Outline of this section:
Review of overall tasks
Review of the requirements for your policy and procedures documentation.
HIPAA Tasks “To Do List”
Prepared by Barney McDowell for HIPAA Training
A. General Goals Towards Compliance With HIPAA
c. Names of required documents interfacing with clients and business partners
4. Choose whether to maintain “covered entity” or “non-covered entity” status
5. Create Specific Documents as required by HIPAA
B. The Language and Acronyms of HIPAA
1. PHI – protected health information; includes all clinical records, billing information, and written and oral communication of covered entities.
2. TPO – Treatment, payment, health care operations; the routine and general purposes for which PHI may be disclosed without consent.
3. Treatment – defined as care, services, or supplies delivered by a provider to a patient as a provision of health care, including the coordination or management of care by a provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one provider to another. (p. 82497)
4. Payment – activities undertaken by or on behalf of a covered entity to obtain or determine or fulfill its responsibility for, provision of service or reimbursement for the provision of health care. They define a list of activities that includes billing, risk adjustment, review for medical necessity and utilization review. (p. 82495)
5. Health Care Operations – e.g., quality assessment, reviewing competence or qualifications, “accrediting”, “training future health care professionals”, “auditing”, etc.
6. Covered entities – all health plans, all health care information clearinghouses, and all health care providers who engage in electronic transactions. However, once you have “covered entity” status, all of your communications of PHI are covered by HIPAA, not just electronic transactions.
7. Minimum Necessary – for any permitted use or disclosure, HIPAA requires that disclosures be the minimum amount of information necessary to the transaction or service. Specific minimums are left to professional standards and the requirements of covered entities.
8. Notice of Privacy Practices – you must provide your patients/clients with a written notice of your privacy practices and of the patient’s privacy rights under HIPAA.
9. Authorization – allows use and disclosure of PHI for purposes other than treatment, payment, and health care operations; allows use and disclosure of information not covered by consent.
10. Privacy Official – designated individual responsible for the development and implementation of the privacy policies and procedures. May be the same as or different from the contact person.
11. Contact Person – designated person to receive complaints about privacy and to provide information about the matters covered by the privacy notice. May be the same as or different from the privacy official.
12. Psychotherapy notes – highly idiosyncratic definition, elaborated elsewhere.
13. HHS or “The Department” refers to the Health and Human Services Department, which wrote the Privacy Standard of HIPAA. “Secretary” refers to the Secretary of HHS.
C. Privacy Standards guide handling and “disclosures” of PHI. There are requirements for documentation that interfaces with clients as well as internal documentation for how you protect information.
D. Patient Rights as determined by HIPAA must be documented in internal practice policy and procedures documents and in the “Notice of Privacy Practices” given to clients.
1. Educate Patients – Direct providers have an obligation to educate individuals about their rights.
Patients have rights (with many exceptions) to: (Fed Reg, Vol 65, No. 250, p. 82550)
1. Request restrictions on certain uses and disclosures (p. 82552)
2. Receive confidential communications of PHI (p. 82553)
3. Access, inspect and copy PHI (p. 82554)
4. Amend PHI (p. 82558)
5. Receive an accounting of disclosures of PHI (p. 82559)
6. File a formal complaint with the “Privacy Contact” (defined below) or the Secretary of HHS (p. 82487)
E. System and Administrative practices – Since this entails the most challenging documentation under HIPAA, we will cover this part of the Rule as a section unto itself below. Also, see Check List For HIPAA Compliance at the beginning of this handout.
F. Security Regulations – HHS hasn’t yet issued standards, e.g. software protocols, for the safe transmission of electronic transactions, but they have promised to do so.
year); penalties ($100-$25k); applicable to financial institutions when processing, billing, etc.
2. General Considerations: All electronic transactions will have to meet these four criteria.
A. Confidentiality – keeping transfers private, i.e. encrypting PHI in transit so that only the intended recipient can read it.
B. Integrity – data arrives intact and unchanged, with protection (e.g. a checksum or message authentication code) that detects any alteration in transit. Note that encryption by itself does not guarantee integrity; a separate integrity check is needed.
