HIPAA (Health Insurance Portability and Accountability Act)

Board Approval Date Effective Date

Policy

  It is the policy of the PIC to operate in a manner that complies with the Health Insurance Portability & Accountability Act (HIPAA).  

Practice

  1. PIC shall maintain and document policies and practices delineating staff responsibilities with respect to the privacy and security of consumer protected health information (PHI) and electronic protected health information (EPHI), in compliance with HIPAA regulations, including sanctions for privacy violations.
  2. All employees shall be trained on HIPAA and agency practices to ensure that consumers’ confidential information (PHI and EPHI) is secure and protected.
  3. PIC shall have an appointed Privacy and Security Officer whose responsibilities will include:  
    1. overseeing training; ensuring privacy and security safeguards are in place; 
    2. receiving, investigating, and mitigating complaints regarding privacy; 
    3. ensuring all relevant documentation of privacy efforts is maintained for at least six years.
  4. PIC is responsible for developing practices that protect electronic protected health information (EPHI) and designating physical, administrative and technological safeguards to eliminate or minimize the possibility of “Security Incidents”.
  5. PIC shall enter into business associate privacy contracts with any business associates who have access to consumer and/or employee protected health information.
  6. PIC shall provide all consumers with a copy of the agency’s Notice of Privacy Practices and receive written acknowledgement of receipt, to be filed in the consumer’s file.
  7. PIC shall provide consumers with access to their protected health information (PHI) and electronic protected health information (EPHI), allow for amendment of consumer records, and provide an accounting of disclosures of PHI and EPHI as requested, with some exceptions, in compliance with HIPAA regulations.

Consumer Records

  1. Consumer records are maintained in a file in a secure central location.  Only individuals with a “need to know” will have access to an individual’s file, and they should access only the part of the file necessary to conduct business.
  2. No one is permitted to make copies of, or remove from PIC premises, any PIC consumer/family records without parental release of information without prior approval of their supervisor.  Employee records or documents may not be released without the consent of the employee or the Executive Director.

Access to and Amendment of Consumer Records

Access Right

  1. PIC gives consumers access to their health and other confidential information whether PIC or our business associates hold that information and whether or not we are the source of that information. 
  2. The consumer may request access verbally or in writing, and we will record the request in the consumer’s file.  We will provide the information within 30 days of receipt of the request or notify the consumer of the reasons for the delay.  We may charge the consumer the cost of photocopying.  Exceptions to this access occur rarely, such as when the information is deemed dangerous.  If we feel we need to deny access, we will provide an explanation.  The consumer can contest the denial, at which time a third party will review the request and determine the appropriate action.

Amendment Right

  1. The consumer may request verbally or in writing that we amend our records about that consumer.  We will log the request in the file and reply within 60 days.  We may deny the consumer’s request if we were not the originators of the information or we believe the information is inaccurate.
  2. When we make an amendment, we add a note to the record to indicate the change but do not delete the original information.  If we deny the consumer’s request, then we will provide an explanation to the consumer and in the record.  If the consumer contests our denial, we will document the consumer’s concerns in the record.

Accounting and Restrictions of Disclosures of Confidential Information

Accounting of Disclosures

The consumer has a right to receive an accounting of certain disclosures of the consumer’s protected health information.  The consumer’s request may occur in writing or verbally and we will record the request in the file.  We have 60 days to respond.  Our accounting to the consumer will:

  • Be in writing;
  • Include the dates of disclosure and to whom the information was sent;
  • Describe what information was sent; and
  • State the purpose of the disclosure.

The following disclosures are not subject to the accounting requirement:

  • For treatment, payment, or healthcare operations;
  • Made with the consumer’s authorization;
  • Covered by a business associate agreement;
  • For national security or intelligence purposes; or
  • To correctional institutions or law enforcement officials.

Restrictions on Use and Disclosure

The consumer may request restrictions on our use or disclosure of the consumer’s protected health information beyond those restrictions already imposed by the government.  We may elect to accept the restriction or not.  However, if we accept the request, then we must abide by it and can reverse our position only after first notifying the consumer appropriately.

Restrictions on Communication Method

We will accommodate a request that we communicate with the consumer by alternative means, if we can practically implement such an alternative.  The consumer is not required to explain why he or she wants such an alternative means of communication.  Our agreement with the consumer for an alternative means of communication will be documented and included in the consumer’s medical record.