiality of patients’ PHI through appropriate, authorized access, uses, and disclosures.
  2. BRADLEY A. CONNOR, M.D., P.L.L.C. and its business affiliates create, store, maintain, use, transmit, collect, and disseminate PHI in an environment that promotes confidentiality and integrity without compromising information availability.
  3. Confidentiality policies and procedures are reinforced throughout BRADLEY A. CONNOR, M.D., P.L.L.C. and followed by all physicians and workforce members.
  4. The HIPAA Privacy Officer oversees the HIPAA Privacy program [§ 164.530(a)(1)(i)].
  5. The HIPAA Privacy program may include a team. The following positions are recommended to be considered/involved in the administration of the Privacy Rule (it is recommended that the team meet at least quarterly and file meeting minutes in the HIPAA Privacy Officer’s files):
     • Corporate Compliance Officer;
     • HIS Director;
     • HIMS Director;
     • I/S Decision Support Manager;
     • HIPAA Privacy Officer;
     • Physical Plant Security Officer;
     • Technical Security Officer;
     • Risk manager;
     • Compliance officer; and
     • Medical director.

 

  1. The HIPAA Privacy Officer is responsible for the facilitation of the following functions, which reinforce compliance with the HIPAA Privacy Rule, patient confidentiality, access laws, and BRADLEY A. CONNOR, M.D., P.L.L.C.’s policies and procedures pertaining to them:
     a. Establish and maintain written policies and procedures that place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI from intentional or unintentional uses and disclosures that are in violation of the law [§ 164.530(c & i)].
     b. Update policies and procedures as necessary and appropriate, and in compliance with BRADLEY A. CONNOR, M.D., P.L.L.C.’s Notice of Privacy Practices, to comply with changes in the law [§ 164.530(i)(2-4)].
     c. Make necessary changes to BRADLEY A. CONNOR, M.D., P.L.L.C.’s Notice of Privacy Practices [§ 164.530(i)(2 & 3)].
     d. Maintain policies and procedures (including any changes made) in written or electronic form for six years from the date of creation or the date when they were last in effect, whichever is later [§ 164.530(j)].
     e. Make all reasonable efforts to limit incidental uses and disclosures [§ 164.530(c)(2)(ii)].
     f. Provide training for BRADLEY A. CONNOR, M.D., P.L.L.C. workforce members on the established policies and procedures as necessary and appropriate to carry out their job functions, and document the training provided [§ 164.530(b)]:
        • To each member of the workforce by no later than the compliance date for BRADLEY A. CONNOR, M.D., P.L.L.C.;
        • To new workforce members during their first month of employment;
        • To existing workforce members annually; and
        • To existing workforce members whose functions are affected by a material change in the policies and procedures, within a month after the material change becomes effective.
     g. Maintain a program encouraging workforce members and patients to report complaints concerning compliance with the regulation and BRADLEY A. CONNOR, M.D., P.L.L.C.’s policies and procedures to (PERSON or OFFICE) [§ 164.530(a & d)]:
        • Promptly and properly investigate and address reported violations, taking steps to prevent recurrence; and
        • Document all complaints and follow-up documentation and file them [§ 164.530(d)(2)].
     h. Persons, including workforce members and patients, who make reports or participate in an investigation of violations in good faith will not be subject to intimidation, threats, coercion, discrimination, or any other retaliatory action as a consequence [§ 164.530(g)].
     i. Mitigate, to the extent practicable, any harmful effect that is known to BRADLEY A. CONNOR, M.D., P.L.L.C. of a use or disclosure of PHI in violation of its policies and procedures or the requirements of the law by BRADLEY A. CONNOR, M.D., P.L.L.C. or its business associate [§ 164.530(f)].
     j. Consistently enforce the law and BRADLEY A. CONNOR, M.D., P.L.L.C.’s policies and procedures through appropriate disciplinary mechanisms [§ 164.530(e)].
     k. Actions taken against a workforce member who failed to comply with the policies and procedures are documented and filed in the Privacy Officer’s files [§ 164.530(e)(2)].
     l. Monitor, audit, and reinforce compliance with the law and BRADLEY A. CONNOR, M.D., P.L.L.C.’s policies and procedures.
     m. Provide assistance to patients and other workforce members about the law and BRADLEY A. CONNOR, M.D., P.L.L.C.’s policies and procedures [§ 164.530(a)(1)(ii)].
     n. Do not require individuals to waive their legal rights as a condition of the provision of treatment or payment [§ 164.530(h)].
     o. Implement, distribute, and maintain the Notice of Privacy Practices [§ 164.520(a-e)]:
        • Maintain a copy of the Notice (including changes made) for six years from the date when it was last in effect;
        • Update the Notice to reflect changes in the law or BRADLEY A. CONNOR, M.D., P.L.L.C.’s policies and procedures;
        • Distribute the Notice; and
        • Direct questions regarding the Notice to (PERSON or OFFICE).
  2. BRADLEY A. CONNOR, M.D., P.L.L.C. will implement, monitor, and maintain a Business Associate Agreement with affiliate business entities when required by law.
  3. Documentation: All documentation related to and/or required by HIPAA, including but not limited to compliance enforcement activities such as training, policies and procedures, complaint investigations, designated record sets, etc., is maintained for six years from the date of creation or the date it was last in effect, whichever is later [§ 164.530(j)]. Documentation may be maintained in written or electronic form [§ 164.530(j)(1)(ii)].

 

 

AUTHORIZED BY:

 

 

 

 

SECURITY

 

 

Company Name:

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

Policy Name:

Assigned Security Responsibility

Policy Number:

Security 1.0

Effective Date:

08/15/2018

 

Responsible for Review:

Marina Rogova, RN

Review Date:

08/15/2019

Synopsis of Policy: HIPAA Regulation: §164.308(a)(2) Assigned security responsibility

 

At all times BRADLEY A. CONNOR, M.D., P.L.L.C. shall have one individual identified and assigned to HIPAA security responsibility.

 

The HIPAA Security Officer is responsible for the oversight of Security Rule implementation by department and has the ultimate responsibility for ensuring HIPAA Security Rule policies are implemented and followed. Responsibilities include:

 

1. Ensure that the necessary and appropriate HIPAA-related policies are developed and implemented to safeguard the integrity, confidentiality, and availability of Electronic Protected Health Information (ePHI) within BRADLEY A. CONNOR, M.D., P.L.L.C.

2. Ensure that the necessary infrastructure of personnel, procedures, and systems is in place:

   a. To develop and implement the necessary HIPAA-related policies.

   b. To monitor, audit, and review compliance with all HIPAA-related policies.

   c. To provide a mechanism for reporting incidents and HIPAA security violations.

3. Act as a spokesperson and single point of contact for BRADLEY A. CONNOR, M.D., P.L.L.C. in all issues relating to HIPAA security.

4. The job title and duties shall be documented further within the Full Policy found below.

 

Full Policy Language:

 

HIPAA Regulation:

 

  • § 164.308(a)(2) Assigned security responsibility

 

Policy Purpose:

 

At all times BRADLEY A. CONNOR, M.D., P.L.L.C. shall have one individual identified and assigned to HIPAA security responsibility.

 

Policy Description:

 

The HIPAA Security Officer is responsible for the oversight of the Security Rule and its implementation. They also have the ultimate authority and responsibility for ensuring that HIPAA Security Rule policies are implemented and followed.

 

Responsibilities include:

 

  1. Ensuring that the necessary and appropriate HIPAA-related policies are developed and implemented to safeguard the integrity, confidentiality, and availability of electronic protected health information (ePHI) within BRADLEY A. CONNOR, M.D., P.L.L.C.
  2. Ensuring that the necessary infrastructure of personnel, procedures, and systems is in place:
     a. To develop and implement the necessary HIPAA policies;
     b. To monitor, audit, and review compliance with all HIPAA policies; and
     c. To provide a mechanism for reporting incidents and HIPAA security violations.
  3. Acting as a spokesperson and single point of contact for BRADLEY A. CONNOR, M.D., P.L.L.C. in all issues relating to HIPAA security.
  4. The job title and duties shall be documented within the Security Officer’s Job Description.

 

Policy Responsibilities:

 

The above HIPAA Security Officer responsibilities are assigned to the [JobTitle] for BRADLEY A. CONNOR, M.D., P.L.L.C. BRADLEY A. CONNOR, M.D., P.L.L.C.’s current Security Officer is identified as [Name].

 

The HIPAA Security Officer shall carry out the assigned responsibilities in coordination with their Job Description.

 

Definitions

 

Covered Entity: A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.

 

Business Associate: Any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.). Furthermore, it is any person or organization who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.

 

ePHI: Electronic Protected Health Information means individually identifiable health information:

  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.

 

Paper PHI: Protected Health Information that is not in an electronic format.

 

 

AUTHORIZED BY:

 

 

 

Company Name:

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

Policy Name:

User Access Management

Policy Number:

Security Policy 2.0

 

Effective Date:

08/15/2018

 

Responsible for Review:

Marina Rogova, RN

Review Date:

08/15/2019

Synopsis of Policy: HIPAA Regulation: § 164.308(a)(3)(i) Workforce security; § 164.308(a)(3)(ii)(A) Authorization and/or supervision; § 164.308(a)(3)(ii)(B) Workforce clearance procedure; § 164.308(a)(3)(ii)(C) Termination procedures; § 164.308(a)(4)(i) Information access management; § 164.308(a)(4)(ii)(B) Access authorization; § 164.308(a)(4)(ii)(C) Access establishment and modification; § 164.312(a)(1) Access control; § 164.312(c)(1) Integrity; § 164.312(a)(2)(ii) Emergency access procedure.

 

This policy establishes rules for authorizing access to the computing network, applications, workstations, and to areas where Electronic Protected Health Information (ePHI) is accessible.

 

Workforce members that need access to ePHI will need authorization when working with ePHI or when working in locations where it resides.

 

Workforce security includes ensuring that only workforce members who require access to ePHI for work-related activities shall be granted access. When work activities no longer require access, authorization shall be terminated.

 

In addition, this policy provides guidelines on how user access is routinely reviewed and updated.

 

Aspects of this policy specifically concern:

  • Management and Access Control;
  • Rules for Minimum Necessary Access;
  • How we Grant Access to ePHI;
  • How we Screen Workforce Members Prior to Access;
  • Why we Maintain Signed Security Acknowledgements;
  • What Security Awareness is Required Prior to Getting Access;
  • Procedures for Granting Access in an Emergency;
  • Modifications to the Workforce Member’s Access;
  • Ongoing Compliance for Access; and
  • Termination of Access.

 

Full Policy Language:

 

HIPAA Regulation:

  • § 164.308(a)(3)(i) Workforce security
  • § 164.308(a)(3)(ii)(A) Authorization and/or supervision
  • § 164.308(a)(3)(ii)(B) Workforce clearance procedure
  • § 164.308(a)(3)(ii)(C) Termination procedures
  • § 164.308(a)(4)(i) Information access management
  • § 164.308(a)(4)(ii)(B) Access authorization
  • § 164.308(a)(4)(ii)(C) Access establishment and modification
  • § 164.312(a)(1) Access control
  • § 164.312(c)(1) Integrity
  • § 164.312(a)(2)(ii) Emergency access procedure

 

Policy Purpose:

The intent of this policy is to establish rules for authorizing access to the computing network, applications, workstations, and to areas where ePHI is accessible. Workforce members that require access to ePHI will need authorization when working with ePHI or when working in locations where it resides. Workforce security includes ensuring that only workforce members who require access to ePHI for work-related activities shall be granted access. When work activities no longer require access, authorization shall be terminated. In addition, this policy provides guidelines on how user access is routinely reviewed and updated.

 

Policy Description:

 

Management and Access Control

Only the workforce member’s supervisor or manager can grant access to BRADLEY A. CONNOR, M.D., P.L.L.C.’s ePHI information systems.

 

Access to the information system or application may be revoked or suspended, consistent with BRADLEY A. CONNOR, M.D., P.L.L.C. policies and practices, if there is evidence that an individual is misusing information or resources. Any individual whose access is revoked or suspended may be subject to disciplinary action or other appropriate corrective measures.

 

Minimum Necessary Access

BRADLEY A. CONNOR, M.D., P.L.L.C. shall ensure that only workforce members who require access to Electronic Protected Health Information (ePHI) are granted access. Each supervisor or manager is responsible for ensuring that the access to ePHI granted to each of his or her subordinates is the minimum necessary access required for each subordinate’s job role and responsibilities. If the user no longer requires access, it is the supervisor or manager’s responsibility to complete the necessary process to terminate access.

 

 

 

Granting Access to ePHI

Screen Workforce Members Prior to Access

The manager or supervisor shall ensure that information access is granted only after first verifying that the access of a workforce member to ePHI is appropriate.

 

Sign Security Acknowledgement

Prior to being issued a User ID or log on account to access any ePHI, each workforce member shall sign BRADLEY A. CONNOR, M.D., P.L.L.C.’s Confidentiality Agreement or an Acknowledgement of Information Security Responsibility before access is granted to the network or any application that contains ePHI, and thereafter shall comply with all of BRADLEY A. CONNOR, M.D., P.L.L.C.’s security policies and procedures.

 

Security Awareness Prior to Getting Access

Before access is granted in any of the various systems or applications that contain ePHI, workforce members shall be trained to a minimum standard including:

  1. Proper uses and disclosures of the ePHI stored in systems or application(s);
  2. How to properly log on and log off the systems or application(s);
  3. Protocols for correcting user errors;
  4. Instructions on contacting a designated person or help desk when ePHI may have been altered or destroyed in error; and
  5. Reporting a potential or actual security breach.

 

Management Approval

BRADLEY A. CONNOR, M.D., P.L.L.C. shall implement the following policies:

  1. User IDs or log on accounts can only be assigned with management approval.
  2. Managers are responsible for requesting the appropriate level of computer access for staff to perform their job function.
  3. All requests regarding User IDs or computer system access for workforce members are to be communicated to the appropriate individuals by email, for tracking purposes for BRADLEY A. CONNOR, M.D., P.L.L.C. . All requests shall be made in writing (which may be in an electronic format).
  4. System administrators are required to process only those requests that have been authorized by managers.
  5. Requests are to be retained by the system administrator for a minimum of one year.

 

Granting Access in an Emergency

 

Emergency User Access

Management has the authority to grant emergency access for workforce members who have not completed the normal HIPAA access requirements if:

  1. The facility declares an emergency or is responding to a natural disaster that makes the management of client information security secondary to immediate personnel safety activities.
  2. Management determines that granting immediate access is in the best interest of the client.

 

If management grants emergency access, she/he shall review the impact of emergency access and document the event within 24 hours of it being granted.

 

After the emergency event is over, the user access shall be removed or the workforce member shall complete the normal requirements for being granted access.

 

Granting Emergency Access to an Existing User Access Account

In some circumstances it may be necessary for management to grant emergency access to a user’s account without the user’s knowledge or permission. Management may grant this emergency access in these situations:

  1. The workforce member is terminated or resigns and management requires access to the person’s data;
  2. The workforce member is out for a prolonged period;
  3. The workforce member has not been in attendance and therefore is assumed to have resigned; or
  4. Manager/supervisor needs immediate access to data on a workforce member’s computer in order to provide client treatment.

 

Termination of Access

The department manager or his/her designated representative is responsible for terminating a workforce member’s access to ePHI in these circumstances:

  1. If management has evidence or reason to believe that the individual is using information systems or resources in a manner inconsistent with the Security Rule policies.
  2. If the workforce member or management has evidence or reason to believe the user’s password has been compromised.
  3. If the employee resigns, is terminated, is suspended, retires, or is away on unapproved leave.
  4. If the employee’s job description changes and system access is no longer justified by the new job description.

 

If the workforce member is on an approved leave of absence and the user’s system access will not be required for more than three weeks, management shall suspend the user’s account until the workforce member returns from their leave of absence.

 

Modifications to the Workforce Member’s Access

If a workforce member transfers to another program or changes role(s) within the same program within BRADLEY A. CONNOR, M.D., P.L.L.C. :

  1. The workforce member’s new supervisor or manager is responsible for evaluating the member’s current access and for requesting new access to ePHI commensurate with the workforce member’s new role and responsibilities.

 

If a workforce member transfers to another program or department outside of BRADLEY A. CONNOR, M.D., P.L.L.C. :

  1. The workforce member’s access to ePHI within his or her current unit shall be terminated as of the date of transfer.
  2. The workforce member’s new supervisor or manager is responsible for requesting access to ePHI commensurate with the workforce member’s new role and responsibilities.

 

Ongoing Compliance for Access

In order to ensure that workforce members only have access to ePHI when it is required for their job function, the following actions shall be implemented by BRADLEY A. CONNOR, M.D., P.L.L.C. :

  1. Every new User ID or log on account that has not been used after 30 consecutive calendar days since creation shall be investigated to determine if the workforce member still requires access to the ePHI.
  2. At least every six months, IT teams are required to send supervisors/managers (or appropriate designees):
     a. A list of all workforce members for all applications;
     b. A list of workforce members and their access rights for all shared folders that contain ePHI; and
     c. A list of all Virtual Private Network (VPN) workforce members.
  3. The supervisors/managers shall then notify their IT teams of any workforce members who no longer require access.

 

Policy Responsibilities:

 

Security Officer or Designee Responsibilities:

  1. Work with the System Administrator to arrange an email to the Security Officer with the names of workforce members who are terminating or transferring out of BRADLEY A. CONNOR, M.D., P.L.L.C., along with the individual’s supervisor’s name and the effective date.
  2. Work with HR or their designee to arrange a process to immediately email and telephone IT and Facilities Management if a workforce member is being released from probation or terminated with cause. The HR division shall provide the workforce member’s name, supervisor’s name, and effective date so that access can be discontinued when the personnel action is effective.

 

 

BRADLEY A. CONNOR, M.D., P.L.L.C.’s IT Team(s) Responsibilities: Account Management

  1. Immediately, upon written notification, the worker’s access to ePHI shall be removed.
  2. A report shall be created that identifies new User IDs or log on accounts not accessed within 30 days of creation.
  3. A report shall be provided every six months to the manager/supervisor or designee documenting workers with access to ePHI, and requesting verification that access is still required to fulfill the worker’s job functions.
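The two IT duties above (the 30-day dormant-account report and the semi-annual access list per supervisor) together with the three-week leave rule under Termination of Access are mechanical enough to script. The following is an added example, not part of the practice's policy or any system it uses: the account records, field names and user IDs are constructed for the run, and a real deployment would read them from the directory or application exports instead.

```python
"""Dormant-account and semi-annual ePHI access-review checks.

Added example: this is not part of the practice's policy text. Account records
and field names below are constructed assumptions, not any real system's schema.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    user_id: str
    supervisor: str                      # manager who approved the access
    created: date                        # date the User ID was issued
    last_login: Optional[date]           # None means the account was never used
    applications: Tuple[str, ...] = ()   # applications the account can reach
    ephi_folders: Tuple[str, ...] = ()   # shared folders holding ePHI
    vpn: bool = False                    # remote-access (VPN) entitlement
    leave_until: Optional[date] = None   # end date of an approved leave, if any


def dormant_new_accounts(accounts: List[Account], today: date, days: int = 30) -> List[str]:
    """Accounts created at least `days` ago that have never been used.

    The policy flags new User IDs unused 30 days after creation so the
    supervisor can confirm the access is still needed or delete it.
    """
    cutoff = today - timedelta(days=days)
    return sorted(a.user_id for a in accounts
                  if a.last_login is None and a.created <= cutoff)


def accounts_to_suspend_for_leave(accounts: List[Account], today: date, weeks: int = 3) -> List[str]:
    """Accounts whose approved leave runs more than `weeks` past today.

    The policy says such accounts are suspended until the member returns.
    """
    limit = timedelta(weeks=weeks)
    return sorted(a.user_id for a in accounts
                  if a.leave_until is not None and a.leave_until - today > limit)


def access_review_by_supervisor(accounts: List[Account]) -> Dict[str, dict]:
    """Semi-annual review packet, one entry per supervisor.

    Each entry lists who holds each application, who has rights on each ePHI
    shared folder, and who holds VPN access, so the supervisor can answer
    "is this access still required?" for every subordinate.
    """
    report: Dict[str, dict] = {}
    for a in accounts:
        entry = report.setdefault(
            a.supervisor, {"applications": {}, "ephi_folders": {}, "vpn": []})
        for app in a.applications:
            entry["applications"].setdefault(app, []).append(a.user_id)
        for folder in a.ephi_folders:
            entry["ephi_folders"].setdefault(folder, []).append(a.user_id)
        if a.vpn:
            entry["vpn"].append(a.user_id)
    # Sort every name list so the packet is deterministic and diff-friendly.
    for entry in report.values():
        for group in ("applications", "ephi_folders"):
            for names in entry[group].values():
                names.sort()
        entry["vpn"].sort()
    return report


# Constructed sample data for a run; none of these are real users.
TODAY = date(2019, 3, 1)
SAMPLE_ACCOUNTS = [
    # issued 45 days ago and never used -> dormant
    Account("jdoe", "rn.lead", date(2019, 1, 15), None,
            ("EHR",), ("ephi-clinic",), vpn=True),
    # issued 9 days ago, not yet used -> still inside the 30-day window
    Account("asmith", "rn.lead", date(2019, 2, 20), None, ("EHR",)),
    # active user going on a two-month approved leave -> suspend
    Account("bjones", "billing.mgr", date(2018, 6, 1), date(2019, 2, 28),
            ("EHR", "Billing"), ("ephi-billing",), leave_until=date(2019, 4, 30)),
    # active user on a nine-day leave -> no suspension
    Account("clee", "billing.mgr", date(2018, 9, 10), date(2019, 2, 27),
            ("Billing",), vpn=True, leave_until=date(2019, 3, 10)),
]

if __name__ == "__main__":
    print("dormant new accounts:", dormant_new_accounts(SAMPLE_ACCOUNTS, TODAY))
    print("suspend for leave:", accounts_to_suspend_for_leave(SAMPLE_ACCOUNTS, TODAY))
    for supervisor, entry in access_review_by_supervisor(SAMPLE_ACCOUNTS).items():
        print(f"\nreview packet for {supervisor}:")
        for app, names in entry["applications"].items():
            print(f"  application {app}: {', '.join(names)}")
        for folder, names in entry["ephi_folders"].items():
            print(f"  ePHI folder {folder}: {', '.join(names)}")
        print(f"  VPN: {', '.join(entry['vpn']) or '(none)'}")
```

The review packet is grouped by supervisor because that is who the policy makes responsible for answering the "still required?" question; the dormant check keys on "never logged in" rather than "last login older than 30 days" because the policy's 30-day rule is specifically about new accounts. The dates and thresholds are the policy's own (30 days, six months, three weeks); everything else is the constructed sample.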

 

Managers and Supervisors Responsibilities:

  1. Each manager/supervisor is responsible for ensuring that the access to ePHI granted to each of his or her subordinates is the minimum necessary access required for each such subordinate’s job role and responsibilities.
  2. If the user no longer requires access, it is the manager/supervisor’s responsibility to complete the necessary paperwork as soon as possible to terminate access.
  3. The manager/supervisor shall validate new User IDs or log on accounts that are not accessed within 30 days of creation. If access is no longer required, the User ID shall be deleted.
  4. Semi-annual user and folder access reports and the VPN access reports prepared by the IT team shall be reviewed and verified to determine if the workforce members still require access to the ePHI.
  5. The manager/supervisor shall ensure members of the workforce have signed the IT security agreement and are properly trained before approving access to ePHI.

 

User Responsibility:

Each user shall read and attest to BRADLEY A. CONNOR, M.D., P.L.L.C.’s IT Security Policies, sign BRADLEY A. CONNOR, M.D., P.L.L.C.’s HIPAA Confidentiality Agreement, attend HIPAA Security training, and report all security incidents.

 

Procedures

 

BRADLEY A. CONNOR, M.D., P.L.L.C. shall document written procedures for granting user access, the authorization of access to ePHI, and the termination of user access. These procedures shall include, as a minimum, all of the policy requirements above.

 

Definitions

 

Covered Entity: A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.

 

Business Associate: Any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.). Furthermore, it is any person or organization who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.

 

ePHI: Electronic protected health information means individually identifiable health information:

  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.

 

Paper PHI: Protected Health Information that is not in an electronic format.

 

Workforce: Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.

 

 

AUTHORIZED BY:

 

 

 

Company Name:

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

Policy Name:

Authentication & Password Management

Policy Number:

Security Policy 3.0

Effective Date:

8/15/2018

 

Responsible for Review:

Marina Rogova, RN

Review Date:

08/15/2019

Synopsis of Policy: HIPAA Regulation: §164.312(c)(2) Mechanism to authenticate electronic protected health information; §164.312(d) Person or entity authentication; §164.308(a)(5)(ii)(D) Password management; §164.312(a)(2)(i) Unique user identification

 

Passwords are an important aspect of computer security and are the front line of protection for user accounts. A compromised password may result in a security breach of BRADLEY A. CONNOR, M.D., P.L.L.C.’s network. All BRADLEY A. CONNOR, M.D., P.L.L.C. workforce members are responsible for taking the appropriate steps, as outlined in the full policy, to select and secure their passwords.

 

This policy reinforces the use and importance of effective passwords, also known as strong passwords. This policy will also require workforce members to change their passwords on a regular basis.

 

Information systems used to access ePHI shall uniquely identify and authenticate workforce members.

 

The policy specifies:

Standards of Authentication – Verification

The rules for maintaining Unique User ID and Password Management

The guidelines for appropriate User ID and Passwords


Full Policy Language:

 

HIPAA Regulation:

 

  • §164.312(c)(2) Mechanism to authenticate electronic protected health information
  • §164.312(d) Person or entity authentication
  • §164.308(a)(5)(ii)(D) Password management
  • §164.312(a)(2)(i) Unique user identification

 

Policy Purpose:

 

Passwords are an important aspect of computer security and are the front line of protection of user accounts. A compromised password may result in a security breach of BRADLEY A. CONNOR, M.D., P.L.L.C.’s network. All BRADLEY A. CONNOR, M.D., P.L.L.C. workforce members are responsible for taking the appropriate steps to select and secure their passwords. The purpose of this policy is to reinforce the use of effective passwords, also known as strong passwords, and require workforce members to change their passwords on a regular basis.

 

Policy Description:

 

Information systems used to access ePHI shall uniquely identify and authenticate workforce members.

 

Authentication – Verification

Industry standard protocols will be used on all routers and switches used in the Wide Area Network (WAN) and the local area networks (LANs). Authentication types can include:

  1. Unique user ID and passwords;
  2. Biometric identification system;
  3. Telephone callback;
  4. Token system that uses a physical device for user identification;
  5. Two forms of authentication for wireless remote access; and
  6. Information systems used to access ePHI shall identify and authenticate connections to specific devices involved in system communications (digital certificate, for example).

 

The password file on the authenticating server shall be adequately protected and not stored unencrypted.

 

Unique User ID and Password Management

  1. All BRADLEY A. CONNOR, M.D., P.L.L.C. workforce members are assigned a unique user ID to access the network. All workforce members are responsible for creating and maintaining the confidentiality of the password associated with their unique user ID. Managers/supervisors are required to ensure that their staff understands the user responsibilities for securely managing confidential passwords.

  2. Upon receipt of a user ID, the person assigned to said ID is required to change the password provided by the administrator to a password that only he or she (the user) knows. Effective passwords shall be created in order to secure access to electronic protected health information (ePHI).

  3. Workforce members who suspect that their password has become known to another person shall change their password immediately. No user shall give his or her password to another person.

  4. Workforce members are required to change their network user ID passwords every six months (when the technology is capable). Each application access password shall be changed every six months. Where technology is capable, network and application systems shall be configured to enforce automatic expiration of passwords every six months.

  5. All privileged system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) shall be changed at least each fiscal quarter. All passwords are to be treated as sensitive, confidential BRADLEY A. CONNOR, M.D., P.L.L.C. information.

 

User ID & Password Guidelines

Where possible, implement unique user IDs that are different from the e-mail address. BRADLEY A. CONNOR, M.D., P.L.L.C. is encouraged not to use standard naming conventions for user IDs and should avoid using the same email username as the system user ID.

 

  1. Password length:
     • 8-character passwords are the absolute minimum;
     • 10-12 characters or longer is recommended; and
     • Passwords up to 64 characters should be allowed.

  2. Requiring mixed case, numbers, or special characters is recommended.

  3. Requiring users to periodically change their passwords is recommended:
     • Every 6 months or a year, preferably.
     • Passwords are required to change if there is a suspicion that a password has been compromised.

  4. Password selection software should not allow “obvious” passwords:
     • Common words, words related to the user, repeated letters, numeric sequences, etc. (e.g., “password123”, “johnsmith”, or “abcabcabc”).

  5. Login software should include features to prevent brute force attacks, such as:
     • Delays between login attempts; and
     • Lock account after a number of failed attempts.

  6. Password protection requirements for users:
     • Never reveal a password over the phone to anyone;
     • Never reveal a password in an email message;
     • Never reveal a password to your supervisor;
     • Never talk about a password in front of others;
     • Never hint at the format of a password (e.g., “my family name”);
     • Never reveal a password on questionnaires or security forms;
     • Never share a password with family members;
     • Never reveal a password to co-workers;
     • Never write down your password; instead, memorize it;
     • Never keep a list of user IDs and passwords in your office; and
     • Never misrepresent yourself by using another person’s user ID and password.
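The password-selection rules and brute-force controls above, worked into a Python example added here (not code from the practice or from the policy). The lockout threshold, lockout duration and delay schedule are assumptions the policy leaves to the implementer, and the common-word list is a small constructed stand-in for a real breached-password list.

```python
"""Password policy checks and per-account login throttling.

Added illustration of the guidelines in this policy; thresholds marked
"assumption" are not specified by the policy itself.
"""
import re
import time
from dataclasses import dataclass, field
from typing import Optional

MIN_LENGTH = 8           # absolute minimum stated by the policy
MAX_LENGTH = 64          # passwords up to 64 characters must be accepted

# Constructed stand-in; a real deployment would use a breached-password list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin"}


@dataclass
class UserInfo:
    """Attributes a password must not be derived from ("words related to the user")."""
    username: str
    first_name: str = ""
    last_name: str = ""
    email: str = ""


def _has_numeric_sequence(pw: str, run: int = 3) -> bool:
    """True if `run` consecutive digits ascend or descend by one (e.g. "123", "321")."""
    for i in range(len(pw) - run + 1):
        chunk = pw[i:i + run]
        if not chunk.isdigit():
            continue
        steps = {int(chunk[j + 1]) - int(chunk[j]) for j in range(run - 1)}
        if steps in ({1}, {-1}):
            return True
    return False


def check_password(pw: str, user: UserInfo) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than the {MIN_LENGTH}-character minimum")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than the {MAX_LENGTH}-character maximum")
    lowered = pw.lower()
    # Common words are checked as substrings so "password123" is still caught.
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a common word")
    # Username, names and the local part of the e-mail address count as user-related.
    related = [user.username, user.first_name, user.last_name, user.email.split("@")[0]]
    if any(len(t) >= 3 and t.lower() in lowered for t in related):
        problems.append("contains a word related to the user")
    if re.search(r"(.)\1{2,}", pw):            # three or more of the same character
        problems.append("contains repeated characters")
    if re.fullmatch(r"(.+?)\1+", pw):          # whole password is a repeated pattern
        problems.append("is a repeated pattern")
    if _has_numeric_sequence(pw):
        problems.append("contains a numeric sequence")
    return problems


@dataclass
class LoginThrottle:
    """Delay between attempts (doubling per failure) and lockout after N failures."""
    max_failures: int = 5          # assumption: policy says only "a number of failed attempts"
    lockout_seconds: int = 900     # assumption: 15-minute lockout
    base_delay: float = 1.0        # assumption: first delay is one second
    failures: dict = field(default_factory=dict)      # username -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # username -> epoch seconds
    next_allowed: dict = field(default_factory=dict)  # username -> epoch seconds

    def attempt(self, username: str, password_ok: bool, now: Optional[float] = None) -> str:
        """Record one login attempt; returns 'locked', 'too_fast', 'denied' or 'allowed'."""
        now = time.time() if now is None else now
        if self.locked_until.get(username, 0) > now:
            return "locked"
        if self.next_allowed.get(username, 0) > now:
            return "too_fast"       # the delay applies even when the password is right
        if password_ok:
            self.failures.pop(username, None)
            self.next_allowed.pop(username, None)
            return "allowed"
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if count >= self.max_failures:
            self.locked_until[username] = now + self.lockout_seconds
            self.failures.pop(username, None)
            return "locked"
        self.next_allowed[username] = now + self.base_delay * (2 ** (count - 1))
        return "denied"


if __name__ == "__main__":
    user = UserInfo("jsmith", "John", "Smith", "john.smith@example.com")  # constructed
    for candidate in ("password123", "johnsmith", "abcabcabc", "Tr4vel-Clinic!Oak7"):
        print(candidate, "->", check_password(candidate, user) or "OK")
```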

 

Policy Responsibilities:

 

Managers’ and Supervisors’ Responsibility

Managers/supervisors are responsible for reinforcing secure password use in their offices, with emphasis on ‘no password sharing.’

 

IT Team(s) Responsibilities for Network User ID Creation

  1. System administrators shall provide the password for a new, unique user ID only to the user to whom the new ID is assigned.

  2. Workforce members may, at times, request that their password be reset. System administrators shall verify the identity of the user requesting a password reset or verify that the person making the request is authorized to request a password reset for another user. When technically possible, a new or reset password shall be set to expire on its attempted use at log on so that the user is required to change the provided password to one that only they know.

 

All Workforce members accessing ePHI

Any workforce member who suspects that their password has become known by another person shall change their password immediately.

 

Procedures:

 

Managers’ and Supervisors’ Responsibility

Managers/supervisors are responsible for reinforcing secure password use in their offices, with emphasis on ‘no password sharing.’ If access to another worker’s account is required, managers/supervisors shall follow the emergency access section of BRADLEY A. CONNOR, M.D., P.L.L.C.’s HIPAA User Access Management policy.

 

IT Team(s) Responsibilities for Network User ID Creation

  1. System administrators shall provide the password for a new, unique user ID only to the user to whom the new ID is assigned.

  2. Workforce members may, at times, request that their password be reset. System administrators shall verify the identity of the user requesting a password reset or verify that the person making the request is authorized to request a password reset for another user. When technically possible, a new or reset password shall be set to expire on its initial use at log on so that the user is required to change the provided password to one only they know.

 

All Workforce Members Accessing ePHI

Any workforce member who suspects that their password has become known to another person shall change their password immediately.

 

Definitions

 

Covered Entity: A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.

 

Business Associate: Any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.). Furthermore, it is any person or organization who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.

 

ePHI: Electronic protected health information means individually identifiable health information:

  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.

 

Paper PHI: Protected Health Information that is not in an electronic format.

 

 

 

 

AUTHORIZED BY:

 

 

Company Name:

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

Policy Name:

Facility Access Controls

Policy Number:

Security 4.0

Effective Date:

08/15/2018

 

Responsible for Review:

Marina Rogova, RN

Review Date:

08/15/2019

Synopsis of Policy: HIPAA Regulation: § 164.310(a)(2)(ii) Facility security plan; § 164.310(a)(1) Facility access controls; § 164.310(a)(2)(iii) Access control and validation procedures; § 164.310(a)(2)(iv) Maintenance records; § 164.310(a)(2)(i) Contingency operations

 

This policy establishes protocols for securing facilities that contain Electronic Protected Health Information (ePHI).

 

BRADLEY A. CONNOR, M.D., P.L.L.C. shall reasonably safeguard ePHI from any intentional or unintentional use or disclosure. BRADLEY A. CONNOR, M.D., P.L.L.C. shall protect its facilities where ePHI can be accessed.

 

When designing a new building and remodeling existing sites, facility managers and/or designees shall work with the Compliance Officers to ensure the facility plan components below are compliant with the HIPAA Regulations.

 

BRADLEY A. CONNOR, M.D., P.L.L.C. shall safeguard its facilities and the equipment therein from unauthorized physical access, tampering and theft. BRADLEY A. CONNOR, M.D., P.L.L.C.’s Compliance Officers shall annually audit facilities to ensure that ePHI safeguards are continuously being maintained.

 

The policy details implementation specification for:

  • Visitor Access Control;
  • (IF YOU HAVE) Security Access Cards;
  • (IF YOU HAVE) Keypads/Cipher Locks;
  • Metal/Hard Keys;
  • Network Closet(s);
  • Server Room(s);
  • Alarm System(s);
  • Doors;
  • Contingency Operations – Emergency Access to Facilities; and
  • Maintenance Records Policy – For all sites that access ePHI.


Full Policy Language:

 

HIPAA Regulation:

 

  • § 164.310(a)(2)(ii) Facility security plan
  • § 164.310(a)(1) Facility access controls
  • § 164.310(a)(2)(iii) Access control and validation procedures
  • § 164.310(a)(2)(iv) Maintenance records
  • § 164.310(a)(2)(i) Contingency operations

 

Policy Purpose:

 

The intent of this policy is to establish protocols for securing facilities that contain ePHI.

 

Policy Description:

 

General

BRADLEY A. CONNOR, M.D., P.L.L.C. shall reasonably safeguard electronic protected health information (ePHI) from any intentional or unintentional use or disclosure. BRADLEY A. CONNOR, M.D., P.L.L.C. shall protect its facilities where ePHI can be accessed.

 

New or Remodeled Facility in BRADLEY A. CONNOR, M.D., P.L.L.C.

When designing a new building and remodeling existing sites, facility managers and/or designees shall work with the Compliance Officers to ensure the facility plan components below are compliant with the HIPAA Regulations.

 

Facility Security Plan

BRADLEY A. CONNOR, M.D., P.L.L.C. shall safeguard the facilities of BRADLEY A. CONNOR, M.D., P.L.L.C. and the equipment therein from unauthorized physical access, tampering, and theft. BRADLEY A. CONNOR, M.D., P.L.L.C.’s Compliance Officers shall annually audit BRADLEY A. CONNOR, M.D., P.L.L.C.’s facilities to ensure ePHI safeguards are continuously being maintained.

 

Facility security guidelines for the workforce:

  1. Do not share access cards to enter the facility;
  2. Do not allow other persons to enter the facility by “piggybacking” (entering the facility by walking behind an authorized person through a door without using a card in the reader);
  3. Do not share hard key access to enter the facility; and
  4. Do not share alarm codes or keypad codes to enter the facility.

 

One or more of the following shall be implemented for all sites that access ePHI:

  1. Visitor Access Controls: In facilities where ePHI is available, all visitors shall be escorted and monitored. Each facility shall implement procedures that govern visitor access controls. These procedures may vary depending on the facility’s structure, the type of visitors, and where the ePHI is accessible.

  2. Metal/Hard Keys: Facilities that use metal/hard keys shall change affected or appropriate key locks when keys are lost or a workforce member leaves without returning the key. In addition, the facility shall have:
     • Clearances based on programmatic need, special-mandated security requirements, and workforce member security; and
     • A mechanism to track which workforce members are provided access.

  3. Network Closet(s): Every network closet shall be locked whenever the room is unoccupied or not in use. BRADLEY A. CONNOR, M.D., P.L.L.C. shall document who has access to the network closets and periodically change the locking mechanism to these closets.

  4. Server Room(s): Every server room shall be locked whenever the room is unoccupied or not in use. BRADLEY A. CONNOR, M.D., P.L.L.C. shall document who has access to each server room and periodically change the locking mechanism to server rooms.

  5. Alarm Systems: All buildings that have ePHI shall have some form of alarm system that is activated during non-business hours. Alarm system codes may only be provided to workforce members that require this information in order to leave and enter a building. These alarm codes shall be changed at least every six months.

  6. Doors: All external facility doors and doors to areas where ePHI is housed shall remain completely shut at all times. It is each workforce member’s responsibility to make sure that the door that is being used to enter or exit the facilities is completely shut before leaving the vicinity. Sometimes the doors do not completely close by themselves. If a door’s closing or locking mechanism is not working, it is every worker’s responsibility to notify the facility manager or designee for that facility.

 

Contingency Operations – Emergency Access to Facilities

Each facility shall have emergency access procedures in place that allow appropriate persons to enter the facility in order to access data. This includes a primary contact person and a back-up person for when facility access is necessary after business hours by persons who do not currently have access to the facility.

 

Maintenance Records Policy

Repairs or modifications to the physical building for each facility where ePHI can be accessed shall be logged and tracked. These repairs are tracked centrally by General Services – Facility Management. The log shall include events that are related to security (for example, repairs or modifications of hardware, walls, doors, and locks).

 

Policy Responsibilities:

 

Manager/supervisor Requirements:

  1. Take appropriate corrective action against any person who knowingly violates the facility plan;
  2. Authorize clearances that are appropriate to the duties of each workforce member;
  3. Notify the security administrator or designee within one business day when a user no longer requires access to the facility; and
  4. Verify that each worker surrenders her/his card or key upon leaving employment.

 

Worker Requirements:

  1. Display their access/security card to demonstrate their authorization to access restricted areas;
  2. Immediately report lost or stolen (key/ID) cards or metal keys or keypad-cipher lock combinations; and
  3. Surrender access card or key upon leaving employment.

 

Facility Manager/Security Officer or Designee Requirements:

  1. Request and track maintenance repairs;
  2. Establish and maintain a mechanism for accessing the facility in an emergency;
  3. Track who has access to the facility;
  4. Change metal locks when a key is lost or unaccounted for;
  5. Change combination keypads/cipher locks every three months;
  6. Change the alarm code every six months;
  7. Disable access cards not used for 90 days or more; and
  8. Complete access card audits every 6 months to verify user access.

 

Security Officer responsibilities:

  1. Work with General Services and BRADLEY A. CONNOR, M.D., P.L.L.C. to ensure facilities comply with the HIPAA Security Rule for facility access controls; and
  2. Conduct annual audits of BRADLEY A. CONNOR, M.D., P.L.L.C.’s facilities to ensure that the facility is secured and the requirements of this policy are being enforced.

 

Procedures

 

BRADLEY A. CONNOR, M.D., P.L.L.C. shall document written procedures for their facility security plan. Procedures shall be written to address the unique requirements of each facility. An essential part of compliance is to document and implement processes to ensure that the safeguards in the facility security plan are being maintained.

 

BRADLEY A. CONNOR, M.D., P.L.L.C. shall submit new and revised procedures and plans to the Compliance Officers for approval and ongoing evaluation. Any procedures developed by BRADLEY A. CONNOR, M.D., P.L.L.C. shall be consistent with BRADLEY A. CONNOR, M.D., P.L.L.C.’s HIPAA policies and not deviate from BRADLEY A. CONNOR, M.D., P.L.L.C.’s standard.

 

Definitions

Covered Entity: A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.

 

Business Associate: Any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.). Furthermore, it is any person or organization who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.

 

ePHI: Electronic protected health information means individually identifiable health information:

  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.

 

Paper PHI: Protected Health Information that is not in an electronic format.

 

 

 

 

AUTHORIZED BY:

 

 

 

Company Name:

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

Policy Name:

Workstation Access Controls

Policy Number:

Security 5.0

Effective Date:

08/15/2018

 

Responsible for Review:

Marina Rogova, RN

Review Date:

08/15/2019

Synopsis of Policy: HIPAA Regulations: § 164.310(a)(2)(iii) Access control and validation procedures; § 164.310(b) Workstation use; § 164.310(c) Workstation security; § 164.312(a)(2)(iii) Automatic log off

 

This policy establishes rules for securing workstations that access ePHI (electronic protected health information). Since ePHI is portable, this policy requires workforce members to protect ePHI in all locations, including, but not limited to, homes or client sites.

 

BRADLEY A. CONNOR, M.D., P.L.L.C. shall ensure that observable confidential information is adequately shielded from unauthorized disclosure and unauthorized access on computer screens. Each of BRADLEY A. CONNOR, M.D., P.L.L.C.’s workstations shall make every effort to ensure that confidential information on computer screens is not visible to unauthorized persons.

 

The policy details implementation for:

  • Workforce members who work in other facilities;
  • Workforce members who work from home or other non-office sites;
  • Password protection of their personal computers;
  • Security for all other forms of portable ePHI such as locking up CD ROMs, floppy disks, USB drives, PDAs, and laptops;
  • Automatic, time-based user session-lock when a computer or workstation is left idle; and
  • Accessing ePHI outside BRADLEY A. CONNOR, M.D., P.L.L.C.’s Wide Area Network, e.g., by VPN.


Full Policy Language:

 

HIPAA Regulation:

 

  • §164.310(a)(2)(iii) Access control and validation procedures
  • §164.310(b) Workstation use
  • §164.310(c) Workstation security
  • §164.312(a)(2)(iii) Automatic log off

 

Policy Purpose:

 

The intent of this policy is to establish rules for securing workstations that access ePHI.

Since ePHI is portable, this policy requires workforce members to protect ePHI in all locations, including, but not limited to, homes or client sites.

 

Policy Description:

 

Workstation Use: Security

  1. BRADLEY A. CONNOR, M.D., P.L.L.C. workforce members shall ensure that observable confidential information is adequately shielded from unauthorized disclosure and unauthorized access on computer screens. Each BRADLEY A. CONNOR, M.D., P.L.L.C. workplace shall make every effort to ensure that confidential information on computer screens is not visible to unauthorized persons.

  2. Workforce members who work in other facilities that are not part of BRADLEY A. CONNOR, M.D., P.L.L.C. shall be aware of their surroundings to ensure that no one can incidentally view ePHI and that no ePHI is left unattended.

  3. Workforce members who work from home or other non-office sites shall take the necessary steps to protect ePHI from other persons who may have access to their home or other non-office site. This includes password protection of their personal computers, and security for all other forms of portable ePHI such as locking up CD ROMs, floppy disks, USB drives, PDAs, and laptops.

  4. User session-lock shall be implemented when the computer is left idle. It shall activate automatically after a specific time based on location and function. The locked session shall block access to the PC until the user re-enters their login information and unique password.

  5. When technology is capable, while accessing ePHI outside the BRADLEY A. CONNOR, M.D., P.L.L.C. Wide Area Network (for example: extranet, VPN) automatic log off shall occur after a maximum of 15 minutes of inactivity. Automatic log off is a system-enabled enforcement of session termination after a period of inactivity and blocks further access until the workforce member reestablishes the connection using the identification and authentication process.

 

Policy Responsibilities:

 

Manager/supervisor requirements:

  1. Take appropriate corrective action against any person who knowingly violates the security of workstation use;
  2. Ensure that workers set their computer to automatically lock when the computer is not in use; and
  3. Ensure that all confidential information is not viewable by unauthorized persons at workstations in offices under their management.

 

Worker Requirements:

  1. Session lock the computer when it is left unattended;
  2. Ensure that their computer is set to automatically lock when the computer is not in use;
  3. Ensure that all confidential information is not viewable by unauthorized persons; and
  4. When working from home or other non-office work sites, protect ePHI from unauthorized access or viewing.

 

IT Support:

  1. When installing new workstations, set the session lock timer to lock the computer when left unattended; and
  2. When installing new systems or applications, set the automatic log off timer to terminate the session when the computer is left unattended.

 

Procedures

 

Procedures for protecting workstations include:

  1. Use of polarized screens or other computer security screen overlay devices that shield confidential information;
  2. Placement of computers out of the visual range of persons other than the authorized user;
  3. Clearing confidential information from the screen when it is not actively in use;
  4. Setting an automatic session lock option on all computer workstations;
  5. Shutting down or locking workstation sessions when left unattended; and
  6. When the technology is capable, setting the applications to automatically log off after a specific time of inactivity.

 

BRADLEY A. CONNOR, M.D., P.L.L.C. shall develop and implement procedures. BRADLEY A. CONNOR, M.D., P.L.L.C. shall submit all new and revised procedures to the Compliance Officers for approval and ongoing evaluation. Any procedures developed by BRADLEY A. CONNOR, M.D., P.L.L.C. shall be consistent with BRADLEY A. CONNOR, M.D., P.L.L.C.’s HIPAA policies and not deviate from BRADLEY A. CONNOR, M.D., P.L.L.C.’s standard.

 

 

Definitions

 

Covered Entity: A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.

 

Business Associate: Any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.). Furthermore, it is any person or organization who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.

 

ePHI: Electronic protected health information means individually identifiable health information:

  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.

 

Paper PHI: Protected Health Information that is not in an electronic format.

 

 

 

AUTHORIZED BY:

 

 

 

Company Name:

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

Policy Name:

Device and Media Controls

Policy Number:

Security 6.0

Effective Date:

08/15/2018

 

Responsible for Review:

Marina Rogova, RN

Review Date:

08/15/2019

Synopsis of Policy:  HIPAA Regulation: § 164.310(d)(1) Device and media controls; § 164.310(d)(2)(i) Disposal; § 164.310(d)(2)(ii) Media reuse; § 164.310(d)(2)(iii) Accountability; § 164.310(d)(2)(iv) Data backup and storage

 

This policy is to ensure that Electronic Protected Health Information (ePHI) stored or transported on storage devices is appropriately controlled and managed. Examples include thumb drives, external hard-drives, and removable media.

 

This policy details Device and Media Controls and outlines responsibility for their accountability.

 

The policy details implementation specification(s) for:

  • Portable Media Use & Security;
  • Disposal;
  • Media Reuse;
  • Sending a Computer Server or Hard-Drive out for Repair;
  • Moving Computer Server Equipment with ePHI; and
  • Device and media acquisition.

The policy specifies the various responsibilities of:

  • Manager/supervisor;
  • IT; and
  • Workforce for Device and Media controls.


Full Policy Language:

 

HIPAA Regulation:


  • § 164.310(d)(1) Device and media controls
  • § 164.310(d)(2)(i) Disposal
  • § 164.310(d)(2)(ii) Media reuse
  • § 164.310(d)(2)(iii) Accountability
  • § 164.310(d)(2)(iv) Data backup and storage

 

Policy Purpose:

 

The intent of this policy is to ensure that ePHI stored or transported on storage devices and removable media is appropriately controlled and managed.

 

Policy Description:

 

Device and Media Controls/Accountability

  1. BRADLEY A. CONNOR, M.D., P.L.L.C. shall protect all hardware and electronic media that contains electronic protected health information (ePHI). This includes personal computers, PDAs, laptops, storage systems, backup tapes, CD ROMs, and removable disks.

  2. Every area of BRADLEY A. CONNOR, M.D., P.L.L.C. is responsible for developing procedures that govern the receipt and removal of hardware and electronic media that contain(s) ePHI into and out of a facility. Procedures shall include maintaining a record of movements of hardware and electronic media and any persons responsible.

 

Portable Media Use – Security

  1. In addition to protecting BRADLEY A. CONNOR, M.D., P.L.L.C.’s workstations and facilities, workforce members shall protect ePHI when working from all other locations. This includes locations such as home, other offices, or when working in the field.

  2. In order to limit the amount of portable ePHI, workforce members shall not save any ePHI on floppy disks, CD ROMs, and other portable items.

  3. Methods for protecting portable media with ePHI include:
     • All workforce members shall receive permission from their supervisor before removing ePHI from their facility. Approvals shall include the type of permission and the time period for authorization. The time period shall be a maximum of one year;
     • Workforce members who work in the field shall not leave ePHI unlocked or visible in their vehicles. They will also not leave any ePHI in client facilities/homes; and
     • If ePHI is lost, workforce members are responsible for promptly contacting their supervisor, the Security Officer, or designated Compliance Officers responsible for HIPAA Compliance within one business day upon awareness that ePHI has been lost.

 

Disposal

  1. Before electronic media that contains ePHI can be disposed of, the following actions shall be taken on computers used in the workplace, at home, or at remote sites:
     • Hard drives shall be either wiped clean or destroyed. Hard drive cleaning shall meet the Department of Defense (DOD) standards, which state: “The method of destruction shall preclude recognition or reconstruction of the classified information or material.” In addition, the hard drive shall be tested to ensure the information cannot be retrieved.
     • Backup tapes shall be destroyed or returned to the owner and their return documented. Destruction shall include a method to ensure that there is no ability to reconstruct the data.
     • Other media, such as memory sticks, USB flash drives or micro drives, CD-ROMs and floppy disks, shall be physically destroyed (broken into pieces) before disposing of the item.

 

Media Reuse

  1. All ePHI shall be removed from hard drives when the equipment is transferred to a worker who does not require access to the ePHI, or when the equipment is transferred to a new worker with different ePHI access needs. Hard drives shall be wiped clean before transfer.

  2. Cleaning shall meet the Department of Defense (DOD) standard, which states, “The method of destruction shall preclude recognition or reconstruction of the classified information or material.” In addition, the hard drive shall be tested to ensure the information cannot be retrieved.
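The Disposal and Media Reuse items above both require that a wiped drive be tested to confirm nothing can be read back. The following is an added example of such a read-back test, not a tool of the practice or part of this policy: it streams a drive or image in fixed chunks and checks every byte against the overwrite pattern, reporting the first offset of residual data for the disposal record. The in-memory images, the planted “PATIENT-RECORD” bytes and the `verify_device` path argument are constructed for illustration.

```python
import io
import sys
from typing import BinaryIO, Optional, Tuple

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-terabyte drives


def verify_wipe(dev: BinaryIO, fill: bytes = b"\x00",
                chunk_size: int = CHUNK) -> Tuple[bool, Optional[int], int]:
    """Read the whole logical address space of `dev` and confirm every byte
    equals the overwrite pattern `fill`.

    Returns (clean, first_bad_offset, bytes_checked). Note this only covers
    what the drive presents as addressable storage; remapped or reserved
    sectors are outside what a read-back test can see.
    """
    if not fill:
        raise ValueError("fill pattern must be non-empty")
    # Keep reads pattern-aligned so the expected bytes line up at chunk boundaries.
    chunk_size = max(len(fill), chunk_size - chunk_size % len(fill))
    expected = fill * (chunk_size // len(fill))
    offset = 0
    while True:
        data = dev.read(chunk_size)
        if not data:
            return True, None, offset
        if data != expected[:len(data)]:
            # Locate the first residual byte so the disposal record can cite it.
            for i, (got, want) in enumerate(zip(data, expected)):
                if got != want:
                    return False, offset + i, offset + len(data)
        offset += len(data)


def verify_device(path: str, fill: bytes = b"\x00") -> Tuple[bool, Optional[int], int]:
    """Open a block device or disk image read-only and verify it.
    `path` is supplied by the caller (hypothetical, e.g. an image file)."""
    with open(path, "rb") as dev:
        return verify_wipe(dev, fill)


def constructed_image(size: int, residue_at: Optional[int] = None,
                      residue: bytes = b"PATIENT-RECORD",
                      fill: bytes = b"\x00") -> io.BytesIO:
    """Build an in-memory stand-in for a wiped drive (constructed test data);
    optionally plant leftover bytes at `residue_at` to simulate a failed wipe."""
    buf = bytearray((fill * (size // len(fill) + 1))[:size])
    if residue_at is not None:
        buf[residue_at:residue_at + len(residue)] = residue
    return io.BytesIO(bytes(buf))


if __name__ == "__main__":
    # Usage: python verify_wipe.py <device-or-image-path>
    ok, first_bad, checked = verify_device(sys.argv[1])
    print("clean" if ok else f"residual data at byte offset {first_bad}",
          f"({checked} bytes checked)")
```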

 

Sending a Computer Server Hard Drive to Repair

When the technology is capable, an exact copy of the ePHI shall be created and the ePHI removed from the server hard drive before sending the device out for repair.

 

Moving Computer Server Equipment with ePHI

Before moving server equipment that contains ePHI, a retrievable exact copy needs to be created.

 

Device and Media Acquisition

BRADLEY A. CONNOR, M.D., P.L.L.C. shall include security requirements and/or security specifications in information system acquisition contracts based on an assessment of risk (applications, servers, copiers, etc.).

Policy Responsibilities:

 

Manager/Supervisor Responsibilities:

  1. Ensure that only workforce members who need to remove ePHI from their facilities are granted permission to do so.

 

IT Responsibilities

  1. Ensure all hard drives are wiped clean before disposal or reuse;
  2. Test hard drives to ensure they are clean;
  3. Before moving hardware or sending hard drives for repair that contain ePHI, create a retrievable copy of that data; and
  4. Maintain an inventory and a record of movements or transfers of hardware and electronic media such as workstations, servers, or backup tapes.

 

Workforce Responsibilities:

  1. Individual workforce members or their units shall track laptops, PDAs, CD ROMs, floppy disks, and all other portable media that contain ePHI;
  2. To limit the amount of portable ePHI, workforce members shall not save any quantity of ePHI onto floppy disks, CD ROMs, or other portable items when it is not necessary; and
  3. Workforce members shall remove and destroy all ePHI before disposing of the media.

 

Procedures

BRADLEY A. CONNOR, M.D., P.L.L.C. shall document written procedures to track, dispose of, and reuse media devices used for ePHI. BRADLEY A. CONNOR, M.D., P.L.L.C. shall submit all new and revised procedures to the Security Officer for approval and ongoing evaluation. Any procedures developed by BRADLEY A. CONNOR, M.D., P.L.L.C. shall be consistent with BRADLEY A. CONNOR, M.D., P.L.L.C.’s HIPAA policies and not deviate from BRADLEY A. CONNOR, M.D., P.L.L.C. standards.

 

Definitions

 

Covered Entity: A health plan or a health care provider that stores or transmits any health information in electronic form in connection with a HIPAA transaction.

 

Business Associate: Any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.). Furthermore, it is any person or organization which, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.

 

ePHI: Electronic Protected Health Information is any individually identifiable health information:

  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.

 

Paper PHI: Protected Health Information that is not in an electronic format.

 

 

 

AUTHORIZED BY:

 

 

Company Name:

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

Policy Name:

Audit Controls

Policy Number:

Security Policy 7.0

Effective Date:

08/15/2018

 

Responsible for Review:

Marina Rogova, RN

Review Date:

08/15/2019

Synopsis of Policy: HIPAA Regulation: § 164.308(a)(5)(ii)(C) Log-in monitoring; § 164.308(a)(1)(ii)(D) Information system activity review; § 164.312(b) Audit controls.

 

The intent of this policy is to provide the authority for workforce members representing BRADLEY A. CONNOR, M.D., P.L.L.C.’s IT organizations to conduct a security audit on any computing resource of BRADLEY A. CONNOR, M.D., P.L.L.C.

 

Activity reviews provide indications that implemented safeguards are working, or that safeguards are insufficient. Audits may be conducted to:

  1. Ensure integrity, confidentiality, and availability of information and resources;
  2. Investigate possible security incidents to ensure conformance to BRADLEY A. CONNOR, M.D., P.L.L.C.’s IT and security policies;
  3. Monitor user or system activity where appropriate;
  4. Verify that software patching is being maintained at the appropriate security level; and
  5. Verify virus protection is being maintained at current levels.
Full Policy Language:

 

HIPAA Regulation:

 

  • § 164.308(a)(5)(ii)(C) Log-in monitoring
  • § 164.308(a)(1)(ii)(D) Information system activity review
  • § 164.312(b) Audit controls

 

Policy Purpose:

 

The intent of this policy is to provide the authority for workforce members representing BRADLEY A. CONNOR, M.D., P.L.L.C.’s IT organizations to conduct a security audit on any computing resource of BRADLEY A. CONNOR, M.D., P.L.L.C.

 

Activity reviews provide indications that implemented safeguards are working, or that safeguards are insufficient. Audits may be conducted to:

  1. Ensure integrity, confidentiality, and availability of information and resources;
  2. Investigate possible security incidents to ensure conformance to BRADLEY A. CONNOR, M.D., P.L.L.C.’s IT and security policies;
  3. Monitor user or system activity where appropriate;
  4. Verify that software patching is being maintained at the appropriate security level; and
  5. Verify virus protection is being maintained at current levels.

 

Policy Description:

 

Log-in Monitoring

  1. BRADLEY A. CONNOR, M.D., P.L.L.C. has the right to monitor system access and activity of all workforce members.

  2. To ensure that access to servers, workstations, and other computer systems containing ePHI is appropriately secured, the following login monitoring measures shall be implemented:
     a. A mechanism to log and document four or more failed log-in attempts in a row shall be implemented on each network system containing ePHI when the technology is capable;
     b. Login activity reports and logs shall be reviewed biweekly at a minimum to identify any patterns of suspicious activity;
     c. All failed login attempts of a suspicious nature, such as continuous attempts, shall be reported immediately to the Security Officer or the designee for BRADLEY A. CONNOR, M.D., P.L.L.C.; and
     d. To the extent that technology allows, any user ID that has more than four repeated failed login attempts in a row shall be disabled for a minimum of 30 minutes.

 

 

Information System Activity Review – Audit Controls

To ensure that activity for all computer systems accessing ePHI is appropriately monitored and reviewed, these requirements shall be met:

  1. Where technology allows, the audit record shall capture sufficient information to establish what events occurred, the sources of the events, and the outcomes of the events.
  2. Each fiscal quarter, at a minimum, every application and system administrator or designee shall review audit logs, activity reports, or other mechanisms to document and manage system activity.
  3. Indications of improper use shall be reported to management for investigation and follow up.
  4. Audit logs of access to networks and applications with ePHI shall be archived.
  5. Audit information and audit tools shall be protected from unauthorized access, modification, and deletion.
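The Log-in Monitoring rules (four or more consecutive failures logged, more than four disables the user ID for at least 30 minutes) and the activity-review requirement above, worked through on sample login records. This is an added example, not part of this policy or of the practice's systems; the log line format, user IDs, addresses and timestamps are constructed, and a successful login is taken to reset the run of failures.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Thresholds taken from the policy text: four or more consecutive failures are
# logged for review; more than four disables the user ID for at least 30 minutes.
LOG_THRESHOLD = 4
LOCK_THRESHOLD = 4
LOCKOUT = timedelta(minutes=30)


@dataclass
class UserState:
    streak: int = 0                        # consecutive failures since the last success
    locked_until: Optional[datetime] = None


@dataclass
class ReviewEvent:
    """One item for the biweekly review of login activity."""
    ts: datetime
    user: str
    kind: str                              # FOUR_CONSECUTIVE_FAILURES / DISABLED / ATTEMPT_WHILE_DISABLED
    src: str
    locked_until: Optional[datetime] = None


def parse_line(line: str):
    """Parse one constructed log line: '<ISO timestamp> user=<id> result=OK|FAIL src=<ip>'."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields if "=" in f)
    return datetime.fromisoformat(ts_str), kv["user"], kv["result"], kv.get("src", "-")


def review_login_log(lines) -> List[ReviewEvent]:
    """Replay login records in time order and emit the events the policy asks to be
    documented: the fourth consecutive failure, the disable action, and any attempt
    made while the ID is disabled."""
    states: Dict[str, UserState] = {}
    events: List[ReviewEvent] = []
    for line in lines:
        ts, user, result, src = parse_line(line)
        st = states.setdefault(user, UserState())
        if st.locked_until is not None:
            if ts < st.locked_until:
                # The ID is disabled: even a correct password is refused, and the
                # attempt itself belongs in the review.
                events.append(ReviewEvent(ts, user, "ATTEMPT_WHILE_DISABLED", src))
                continue
            st.locked_until = None         # lockout expired; start counting afresh
            st.streak = 0
        if result == "OK":
            st.streak = 0                  # a success breaks the run of failures
            continue
        st.streak += 1
        if st.streak == LOG_THRESHOLD:
            events.append(ReviewEvent(ts, user, "FOUR_CONSECUTIVE_FAILURES", src))
        if st.streak > LOCK_THRESHOLD:
            st.locked_until = ts + LOCKOUT
            events.append(ReviewEvent(ts, user, "DISABLED", src, st.locked_until))
    return events


# Constructed sample: jdoe fails five times in a row, then tries again while
# disabled, then succeeds after the lockout; asmith's two failures are broken
# by a success and never reach the threshold.
SAMPLE_LOG = [
    "2018-08-15T09:00:01 user=jdoe result=FAIL src=10.0.0.5",
    "2018-08-15T09:00:02 user=asmith result=FAIL src=10.0.0.7",
    "2018-08-15T09:00:03 user=jdoe result=FAIL src=10.0.0.5",
    "2018-08-15T09:00:04 user=asmith result=FAIL src=10.0.0.7",
    "2018-08-15T09:00:05 user=asmith result=OK src=10.0.0.7",
    "2018-08-15T09:00:06 user=jdoe result=FAIL src=10.0.0.5",
    "2018-08-15T09:00:07 user=jdoe result=FAIL src=10.0.0.5",
    "2018-08-15T09:00:08 user=jdoe result=FAIL src=10.0.0.5",
    "2018-08-15T09:10:00 user=jdoe result=OK src=10.0.0.5",
    "2018-08-15T09:45:00 user=jdoe result=OK src=10.0.0.5",
]


if __name__ == "__main__":
    for ev in review_login_log(SAMPLE_LOG):
        extra = f" until {ev.locked_until.isoformat()}" if ev.locked_until else ""
        print(f"{ev.ts.isoformat()} {ev.user:8} {ev.kind}{extra} (from {ev.src})")
```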

 

Policy Responsibilities:

 

System administrators and Security Officers are responsible for implementing and monitoring audit controls for all systems that contain ePHI.

 

Procedures:

 

BRADLEY A. CONNOR, M.D., P.L.L.C. shall submit all new and revised procedures to the Compliance Officers for approval and ongoing evaluation. The Security Officer shall create audit control checklists and logs to assist with and standardize the audit function. Any procedures developed by BRADLEY A. CONNOR, M.D., P.L.L.C. shall be consistent with BRADLEY A. CONNOR, M.D., P.L.L.C.’s HIPAA policies and not deviate from BRADLEY A. CONNOR, M.D., P.L.L.C. standards.

 

Definitions:

 

Covered Entity: A health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a HIPAA transaction.

 

ePHI: Electronic protected health information means individually identifiable health information:

  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.

 

 

 

AUTHORIZED BY:

 

 

 

Company Name:

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

Policy Name:

Incident Response & Reporting

Policy Number:

Security 8.0

Effective Date:

08/15/2018

 

Responsible for Review:

Marina Rogova, RN

Review Date:

08/15/2019

Synopsis of Policy:  HIPAA Regulation: § 164.308(a)(6)(i) Security incident procedures; § 164.308(a)(6)(ii) Response and reporting

 

This policy formalizes the response to security incidents and the reporting of them.

It includes identification and response to suspected and known security incidents, their mitigation and the documentation of incidents and their outcomes.

 

It is imperative that a formal reporting and response policy be followed when responding to security incidents. Therefore, BRADLEY A. CONNOR, M.D., P.L.L.C. shall employ tools and techniques to monitor events, detect attacks, and provide identification of unauthorized use of the systems that contain Electronic Protected Health Information (ePHI).

 

The policy details the type of incidents that shall be reported, and who is responsible for notifying whom. It also details the appropriate Response, Tracking and Resolution, and it outlines who is responsible for determining if a report shall be forwarded to the Department of Health and Human Services (HHS).

 

All HIPAA security-related incidents and their outcomes shall be logged and documented by the Compliance Officers.

 

The policy specifies that all workforce members are responsible for promptly reporting any security-related incidents to the IT help desk, the Security Officer, or their manager.
Full Policy Language:

 

HIPAA Regulation:

 

  • § 164.308(a)(6)(i) Security incident procedures
  • § 164.308(a)(6)(ii) Response and reporting

 

Policy Purpose:

 

The purpose of this policy is to formalize the response to, and reporting of, security incidents. This includes identification and response to suspected or known security incidents, the mitigation of the harmful effects of known or suspected security incidents, and the documentation of security incidents and their outcomes. It is imperative that this formal reporting and response policy be followed when responding to security incidents.

 

Policy Description:

 

BRADLEY A. CONNOR, M.D., P.L.L.C. shall employ tools and techniques (The Guard and its Process) to monitor events, detect attacks, and provide identification of unauthorized use of the systems that contain ePHI.

 

Reporting

  1. All security incidents, threats, or violations that affect or may affect the confidentiality, integrity, or availability of electronic protected health information (ePHI) shall be reported and responded to promptly.

 

  2. Incidents that shall be reported include, but are not limited to:
     a. Virus, worm, or other malicious code attacks;
     b. Network or system intrusions;
     c. Persistent intrusion attempts from a particular entity;
     d. Unauthorized access to ePHI, an ePHI-based system, or an ePHI-based network;
     e. ePHI data loss due to disaster, failure, error, or theft;
     f. Loss of any electronic media that contains ePHI;
     g. Loss of the integrity of ePHI; and
     h. An unauthorized person found in BRADLEY A. CONNOR, M.D., P.L.L.C.’s facility.

  3. BRADLEY A. CONNOR, M.D., P.L.L.C.’s Compliance Officers shall be notified immediately of any suspected or real security incident. If it is unclear whether a situation is a security incident, the Compliance Officers shall be contacted to evaluate the situation.

 

Response and Resolution

The Compliance Officers shall track the incident. The Compliance Officers shall determine if a report of the incident shall be forwarded to HHS. Compliance Officers are the only employees who can resolve an incident. The Compliance Officers shall evaluate the report to determine if an investigation of the incident is necessary. The Compliance Officers shall determine if BRADLEY A. CONNOR, M.D., P.L.L.C.’s Counsel, law enforcement, Human Resources, or BRADLEY A. CONNOR, M.D., P.L.L.C.’s Communication and Media Office is to be contacted regarding the incident.

 

Logging

 

  1. All HIPAA security-related incidents and their outcomes shall be logged and documented by the Compliance Officers.

  2. All incidents will be reviewed and investigated, and if the breached PHI has been compromised (unauthorized individuals have received and viewed the PHI), the breach will be reported to HHS. BRADLEY A. CONNOR, M.D., P.L.L.C. and its Compliance Officers will record all incidents and retain these incident reports for six years.

  3. BRADLEY A. CONNOR, M.D., P.L.L.C. shall train personnel in their incident response roles and responsibilities and provide refresher training as needed. BRADLEY A. CONNOR, M.D., P.L.L.C. shall test the incident response capability at least annually using tests and exercises to determine its effectiveness.

 

Policy Responsibilities:

Report violations of this policy to BRADLEY A. CONNOR, M.D., P.L.L.C.’s Compliance Officers.

 

Workforce members

Workforce members are responsible for promptly reporting any security-related incidents to the Security Officer.

 

IT Help Desk

The Security Officer documents all security incidents.

 

Compliance Officers

The Compliance Officers that are responsible to determine if the incident requires further investigation are ___________ and ___________X. BRADLEY A. CONNOR, M.D., P.L.L.C.’s Security Officer and BRADLEY A. CONNOR, M.D., P.L.L.C.’s Privacy Officer shall determine if corrective actions should be implemented. The Compliance Officers are responsible for documenting the investigations and any corrective actions. The Compliance Officers are responsible for maintaining all documentation of security breaches for six years.

 

Procedures:

 

BRADLEY A. CONNOR, M.D., P.L.L.C. shall submit all new and revised procedures to the Compliance Officers for approval and ongoing evaluation. Any procedures developed by BRADLEY A. CONNOR, M.D., P.L.L.C. shall be consistent with BRADLEY A. CONNOR, M.D., P.L.L.C.’s HIPAA policies and not deviate from BRADLEY A. CONNOR, M.D., P.L.L.C.’s standard.

 

 

Definitions

 

Covered Entity: A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.

 

Business Associate: Any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.). Furthermore, it is any person or organization who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.

 

ePHI: Electronic protected health information means individually identifiable health information:

  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.

 

Paper PHI: Protected Health Information that is not in an electronic format.

 

 

AUTHORIZED BY:

 

 

 

 

Company Name:

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

Policy Name:

Transmission Security

Policy Number:

Security Policy 9.0

Effective Date:

08/15/2018

Responsible for Review:

Marina Rogova, RN

Review Date:

08/15/2019

Synopsis of Policy: HIPAA Regulation: §164.312(e)(1) Transmission security; §164.312(e)(2)(i) Integrity controls; §164.312(e)(2)(ii) Encryption and decryption

 

This policy creates the rules which guard against unauthorized access to, or modification of, Electronic Protected Health Information (ePHI) that is being transmitted over an electronic communications network (“data in motion”). It commits resources to assure that when ePHI is transmitted from one point to another, it shall be protected in a manner commensurate with the associated risk.

 

The policy details standards of encryption and under which circumstances it is required or optional.

 

It specifies control requirements for:

  • Modem use;
  • WAN access;
  • Wireless devices;
  • Perimeter security; and
  • Firewalls.

It also details management and workforce responsibilities to execute the policy.
Full Policy Language:

 

HIPAA Regulation:

 

  • §164.312(e)(1) Transmission security
  • §164.312(e)(2)(i) Integrity controls
  • §164.312(e)(2)(ii) Encryption and decryption

 

Policy Purpose:

 

The intent of this policy is to guard against unauthorized access to, or modification of, ePHI that is being transmitted over an electronic communications network. When ePHI is transmitted from one point to another, it shall be protected in an encrypted manner.

 

Policy Description:

 

Encryption:

Proven, standard algorithms shall be used as the basis for encryption technologies. The use of proprietary encryption algorithms is not allowed for any purpose, unless authorized by the HIPAA Security Officer.

 

Encryption Required:

  1. No ePHI shall be sent outside BRADLEY A. CONNOR, M.D., P.L.L.C.’s domain unless it is encrypted. This includes all email and email attachments sent over a public internet connection.
  2. When accessing a secure network, an encrypted communication method, such as a VPN, shall be used.

 

Encryption Optional:

  1. When using a point-to-point communication protocol to transmit ePHI, no encryption is required.
  2. Dial-up connections directly into secure networks are considered to be secure connections for ePHI and no encryption is required.

 

If still using Modems:

  1. Modems shall never be left connected to personal computers in auto-answer mode.
  2. Dialing directly into or out of a desktop computer that is simultaneously connected to a local area network (LAN) or another internal communication network is prohibited.
  3. Dial-up access to WAN-connected personal computers at the office is prohibited.

 

 

ePHI Transmissions Using Wireless LANs and Devices within BRADLEY A. CONNOR, M.D., P.L.L.C.’s domain:

  1. The transmission of ePHI over a wireless network within BRADLEY A. CONNOR, M.D., P.L.L.C.’s domain is permitted if both of the following conditions are met:
     a. The local wireless network is utilizing an authentication mechanism to ensure that wireless devices connecting to the wireless network are authorized; and
     b. The local wireless network is utilizing an encryption mechanism for all transmissions over the aforementioned wireless network and uses two types of authentication.
  2. If transmitting ePHI over a wireless network that is not utilizing an authentication and encryption mechanism, the ePHI shall be encrypted before transmission.

 

Perimeter Security

  1. Any external connection to BRADLEY A. CONNOR, M.D., P.L.L.C.’s Wide Area Network (WAN) shall come through the perimeter security’s Firewall.
  2. If determined safe by the Security Officer, outbound services shall be initiated for internal addresses to external addresses.
  3. Inbound services shall be negotiated on a case-by-case basis with the Security Officer.
  4. All workforce members connecting to the WAN shall sign BRADLEY A. CONNOR, M.D., P.L.L.C.’s IT Confidentiality Agreement before connectivity is established.

 

Firewall Controls to Transmit ePHI Into and Out of BRADLEY A. CONNOR, M.D., P.L.L.C.

  1. Networks containing systems and applications with ePHI shall implement perimeter security and access control with a firewall.
  2. Firewalls shall be configured to support the following minimum requirements:
     a. Limit network access to only authorized workforce members and entities;
     b. Limit network access to only legitimate or established connections (an established connection is return-traffic in response to an application request submitted from within the secure network); and
     c. Console and other management ports shall be appropriately secured or disabled.
  3. The configuration of firewalls used to protect networks containing ePHI-based systems and applications shall be submitted to the Security Officer for review and approval.

 

Policy Responsibilities:

 

All workforce members that transmit ePHI outside BRADLEY A. CONNOR, M.D., P.L.L.C.’s WAN are responsible for ensuring the information is safeguarded by using encryption when using the public internet or a wireless device.

 

 

Procedures

 

Each area of BRADLEY A. CONNOR, M.D., P.L.L.C. shall submit all new and revised procedures to the Compliance Officers for approval and ongoing evaluation. Any procedures developed by BRADLEY A. CONNOR, M.D., P.L.L.C. shall be consistent with BRADLEY A. CONNOR, M.D., P.L.L.C.’s HIPAA policies and not deviate from BRADLEY A. CONNOR, M.D., P.L.L.C. standards.

 

Definitions

 

Covered Entity: A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.

 

Business Associate: Any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.).  Furthermore, it is any person or organization who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.

 

ePHI: Electronic Protected Health Information means individually identifiable health information:

  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.

 

Paper PHI: Protected Health Information that is not in an electronic format.

 

 

AUTHORIZED BY:

 

 

 

Company Name:

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

Policy Name:

Protection from Malicious Software

Policy Number:

Security 10.0

Effective Date:

08/15/2018

 

Responsible for Review:

Marina Rogova, RN

Review Date:

08/15/2019

Synopsis of Policy: HIPAA Regulation: §164.308(a)(5)(ii)(B) Protection from malicious software

 

This policy establishes protections to safeguard against, detect, and report malicious software, including but not limited to viruses, worms, and trojans. This policy mandates that BRADLEY A. CONNOR, M.D., P.L.L.C. shall ensure all computers owned, leased, and/or operated by the covered components install and maintain anti-virus software. Additionally, all workstations shall be configured to activate and update anti-virus software automatically each time the computer is turned on or the user logs on to the network.

 

The policy also details the necessary steps in the event that a virus, worm, or other malicious code has infected or been identified on a server or workstation. It specifies workforce members’ responsibilities to maintain cyber-hygiene standards, and the IT manager’s responsibilities to support this policy.
Full Policy Language:

 

HIPAA Regulation:

 

  • § 164.308(a)(5)(ii)(B) Protection from malicious software

 

Policy Purpose:

 

The intent of this policy is to establish procedures for protections to guard against, detect, and report malicious software. Malicious software includes, but is not limited to, viruses, worms, trojans, and ransomware.

 

Policy Description:

 

BRADLEY A. CONNOR, M.D., P.L.L.C. shall ensure all computers (owned, leased, and/or operated by BRADLEY A. CONNOR, M.D., P.L.L.C.) have anti-virus software installed and maintained. All workstations shall be configured to activate and update anti-virus software automatically each time the computer is turned on or the user logs on to the network.

 

In the event that a virus, worm, or other malicious code has infected or been identified on a server or workstation, that equipment shall be disconnected from the network until it has been appropriately cleaned.

 

Policy Responsibilities:

 

Workforce Responsibilities:

  1. Workforce members who utilize laptops to log on to the network shall work with their IT support to ensure all updates are received.
  2. Workforce members are not to disable automatic virus scanning features.
  3. All non-BRADLEY A. CONNOR, M.D., P.L.L.C. computers that directly access the WAN shall have anti-virus software and remain current with updates.
  4. All downloaded files shall be virus-checked prior to use.
  5. All storage media (e.g. disks) shall be treated as if they contain viruses. Workforce members are permitted to use removable storage disks provided that all disks are virus checked prior to use.
  6. If a virus is detected, workforce members are instructed to immediately contact their Security Officer.
  7. For the purposes of protecting data and preventing the spread of viruses, workers shall:
     a. Attend HIPAA security training; and
     b. Maintain back-up copies of data files.

 

IT Responsibility:

  1. Set up laptop computers so they automatically load virus updates when they are connected to BRADLEY A. CONNOR, M.D., P.L.L.C.’s network.

 

Procedures

 

To ensure that all BRADLEY A. CONNOR, M.D., P.L.L.C. workforce members are made aware of the threats and vulnerabilities caused by malicious code and software, such as viruses and worms, and are effectively trained to identify and prevent these types of attacks, the following procedures shall be established and implemented:

 

  1. The workforce shall be trained to identify and protect data, when possible, against malicious code and software.
  2. Security reminders shall be given to the workforce to inform them of any new virus, worm, or other type of malicious code that may threaten ePHI.

 

BRADLEY A. CONNOR, M.D., P.L.L.C. shall submit all new and revised procedures to the Compliance Officers for approval and ongoing evaluation. Any procedures developed by BRADLEY A. CONNOR, M.D., P.L.L.C. shall be consistent with BRADLEY A. CONNOR, M.D., P.L.L.C.’s HIPAA policies and not deviate from BRADLEY A. CONNOR, M.D., P.L.L.C.’s standards.

 

Definitions

 

Covered Entity: A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.

 

Business Associate: Any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.).  Furthermore, it is any person or organization who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.

 

ePHI: Electronic Protected Health Information means individually identifiable health information:

  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.

 

Paper PHI: Protected Health Information that is not in an electronic format.

 

 

 

AUTHORIZED BY:

 

 

 

Company Name:

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

Policy Name:

Contingency Plan, Disaster Recovery

Policy Number:

Security Policy 11.0

Effective Date:

08/15/2018

Responsible for Review:

Marina Rogova, RN

Review Date:

08/15/2019

Synopsis of Policy: HIPAA Regulation: § 164.308(a)(7)(i) Contingency plan; § 164.308(a)(7)(ii)(A) Data backup plan; § 164.308(a)(7)(ii)(B) Disaster recovery plan; § 164.308(a)(7)(ii)(C) Emergency mode operation plan; § 164.308(a)(7)(ii)(D) Testing and revision procedures; § 164.308(a)(7)(ii)(E) Applications and data criticality analysis; § 164.310(a)(2)(i) Contingency operations

 

This policy sets forth rules for continuing business without the normal resources of BRADLEY A. CONNOR, M.D., P.L.L.C. These include the required procedures for an emergency, disaster, or other occurrence (e.g. fire, vandalism, system failure, or natural disaster) when any system that contains ePHI is affected, including:

  • Applications and data criticality analysis;
  • Data backup;
  • Disaster Recovery Plan; and
  • Emergency mode operation plan.

 

The policy details specific requirements for each of these critical functions, and the responsibility for the creation, evaluation, testing, and updating of the various contingency plans described therein.
Full Policy Language:

 

HIPAA Regulation:

 

  • §164.308(a)(7)(i) Contingency plan
  • §164.308(a)(7)(ii)(A) Data backup plan
  • §164.308(a)(7)(ii)(B) Disaster recovery plan
  • §164.308(a)(7)(ii)(C) Emergency mode operation plan
  • §164.308(a)(7)(ii)(D) Testing and revision procedures
  • §164.308(a)(7)(ii)(E) Applications and data criticality analysis
  • §164.310(a)(2)(i) Contingency operations

 

Policy Purpose:

 

The purpose of this policy is to establish rules for continuing business without the normal resources of BRADLEY A. CONNOR, M.D., P.L.L.C.

 

Policy Description:

 

  1. BRADLEY A. CONNOR, M.D., P.L.L.C. shall develop procedures for implementation in the event of an emergency, disaster, or other occurrence (e.g. fire, vandalism, system failure, or natural disaster) when any system that contains ePHI is affected, including:
     a. Applications and data criticality analysis;
     b. Data backup;
     c. Disaster Recovery Plan; and
     d. Emergency mode operation plan.

  2. Each of the following plans shall be evaluated and updated at least annually as business needs and technology requirements change.

 

Applications and Data Criticality Analysis

  1. BRADLEY A. CONNOR, M.D., P.L.L.C. shall assess the relative criticality of specific applications and data within BRADLEY A. CONNOR, M.D., P.L.L.C. for purposes of developing its Data Backup Plan, its Disaster Recovery Plan, and its Emergency Mode Operation Plan.
  2. BRADLEY A. CONNOR, M.D., P.L.L.C. shall identify critical business functions, define impact scenarios, and determine resources needed to recover from each impact.
  3. The assessment of data and application criticality shall be conducted periodically and at least annually to ensure that appropriate procedures are in place for data and applications at each level of risk.

 

Data Backup Plan

  1. All ePHI shall be stored on network servers in order for it to be automatically backed up by the system.
  2. ePHI shall not be saved on the local drives of personal computers.
  3. ePHI stored on portable media (e.g. thumb drives, external hard drive, CD ROMs) shall be saved to the network to ensure backup of ePHI data.
  4. BRADLEY A. CONNOR, M.D., P.L.L.C. shall conduct daily backups of user-level and system-level information and store the backup information in a secure location. A weekly backup shall be stored offsite.
  5. BRADLEY A. CONNOR, M.D., P.L.L.C. shall establish and implement a Data Backup Plan pursuant to which it would create and maintain retrievable exact copies of all ePHI.
  6. The Data Backup Plan shall apply to all files that may contain ePHI.
  7. The Data Backup Plan shall require that all media used for backing up ePHI be stored in a physically secure environment, such as a secure, off-site storage facility; or, if backup media remains on site, it shall be stored in a physically secure location, different from the location of the computer systems it usually backs up.
  8. If a non-BRADLEY A. CONNOR, M.D., P.L.L.C. off-site storage facility or backup service is used, a written contract shall be used to ensure that the contractor shall safeguard the ePHI in an appropriate manner.
  9. Data backup procedures outlined in the Data Backup Plan shall be tested at least annually to ensure that exact copies of ePHI can be retrieved and made available.
  10. BRADLEY A. CONNOR, M.D., P.L.L.C. shall submit its new and revised Data Backup Plan to the Compliance Officers for approval.

 

Disaster Recovery Plan

  1. To ensure that BRADLEY A. CONNOR, M.D., P.L.L.C. can recover from the loss of data due to an emergency or disaster such as fire, vandalism, terrorism, system failure, or natural disaster affecting systems containing ePHI, BRADLEY A. CONNOR, M.D., P.L.L.C. shall establish and implement a Disaster Recovery Plan pursuant to which it can restore or recover any loss of ePHI and the systems needed to make that ePHI available in a timely manner. The Disaster Recovery Plan for BRADLEY A. CONNOR, M.D., P.L.L.C. shall be incorporated into BRADLEY A. CONNOR, M.D., P.L.L.C.’s Disaster Recovery Plan.
  2. The Disaster Recovery Plan shall include procedures to restore ePHI from data backups in the case of a disaster that causes data loss.
  3. The Disaster Recovery Plan shall include procedures to log system outages, failures, and data loss affecting critical systems. Procedures shall also be implemented to train the appropriate personnel regarding the Disaster Recovery Plan.
  4. The Disaster Recovery Plan shall be documented and readily available at all times to the necessary personnel, who shall be trained to implement it.
  5. The disaster recovery procedures outlined in the Disaster Recovery Plan shall be tested on a periodic basis to ensure that ePHI and the systems needed to make ePHI available can be restored or recovered.
  6. BRADLEY A. CONNOR, M.D., P.L.L.C. shall submit its new and revised Disaster Recovery Plan to the Compliance Officers for approval.

 

 

Disaster and Emergency Mode for Small Practices (Larger Organizations like Clinics and Hospitals should use the Full Disaster Recovery Plan)

 

  1. Real Estate/Office Suite: Who to call, Phone Number
  2. Computers: Who to call, Phone Number
  3. Networking of Computers: Who to call, Phone Number
  4. Restoration of Data to Server or Connection to the Internet: Who to call, Phone Number
  5. EHR Support: Who to call, Phone Number
  6. Add anything else needed to continue business

 

Emergency Mode Operation Plan

  1. BRADLEY A. CONNOR, M.D., P.L.L.C. shall establish and implement (as needed) procedures to enable continuation of critical business processes for protection of the security of ePHI while operating in emergency mode. Emergency mode operation involves critical business processes that shall occur to protect the security of electronic protected health information during and immediately after a crisis situation.
  2. Emergency mode operation procedures outlined in the Disaster Plan shall be tested on a periodic basis to ensure that critical business processes can continue in a satisfactory manner while operating in emergency mode.
  3. BRADLEY A. CONNOR, M.D., P.L.L.C. shall submit its new and revised Emergency Mode Operation Plan to the Compliance Officers for approval.

 

Policy Responsibilities:

 

  1. The Compliance/Security Officer shall oversee the creation, evaluation, testing, and updating of the various contingency plans described herein.
  2. BRADLEY A. CONNOR, M.D., P.L.L.C. shall submit its new and/or revised procedures and plans to the Security Officer for approval and ongoing evaluation. Any procedures developed by BRADLEY A. CONNOR, M.D., P.L.L.C. shall be consistent with BRADLEY A. CONNOR, M.D., P.L.L.C.’s HIPAA policies and not deviate from BRADLEY A. CONNOR, M.D., P.L.L.C.

 

Definitions

 

Covered Entity: A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.

 

Business Associate: Any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.).  Furthermore, it is any person or organization who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.

 

ePHI: Electronic protected health information means individually identifiable health information:

  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.

 

Paper PHI: Protected Health Information that is not in an electronic format.

 

 

AUTHORIZED BY:

 

 

 

Company Name:

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

Policy Name:

Business Associates

Policy Number:

Security 12.0

Effective Date:

08/15/2018

 

Responsible for Review:

Marina Rogova, RN

Review Date:

08/15/2019

Synopsis of Policy: HIPAA Regulation: § 164.308(b)(1) Business associate contracts and other arrangements; § 164.308(b)(3) Written contract or other arrangements

 

This policy defines procedures for determining which contractual and business relationships are considered “Business Associates” as defined by HIPAA. In addition, this policy addresses requirements for tracking designated Business Associates (BAs) and how to follow up on complaints about the BAs.

Full Policy Language:

 

HIPAA Regulation:

 

  • § 164.308(b)(1) Business associate contracts and other arrangements
  • § 164.308(b)(3) Written contract or other arrangements

 

Policy Purpose:

 

To document the policy and procedure for determining which contractual and business relationships are considered “Business Associates” (“BA”) as defined by HIPAA. In addition, this policy addresses tracking designated Business Associates and how to follow up on complaints about Business Associates.

 

Policy Description:

 

Business Associates

  1. BRADLEY A. CONNOR, M.D., P.L.L.C. has many contractual and business relationships, and policies related to its contracts and business relationships. However, not all contractors or business partners are “Business Associates” as defined by HIPAA. This policy only applies to contractors or business partners that come within the definition of a “Business Associate.” A Business Associate is any person or organization engaged to perform a service for BRADLEY A. CONNOR, M.D., P.L.L.C. where, for that contract to work, BRADLEY A. CONNOR, M.D., P.L.L.C. must either directly share PHI or ePHI with them or give them access to PHI or ePHI. An organization that meets these criteria is considered a BA and must sign a BA agreement.
  2. Compliance Officers of BRADLEY A. CONNOR, M.D., P.L.L.C. shall review contracts to determine if the contractual relationship requires a Business Associate Agreement. If a Business Associate Agreement is required, contract managers must complete the Business Associate Agreement (“BAA”) and notify the Compliance Officers. The BAA requires the BA to provide satisfactory assurance that it shall appropriately safeguard the confidential information and report any security incidents. BRADLEY A. CONNOR, M.D., P.L.L.C. shall audit the BA via electronic questionnaire. If the Compliance Officers so decide, BRADLEY A. CONNOR, M.D., P.L.L.C. shall conduct a security audit of the BA’s HIPAA Policies and Procedures as a means of due diligence to ensure that the BA is taking the necessary precautions under the HIPAA Security Rule to protect the data shared with it.

 

Business Associate Non-Compliance

  1. If BRADLEY A. CONNOR, M.D., P.L.L.C. knows of a pattern of activity or practice of a BA that constitutes a material breach or violation of an obligation under the contract or other arrangement, BRADLEY A. CONNOR, M.D., P.L.L.C. shall take reasonable steps to repair the breach or end the violation, as applicable. This includes working with and providing consultation to the BA.
  2. If such steps are unsuccessful, BRADLEY A. CONNOR, M.D., P.L.L.C. shall terminate the contract or arrangement, if feasible. If termination is not feasible, the problem shall be reported to the Office of Civil Rights (OCR) within 30 days of the incident.

 

Policy Responsibilities:

 

Compliance Officers of BRADLEY A. CONNOR, M.D., P.L.L.C.  shall work together to ensure that all BAs are identified, tracked, and investigated when an allegation is made.

 

Procedures

 

Tracking and Identifying BRADLEY A. CONNOR, M.D., P.L.L.C.  Business Associates

BRADLEY A. CONNOR, M.D., P.L.L.C.  shall identify those business relationships that meet the definition of a BA. Contract managers shall note that designation in the contract record and notify the Compliance Officer when a contractor is determined to be a BA.

 

Response to Complaints about Business Associates

BRADLEY A. CONNOR, M.D., P.L.L.C.  workforce members who receive a report or complaint from any source about inappropriate safeguards to ePHI by BAs shall provide information regarding that report or complaint to the Compliance Officers. The Compliance Officers shall coordinate with the BA’s contract administrator to document the alleged violation and determine if remediation is required in order for the BA to attain/retain contract compliance.

 

Where contract compliance cannot be attained/retained, BRADLEY A. CONNOR, M.D., P.L.L.C.  shall terminate the contract, if feasible. If termination is not feasible, the Compliance Officers shall report the problem to the Office of Civil Rights within 30 days of the incident.

 

Definitions

 

Business Associate: Any organization that, on behalf of the covered entity, completes a function or activity involving the use or disclosure of protected health information (PHI), including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and re-pricing; or, provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for such covered entity or, to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.

 

Covered Entity: A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.

 

ePHI: Electronic/Protected health information means individually identifiable health information:

  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.

 

Paper PHI: Protected Health Information that is not in an electronic format.

 

 

AUTHORIZED BY:

 

 

 

Company Name:

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

Policy Name:

Monitoring and Effectiveness

Policy Number:

Security 13.0

Effective Date:

08/15/2018

 

Responsible for Review:

Marina Rogova, RN

Review Date:

08/15/2019

Synopsis of Policy: HIPAA Regulation: § 164.308(a)(8) Perform a periodic technical and non-technical evaluation; § 164.308(a)(1)(i) Security management process; § 164.308(a)(1)(ii)(A) Risk analysis; § 164.308(a)(1)(ii)(B) Risk management

 

This policy establishes periodic evaluations of BRADLEY A. CONNOR, M.D., P.L.L.C.’s compliance with HIPAA policies and procedures. Security assessments shall be conducted periodically to confirm continued compliance with security standards and specifications. Assessments will determine if security controls are correctly implemented, and, as implemented, are effective in their application.

 

The policy also establishes procedures for Change Management of systems governed by the HIPAA Security Rule. The policy specifies the need for Change Control, Change Notification, Change Implementation, Change Closure, and Evaluation.

 

The policy also specifies management and workforce responsibilities for implementation.

Full Policy Language:

 

HIPAA Regulation:

 

  • § 164.308(a)(8) Perform a periodic technical and non-technical evaluation
  • § 164.308(a)(1)(i) Security management process
  • § 164.308(a)(1)(ii)(A) Risk analysis
  • § 164.308(a)(1)(ii)(B) Risk management

 

Policy Purpose:

 

The intent of this policy is to establish periodic evaluations on whether BRADLEY A. CONNOR, M.D., P.L.L.C. is complying with the HIPAA policies and procedures to effectively provide confidentiality, integrity, and availability of electronic protected health information (ePHI). Security assessments shall be conducted periodically to determine continued compliance with security standards and specifications. Assessments are conducted to:

  1. Determine if security controls are correctly implemented, and, as implemented, are effective in their application;
  2. Ensure that HIPAA security regulations, policies, and directives are met; and
  3. Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.

 

Policy Description:

 

Risk Assessment & Management:

BRADLEY A. CONNOR, M.D., P.L.L.C., along with the Security Officer, shall monitor the effectiveness of BRADLEY A. CONNOR, M.D., P.L.L.C.’s ability to secure ePHI. In order to accomplish this, a risk assessment shall be conducted when:

  1. New technology is implemented that either contains ePHI or is used to protect ePHI;
  2. New facilities that maintain or house ePHI are designed;
  3. Existing facilities that maintain or house ePHI are being remodeled or the design layout is being altered;
  4. New programs, functions, or departments are added that affect the security of BRADLEY A. CONNOR, M.D., P.L.L.C.;
  5. Security breaches are identified; and
  6. Changes in the mode or manner of service delivery are made.

 

Security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level shall be documented and implemented.

 

Change Control

The primary goal of change management is to facilitate communications and coordinate all changes that may occur in the IT environment. These changes include, but are not limited to, the installation, update, or removal of network services and components, operating system upgrades, application or database servers, and software.

 

Change Notification

  1. For informational purposes, the Compliance Officers shall be notified of changes by email no less than 48 hours in advance.
  2. Emergency Changes shall be communicated to the Compliance Officers as soon as is reasonable.
  3. Any change that encounters difficulties that could adversely affect customers, patients, or clients shall be communicated to the Compliance Officers as soon as is reasonable.

 

Change Implementation

All non-emergency changes shall occur within the recognized downtime window unless approved in advance by all affected parties or, for inter-departmental changes, as department procedures dictate.

 

Change Closure

The disposition of all changes shall be documented.

 

Evaluation

BRADLEY A. CONNOR, M.D., P.L.L.C.  shall conduct an assessment of security controls at least annually to determine the extent to which controls are implemented correctly, operating as intended, and producing the desired outcome. Technical and non-technical evaluations are to be conducted periodically to identify any new risks or to determine the effectiveness of the HIPAA Security Policies and Procedures. These evaluations include but are not limited to the following:

  1. Random audit reviews of a facility’s physical environment security;
  2. Random audit reviews of workstation security;
  3. Periodic, unannounced tests of physical, technical, and administrative controls;
  4. Assessment of changes in the environment or business process that may affect the HIPAA Security Policies and Procedures;
  5. Assessment when new federal, state, or local laws and regulations are passed that may affect the HIPAA Security Policies and Procedures;
  6. Assessment of the effectiveness of the HIPAA Security Policies and Procedures when security violations, breaches or other security incidents occur; and
  7. Assessment of redundancy required in the network or servers for ePHI availability.

 

Policy Responsibilities:

 

Compliance Officers

HIPAA Compliance Officers:

  1. Are responsible for coordinating with the Security Officers to conduct audits of covered entity compliance with the HIPAA Security Rule;
  2. Shall coordinate the production of procedures to implement this policy; and
  3. Are responsible for providing tools and processes for conducting technical and non-technical evaluations as part of BRADLEY A. CONNOR, M.D., P.L.L.C.’s ongoing compliance efforts.

 

If assessments recommend changes to the HIPAA Policies and Procedures, the Compliance Officers are responsible for reviewing these changes and presenting them to management. If needed, the Compliance Officers will update the workforce training materials.

 

Procedures

 

The Compliance Officers shall write procedures to ensure ongoing evaluation and assessments are completed to mitigate risks to ePHI.

 

Definitions

 

Covered Entity: A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.

 

Business Associate: Any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.). Furthermore, it is any person or organization that, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.

 

ePHI: Electronic protected health information means individually identifiable health information:

  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.

 

Paper PHI: Protected Health Information that is not in an electronic format.

 

 

AUTHORIZED BY:

 

 

 

Company Name or Other Sites

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

Policy Name:

Security Awareness and Training

Policy Number:

Security 14.0

Effective Date:

08/15/2018

 

Responsible for Review:

Marina Rogova, RN

Review Date:

08/15/2019

Synopsis of Policy: HIPAA Regulation: § 164.308(a)(5)(i) Security awareness and training; § 164.308(a)(5)(ii)(A) Security reminders. Texas Med Rec Privacy Act: THSC §2.I.181.101 Training Required

 

This policy ensures that all members of BRADLEY A. CONNOR, M.D., P.L.L.C.’s workforce who can access Electronic Protected Health Information (ePHI) receive the necessary training in order to implement and maintain the HIPAA Security Policies and Procedures. The intent is also to prevent any violations of confidentiality, integrity, or availability of ePHI. Since Security Awareness Training is key to mitigating BRADLEY A. CONNOR, M.D., P.L.L.C.’s exposure to both malicious threats and accidental errors and omissions, its components are specified in the policy, along with training frequency, record keeping, and ongoing reminders.

Compliance with the Texas Medical Records Privacy Act security awareness and training requirements (as noted above) is also fulfilled by this policy.

Full Policy Language:

 

HIPAA Regulation:

 

  • § 164.308(a)(5)(i) Security awareness and training
  • § 164.308(a)(5)(ii)(A) Security reminders

 

Policy Purpose:

 

The intent of this policy is to ensure that all members of BRADLEY A. CONNOR, M.D., P.L.L.C.’s workforce who can access electronic protected health information (ePHI) receive the necessary training in order to implement and maintain the HIPAA Security Policies and Procedures. This policy is also intended to prevent any violations of confidentiality, integrity, or availability of ePHI.

 

Policy Description:

 

Security Awareness Training

Security awareness training is key to mitigating BRADLEY A. CONNOR, M.D., P.L.L.C.’s exposure to both malicious threats and accidental errors or omissions.

 

System & Application Training

This policy sets forth a minimum standard for system and application security awareness to reduce BRADLEY A. CONNOR, M.D., P.L.L.C.’s risk, including:

  1. Proper uses and disclosures of the ePHI stored in the application;
  2. How to properly log on and log off the application;
  3. Protocols for correcting user errors;
  4. Instructions for contacting a designated person or help desk when ePHI may have been altered or destroyed in error; and
  5. Reporting a potential security breach.

 

HIPAA Security Training

  1. All members of the workforce that are part of BRADLEY A. CONNOR, M.D., P.L.L.C. shall receive security training. The Compliance Officers will provide the training and materials.
  2. Worker Level Training: This training entails those Security Policies and Procedures that directly affect members of the general workforce.
  3. Managerial-Supervisory Training: This training entails all of the HIPAA Security Policies and Procedures and should detail Management’s role in enforcement and supervision.
  4. All new workforce members are required to attend the appropriate training within 60 days of entering the workforce.
  5. BRADLEY A. CONNOR, M.D., P.L.L.C. is required to ensure that all of its workforce members receive training.

 

Tracking Security Training:

BRADLEY A. CONNOR, M.D., P.L.L.C.’s training coordinator or designee shall enter workforce members into The Guard to sign them up for the appropriate level of training.

 

HIPAA Security Reminders

  1. The Compliance Officers shall develop and implement periodic security updates and issue reminders to BRADLEY A. CONNOR, M.D., P.L.L.C.’s workforce. These security reminders shall be provided using any media that is most effective for BRADLEY A. CONNOR, M.D., P.L.L.C. (e.g. email, posters, newsletters, intranet site, etc.).
  2. At a minimum, these reminders shall be provided on a quarterly basis.

 

Policy Responsibilities:

 

Compliance Officers are responsible for ensuring that all workforce members in their operational areas are trained no later than 60 days after entering their workforce. In addition, the Compliance Officers will have oversight responsibility to audit reports from The Guard to ensure required workforce member attendance. If needed, the Compliance Officers may require workforce members to attend more training if security incidents warrant this remedial action.

 

Procedures:

 

BRADLEY A. CONNOR, M.D., P.L.L.C.  shall document written procedures on how new workers are notified and sent to training.

 

BRADLEY A. CONNOR, M.D., P.L.L.C. shall submit its new and revised procedures and plans to the Compliance Officers for approval and ongoing evaluation. Any procedures developed by BRADLEY A. CONNOR, M.D., P.L.L.C. shall be consistent with BRADLEY A. CONNOR, M.D., P.L.L.C.’s HIPAA policies and will not deviate from BRADLEY A. CONNOR, M.D., P.L.L.C.’s standard.

 

Definitions

 

Covered Entity: A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.

 

Business Associate: Any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.).  Furthermore, it is any person or organization who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.

 

ePHI: Electronic/Protected health information means individually identifiable health information:

  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.

 

Paper PHI: Protected Health Information that is not in an electronic format.

 

 

AUTHORIZED BY:

 

 

 

Company Name:

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

Policy Name:

Sanctions Policy

Policy Number:

Security 15.0

Effective Date:

08/15/2018

 

Responsible for Review:

Marina Rogova, RN

Review Date:

08/15/2019

Synopsis of Policy: HIPAA Regulation: § 164.308(a)(1)(ii)(C) Sanctions policy

 

This policy specifies enforcement, sanctions, penalties, and disciplinary actions that may be applied against workforce members who fail to comply with all security policies and procedures. This policy ensures that information system workforce members know that they can be held accountable for their actions.

 

The policy details all requirements for its fulfillment and the penalties for non-compliance. It is of critical importance that all members of BRADLEY A. CONNOR, M.D., P.L.L.C.’s workforce read this policy in full and acknowledge by signature that they have read it.

Full Policy Language:

 

HIPAA Regulation:

 

  • § 164.308(a)(1)(ii)(C) Sanctions policy

 

Policy Purpose:

 

The intent of this policy is to specify enforcement, sanctions, penalties, and disciplinary actions that may be applied against workforce members who fail to comply with the security policies and procedures. This policy ensures that workforce members know that they can be held accountable for their actions.

 

Policy Description:

 

Sanctions

  1. The definition of BRADLEY A. CONNOR, M.D., P.L.L.C.’s workforce is taken from the Privacy Rule. In § 160.103 of the Privacy Rule, the term “workforce” is defined as, “Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.” The workforce shall guard against improper uses or disclosures of BRADLEY A. CONNOR, M.D., P.L.L.C.’s confidential protected health information.
  2. All members of BRADLEY A. CONNOR, M.D., P.L.L.C.’s workforce are required to be aware of their responsibilities under BRADLEY A. CONNOR, M.D., P.L.L.C.’s HIPAA Security Rule policies.
  3. All members of BRADLEY A. CONNOR, M.D., P.L.L.C.’s workforce are required to sign the HIPAA Confidentiality form indicating that they have been informed of the business practices in BRADLEY A. CONNOR, M.D., P.L.L.C. as they relate to security.
  4. Managers and supervisors are responsible for ensuring that workforce members who have access to ePHI are informed of their responsibilities. Management is responsible for ensuring timely and appropriate training, that updates are communicated broadly, and that old/discontinued information is purged from common usage.
  5. Members of BRADLEY A. CONNOR, M.D., P.L.L.C.’s workforce who violate BRADLEY A. CONNOR, M.D., P.L.L.C.’s policies and procedures regarding the safeguarding of an individual’s confidential information are subject to disciplinary action by BRADLEY A. CONNOR, M.D., P.L.L.C. up to and including immediate dismissal from employment or service. For violations of these policies, corrective action, including but not limited to contract cancellation or termination of services, shall be implemented by BRADLEY A. CONNOR, M.D., P.L.L.C. for those members of the workforce who are not subject to BRADLEY A. CONNOR, M.D., P.L.L.C.’s discipline process.
  6. Members of BRADLEY A. CONNOR, M.D., P.L.L.C.’s workforce who knowingly and willfully violate state or federal law for failure to safeguard ePHI are subject to criminal investigation and prosecution or civil monetary penalties.
  7. If BRADLEY A. CONNOR, M.D., P.L.L.C. fails to enforce security safeguards, BRADLEY A. CONNOR, M.D., P.L.L.C. may be subject to administrative penalties by the Office of Civil Rights (OCR), including federal funding penalties.

 

Reporting violations

All workforce members shall notify the Compliance Officers when there is a reasonable belief that any security policies or procedures are being violated.

 

Retaliation prohibited

  1. Neither BRADLEY A. CONNOR, M.D., P.L.L.C. as an entity nor any member of BRADLEY A. CONNOR, M.D., P.L.L.C.’s workforce shall intimidate, threaten, coerce, discriminate against, or take any other form of retaliatory action against any individual for:
     • Exercising any right established under BRADLEY A. CONNOR, M.D., P.L.L.C.’s policy;
     • Participating in any process established under BRADLEY A. CONNOR, M.D., P.L.L.C.’s policy, including the filing of a complaint with BRADLEY A. CONNOR, M.D., P.L.L.C. or with the Office of Civil Rights;
     • Testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing relating to BRADLEY A. CONNOR, M.D., P.L.L.C.’s policies and procedures; and
     • Opposing any unlawful act or practice, provided that the individual or other person (including a member of BRADLEY A. CONNOR, M.D., P.L.L.C.’s workforce) has a good faith belief that the act or practice being opposed is unlawful and the manner of such opposition is reasonable and does not involve a use or disclosure of an individual’s protected health information in violation of BRADLEY A. CONNOR, M.D., P.L.L.C.’s
  2. Those engaging in retaliation shall be subject to the sanctions under this policy.

 

Policy Responsibilities:

 

All workforce members are responsible for notifying the Compliance Officers when there is a belief that any security policies are being violated. In addition, suspected violations should be reported to the Security Officer.

 

Definitions

 

Covered Entity: A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.

 

Business Associate: Any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. group health plan, hospital, etc.). Furthermore, it is any person or organization who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.

 

ePHI: Electronic protected health information means individually identifiable health information:

  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.

 

Paper PHI: Protected Health Information that is not in an electronic format.

 

 

AUTHORIZED BY:

 

 

 

Company Name:

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

Policy Name:

Policies and Procedures

Policy Number:

Security 16.0

Effective Date:

08/15/2018

 

Responsible for Review:

Marina Rogova, RN

Review Date:

08/15/2019

Synopsis of Policy: HIPAA Regulation: § 164.316(a) Policies and procedures; § 164.316(b)(1) Documentation; § 164.316(b)(2)(i) Time limit; § 164.316(b)(2)(ii) Availability; § 164.316(b)(2)(iii) Updates

 

This policy formalizes the process by which BRADLEY A. CONNOR, M.D., P.L.L.C.'s HIPAA Security Rule policies and procedures are created, documented, and implemented in accordance with the regulation. It specifies the role of the various Compliance Officers in development, discussion, and implementation of new policies, and regular review of current policies.

 

It details documentation requirements surrounding policy administration.

Full Policy Language:

 

HIPAA Regulation:

 

  • §164.316(a) Policies and procedures
  • §164.316(b)(1) Documentation
  • §164.316(b)(2)(i) Time limit
  • §164.316(b)(2)(ii) Availability
  • §164.316(b)(2)(iii) Updates

 

Policy Purpose:

 

The intent of this policy is to formalize the process by which BRADLEY A. CONNOR, M.D., P.L.L.C.'s HIPAA Security Rule policies and procedures are created, documented, and implemented in accordance with regulations.

 

Policy Description:

 

  1. The Compliance Officers shall implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the HIPAA Security Rule. The Compliance Officers shall work with workforce members to draft and revise policies and procedures.
  2. All policies and procedures implemented to comply with the HIPAA Security Rule shall be documented in writing (which may be in electronic form). All records of actions, activities, or assessments required by the Rule shall be documented. The documentation shall be detailed enough to communicate the security measures taken and to facilitate periodic evaluations.
  3. Documentation shall be retained for a minimum of 6 years from the time of its creation or the date when it last was in effect, whichever is later.
  4. All documentation shall be available to those persons responsible for implementing the procedures to which the documentation pertains.
  5. Documentation shall be reviewed at least annually and updated as needed in response to environmental or operational changes affecting the security of the electronic protected health information (ePHI).

 

Policy Responsibilities:

 

Compliance Officers

The Compliance Officers shall be responsible for leading the development, implementation, and maintenance of the policies, procedures, and related documentation.

 

Department Management

BRADLEY A. CONNOR, M.D., P.L.L.C. shall submit all new and revised procedures to the Compliance Officers for approval and ongoing evaluation.

 

Procedures

 

In general the following process is used to develop and implement policies and procedures:

  1. The Compliance Officers shall draft new or updated HIPAA information security policies;
  2. The new information security policy shall be presented to the Head of BRADLEY A. CONNOR, M.D., P.L.L.C. for awareness, input, and endorsement;
  3. The Compliance Officers shall give final approval for the new or updated policy; and
  4. The Compliance Officers shall communicate the new or updated policy to the workforce, including updating training and related materials as needed.

 

Any procedures developed by BRADLEY A. CONNOR, M.D., P.L.L.C. shall be consistent with BRADLEY A. CONNOR, M.D., P.L.L.C.'s HIPAA policies and shall not deviate from BRADLEY A. CONNOR, M.D., P.L.L.C.'s standards.

 

Definitions

 

Covered Entity: A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.

 

Business Associate: Any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g., a group health plan, hospital, etc.). Furthermore, it is any person or organization who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.

 

ePHI: Electronic protected health information means individually identifiable health information:

  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.

 

Paper PHI: Protected Health Information that is not in an electronic format.

AUTHORIZED BY:

Company Name:

BRADLEY A. CONNOR, M.D., P.L.L.C.

MEDICAL ADVANCE SERVICES, P.L.L.C.

TRAVEL HEALTH MEDICAL, P.C.

Policy Name:

Satellite Office and Home Office Policy

Policy Number:

Security 17.0

Effective Date:

08/15/2018

 

Responsible for Review:

Marina Rogova

Review Date:

08/15/2019

Synopsis: HIPAA Regulation: Satellite Office and Home Office

 

This policy is designed to help BRADLEY A. CONNOR, M.D., P.L.L.C. designate and protect Satellite and Home Offices that directly perform services for the Covered Entity or Business Associate.

 

Definitions:

 

Satellite Office: A Satellite Office is a nondescript location, with no signage to designate that it is part of, or performs services for, the main organization. This location is not used for storing PHI in physical or digital form. It is strictly used for providing treatment and then leaving. When leaving, there is no footprint: no computers, no charts, no trash, nothing that can be traced back to any of the PHI that was interacted with. If any of the above does not apply, then this site is considered a location and is subject to all the HIPAA requirements that the main office is subject to.

 

Home Office: A home office with no signage to designate that it is part of, or performs services for, the main organization. This location is not used for storing charts or computers, and does not retain any documentation. It is strictly used for providing treatment and for viewing electronic health records. There is no footprint: no data stored on computers, no charts, no trash, nothing that can be traced back to any of the PHI that was interacted with. BRADLEY A. CONNOR, M.D., P.L.L.C. should not allow storage of PHI at a Home Office. Printed matter should be shredded immediately after use and should not be stored. Computers should be set up so that PHI cannot be downloaded from the main site. No footprint can be left. If any of the above does not apply, then this site is considered a location and is subject to all the HIPAA requirements that the main office is subject to.

Requirements of Compliance for Satellite and Home Offices:

 

  1. Devices used at Satellite and Home sites must be protected and encrypted and listed in the Device Audit as encrypted.
  2. Site(s) must have a Physical Site Audit filled out and stored in The Guard.
  3. All BRADLEY A. CONNOR, M.D., P.L.L.C. staff that work in the Satellite and Home Offices must go through HIPAA training.
  4. No footprint (evidence of PHI) will be allowed at either Satellite or Home Offices.
  5. If the above are not followed, the organization must defend its decisions to the Department of Health and Human Services (HHS) should a breach occur and it be revealed that these protocols were not followed.

 

Example of a Satellite Office:

 

A Doctor’s office in city A has a lot of patients in city B, so once a week they use a site in city B (e.g., an examination room in another doctor’s office) to see patients who live there so they do not have to travel as far. This site is not used for storing charts, for storing computers, or for leaving any documentation behind. It is strictly used for seeing the Doctor’s patients, and then the site is vacated. When leaving, they leave behind no footprint: no computers, no charts, no trash, and nothing about or pertaining to any of the patients that were seen there that day.