C. Authentication – making sure the sender is who they claim to be and has authority; non-repudiation of electronic signatures, etc.
D. Authorization – access control, e.g. passwords or other credentials that limit who may use a system or record.
3. Scalability: the measures needed differ depending on the size of the CE and its level of use of PHI.
G. Marketing – defined as “to make a communication about a product or service that encourages the recipients of the communication to purchase or use the product or service” (p. 53186). Marketing requires an authorization, but there are many, many exceptions, including communications about 1) participating providers and health plans in a network, the services offered by a provider, or the benefits of a health plan, 2) the individual’s treatment, and 3) case management or care coordination or “recommendations for alternative treatments, therapies, health care providers or settings of care to that individual” (p. 53186)
Policy and Procedure Documentation
(When you read this, think of YOURSELF every time the term Covered Entity (CE) is used.)
I. If you are a “covered entity”, you must keep written or electronic documentation of your compliance with HIPAA.
II. If you make electronic transactions (or stipulate that you are a “covered entity” to, e.g., an insurer), then you are designated a “covered entity”! But once a “covered entity”, the rule applies to all forms of your communication of PHI, including written and oral, not just electronic. See p. 82561-64 for administrative citations. Therefore, your policy and procedure documentation needs to address all of those forms.
III. Below (A.1-8), the overarching principles of HIPAA’s requirements for Policy and Procedures are first listed; then very specific requirements are listed in a format you may consider using as a template to create your own Policy and Procedure Documentation. This might be referred to as a manual, but there are also requirements for ongoing logging of training, complaints, sanctions, etc. Please note that this “template” is not comprehensive, and HHS does not specify the degree of detail required beyond a one-and-a-half page description in Sec. 164.530.
A. Overarching principles:
1. Administrative requirements are applicable to all policies, procedures and documentation required throughout the regulation.
2. Your practices must be reasonably designed to comply with the standards, implementation specifications, and other requirements of the relevant part of the regulation.
3. Must be written in plain language and support the Privacy rules.
4. “Reasonably designed” and “scalable scope” may not be interpreted to permit or excuse any action that violates the privacy regulation.
5. Policies and procedures identified must be maintained in writing; compliance is documented.
6. Any other communication, action, activity, or designation that must be documented under this regulation must be documented in writing. (Writing can be in electronic or paper form.)
7. Must retain documentation for at least 6 years (the civil penalties statute of limitations period) from the date of creation or the date the document was last in effect, whichever is later.
8. Policies must establish conditions for making changes if you have not reserved the right to change your practices in your Privacy Practices notice: they must include that changes to policy, procedure or documentation will not be implemented until added to the documentation and appropriate individuals are notified.
Policy and Procedure Documentation
Disclaimer: The following is one possible outline that may suffice to meet the Rule’s requirement for documentation. HHS simply does not specify what detail they will require. We are left to speculate that for an individual private practitioner it may be sufficient to document that you are the person, e.g., who will be responsible for receiving and acting on patient requests (as per their rights under HIPAA) and that you will accommodate those requests according to the appropriate subparts. For larger companies and agencies, a great deal more detail will no doubt be required. For an alternative example, see www.medicalprivacy.unc.edu/resources_potm.htm.
I. Designating Required Personnel [§ 164.530(a)]:
Privacy officials must be established. They are the point person(s) for policy implementation, development and the complaints process. Both a Privacy Officer and a Privacy Contact need to be designated and documented as such (they may be the same or different persons).
A. (______________________) is the Privacy Officer and has the following job duties:
1. Maintains awareness of relevant laws and regulations of HIPAA, including changes that may affect privacy practices.
3. Assures implementation of privacy activities and HIPAA compliance.
4. Educates and trains the workforce on privacy issues and practices.
B. (_______________________) is the Privacy Contact and has the following duties:
1. Receives and handles complaints from patients regarding privacy issues.
2. Provides further information and assistance regarding privacy practices.
3. Reports and documents privacy activities.
II. Training the Workforce in privacy and security [§ 164.530(b)]: All members of the workforce are required to receive training on the policies, procedures and forms with respect to PHI, as necessary and appropriate for their role. As stated above, the Privacy Officer is charged with overseeing the following:
A. CE implements policy and procedures for training.
III. Safeguards [§ 164.530(c)] must limit intentional, unintentional, and incidental disclosure of PHI to persons other than the intended recipient. No specific measures are required. “We intend this to be a common sense, scalable, standard”.
IV. Complaints Process [§ 164.530(d)] requires the CE to have a mechanism for receiving internal complaints from individuals concerning violations of the CE’s privacy practices and the requirements of the privacy standards.
A. Develop and implement a formal process for persons to make complaints.
B. Develop a process for a plan of correction and process improvement when a complaint is received or when a mistake is identified.
C. Must have an identified contact person for the complaint process.
D. Prohibit retaliation against persons for filing a complaint or exercising any right under the rule.
E. Must maintain a record of complaints and a brief explanation of their nature and resolution, if any.
F. Must be prepared to respond to complaints that may be filed with the Secretary of HHS.
V. Sanctions [§ 164.530(e)] against members of the workforce who fail to comply with the privacy policies or procedures of the CE or the requirements of the rule. Does not apply to whistleblowers and business associates; they are addressed separately in 164.504.
A. CE must develop and impose sanctions appropriate to the nature of the violation, based on its nature, severity, whether it was intentional or unintentional, and whether it is part of a pattern of improper use or disclosure.
B. Must have written policy and procedures for the application of appropriate sanctions.
C. Must document sanctions and violations.
VI. Refraining from Intimidating or Retaliatory Acts [§ 164.530(g)]: A CE may “not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against”
A. an individual for filing a complaint or participating in a process prescribed by the Rule, or
B. “individuals and others” for
1. filing a complaint with the Secretary,
2. testifying, assisting or participating in an investigation, compliance review, proceeding, or hearing under Part C of Title XI, or
3. opposing any act or practice made unlawful by the Rule, provided the individual…made the complaint in a “good faith belief” that an “unlawful” act happened and that the “opposition” was made in a reasonable manner without disclosing PHI in violation of the Rule.
VII. Duty to Mitigate Breaches of Confidentiality [§ 164.530(f)] – must alleviate any harmful effect of a use or disclosure of PHI that is known to the CE. Applies to violations of the CE’s policies and procedures and of the requirements of the rule. The CE is responsible for acting on harm caused by its workforce or by business associates. What are your policies about how you plan to do this? Suggestion: establish a policy that you will interview relevant persons and review documents; consult with peers and/or an attorney about appropriate actions; and communicate in written form to all parties, asking for documentation that the specific breach has been addressed as well as the causes of the breach.
VIII. Patient “Rights” – specific rights have practice or procedural elements that need policy and procedure development and documentation.
F. Requests for amending and correcting PHI
G. Requests for an accounting of PHI disclosures
H. Remember that HIPAA is a federal floor and that Substance Abuse Treatment Acts still apply and need to be considered in light of HIPAA standards.
IX. Notice of Privacy Practices – This written document for patients requires specific elements (sample form provided). The Privacy Notice must be given to the client, posted on the web, etc., as discussed in detail in another section, but it also has to be accounted for in the Policy and Procedure Documentation. Any changes must be documented prior to the effective date of the change, though changes to the Privacy Notice may apply retroactively as long as the Notice claimed the right to revise at a later date.
X. Business associate relationship requirements. Business associate contracts ensure compliance by your business partners with HIPAA. Obviously, a contract is a document, but you must also document the necessary policy and procedures for how you will go about developing and maintaining Business Associate relationships.
B. What system do you have to monitor these relationships and the communications between them? Who? What?
XI. Oral communications that need documenting relate to what is needed to meet the “standard” for providing disclosure history. Not all need to be documented, and patient access only applies to the designated record set. Must have policy to guide procedures. Do you have a policy about using client names in your waiting room? If you have an office coordinator or secretary, do you have policies about how they will use or disclose oral communications about the client?