THE INSTITUTE OF PROFESSIONAL PRACTICE, INC.*
HIPAA POLICIES AND PROCEDURES MANUAL
FOR PERSONS SERVED
REVISED
June 10, 2010
January 7, 2011
February 8, 2011
May 31, 2011
November 8, 2011
September 23, 2013
*Including Mid-Atlantic Human Services Corporation
THE INSTITUTE OF PROFESSIONAL PRACTICE HIPAA
POLICIES AND PROCEDURES MANUAL FOR PERSONS SERVED
TABLE OF CONTENTS
GENERAL POLICY .......... 1
Definitions .......... 3
PART A. PRIVACY .......... 11
SECTIONS PAGES
I. CONFIDENTIALITY .......... 11
II. IDENTIFYING PHI .......... 11
III. PROPER USE AND DISCLOSURE .......... 12
IV. PROPER USE AND DISCLOSURE/MINIMUM NECESSARY STANDARD .......... 12
V. ACCESS/AUTHORIZATION .......... 13
VI. ACCESS/LIMITED ACCESS TO PERSONS SERVED RECORDS .......... 14
VII. INFORMAL DISCLOSURE OF PHI .......... 16
VIII. BUSINESS ASSOCIATES/ADHERENCE TO POLICY .......... 17
IX. PROTECTION OF PHI DURING NON-EMERGENCY/PERMITTED USES .......... 20
X. THERAPY AND COUNSELING RECORDS .......... 21
XI. RECORDS CORRECTION .......... 22
XII. CLOSED CASES .......... 22
XIII. MAILING PHI .......... 23
XIV. E-MAIL MESSAGES .......... 23
XV. FACSIMILE .......... 24
XVI. TELEPHONE .......... 25
XVII. TRANSCRIPTION .......... 25
XVIII. PRINTING/COPYING .......... 27
XIX. PHI SHALL BE STORED SECURELY .......... 27
XX. IDENTIFICATION OF NON PHI/DE-IDENTIFYING PHI .......... 28
XXI. PERMITTED USES/TREATMENT .......... 29
XXII. PERMITTED USES/PAYMENT .......... 31
XXIII. PERMITTED USES/HEALTH CARE OPERATIONS .......... 32
XXIV. PERMITTED USES/LEGAL, JUDICIAL, ADMINISTRATIVE, AND LAW ENFORCEMENT PROCEEDINGS .......... 33
XXV. PERMITTED USES/HEALTH AND PUBLIC HEALTH OVERSIGHT .......... 35
XXVI. MISCELLANEOUS PERMITTED USES/WORKERS COMPENSATION .......... 36
XXVII. AUTHORIZATIONS/WHEN AUTHORIZATIONS ARE REQUIRED .......... 38
XXVIII. AUTHORIZATIONS/CORE ELEMENTS OF AN AUTHORIZATION .......... 38
XXIX. AUTHORIZATIONS/SPECIAL CASE/PSYCHOTHERAPY NOTES .......... 41
XXX. AUTHORIZATION/SPECIAL CASE/MARKETING .......... 42
XXXI. AUTHORIZATION/REVOCATIONS, AND RESTRICTIONS OF USES .......... 45
XXXII. RIGHT OF ACCESS/NOTIFICATION .......... 46
XXXIII. RIGHT OF ACCESS/SPECIAL RULES FOR ACCESS TO TREATMENT NOTES .......... 48
XXXIV. RIGHT OF ACCESS/RIGHT TO CORRECT, MODIFY AND AMEND PHI .......... 49
XXXV. RIGHT OF ACCESS/RIGHT OF PERSONS SERVED TO RELEASE PHI .......... 50
XXXVI. REQUESTS FOR ALTERNATE CONFIDENTIAL COMMUNICATIONS .......... 51
XXXVII. CONFLICT RESOLUTION .......... 53
XXXVIII. MITIGATION OF INADVERTENT DISCLOSURES OF PHI .......... 53
XXXIX. DOCUMENTATION AND RECORDKEEPING/ACCOUNTING FOR DISCLOSURES .......... 53
XL. NOTICE OF PRIVACY POLICY .......... 55
XLI. WRITTEN POLICIES/POSTING .......... 56
XLII. SUBSTANTIVE CHANGES IN POLICY AND PROCEDURES/NOTIFICATION/TIMELINESS .......... 57
XLIII. TRAINING .......... 57
XLIV. RETENTION OF PRIVACY DOCUMENTATION .......... 57
XLV. SANCTIONS .......... 62
XLVI. PRIVACY OFFICER .......... 63
XLVII. PRIVACY BREACH NOTIFICATION .......... 63
XLVIII. PRIVACY OFFICER/JOB DESCRIPTION .......... 69
PART B. SECURITY PROCEDURES .......... 70
I. GENERAL REQUIREMENTS OF THE SECURITY STANDARDS .......... 70
II. ELECTRONIC PHI .......... 70
III. PHI ADMINISTRATIVE PROCEDURES .......... 71
IV. SYSTEM INVENTORY .......... 71
V. SYSTEMIC RISK ANALYSIS .......... 71
VI. RISK MANAGEMENT PROGRAM .......... 72
VII. LOW LEVEL RISK INFRASTRUCTURE .......... 73
VIII. ACCESS/AUTHORIZATION .......... 73
IX. REVIEW OF AUTHORIZATION AND OTHER INFRASTRUCTURE REQUIREMENTS .......... 73
X. CRIMINAL BACKGROUND CHECKS/PHI .......... 74
XI. AUTHENTICATION/PASSWORD MANAGEMENT SYSTEM .......... 74
XII. INTERNAL BREACHES/ATTEMPTS NOTED .......... 75
XIII. SECURING PHI WHEN AUTHORIZED STAFF LEAVE .......... 76
XIV. CORRECTIONS OF ELECTRONIC RECORDS .......... 77
XV. SECURE TRANSMISSION OF ELECTRONIC DATA .......... 78
XVI. PHI PROTECTION WHEN SHARED .......... 78
XVII. STORING ELECTRONIC DATA SECURELY .......... 79
XVIII. DISPOSING OF ELECTRONIC DATA SECURELY .......... 79
XIX. PHI BACKUP .......... 80
XX. PREVENTION OF VIRAL/MALICIOUS SOFTWARE .......... 80
XXI. CONTINGENCY PLANS: BACKUP, DISASTER RECOVERY, EMERGENCY OPERATIONS .......... 81
XXII. SECURITY AND PRIVACY TRAINING .......... 81
XXIII. SANCTIONS POLICY .......... 82
XXIV. FAIR ADMINISTRATION OF SANCTIONS POLICY .......... 82
XXV. WRITTEN SECURITY POLICIES AND PROCEDURES .......... 83
XXVI. REVIEW OF SECURITY POLICIES AND PROCEDURES .......... 83
XXVII. SECURITY OFFICER .......... 83
XXVIII. EXCEPTIONS .......... 84
XXIX. DISCLOSURES OF ELECTRONIC PHI TO BUSINESS ASSOCIATES .......... 84
PART C. FORMS
1. HIPAA EMPLOYEE ACKNOWLEDGEMENT
2. BUSINESS ASSOCIATE AGREEMENT
3. BUSINESS ASSOCIATE TRACKING WORKSHEET
4. AUTHORIZATION FOR RELEASE OF INFORMATION
5. REQUEST FOR ALTERNATE COMMUNICATIONS
6. RESPONSE TO REQUEST FOR ALTERNATE
COMMUNICATIONS
7. REQUEST FOR ACCOUNTING OF DISCLOSURES OF
PROTECTED HEALTH INFORMATION
8. RESPONSE TO REQUEST FOR ACCOUNTING OF
DISCLOSURES OF PROTECTED HEALTH INFORMATION
9. REQUEST TO AMEND OR CORRECT PROTECTED HEALTH
INFORMATION
10. RESPONSE TO REQUEST TO AMEND OR CORRECT
PROTECTED HEALTH INFORMATION
11. REQUEST FOR RESTRICTIONS ON USE OR DISCLOSURE OF
PROTECTED HEALTH INFORMATION
12. RESPONSE TO REQUEST FOR RESTRICTIONS ON USE OR
DISCLOSURE OF PROTECTED HEALTH INFORMATION
13. NOTICE OF AVAILABILITY OF PRIVACY PRACTICES
14. NOTICE OF PRIVACY PRACTICES
15. PRIVACY DISCLOSURE LOG
16. REQUEST TO INSPECT OR COPY PROTECTED HEALTH
INFORMATION
17. RESPONSE TO REQUEST TO INSPECT OR COPY PROTECTED
HEALTH INFORMATION
18. COMPLAINT FORM
GENERAL POLICY: It is the policy of the Institute of Professional Practice, Inc. (IPPI) to
preserve the integrity and confidentiality of medical, behavioral, and therapeutic records along
with other sensitive health information pertaining to the persons whom it serves (“Person” or
“Persons Served”). As further defined herein, such records, data and information shall be
considered protected health information (PHI).
This Manual will ensure that IPPI and its officers, employees and agents have the necessary
medical, behavioral, therapeutic and financial information needed to provide the highest quality
care possible, while protecting the confidentiality of that information in accordance with local,
state and federal laws and regulations. To this end, IPPI, its officers, employees and agents will
collect and use individual PHI only for purposes of providing medical, behavioral, therapeutic
and financial services and for supporting the delivery, quality, integrity and payment of such
services.
IPPI, its officers, employees and agents recognize that PHI collected about Persons Served must
be accurate, complete, timely and available when needed. It will complete, authenticate and
maintain all records containing PHI in accordance with local, state, and federal laws, professional
ethics, and relevant accreditation standards. Reasonable measures will be taken to preserve the
integrity of all PHI, and no PHI will be altered or destroyed, except as permitted by law, when
necessary, and according to accepted policies.
IPPI recognizes that Persons Served have a right of privacy with respect to PHI. As such, IPPI, its
officers, employees and agents will respect the individual dignity of Persons Served at all times,
acting as responsible stewards of information and treating all individual PHI records and data as
sensitive and confidential.
IPPI also recognizes that Persons Served, IPPI and/or their legal representatives have the right of
access to their own PHI and will provide access to such PHI in a timely fashion using reasonable
procedures and in compliance with local, state and federal laws. Persons Served and/or their legal
representatives will also be given the opportunity to request and to provide deletions and
modifications to the record should they feel such are necessary.
All employees, officers, and agents of IPPI must adhere to this general policy and IPPI will not
tolerate violations of it. Violation of this policy is grounds for disciplinary action, up to and
including termination of employment and criminal or professional sanctions in accordance with
IPPI’s PHI sanction policy as well as with local, state, and Federal laws and regulations, and the
standards of ethics of professional organizations.
No third party rights are intended to be created by this policy. IPPI reserves the right to amend or
change this policy at any time (and even retroactively) without notice. To the extent this policy
establishes requirements and obligations on IPPI, acting as either a covered entity or non-covered
entity, above and beyond those required by the Health Insurance Portability and Accountability
Act of 1996 (HIPAA), those requirements and policies shall be aspirational and shall not be
binding on IPPI.
This policy does not address requirements under other federal or state laws.
To the extent state laws are more stringent than the HIPAA rules, those laws shall govern.
A state law relating to privacy or security will be considered “more stringent” than HIPAA
privacy and security standards if the state law meets at least one of the following six
criteria:
1. The state law prohibits or restricts uses and disclosures of PHI that
would otherwise be permitted by the HIPAA standards;
2. The state law permits individuals greater rights of access to or
amendment of PHI;
3. The state law permits greater disclosure/notice of information to an
individual who is the subject of PHI about use, disclosure, rights, and
remedies relating to such PHI, including disclosures relating to data security
breaches;
4. With respect to an authorization/release of records form, the state law
narrows the scope or duration, increases the privacy protections afforded, or
reduces the coercive effect of the circumstances surrounding the
authorization, as applicable;
5. With respect to record keeping or requirements relating to
accounting of disclosures, the state law requires retention or
reporting of more detailed information or for a longer duration; or
6. With respect to any other matter, the state law provides greater privacy
or security protections for the person who is the subject of the PHI.
For purposes of the Manual, a “covered entity” is a health care provider who transmits any health
information in electronic form in connection with a transaction covered by subchapter C of
subtitle A of Title 45 of the Code of Federal Regulations.
RATIONALE: These policies have been developed in response to the enactment of laws and
regulations of the federal government regarding protected health information, enacted and
modified from time to time.
STRUCTURE OF THE MANUAL: The following pages state the specific policies to be
implemented under the Manual followed by the procedure that implements the specific policy.
The Manual consists of four parts: Part A (Privacy), Part B (Security), Part C (Forms used in the
administration of the Manual).
PERSON RESPONSIBLE: Corporate Privacy Officer
DATE EFFECTIVE: June 1, 2011; Last Revision September 23, 2013
DEFINITIONS
Where the following capitalized terms appear in these Policies, they have the definitions
set forth below.
(1) Authorization: A written document that authorizes a Use or Disclosure
of Protected Health Information or PHI and that satisfies Sections XXVII-XXXI
of this Manual.
(2) Business Associate: A person who, on behalf of IPPI or as a subcontractor of an
IPPI Business Associate, either (i) performs (or assists in the performance of) a
function or activity involving the Use or Disclosure of protected health
information or any other function or activity regulated by the HIPAA Privacy
Standards; (ii) provides legal, actuarial, accounting, consulting, data aggregation,
management, administrative, accreditation, or financial services to or for IPPI,
where the provision of the service involves the Disclosure of protected health
information from IPPI, or from another Business Associate of IPPI, to the person;
or (iii) creates, receives, maintains, or transmits PHI on behalf of a covered entity;
provided that the term “Business Associate” does not include IPPI when it is
functioning as the sponsor of a group health plan.i The relationship between IPPI
and a Business Associate must be formalized by a written Business Associate
Agreement that binds the Business Associate to comply with all applicable
provisions of this Manual as to any PHI collected or held on behalf of IPPI and
includes a Certification.
(3) Carrier: A health insurance carrier, which is an insurance company, insurance
service, or managed care organization (including an HMO) that is licensed under
and subject to state law that regulates insurance; provided that the term “Carrier”
does not include a group health plan.ii
(4) Certification: A certification that an entity shall:
a. Not Use or Disclose PHI other than as permitted or required by the group
health plans administered or sponsored by IPPI or as required by law;
b. Agree to the same restrictions and conditions that apply to IPPI with
respect to such information;
c. Not Use or Disclose PHI for employment-related actions and decisions or
in connection with any other benefit or employee benefit plan of IPPI or
IPPI Administration;
d. Take steps to deal with any Use or Disclosure of PHI of which it becomes
aware that is inconsistent with the Uses or Disclosures provided for;
e. Make available PHI in accordance with individuals’ right to access PHI,
which right is described in Sections XXXIII-XXXV of this Manual;
f. Make available PHI for amendment and incorporate any PHI amendments
into the Designated Record Sets held by IPPI in accordance with
individuals’ right to request amendments of PHI, which right is described
in Section XXXIV of this Manual;
g. Make available the information required to provide an accounting of
disclosures of PHI in accordance with individuals’ right to receive an
accounting of disclosures, which right is described in Section XXXIX of
this Manual;
h. Make IPPI’s internal practices, books, and records relating to the Use and
Disclosure of PHI available to the Secretary for purposes of determining
IPPI’s compliance with the HIPAA Privacy Standards;
i. If feasible, return or destroy all PHI received that IPPI still maintains in
any form and retain no copies of such information when no longer needed
for the purpose for which Disclosure was made, except that, if such return
or destruction is not feasible, limit further Uses and Disclosures to those
purposes that make the return or destruction of the information infeasible;
and
j. Ensure that any adequate separation of records or PHI is established and
maintained.iii
(5) Contact Person: The person or office designated as the Privacy Officer.
(6) Covered Entity: A health plan (as defined by HIPAA), a health care
clearinghouse (as defined by HIPAA), or a health care provider (as defined by
HIPAA) who transmits any health information in electronic form in connection
with a transaction covered by Subchapter C of Subtitle A of Title 45 of the Code
of Federal Regulations.iv
(7) De-identified Information: Information that does not identify an individual and
that IPPI has no reasonable basis to believe can be used to identify an individual.v
Two methods by which IPPI can demonstrate that information qualifies as De-
identified Information are as follows:
a. A person with appropriate knowledge of and experience with generally
accepted statistical and scientific principles and methods for rendering
information not individually identifiable: (i) determines, applying such
principles and methods, that the risk is very small that the information
could be used, alone or in combination with other reasonably available
information, by an anticipated recipient to identify an individual who is a
subject of the information, and (ii) documents the methods and results of
the analysis that justify such determination; or
b. IPPI ensures that (i) it does not have actual knowledge that the information
could be used alone or in combination with other information to identify
an individual who is a subject of the information, and (ii) the following
identifiers of the individual, or relatives, employers, or household
members of the individual, are removed:
• Names;
• All geographic subdivisions smaller than a state, including street
address, city, county, precinct, and zip code and their geocodes (except
that the initial three digits of a zip code may be used if more than 20,000
people reside within the area included in all zip codes sharing those
initial three digits, and, if fewer than 20,000 people reside within such
area, the number “000” may be used instead);
• All elements of dates (except the year) for dates directly related to an
individual, including birth date, admission date, discharge date, and date
of death;
• All ages over 89 and all elements of dates (including the year) indicative
of such age, except that such ages and elements may be aggregated into
a single category of age 90 or older;
• Telephone numbers;
• Fax numbers;
• Electronic mail addresses;
• Social Security numbers;
• Medical record numbers;
• Health plan beneficiary numbers;
• Account numbers;
• Certificate/license numbers;
• Vehicle identifiers and serial numbers, including license plate numbers;
• Device identifiers and serial numbers;
• Web Universal Resource Locators (URLs);
• Internet Protocol (IP) address numbers;
• Biometric identifiers, including finger and voice prints;
• Full face photographic images and any comparable images; and
• Any other unique identifying number, characteristic, or code (other than
a code that enables the information’s creator to re-identify the
information).vi
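The identifier-removal method in item (7)(b) is mechanical enough to automate, and automating it is how the "no actual knowledge" condition in (7)(b)(i) gets an audit trail. The following is an added example (not IPPI's own code) that applies the rule to a constructed record: the listed identifier fields are dropped, dates are reduced to their year, the ZIP code is cut to its first three digits or replaced with "000" for an area of 20,000 residents or fewer, and an age over 89 collapses to "90 or older" together with the birth year that would reveal it. The field names, the ZIP3 population table and the sample record are assumptions made for this example.

```python
from datetime import date

# Identifier classes that item (7)(b) removes outright.  The record keys
# are an assumed schema for this example, not something from the manual.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "precinct",
    "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_id",
    "url", "ip_address", "biometric", "photo",
}

# Constructed ZIP3 population table (not census data).  The manual's rule
# needs the combined population of all ZIP codes sharing the first three
# digits; more than 20,000 residents lets the prefix be kept.
ZIP3_POPULATION = {
    "021": 700000,   # large metro area: prefix may be kept
    "036": 15000,    # small area: must become "000"
}

AGE_CAP = 89                 # ages over this collapse to "90 or older"
ZIP3_POPULATION_MIN = 20000  # area must exceed this to keep the prefix


def generalize_zip(zip_code, zip3_population=ZIP3_POPULATION):
    """Return the three-digit ZIP prefix, or "000" for small/unknown areas."""
    digits = "".join(ch for ch in str(zip_code) if ch.isdigit())
    prefix = digits[:3]
    # Unknown prefixes are treated as small areas (fail closed).
    if len(prefix) == 3 and zip3_population.get(prefix, 0) > ZIP3_POPULATION_MIN:
        return prefix
    return "000"


def age_on(birth_date, as_of):
    """Whole years of age on the given date."""
    years = as_of.year - birth_date.year
    if (as_of.month, as_of.day) < (birth_date.month, birth_date.day):
        years -= 1
    return years


def generalize_dates(record, as_of):
    """Keep only the year of each date; drop the birth year for ages over 89."""
    out = {}
    age = age_on(record["birth_date"], as_of) if "birth_date" in record else None
    for key, value in record.items():
        if not isinstance(value, date):
            continue
        # A birth year that reveals an age over 89 is itself an identifier.
        if key == "birth_date" and age is not None and age > AGE_CAP:
            continue
        out[key + "_year"] = value.year
    if age is not None:
        out["age"] = "90 or older" if age > AGE_CAP else age
    return out


def safe_harbor_deidentify(record, as_of=None, zip3_population=ZIP3_POPULATION):
    """Apply item (7)(b) to one record and return a new dict."""
    if as_of is None:
        as_of = date.today()
    elif isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    result = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or isinstance(value, date):
            continue  # removed outright, or handled by generalize_dates
        if key == "zip":
            result["zip3"] = generalize_zip(value, zip3_population)
        else:
            result[key] = value  # non-identifying fields (state, diagnosis)
    result.update(generalize_dates(record, as_of))
    return result


def contains_direct_identifier(record):
    """Audit check before release: does any listed identifier field survive?"""
    return any(key in DIRECT_IDENTIFIER_FIELDS for key in record)


# Constructed sample record; not a real person.
SAMPLE = {
    "name": "Jane Example",
    "street_address": "12 Main St",
    "city": "Boston",
    "state": "MA",
    "zip": "02115",
    "birth_date": date(1931, 3, 5),
    "admission_date": date(2013, 9, 23),
    "phone": "555-0100",
    "mrn": "MRN-0001",
    "diagnosis": "F41.1",
}

if __name__ == "__main__":
    print(safe_harbor_deidentify(SAMPLE, as_of="2013-09-23"))
```

Note that removing the listed fields is only part of (7)(b); the record must also carry nothing else the entity actually knows could re-identify the person, which no field list can check on its own.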
(8) Designated Record Set: The set of information that includes PHI and that either
(i) is enrollment, Payment, claims adjudication, and case or medical management
record systems maintained by or for IPPI, or (ii) is used, in whole or in part, to
make decisions about individuals.vii
(9) Disclosing, a Disclosure, to Disclose or to be Disclosed: Divulging information
outside an entity, including release, transfer, or provision of access to
information.viii
(10) Group Health Plan or Plan: Group health coverage that is offered to eligible
employees, retired employees, spouses and eligible dependents of IPPI and related
entities and that is self-funded.
(11) Health Care: Services that prevent, treat, cure or heal human physical and mental
conditions and illnesses.
(12) Health Care Operations: Any of the following activities:
a. Reviewing the competence or qualifications of health care professionals;
evaluating practitioner and provider performance or health plan
performance; conducting training programs in which students, trainees, or
practitioners in areas of health care learn under supervision to practice or
improve their skills as health care providers; training of non-health care
professionals; and accreditation, certification, licensing, or credentialing
activities;
b. Underwriting, premium rating, and other activities relating to the creation,
renewal, or replacement of a contract of health insurance or health
benefits; and ceding, securing, or placing a contract for reinsurance of risk
relating to claims for health care (including stop-loss insurance and excess
of loss insurance);
c. Conducting or arranging for medical review, legal services, and auditing
functions (including fraud and abuse detection and compliance programs);
d. Business planning and development (including cost-management and
planning-related analyses related to managing and operating the entity,
formulary development and administration, and development or
improvement of methods of payment or coverage policies); and
e. Business management and general administrative activities of the entity
including (i) management activities relating to implementation of and
compliance with the requirements of the HIPAA Privacy Standards; and
(ii) in accordance with the HIPAA Privacy Standards creating De-
identified Information or a Limited Data Set.ix
(13) Health Care Provider: A physician or other provider licensed under the laws of
the state to provide health care to an individual.
(14) Health Oversight Agency: An agency or authority of the United States, a state, a
territory, a political subdivision of a state or territory, or an Indian tribe (or a
person or entity acting under a grant of authority from or contract with such
public agency, including the employees or agents of such public agency or its
contractors or persons or entities to whom it has granted authority) that is
authorized by law to oversee the health care system (whether public or private) or
government programs in which health information is necessary to determine
eligibility or compliance, or to enforce civil rights laws for which health
information is relevant.x
(15) HIPAA: The Health Insurance Portability and Accountability Act of 1996, as
amended from time to time.
(16) HIPAA Privacy Standards or Privacy Rule: The privacy regulations at Part 160
of, and subparts A and E of Part 164 of, Title 45 of the Code of Federal
Regulations, as amended from time to time.
(17) HMO: A federally qualified health maintenance organization, an organization
recognized as a health maintenance organization under state law, or a similar
organization regulated for solvency under state law in the same manner and to the
same extent as such a health maintenance organization.
(18) Limited Data Set: Information that excludes the following direct identifiers of
the individual and his relatives, employers, and household members:
• Names;
• Postal address information (but not including town or city, state, and zip
code);
• Telephone numbers;
• Fax numbers;
• Electronic mail addresses;
• Social Security numbers;
• Medical record numbers;
• Health plan beneficiary numbers;
• Account numbers;
• Certificate/license numbers;
• Vehicle identifiers and serial numbers, including license plate numbers;
• Device identifiers and serial numbers;
• Web Universal Resource Locators (URLs);
• Internet Protocol (IP) address numbers;
• Biometric identifiers, including finger and voice prints; and
• Full face photographic images and any comparable images.xi
(19) Manual: This compilation of IPPI’s HIPAA privacy policies and procedures for
Persons Served.
(20) Medical Record: Information that is created by a health care provider; identifies
or can be readily associated with the identity of an individual; and relates to the
health care of the individual.
(21) Notification Disclosures: Disclosure of PHI to an individual’s relative or close
personal friend or other person identified by the individual, if such PHI is directly
relevant to such person’s involvement with the individual’s care or payment for
the individual’s health care; and Disclosure (or Use) of PHI to notify, or assist in
the notification of, a person responsible for the individual’s care (such as the
individual’s family member or personal representative) of the individual’s
location, general condition, or death.xii
(22) Payment: Activities undertaken by a Group Health Plan to obtain premiums or to
determine its responsibility for coverage and provision of benefits under the
Group Health Plan, and activities undertaken by a health care provider or health
plan to obtain or provide reimbursement for the provision of health care. Such
activities include, without limitation:
a. Determinations of eligibility or coverage (including coordination of
benefits or the determination of cost sharing amounts), and adjudication or
subrogation of health benefit claims;
b. Risk adjusting amounts due based on enrollee health status and
demographic characteristics;
c. Billing, claims management, collection activities, obtaining payment
under a contract for reinsurance (including stop-loss insurance and excess
of loss insurance), and related health care data processing;
d. Review of health care services with respect to medical necessity, coverage
under a health plan, appropriateness of care, or justification of charges;
e. Utilization review activities, including precertification and
preauthorization of services and concurrent and retrospective review of
services; and
f. Disclosure to consumer reporting agencies of any of the following PHI
relating to collection of premiums or reimbursement: name, address, date
of birth, Social Security number, payment history, account number, and
the health care provider’s and/or health plan’s name and address.xiii
(23) Plan Sponsor: An employer that maintains a group health plan for its employees.
(24) Privacy Officer: The individual appointed to serve as the Privacy Officer for IPPI
or the Privacy Officer’s authorized designee.
(25) Protected Health Information or PHI: Any information, transmitted or
maintained in any form or medium (including orally), that (i) is created or
received by a health care provider, health plan, employer, or health care
clearinghouse; (ii) relates to the past, present, or future physical or mental health
or condition of an individual, the provision of health care to an individual, or the
past, present, or future Payment for the provision of health care to an individual;
and (iii) either identifies the individual or with respect to which there is a
reasonable basis to believe the information can be used to identify the individual;
provided that the term “PHI” does not include (A) education records covered by
the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. § 1232g,
(B) student treatment records described at 20 U.S.C. 1232g(a)(4)(B)(iv), and (C)
employment records held by a Covered Entity in its role as employer.xiv
(26) Psychotherapy Notes: Notes recorded by a health care provider who is a mental
health professional documenting or analyzing the contents of conversation during
a private counseling session or a group, joint, or family counseling session and
that are separated from the rest of the individual’s medical record, but excluding
the following: medication prescription and monitoring, counseling session start
and stop times, the modalities and frequencies of treatment furnished, results of
clinical tests, and any summary of diagnosis, functional status, the treatment plan,
symptoms, prognosis, and progress to date.xv
(27) Public Health Authority: An agency or authority of the United States, a state, a
territory, a political subdivision of a state or territory, or an Indian tribe (or a
person or entity acting under a grant of authority from or contract with such
public agency, including the employees or agents of such public agency or its
contractors or persons or entities to whom it has granted authority), that is
responsible for public health matters as part of its official mandate.xvi
(28) Secretary: The Secretary of Health and Human Services (or any other officer or
employee of the Department of Health and Human Services to whom the
authority involved has been delegated).xvii
(28A) Subcontractor: A person to whom a Business Associate delegates a function,
activity or service other than in the capacity of a member of the workforce of such
Business Associate.
(29) Summary Health Information: Information that summarizes the claims history,
claims expenses, or types of claims experienced by individuals to or on whose
behalf health benefits have been provided and from which the following
information has been deleted:
• Names;
• All geographic subdivisions smaller than a state (including street address,
city, county, and precinct), except for the initial five digits of zip codes;
• All elements of dates (except the year) for dates directly related to an
individual, including birth date, admission date, discharge date, and date
of death;
• All ages over 89 and all elements of dates (including the year) indicative
of such age, except that such ages and elements may be aggregated into a
single category of age 90 or older;
• Telephone numbers;
• Fax numbers;
• Electronic mail addresses;
• Social Security numbers;
• Medical record numbers;
• Health plan beneficiary numbers;
• Account numbers;
• Certificate/license numbers;
• Vehicle identifiers and serial numbers, including license plate numbers;
• Device identifiers and serial numbers;
• Web Universal Resource Locators (URLs);
• Internet Protocol (IP) address numbers;
• Biometric identifiers, including finger and voice prints;
• Full face photographic images and any comparable images; and
• Any other unique identifying number, characteristic, or code (other than a
code that enables the information’s creator to re-identify the
information).xviii
(30) Treatment: The provision, coordination, or management of health care or related
services by one or more health care providers, including the coordination or
management of health care by a health care provider with a third party,
consultation between health care providers relating to a patient, and the referral of
a patient for health care from one health care provider to another.xix
(31) Using, a Use, or To Use: Both (i) employment, application, utilization,
examination, or analysis of information, and (ii) sharing information within an
entity.xx
PART A. PRIVACY
I. CONFIDENTIALITY
Policy: All PHI shall be considered confidential and shall be treated in
accordance with the terms of the Manual.
Procedures:
A. No PHI shall be used or disclosed without a proper authorization, or when
the use or disclosure is permitted or otherwise authorized, or allowed, or
required by local or state laws or regulations, or HIPAA or other federal
laws or regulations.
B. No IPPI employee shall access or disclose PHI unless properly
authorized to do so and shall otherwise disclose PHI only to those
persons served and/or their legal representatives who are authorized to
receive such information.
C. For purposes of the Manual (i) “using,” “a use” or “to use” means the
sharing of information within IPPI; and (ii) “disclosing,” “disclosed” or
“to be disclosed” means divulging information outside IPPI, including
release, transfer, or provision of access to information.
II. IDENTIFYING PHI
Policy: IPPI shall identify when routine health information becomes PHI.
Procedures:
A. The following information will be designated as PHI: Any health
information, including demographic information collected from Persons
Served, transmitted or maintained in any form or medium, that:
1. is created or received by IPPI; and
2. relates to the past, present, or future physical or mental health or
condition of Persons Served; the provision of health care to Persons
Served; or the past, present or future payment for the provision of
health care to Persons Served; and
3. identifies a Person Served or can be used to identify a Person Served.
B. Routine health information which meets the above definition will be
automatically designated PHI upon its receipt by IPPI.
C. PHI does not include (i) education records covered by the Family
Educational Rights and Privacy Act, as amended, 20 U.S.C. § 123g; (ii)
student treatment records, and (iii) employment records held by IPPI in its
role as employer. To the extent information is held by IPPI in its capacity
as an employer or covered entity under the group health plan, such
information shall be treated as provided in the HIPAA Privacy
Compliance Manual for IPPI’s Group Health Plan and VEBA.
D. IPPI will adhere to its own policies and procedures and all other applicable
laws, regulations, policies and procedures when maintaining, using and
disclosing such PHI.
III. PROPER USE AND DISCLOSURE
Policy: IPPI shall ensure that PHI is used and disclosed properly for the
treatment of Persons Served, for the payment of such treatment, and for general
health care operations as they relate to Persons Served, and as further provided
herein. IPPI shall not improperly withhold such PHI for any of these purposes.
Procedures:
A. The procedures for carrying out this Policy are set forth in this Manual.
IV. PROPER USE AND DISCLOSURE/MINIMUM NECESSARY STANDARD
Policy: HIPAA requires that when PHI is used or disclosed, the amount disclosed
generally must be limited to the “minimum necessary” to accomplish the purpose
of the use or disclosure.
Procedures:
A. IPPI shall make reasonable efforts to limit the scope of PHI to the
minimum necessary to accomplish the intended purpose of the use,
disclosure, or request. This minimum necessary rule applies in three
circumstances:
1. When using PHI internally;
2. When disclosing PHI to an external party in response to a
request;
3. When requesting PHI from another covered entity.
The “minimum necessary” standard does not apply to any of the
following:
i. Uses or disclosures made to the individual;
ii. Uses or disclosures to another covered entity who requests the
information;
iii. Uses or disclosures made pursuant to a valid authorization;
iv. Disclosures made to Health and Human Services (HHS);
v. Uses or disclosures required by law; and
vi. Uses or disclosures required to comply with HIPAA.
B. Disclosure of Entire Record. If a use or disclosure involves an
individual’s entire medical record, the justification for such use or
disclosure shall be documented. For example, the request of an
auditor for PHI must represent that the information requested is the
minimum necessary for the stated purpose.
C. Incidental Use. A use or disclosure that occurs incidentally to
another use or disclosure permitted by this Manual shall be acceptable,
provided that IPPI employs reasonable safeguards to limit incidental
uses and disclosures.
D. Consultation with State Privacy Officer. If there is a question as to what
the “minimum amount of PHI” should be in any of the above situations,
the State Privacy Officer shall be consulted. In the absence of the State
Privacy Officer, or should the State Privacy Officer him/herself wish, the
Corporate Privacy Officer shall be consulted.
V. ACCESS/AUTHORIZATION
Policy: Only authorized persons shall have access to the PHI of Persons Served.
Procedures:
A. The Institute of Professional Practice alone shall determine which
positions will be authorized for such access.
B. Electronic software used must allow individualized
access, provided that appropriate precautions shall be taken, as described
in Section VI to prevent unauthorized access.
C. Written records containing PHI shall be locked in file cabinets or kept in
file cabinets in rooms that are locked or in locked rooms.
D. Authorized persons shall not leave written records unattended
on their desks or in public places.
E. For purposes other than treatment, payment or operations, or other
permitted uses, written or electronic records shall not be provided to
anyone unless an authorization has been obtained from the appropriate
person(s).
F. Electronic records shall be viewable on computer monitors
only by staff who have been authorized to view those records.
G. All computers or other electronic devices with electronic records on them,
including hardware where electronic records are saved, shall be password
protected to prevent unauthorized access.
VI. ACCESS/LIMITED ACCESS TO PERSONS SERVED RECORDS
Policy:
Unauthorized staff shall have no access to PHI. Authorized staff may have access
to all or part of the Persons Served file as determined by IPPI.
Procedures:
A. The State Director or his/her designee shall determine what
positions/employees shall have access to the files of Persons Served within
their state and to what part of the file that position or employee shall have
access. Those decisions shall be made on the basis of the need to know for
the provision of appropriate services.
B. For electronic files, the State Director or his/her designee shall inform
the Network Administrator of the positions/employees which have been
given access to a file and to what part of that file access has been allowed.
C. For electronic files the Network Administrator shall then assign a user
name and the authorized employee who has been given access shall
choose a password. The Network Administrator shall then provide
appropriate access to the authorized positions. This may range
anywhere from full access to partial access as determined by the State
Director. Authorization levels shall be reviewed by the State Director at
least annually and as circumstances warrant.
D. Each time an employee in an authorized position wishes to access an
electronic file from a computer or other electronic device, that
employee must enter his/her user name and password.
E. Passwords shall be changed as often as necessary to protect the security of
electronic files, in accordance with best practices, which practices shall be
reviewed periodically and as circumstances warrant.
F. Periodically in accordance with security best practices, the Network
Administrator and/or State IT Security Officer shall monitor electronic
files to see if non-authorized personnel are attempting to, or have been,
accessing data to which they do not have authorized access and provide a
report to the State Director.
State IT Security Officer refers to that person designated by the State
Director to be responsible for HIPAA Security policies and procedures.
G. Employees shall not leave their computers when a file containing PHI is
open. However, in order to further accommodate computer security for
electronic files, screen savers shall be launched after twenty (20) minutes
of inactivity. The screen saver shall also be password protected to prevent
unauthorized access to a computer and its stored information. When staff
leave their stations and expect to be absent, they shall log off or lock their
workstation so that information can be accessed only by staff with the
authorized password.
H. Computer monitors shall be placed in shared offices so that staff at one
monitor shall not be able to see PHI data on another monitor.
I. When an invalid password is entered three consecutive times, the machine
shall lock after the third attempt to protect electronic files, and further
unauthorized access shall be denied.
J. If computer access was locked because the authorized employee
forgot his/her password, then the authorized employee
must ask the Network Administrator or State Privacy or Security Officer
to unlock his/her computer.
K. The Network Administrator and the State IT Security Officer both shall be
notified of any attempt to breach electronic files.
L. Software designed to prevent breaches of electronic files shall be utilized
by IPPI.
M. The State Privacy Officer shall also monitor access to non electronic files
and shall investigate any reported incidents of breaches or any suspicious
evidence of breach activity.
N. If breach attempts are traced to a particular employee(s), corrective action
shall be taken immediately by the State Security Officer in conjunction
with the State Director, and notice of the breach and corrective action shall
be given to the Network Administrator.
O. All employees shall be trained to report any suspected incidents of
breaches in privacy to their respective program manager and directly to
the State Privacy Officer in their state.
P. All such reports shall be documented and filed appropriately in a secure
file or location and in the employee’s personnel file, and shall include a
description of the incident, findings, recommendations, corrective action
and follow up. A copy of any sanctions meted out to any employee(s) shall
be placed in the employee(s) personnel file. A copy of the report
summarizing the breach and the corrective action shall be sent to the
Corporation’s Privacy Office in the event of a serious breach.
Q. IPPI shall keep all records concerning Persons Served separate from other
information held by IPPI concerning the Person Served and including any
employment-related information kept by IPPI.
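The access controls that Section VI requires of electronic files (per-user credentials for each access in D, a lock after three consecutive invalid passwords in I, unlock only by the Network Administrator or the State Privacy or Security Officer in J, a password-protected lock after twenty minutes of inactivity in G, and a record of attempted unauthorized access for the State Director in F) can be modelled as a small reference implementation. The following Python module is an added example written for this page; it is not IPPI's own software, and the role names, the `Account` fields and the audit event labels are assumptions chosen here to make the policy checkable.

```python
"""Reference model of the Section VI access controls (added example, not IPPI's code).

Constants and role names below are assumptions made for this illustration;
the numeric limits come from Section VI.G (20 minutes) and VI.I (3 attempts).
"""
from dataclasses import dataclass, field
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 3          # VI.I: lock after the third invalid password
IDLE_LOCK_SECONDS = 20 * 60      # VI.G: password-protected lock after 20 minutes idle

# Roles that may clear a lock under VI.J (hypothetical role identifiers).
UNLOCK_ROLES = {"network_admin", "state_privacy_officer", "state_security_officer"}


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the stored credential is not the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    access_level: str              # "full" or "partial", as set by the State Director (VI.C)
    failed_attempts: int = 0       # consecutive failures; reset on success
    locked: bool = False
    session_open: bool = False
    last_activity: float = 0.0     # seconds; the caller supplies the clock
    audit: list = field(default_factory=list)   # (time, event) pairs for VI.F reporting


def create_account(username: str, password: str, access_level: str) -> Account:
    """VI.C: the Network Administrator assigns the user name; the employee chooses the password."""
    salt = os.urandom(16)
    return Account(username, salt, _hash_password(password, salt), access_level)


def login(acct: Account, password: str, now: float) -> bool:
    """VI.D and VI.I: every access needs credentials; three bad passwords in a row lock the account."""
    if acct.locked:
        acct.audit.append((now, "login_denied_locked"))
        return False
    if hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
        acct.failed_attempts = 0
        acct.session_open = True
        acct.last_activity = now
        acct.audit.append((now, "login_ok"))
        return True
    acct.failed_attempts += 1
    acct.audit.append((now, "login_failed"))
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked = True
        acct.session_open = False
        acct.audit.append((now, "account_locked"))   # VI.K: both officers are notified
    return False


def admin_unlock(acct: Account, role: str, now: float) -> bool:
    """VI.J: only the Network Administrator or State Privacy/Security Officer may unlock."""
    if role not in UNLOCK_ROLES:
        acct.audit.append((now, f"unlock_refused_{role}"))
        return False
    acct.locked = False
    acct.failed_attempts = 0
    acct.audit.append((now, f"unlocked_by_{role}"))
    return True


def touch(acct: Account, now: float) -> None:
    """Record user activity so the idle timer restarts."""
    acct.last_activity = now


def session_active(acct: Account, now: float) -> bool:
    """VI.G: after twenty minutes without activity the session is locked until the password is re-entered."""
    if acct.session_open and now - acct.last_activity >= IDLE_LOCK_SECONDS:
        acct.session_open = False
        acct.audit.append((now, "idle_locked"))
    return acct.session_open


def suspicious_events(acct: Account) -> list:
    """VI.F: the events the Network Administrator / State IT Security Officer would report to the State Director."""
    flagged = {"login_failed", "account_locked", "login_denied_locked"}
    return [e for e in acct.audit if e[1] in flagged or e[1].startswith("unlock_refused_")]


if __name__ == "__main__":
    # Constructed walk-through: three wrong passwords, a refused unlock, a proper unlock, then idle lock.
    a = create_account("jdoe", "correct horse battery", "partial")
    for t in (0.0, 1.0, 2.0):
        login(a, "wrong", t)
    print("locked after 3 failures:", a.locked)
    print("program manager may unlock:", admin_unlock(a, "program_manager", 3.0))
    print("network admin may unlock:", admin_unlock(a, "network_admin", 4.0))
    print("login ok:", login(a, "correct horse battery", 5.0))
    print("still active at 19 min:", session_active(a, 5.0 + 19 * 60))
    print("active at 20 min:", session_active(a, 5.0 + 20 * 60))
    print("events for the State Director:", suspicious_events(a))
```

The clock is passed in rather than read from `time.time()` so the idle timeout can be exercised deterministically; a real deployment would take the same behaviour from the operating system's lockout and screen-saver settings rather than from application code.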
VII. INFORMAL DISCLOSURE OF PHI
Policy: Informal disclosure of PHI shall be eliminated or minimized.
Procedures:
A. Staff orientation and re-training sessions shall stress (i) the need for
privacy with emphasis placed on the dangers of informal sharing of
information, (e.g., conversations in hallways and other public places,
telephone conversations, and privacy leaks in computer locations), and (ii)
that IPPI does not tolerate violations of the Manual, and that employees
shall be subject to discipline up to and including termination for a
violation of the Manual.
B. Staff discussions of PHI shall be only for treatment or business purposes
and only on a “need to know” basis. Discussions shall be conducted in a
professional and dignified manner and only in an appropriate place, such
as in an individual office, and with other persons with whom the sharing
of such information has been authorized, or in a peer review or
consultation situation, or a special committee established by law,
regulation or required by professional discipline.
C. Doors shall be locked when offices are not expected to be in use.
D. Files shall either be locked or kept in rooms that are locked.
E. Fax machines shall either be kept secure or kept in an area that is
monitored to see that no one but authorized employees receive
information.
G. Employees making copies of PHI on copy machines will remove the
originals and copies immediately upon making them and shall dispose of
them only in secure recycling bins or shall shred them immediately.
H. Smart phones and pocket PCs shall be equipped so that, after a determined
period of time, the device shall automatically go to “password protected”
when not in use and cannot be re-opened unless the proper password is
entered.
VIII. BUSINESS ASSOCIATES/ADHERENCE TO POLICY
Policy: IPPI shall require any Business Associate of IPPI, as defined in
paragraph E below, to agree by written agreement to certain restrictions and
duties with respect to PHI that the Business Associate creates, collects or holds on
behalf of IPPI in its capacity as a covered entity.
Procedures:
A. Identifying Business Associates.
IPPI shall review existing contracts that involve the use or disclosure of PHI or
any other function regulated by the HIPAA Privacy Standards (including, but not
limited to, contracts with an entity that creates, receives, stores, maintains or
transmits PHI) in order to determine whether such contracts need to be amended to
include Business Associate agreement provisions. Prior to entering into any
new agreement with another entity concerning such services or activities,
IPPI shall determine whether the entity is a Business Associate as a result
of such services or activities.
B. Contracting with Business Associates.
If a Business Associate creates, receives, maintains, stores, uses, transmits
or discloses the PHI of Persons Served, IPPI shall require the Business
Associate to enter into a written contract or other written agreement with
IPPI that:
i. Establishes the Business Associate’s permitted and required uses
and disclosures of PHI of Persons Served, which uses and
disclosures would not violate the HIPAA Privacy Standards if
performed by IPPI, except that the agreement may permit the
Business Associate to (i) use Persons Served PHI as necessary to
carry out the Business Associate’s proper management and
administration or legal responsibilities; (ii) disclose PHI of Persons
Served for such purposes if the disclosure is required by law or if
the Business Associate obtains reasonable assurances from the
person to whom PHI is disclosed that it will be held confidentially
and used or further disclosed only as required by law or for the
purpose for which it was disclosed to the person and the person
notifies the Business Associate of any instances of which it is
aware in which the confidentiality of Persons Served PHI has been
breached; and (iii) conduct data analyses relating to the health care
operations of both IPPI and another entity of which the Business
Associate is a Business Associate;
ii. Provides that the Business Associate will (i) implement
administrative, physical, and technical safeguards that reasonably
and appropriately protect the confidentiality, integrity and
availability of electronic PHI that the Business Associate creates,
receives, maintains or transmits on behalf of IPPI and (ii) authorize
termination of the contract by IPPI if it determines the Business
Associate has violated a material term of the contract;
iii. Provides that the Business Associate shall use appropriate
safeguards to prevent use or disclosure of IPPI PHI other than as
provided for by the agreement;
iv. Provides that the Business Associate shall report to IPPI any
use or disclosure of Persons Served PHI not provided for by
the agreement of which it becomes aware;
v. Provides that the Business Associate shall ensure that any
agent, including a Subcontractor, to whom it provides PHI of
Persons Served, agrees to the same restrictions and conditions
that apply to the Business Associate with respect to such PHI;
vi. Provides that the Business Associate shall make available to IPPI
the PHI of Persons Served that is necessary for IPPI to
respond to a request made;
vii. Provides that the Business Associate shall make its internal
practices, books, and records relating to the use and disclosure
of PHI of Persons Served available to the Secretary of Health
and Human Services for purposes of determining IPPI’s
compliance with the HIPAA Privacy Standards;
viii. Provides that the Business Associate shall, at termination of the
underlying service agreement, if feasible, return or destroy all
PHI of Persons Served that the Business Associate still
maintains in any form and retain no copies of such PHI or, if
such return or destruction is not feasible, extend the
protections of the agreement to the PHI and limit further uses
and disclosures to those purposes that make the return or
destruction of the PHI of Persons Served infeasible;
ix. Authorizes termination of the agreement by IPPI in the event
that IPPI determines that the Business Associate has violated a
material term of the agreement, except that this provision may
be omitted from the agreement if it is inconsistent with the
statutory obligations of IPPI or the Business Associate; and
x. Provides that the Business Associate shall notify IPPI of any
breach of unsecured Protected Health Information in
accordance with the requirements of Section XLVII of Part A
of this Manual and the requirements of the Health Information
for Economic and Clinical Health Act of 2009.
Notwithstanding the foregoing, if an entity is required by law to perform an
activity or provide a service, and the entity qualifies as a Business Associate
solely because of such legally required activities or services, IPPI may either
(x) require the entity to enter into a written agreement as described above, (y)
obtain satisfactory assurances from the entity that it will comply with the
agreement’s provisions described above, or (z) if IPPI’s good faith attempt to
obtain such satisfactory assurances fails, document the attempt and the
reasons that such assurances could not be obtained. A model Business
Associate Agreement and a Business Associate Tracking Sheet are provided
in Part C to the Manual.
C. Monitoring Business Associates.
If IPPI learns that a Business Associate has materially violated one or
more of the written agreement’s provisions described in this Section
VIII, IPPI shall take reasonable steps to end the violation and mitigate
the violation’s harmful effects. If IPPI’s steps to end the violation and
mitigate its effects are unsuccessful, IPPI shall terminate the contract
or arrangement with the Business Associate or, if the State Privacy
Officer determines that such termination is not feasible, report the
problem to the Secretary.
D. Documentation of Business Associates.
IPPI shall retain any written agreement with a Business Associate, or
any other set of written provisions intended to comply with this
Section. Such documentation shall be retained in accordance with
Section XXXIX of this Part A of the Manual.
Employees may disclose PHI to IPPI’s Business Associates and allow
Business Associates to create or receive or transmit PHI on its behalf.
However, prior to doing so, IPPI must first obtain assurances from the
Business Associate that it will appropriately safeguard the information.
Before sharing PHI with outside consultants or contractors who meet the
definition of a “Business Associate,” employees must verify that a
Business Associate contract is in place.
E. A “Business Associate” is an entity as defined above in Definitions.
F. Forms used in the administration of this Policy:
i. Business Associate Agreement (See 2, Part C (Forms) of the Manual).
ii. Business Associate Tracking Worksheet (See 3, Part C (Forms) of the
Manual).
IX. PROTECTION OF PHI DURING NON-EMERGENCY/PERMITTED
USES
Policy: Federal and state laws, and the ethical requirements of certain
professional disciplines to which some employees of IPPI are subject may require
the formation of committees for the performance of peer review, safety,
certification, abuse review, and record oversight etc. Further, good clinical
practice requires supervision as a necessary component of treatment. Participants
in these meetings, consultations, or supervisory sessions may or may not have
been specifically authorized to access the record of a Person Served. Therefore, it
is IPPI’s policy to notify Persons Served of this potential disclosure of PHI and
to obtain the consent of Persons Served to this use of their PHI as part of
the provision of services.
Procedures:
It shall be the practice of IPPI that:
A. Each Person Served shall be given notice that such meetings may be held
and that their case may be reviewed by persons with whom the Person
Served has not had a previous professional relationship. Persons Served,
or their legal representative, will be provided with notice of such privacy
practice prior to receiving services.
B. All employees who are members of the committees referenced above and
all supervisors and consultants shall sign statements that they understand
the requirements of confidentiality in all situations where they have access
to PHI, whether authorized or not, and such statements of understanding
shall be filed in the employee’s personnel record or in the consultant’s file.
X. THERAPY AND COUNSELING RECORDS
Policy: Therapy and counseling records of Persons Served shall be properly
protected.
Procedures:
A. Therapy/counseling records shall be kept in a locked file or a secured area,
and shall be available only to authorized employees.
B. Changes in therapy and counseling notes shall be made in such a way that
the material changed or corrected is still clearly visible and the
correction/change is signed and dated. (See Section XIV of Part B of the
Manual).
C. Employees who might otherwise have access to an entire file of a Person
Served, may not necessarily be authorized to see therapeutic or counseling
notes. The determination of access and authorization to such notes shall be
the responsibility of the State Director or his/her designee.
D. The materials in such records shall not be shared with anyone outside the
agency (except in emergency situations) unless (i) they are being used as
permitted under Sections XX-XXVI or (ii) authorized by the person
served or his/her legal representative, and subject to the conditions set out
in Sections XXVII- XXXI of this Part A of the Manual.
E. IPPI shall not release any information about Persons Served that was not
generated at IPPI to any person or legal entity outside the agency unless
the recipient is a covered entity with whom IPPI has a Business Associate
Agreement (provided the Business Associate Agreement does not prohibit
or restrict further disclosure), or is a parent, guardian or advocate of
the Person Served. All requests for such material must be made to the
original source. For example, if a Person Served enters a hospital and the
hospital provides IPPI with a therapeutic summary, all requests for that
summary must be made directly to the hospital, unless they are a covered
entity with whom IPPI has a Business Associate Agreement which permits
such further disclosure.
F. When information is released as a result of the request or consent of a
Person Served, their family or legal guardian, the date the material has
been sent will be noted on the request or consent document, or on an
official form, and shall be placed in the record of the Persons Served.
XI. RECORDS CORRECTION
Policy: Records shall be corrected by authorized staff in a manner that does not
make the original entry unreadable, except that incorrectly filed information may
simply be moved to the correct individual’s file.
Procedures:
A. Errors shall be identified by crossing out, circling, or covering with a
translucent color, e.g. yellow, so the erroneous material can be easily read.
B. The correction and any additional material related to the correction, shall
be initialed and dated.
C. No corrections shall be made by whiting out the material or using other
opaque fluids, or by shredding, throwing out or otherwise removing the
corrected material completely from sight.
D. Electronic records shall be corrected as provided in Section XIV of Part B
(Security) of the Manual.
XII. CLOSED CASES
Policy: The privacy of closed cases of Persons Served shall be maintained.
Procedures:
A. All closed records that are written shall be kept in locked files, or kept in
files in a room which will be locked, or both.
B. All closed cases which have been recorded in whole or in part on
computers, shall only be downloaded to encrypted flash drives or saved on
a server and deleted from the computer itself. All backup material shall be
kept in secure storage, e.g. a locked file, or in a file in a room which is
locked, or both.
C. Access to such closed cases shall be authorized only by the State Director
or his/her designee, or, in Vermont, the Executive President.
D. Unless otherwise required by law, cases which have been formally closed
for 7 years and in which no activity has been recorded for 7 years, and
cases which have not been formally closed, but in which no activity has
been recorded for 7 years, shall be destroyed by shredding or other
acceptable methods of destruction unless required to be kept for longer
periods by law or other regulation. Records for active Persons Served are
retained for ten (10) years, unless otherwise required by law.
E. No information from such closed files shall be released unless the person
served, or the legal representative, authorizes such release and there shall
be a written record when the information was released and when it was
returned to the file.
XIII. MAILING PHI
Policy: Mailings including PHI shall be kept confidential.
Procedures:
A. Records containing PHI, if mailed, should be sent in a sealed envelope
marked “CONFIDENTIAL.”
B. The staff employee under whose direction a mailing is directed shall take
reasonable steps to assure that the envelope is marked and secure as
described above.
XIV. E-MAIL MESSAGES
Policy: IPPI shall safeguard PHI so as to minimize uses and disclosures of PHI
that violate HIPAA’s privacy standards or the policies or procedures set forth in
this policy. PHI shall not be inappropriately communicated electronically via
e-mail.
Procedures:
A. All e-mail messages sent or received that concern PHI of Persons Served
shall be treated as part of their medical/personal records with the same
degree of confidentiality as other parts of that record.
B. Whenever feasible, the transmission should be made via a system which
has the capability of securely encrypting the messages from point of entry
into the messaging system until delivered to the intended recipient in such
a way that only the intended recipient can decrypt them.
C. Whenever feasible, an IPPI employee should assure that PHI
sent through e-mail is protected by firewalls, encryption, verification software,
recipient and sender name, and password systems.
D. E-mails containing PHI shall be labeled confidential, and the label shall
require the authorized person receiving the material to confirm receipt. Should
the person receiving the material not be authorized to do so, the confidential
label shall also instruct that person to notify the sender that he/she was not
authorized to receive it and to destroy the material.
E. Emails containing PHI must include a privacy statement notifying the
recipient of the insertion of electronic messaging and of whom to contact
should the message be misdirected. Misdirected messages must be
documented in the Disclosure Log (See Part C of the Manual) upon the
notification of the message being misdirected.
F. Forms used in the administration of this Policy:
1. Disclosure Log (See 15, Part C (Forms) of the Manual).
XV. FACSIMILE
Policy: PHI shall not be inappropriately communicated via facsimile.
Procedures:
A. All fax machines and the rooms in which they are situated must be
secure and/or reasonably private.
B. Employees must limit information transmitted to what is necessary to meet
the requester’s needs to the limit of the requester’s authorization.
C. Employees must make reasonable efforts to ensure that they send the fax
appropriately to an authorized person. To help ensure that faxes are sent to
the correct destination, any frequently used numbers or programmed
numbers shall be periodically checked for accuracy, and new fax numbers
shall be confirmed with the intended recipient before any PHI is faxed.
D. All pages of a fax containing PHI shall be marked “CONFIDENTIAL.”
Facsimiles containing PHI must include a privacy statement notifying the
recipient of whom to contact should the message be misdirected and an
instruction to destroy the communication. Misdirected messages must be
documented in a Disclosure Log upon the notification of the message
being misdirected.
E. Employees must report any misdirected faxes to the State Privacy Officer
in their state and to their supervisor.
F. The Privacy or Security Officer in each state shall periodically and/or
randomly check all speed dial numbers to ensure their currency,
validity, accuracy and authorization to receive confidential information.
XVI. TELEPHONE
Policy: IPPI shall reasonably safeguard PHI that is orally used or disclosed. PHI
shall not be inappropriately communicated via telephone.
Procedures:
A. All telephone messages sent or received that concern PHI of Persons
Served or employees shall be treated as part of their medical record and
with the same degree of confidentiality as other parts of the record.
B. Employees must make reasonable efforts to ensure that they transmit PHI
via the phone only to authorized persons.
C. Employees must limit information transmitted to what is necessary to meet
the requester’s needs and to the limit of their authorization.
D. Telephone conversations involving PHI must take place in private areas.
E. The loss or theft of any Smart Phones/Pocket PCs, PDAs or other portable
devices shall immediately be reported by the employee to the Network
Administrator who shall immediately wipe the device clean from all data,
including PHI.
XVII. TRANSCRIPTION
Policy: Transcription of PHI shall be done in such a way as to maximize the
confidentiality and integrity of the information.
Procedures:
A. It is understood that the transcription system and all transcribed data
are part of the business equipment of IPPI, are owned by IPPI, and are not
the property of the users of the system.
B. Employees do not have the right of privacy in their use of the
transcription system or its data. IPPI reserves the right to monitor, audit
and read transcribed documents.
C. IPPI may monitor the content and usage of the transcription system to
support operational, maintenance, auditing, security and investigative
activities.
D. Transcriptionists and others using the transcription system may transcribe
only after having completed proper training and having received proper
authorization solely relative to transcription in accordance with IPPI’s
Privacy and Security Policies.
E. Dictation shall not be done in an environment in which unauthorized
persons can overhear confidential dictation.
F. Transcriptionists, when transcribing in an electronic data base, must log
off computers and dictation equipment when transcribing is not being
done, unless they use a pause feature that removes the documentation from
screen view and access until the transcriptionist reactivates it.
G. Dictation on analog audio cassettes, CDs, or other voice files may only
be shipped with carriers authorized by the State Director
or his/her designee.
H. Employees shall not transmit voice data to equipment with an
activated auto answer such as an answering machine unless it has been
properly secured. The recipient of such voice data should immediately
acknowledge its receipt to the sender.
I. Users may store dictation only for the length of time necessary to
transcribe and review documentation and in a manner that protects
against unauthorized access. Once a voice file has been transcribed and the
data received by the provider, the voice file shall be deleted from a digital
system or erased from an analog system in a manner that
prevents unauthorized access. Destruction must be in a manner
approved by the State Director or his/her designee. Transcribed tapes
may not be re-used unless erased.
J. After the transcriptionist completes a report he/she shall authenticate it
using an identifier assigned by the State Director or his/her designee.
K. No transcriptionist may release any patient data except to the
originator of the document or to persons authorized by the State
Director or his/her designee.
L. Dictation playback must be done in a secure environment that
protects the information from being overheard by unauthorized
personnel.
XVIII. PRINTING/COPYING
Policy: Printing, copying or downloading PHI shall be done in such a manner as
to maximize privacy.
Procedures:
A. When using the network’s printers, employees must go immediately to
the printer and retrieve the information to avoid unauthorized viewing
of confidential material.
B. All PHI copied by staff shall be removed immediately from the machine
by the person making the copies along with the original material.
XIX. PHI SHALL BE STORED SECURELY
Policy: IPPI will establish appropriate administrative, physical and technical
procedures, including limiting access to information by creating computer
firewalls and physical safeguards, to prevent PHI from being intentionally or
unintentionally disclosed in violation of HIPAA’s requirements.
Procedures:
A. Buildings where PHI is stored shall be locked after normal operating
hours.
B. Windows to all rooms shall be locked after normal operating hours.
C. Keys shall be given to an employee only to the areas where they have been
given authorized access.
D. All keys to the buildings that are issued to employees shall be logged.
E. Upon leaving agency employment all keys given to the employee shall be
turned in, and State Human Resource Directors shall be responsible for
establishing policies in their own states for securing the return of keys.
F. Rooms with servers shall be locked at the end of the day.
G. Rooms containing PHI shall be locked at the end of regular business hours;
where a room cannot be locked, the file cabinets in that room shall be locked instead.
H. Files containing PHI that can be locked shall be locked at the end of the
day. Files that cannot be locked shall be stored in rooms that can be locked
and these rooms shall be locked at the end of the regular business day.
I. When employees are finished with their computers for the day they shall
secure them by logging off or shutting them down to prevent any breach
from unauthorized users.
XX. IDENTIFICATION OF NON PHI/DE-IDENTIFYING PHI
Policy: IPPI will establish appropriate procedures for the de-identification of PHI.
Procedures:
A. Information that does not identify an individual and that IPPI has no
reasonable basis to believe can be used to identify an individual is de-
identified information and may be used as described herein. IPPI has the
capability to identify all information that is not PHI. Only health
information that “identifies” an individual is subject to the HIPAA privacy
standards as described in the Manual. Consequently, health information
that does not identify an individual, and with respect to which there is no
“reasonable basis” to believe that information may be used to identify any
individual, is not PHI and not subject to the privacy standards.
IPPI will designate employees in each state with the appropriate
knowledge and experience for rendering information not individually
identifiable. These designated employees will be aware of all the
individual identifiers that need to be removed to render health information
non-PHI.
B. Removing identifying information shall be referred to as “de-identifying”
PHI. Once information has been de-identified it may be used in a number
of ways, including as a tool in utilization review and as a Limited Data
Set as defined in Section XXXIX of this Part A of the Manual for
research, evaluation, public health uses or health care operations,
marketing, fundraising, etc.
C. Methods used to Demonstrate Information as De-identified.
1. A person with appropriate knowledge of and experience with
generally accepted statistical and scientific principles and methods
for rendering information not individually identifiable: (i)
determines, applying such principles and methods, that the risk is
very small that the information could be used, alone or in
combination with other reasonably available information, by an
anticipated recipient to identify an individual who is a subject of
the information, and (ii) documents the methods and results of the
analysis that justify such determination; or
2. IPPI ensures that (i) it does not have actual knowledge that the
information could be used alone or in combination with other
information to identify an individual who is a subject of the
information, and (ii) the following identifiers of the individual, or
relatives, employers, or household members of the individual, are
removed:
Names;
All geographic subdivisions smaller than a state, including
street address, city, county, precinct, and zip code and their
geocodes (except that the initial three digits of a zip code may
be used if more than 20,000 people reside within the area
included in all zip codes sharing those initial three digits, and,
if fewer than 20,000 people reside within such area, the number
“000” may be used instead);
All elements of dates (except the year) for dates directly related
to an individual, including birth date, admission date, discharge
date, and date of death;
All ages over 89 and all elements of dates (including the year)
indicative of such age, except that such ages and elements may
be aggregated into a single category of age 90 or older;
Telephone numbers;
Fax numbers;
Electronic mail addresses;
Social Security numbers;
Medical record numbers;
Health plan beneficiary numbers;
Account numbers;
Certificate/license numbers;
Vehicle identifiers and serial numbers, including license plate
numbers;
Device identifiers and serial numbers;
Web Universal Resource Locators (URLs);
Internet Protocol (IP) address numbers;
Biometric identifiers, including finger and voice prints;
Full face photographic images and any comparable images; and
Any other unique, identifying number, characteristic, or code
to re-identify the information.
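The identifier list in C.2 above is mechanical enough to apply in code. The following is an added illustration, not IPPI's own procedure or software: it drops the listed identifiers, keeps only the year of personal dates, applies the three-digit zip code rule with its 20,000-resident threshold, and folds ages over 89 into "90 or older". The field names, the sample record and the ZIP3 population table are constructed assumptions, not real data.

```python
"""Safe Harbor de-identification of one record, following the identifier
list in Section XX.C.2.  Added illustration; field names, sample record and
the ZIP3 population table are constructed, not IPPI's or Census data."""
import re
from datetime import date

# Identifiers that Section XX.C.2 removes outright.  Constructed field names
# chosen to mirror the list; a real record schema will differ.
REMOVE_FIELDS = {
    "name", "street_address", "city", "county", "precinct", "phone", "fax",
    "email", "ssn", "medical_record_number", "health_plan_beneficiary_number",
    "account_number", "certificate_license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "photo",
}
# Dates "directly related to an individual": every element except the year goes.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# CONSTRUCTED sample of residents per 3-digit zip prefix.  Real figures come
# from Census data; a prefix missing from the table is treated as below threshold.
ZIP3_POPULATION = {"021": 650_000, "036": 12_000}
ZIP_THRESHOLD = 20_000   # "more than 20,000 people" keeps the prefix
AGE_CAP = 89             # ages over 89 collapse into "90 or older"


def generalize_zip(zip_code):
    """Keep the initial three digits only when the prefix area exceeds the
    threshold; otherwise substitute '000' as the rule directs."""
    digits = re.sub(r"\D", "", str(zip_code))
    prefix = digits[:3]
    if len(prefix) == 3 and ZIP3_POPULATION.get(prefix, 0) > ZIP_THRESHOLD:
        return prefix
    return "000"


def year_only(value):
    """Reduce a date (date object or ISO 'YYYY-MM-DD' string) to its year;
    anything else is unparseable and is dropped (None)."""
    if isinstance(value, date):
        return str(value.year)
    m = re.match(r"^(\d{4})-\d{2}-\d{2}$", str(value))
    return m.group(1) if m else None


def age_on(birth, as_of):
    """Completed years of age on the reference date."""
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))


def de_identify(record, as_of):
    """Return a de-identified copy of `record` (a dict).  Free-text fields
    pass through unchanged: spotting 'any other unique identifying number,
    characteristic, or code' in narrative text is the designated employee's
    judgment under Section XX.A, not something this function can decide."""
    age = record.get("age")
    birth = record.get("birth_date")
    if age is None and isinstance(birth, date):
        age = age_on(birth, as_of)
    over_cap = age is not None and age > AGE_CAP

    out = {}
    for key, value in record.items():
        if key in REMOVE_FIELDS:
            continue                      # listed identifier: dropped entirely
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key in DATE_FIELDS:
            # For an age over 89 even the birth year is "indicative of such age".
            if key == "birth_date" and over_cap:
                continue
            out[key] = year_only(value)
        elif key == "age":
            out[key] = "90 or older" if over_cap else value
        else:
            out[key] = value              # e.g. diagnosis codes, clinical notes
    return out


if __name__ == "__main__":
    # CONSTRUCTED sample record; no real person is described.
    sample = {
        "name": "Jane Q. Sample", "zip": "02139", "ssn": "000-00-0000",
        "birth_date": date(1950, 6, 1), "admission_date": date(2010, 3, 4),
        "ip_address": "192.0.2.10", "diagnosis": "F32.1",
    }
    print(de_identify(sample, as_of=date(2013, 9, 23)))
```

Note that the function only handles structured fields; the second method in C.1 (a statistical determination that re-identification risk is very small) is a documented expert analysis, not a transformation that can be coded this way.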
XXI. PERMITTED USES/TREATMENT
Policy: The HIPAA Privacy Standards do not require a consent from the Person
Served to execute health care treatment. The standards do give covered entities
express permission to use or disclose PHI under certain circumstances for
treatment.
Procedures:
A. “Treatment” is defined as the provision, coordination or management of
health care and related services by one or more health care providers,
including:
1. Coordination or management of health care by a health care
provider with a third party;
2. Consultation between health care providers relating to a patient;
and
3. Referral of a patient for health care by one health care provider to
another.
B. “Treatment” is dependent on the provision of “health care” which is
defined as services that prevent, treat, cure or heal human physical and
mental conditions and illnesses, and includes, but is not limited to:
1. Preventive, diagnostic, rehabilitative, maintenance or palliative
care, and counseling, service, assessment or procedure with
respect to the physical or mental condition or functional status of
an individual or to the structure or function of the body;
2. Sale or dispensing of a drug, device, equipment, or other item in
accordance with a prescription.
C. A release of PHI is for treatment only if:
1. The recipient of the PHI is a health care provider, but not another
entity, including a health plan;
2. The PHI must enable the recipient provider to treat the Persons
Served;
3. Only one Person Served directly benefits from the release of the
PHI.
D. Staff shall disclose PHI only for purposes of the treatment in accordance
with the standard set forth in this Section XXI. Notwithstanding the
above, a use or disclosure of PHI that constitutes an individual’s entire
medical record or psychotherapy notes shall not be considered made under
routine circumstances and shall require the approval of the State Privacy
Officer.
XXII. PERMITTED USES/PAYMENT
Policy: The HIPAA Privacy Standards do not require the consent of a Person
Served to execute payment for health care.
Procedures:
A. “Payment” is defined as activities undertaken by:
1. A health plan to obtain premiums or to determine or fulfill its
responsibility for coverage and provision of benefits under the health
plan;
2. A health care provider, or health plan, to obtain or provide
reimbursement for the provision of health care.
B. Payment activities include, but are not limited to, the following:
1. Determinations of eligibility or coverage, including the coordination of
benefits, or the determination of cost sharing amounts, and
adjudication or subrogation of health benefit claims;
2. Risk adjusting amounts due, based on enrollee health status and
demographic characteristics;
3. Billing and claims management collection activities;
4. Obtaining payment under a contract for reinsurance, including stop
loss insurance and excess loss insurance, and related health care data
processing;
5. Review of health care services with respect to medical necessity,
coverage under a health plan, appropriateness of care, or justification
of charges;
6. Utilization review activities, including pre-certification and pre-
authorization of services, concurrent and retrospective review of
services;
7. Disclosure to consumer reporting agencies of any of the following PHI
relating to collection of premiums or reimbursement: name and
address, date of birth, Social Security number, payment history,
account number, name and address of the health care provider and/or
health plan, uses and disclosures of debt collection activities.
C. Employees shall disclose PHI only to the extent required for the purposes
of the treatment in accordance with the standards set forth in this section
XXII. Notwithstanding the above, a use or disclosure of PHI that
constitutes an individual’s entire medical record or psychotherapy notes
shall not be considered to be made under routine circumstances and shall
require the approval of the State Privacy Officer.
XXIII. PERMITTED USES/HEALTH CARE OPERATIONS
Policy: The HIPAA Privacy Standards do not require the consent of a Person
Served to release PHI to execute Health Care Operations.
Procedures:
A. Health Care Operations encompass operational and administrative tasks of
the health care entity in five major areas:
1. Quality Assurance (QA) and Quality Improvement (QI) Activities:
Conducting QA and QI activities, including:
outcome evaluation and development of clinical guidelines;
population-based activities relating to improving health or
reducing health care costs;
protocol development;
case management and care coordination;
contacts with health care providers and patients with
information about treatment alternatives; and
related functions that do not include treatment.
2. Reviews and Evaluations:
reviewing the competence or qualification of health care
professionals;
evaluating practitioner, provider or health plan
performance;
conducting training programs in which health care students,
trainees or practitioners learn under supervision to practice
or improve their skills as health care providers;
training non-health care professionals;
accreditation, certification, licensing, or credentialing
activities.
3. Professional Services: conducting or arranging for medical review,
legal services, and auditing functions, including fraud and abuse
detection and compliance programs.
4. Business Planning: business planning and development such as
conducting cost-management and planning related analyses relating
to managing and operating the entity.
5. Business Management and Administration:
management activities relating to implementation of,
and compliance with, privacy standard requirements;
customer service, including the provision of data
analyses, provided that PHI is not disclosed;
resolution of internal grievances;
the sale, transfer, merger or consolidation of all or part
of IPPI with another covered entity or an entity that
will become a covered entity after these transactions,
and due diligence conducted in conjunction with these
activities;
creating de-identified information or Limited Data Set,
as defined herein, fundraising for the benefit of the
covered entity; and
disclosing PHI to a medical liability insurer.
B. Employees shall use or disclose PHI only to the extent required for the
permitted use or disclosure in accordance with the standard set forth in this
Section XXIII. Notwithstanding the above, a use or disclosure of the
Person Served’s entire medical record or psychotherapy notes shall not be
considered routine and shall require the approval of the State Privacy
Officer.
XXIV. PERMITTED USES/ LEGAL, JUDICIAL, ADMINISTRATIVE, AND
LAW ENFORCEMENT PROCEEDINGS
Policy: IPPI shall disclose PHI without prior written authorization to the extent
that such use or disclosure is required by proper legal, judicial, administrative,
and law enforcement proceedings.
Procedures:
A. Disclosures for Law Enforcement Purposes: IPPI may disclose an
individual’s PHI to a law enforcement official under any of the
following circumstances:
1. Court Order: In compliance with and as limited by the relevant
requirements of a court order, a court-ordered warrant, a subpoena
or summons issued by a judicial officer, a grand jury subpoena,
or—if (A) the PHI sought is relevant and material to an IPPI
related law enforcement inquiry, (B) the request is specific and
limited in scope to the extent reasonably practicable in light of the
purpose for which the PHI is sought, and (C) De-identified
information could not reasonably be used—an administrative
request (including an administrative subpoena or summons, a civil
or an authorized investigative demand, or similar process
authorized under law);
2. Using PHI for Identification or Location: In response to a law
enforcement official’s request for such PHI for the purpose of
identifying or locating a suspect, fugitive, material witness, or
missing person;
3. Alerting of Death: For the purpose of alerting law enforcement of
the individual’s death, if IPPI suspects that such death resulted
from criminal conduct; or
4. Alerting of Criminal Conduct: Due to IPPI’s good faith belief that
such PHI constitutes evidence of criminal conduct that occurred in
connection with benefits obtained through IPPI.
B. Mandatory versus Permissive Legal Requirements. IPPI shall identify
whether a requested use or disclosure is required by law and the
relevant requirements of such law and comply with such requirements
when using or disclosing PHI pursuant to that law.
IPPI may require the requestor to provide proof that the requested
information is required to be disclosed by IPPI. If IPPI determines that
a use or disclosure is required by law, IPPI shall use or disclose the
PHI that the law requires be used or disclosed as requested. If IPPI
determines the requested use or disclosure is merely permitted, and not
required, by law, IPPI shall determine if the use or disclosure is
permitted under another section of this policy as a permissible
disclosure and follow all requirements set forth in that section.
C. If IPPI determines that the use or disclosure is not required by law and
is not permitted under another section of this policy, IPPI must obtain
an authorization from the individual who is the subject of the PHI; de-
identify the information before using or disclosing it; require the
requestor to obtain the authorization of the individual; or require the
requestor to provide a court order or other legal process that would
authorize IPPI to release the information.
D. No Duty to Disclose. This Section does not create any duty or
obligation to use or disclose PHI to a requestor. Rather, this Section
permits IPPI to use or disclose PHI when IPPI is required by law to do
so.
E. A determination of whether to disclose PHI shall be made by the State
Privacy Officer in consultation with the Corporate Privacy Officer.
F. Should any of the requests described in paragraphs A through E of this
Section XXIV not be required by law, or, if required by law, not be
presented to IPPI in a proper legal fashion, then IPPI may, in its
discretion, decide whether to disclose the PHI. Such decisions shall be
made by the State Privacy Officer in the state in which the request is
made. If the State Privacy Officer chooses to disclose PHI under these
circumstances, the Person Served or his/her legal representative must be
notified and a release obtained. If releases are refused, then IPPI shall not
disclose such information. If the Person Served or his or her legal
representative cannot be reached after diligent efforts by IPPI to do so, the
State Privacy Officer must seek and obtain a Protective Order from a court
of appropriate jurisdiction in order to release the requested information.
Unless such order is given, no information shall be released.
G. Forms used in the Administration of this provision.
1. HIPAA Privacy Disclosure Log (See 15, Part C (Forms) of the
Manual).
XXV. PERMITTED USES/HEALTH, PUBLIC HEALTH OVERSIGHT
Policy: The HIPAA Privacy Standards do not require prior written authorization
of Persons Served to release PHI for Health and Public Health Oversight. IPPI
may disclose PHI to a health/public health oversight agency for oversight
activities authorized by law.
Procedures:
A. Uses and Disclosures for Public Health Activities: Subject to the
minimum necessary rule described in Section IV of this Manual, IPPI
may disclose PHI for:
1. Disease Prevention: A Public Health Authority that is authorized
by law to collect or receive such information for the purpose of
preventing or controlling disease, injury, or disability (including,
but not limited to, the reporting of disease, injury, vital events such
as birth or death, and the conduct of public health surveillance,
public health investigations, and public health interventions) or, at
the direction of a Public Health Authority, an official of a foreign
government agency that is acting in collaboration with the Public
Health Authority;
2. Reporting Abuse or Neglect: A Public Health Authority or other
appropriate government authority authorized by law to receive
reports of child, adult and elder abuse or neglect;
3. FDA Regulation: A person subject to the jurisdiction of the Food
and Drug Administration (“FDA”) with respect to an FDA-
regulated product or activity for which that person has
responsibility, for the purpose of activities related to the quality,
safety, or effectiveness of such FDA-regulated product or activity,
including (A) collecting or reporting adverse events (or similar
activities with respect to food or dietary supplements), product
defects or problems (including problems with the use or labeling of
a product), or biological product deviations, (B) tracking FDA-
regulated products, (C) enabling product recalls, repairs,
replacement, or look back (including locating and notifying
individuals who have received products that have been recalled,
withdrawn, or are the subject of look back), and (D) conducting
post marketing surveillance;
4. Disease Control: A person who may have been exposed to a
communicable disease or may otherwise be at risk of contracting
or spreading a disease or condition if IPPI or a Public Health
Authority is authorized by law to notify such person as necessary
in the conduct of a public health intervention or investigation; or
5. Immunization Records. Student immunization records required by
a school prior to admitting the student, provided IPPI documents
the requested disclosure from the parent, guardian or person acting
in loco parentis, or the Person Served.
B. Prior to the release of PHI to a health oversight authority, the approval of
the State Privacy Officer in consultation with the Corporate Privacy
Officer shall be required.
C. Forms used in the Administration of this provision:
1. Privacy Disclosure Log (See 15, Part C (Forms) of the Manual.)
XXVI. MISCELLANEOUS PERMITTED USES/WORKERS’ COMPENSATION
Policy: The HIPAA Privacy Standards do not require the prior written
authorization of the Persons Served to release PHI as authorized by, and to the
extent necessary to comply with laws relating to Workers’ Compensation or
similar laws that provide benefits for work-related injuries or illness without
regard to fault.
Procedures:
A. IPPI may, therefore, disclose PHI to employers, Workers’ Compensation
carriers, and state officials to process and adjudicate and/or coordinate
Workers’ Compensation claims.
B. A use or disclosure of PHI that constitutes an individual’s entire medical
record or psychotherapy notes shall not be considered to be made under
routine circumstances and shall require the approval of the State Privacy
Officer of that state.
C. Uses and Disclosures Due to Imminent Threat to Health or Safety:
IPPI may, consistent with applicable law and standards of ethical
conduct, use or disclose PHI if IPPI, in good faith, including reliance
on actual knowledge or on a credible representation by a person with
apparent knowledge or authority, believes the use or disclosure is
necessary to prevent or lessen a serious and imminent threat to the
health or safety of a person or the public and involves PHI, including
psychotherapy notes, disclosed to a person or persons reasonably able
to prevent or lessen the threat, including the target of the threat.
D. Uses and Disclosures Required by Military Authority: IPPI may use or
disclose the PHI of individuals who are Armed Forces personnel, or
foreign military personnel, for activities deemed necessary by
appropriate military command authorities to assure the proper
execution of a military mission, if the appropriate military authority
has published by notice in the Federal Register (i) the appropriate
military command authorities and (ii) the purposes for which the PHI
may be used or disclosed.
E. Uses and Disclosures for National Security Activities: IPPI may
disclose PHI to authorized federal officials for the conduct of lawful
intelligence, counter-intelligence, and other national security activities
authorized by the National Security Act (50 U.S.C. § 401 et seq.) and
implementing authority (e.g., Executive Order 12333).
F. Disclosures to Coroners and Medical Examiners: IPPI may disclose
PHI, including psychotherapy notes, to a coroner or medical examiner
for the purpose of identifying a deceased person, determining a cause
of death, or other duties as authorized by law. In connection with such
disclosure, IPPI shall not be required to redact identifying information
about persons other than the deceased individual.
G. Disclosures to Funeral Directors: IPPI may disclose an individual’s
PHI to funeral directors, consistent with applicable law, as necessary
to carry out their duties with respect to the individual after his death, or
prior to and in reasonable anticipation of the individual’s death.
H. Forms used in the administration of this policy.
1. HIPAA Privacy Disclosure Log (See 15, Part C (Forms) of the
Manual).
XXVII. AUTHORIZATIONS/WHEN AUTHORIZATIONS ARE REQUIRED
Policy: IPPI must obtain the authorization of the Persons Served and/or their
personal representatives before it discloses PHI unless the disclosure is permitted
or required under the Privacy Policy (sections XXI-XXVI above).
Procedures:
A. To be valid, an authorization must be written in plain language and
include specific core elements and notification requirements.
B. When PHI is provided, based on an authorized request or consent, the date
the materials are sent shall be noted on the request or consent form, or on
another form, and placed in the file of the Persons Served.
C. Forms used in the administration of this policy.
1. Authorization for Release of Information (See 4, Part C
(Forms) of the Manual).
XXVIII. AUTHORIZATIONS/CORE ELEMENTS OF AN AUTHORIZATION
Policy: The authority of personal representatives to act on behalf of a Person
Served shall be appropriately verified and authorized only as described herein.
Procedures:
A. Identification of Personal Representatives:
1. A person qualifies as an individual’s “personal representative” to
the extent the person has authority under applicable state or federal
law to act on the individual’s behalf in connection with the
individual’s PHI including a person with authority to act on behalf
of a deceased individual or the individual’s estate.
2. A person who presents him or herself to IPPI as the personal
representative of an individual in order to exercise the rights of that
individual afforded to an individual under the HIPAA Privacy
Rules and/or this Manual shall be required to provide
documentation of his or her status to IPPI, except that in the case
where a person presents himself or herself as the parent of an
individual who is a minor child, verification may be based on
confirmation of the child’s enrollment as the dependent minor
child of the person in a benefit plan.
3. In the case of a person whose representation is based on an
attorney-client relationship with the individual, the person must
present or transmit by facsimile a verification of legal
representation.
4. IPPI staff, in consultation with the State Privacy Officer, shall
determine whether the documentation indicates that under
applicable law the person is legally entitled to act on behalf of the
individual.
5. Notwithstanding paragraph 4 of this subsection, the State Privacy
Officer may elect not to treat a person as an individual’s personal
representative if (i) the State Privacy Officer has reasonable belief
that (A) the individual has been or may be subjected to domestic
violence, abuse, or neglect by such person or (B) treating such
person as the personal representative could endanger the
individual; and (ii) the State Privacy Officer, in the exercise of
professional judgment, decides that it is not in the best interest of
the individual to treat the person as the individual’s personal
representative.
6. A person who is determined to be an individual’s legal
representative must also verify his or her identity as that person
through the verification processes described in this section.
B. Authority of Personal Representatives:
If the State Privacy Officer or his/her designee determines that a
person is an individual’s personal representative, IPPI shall treat such
person as the individual for purposes of this policy. For example, the
person has the authority to sign and revoke authorizations on behalf of
the individual, and the person has the authority to exercise the
individual privacy rights described in this policy on behalf of the
individual.
C. Documentation of Personal Representative Determinations:
Upon making a determination regarding whether to recognize a person
as an individual’s personal representative, the State Privacy Officer or
his/her designee shall document the determination. IPPI shall retain
such documentation in accordance with Section XXXIX of this
Manual.
D. Valid Authorization:
The core elements required in a valid authorization are as follows:
1. A description of the information to be used or disclosed that
identifies the information in a specific and meaningful fashion;
2. The name or other specific identification of the person(s) or class
of persons authorized to make the use/disclosure;
3. The name or other specific identification of the person(s) or class
of persons to whom the covered entity may make the
use/disclosure;
4. A description of each purpose of the requested use or disclosure. If
the persons served or their legal representatives request the
information to be disclosed, then the authorization need not
describe the purposes for which the request is made, but must state
that the disclosure is at the request of the person served or his/her
legal representative;
5. The authorization’s expiration date, or an expiration event that
relates to the person served or to the purpose or use of the
requested disclosure. For purposes of a research study, including
creation and maintenance of a research database, or research
depository, phrases such as “none” or “at the end of the research
study” are acceptable;
6. The signature of the Person Served, with a date, or, in the case of
the signature of the legal representative of the individual, identity
verification and the description of that person’s authority to act for
the person served. Initials may be accepted in lieu of signature
when documents are added to a file;
7. The right to revoke the authorization with a written notice and
either: (a) the exceptions to the right to revoke and instructions on
how to revoke, or, (b) a reference to IPPI’s Notice of Privacy
Practices, if that notice contains a description of the right to
revoke, exceptions to the right to revoke, and instructions on how
to do so;
8. Whether the covered entity conditions treatment, payment,
enrollment, or eligibility for benefits on the authorization, by
stating either: (a) that IPPI is prohibited from conditioning
treatment, payment, enrollment, or eligibility for benefits on the
individual’s agreement to sign the authorization, or (b) the
consequences to the individual if s/he refuses to sign the
authorization, but only as permitted; and
9. A statement that information used/disclosed under the
authorization may be subject to re-disclosure by the recipient and
may no longer be protected (e.g., under permitted uses, etc.). If IPPI is
assured that the information will remain protected after disclosure,
either under its own or another entity’s policies, it may so state in the notice.
XXIX. AUTHORIZATION/ SPECIAL CASE/PSYCHOTHERAPY NOTES
Policy: Psychotherapy notes shall not be treated “routinely” and shall be used and
disclosed with special care.
Procedures:
A. Psychotherapy notes are notes recorded in any medium by a health care
provider who is a mental health professional documenting or analyzing the
contents of conversation during a counseling session.
B. Such notes must be separated from the rest of the individual’s medical
record.
C. Such notes do not include medication prescription and monitoring, the
start and stop times and dates of counseling sessions, the modalities and
frequencies of treatment furnished, results of clinical tests, and any
summary of the following items: diagnosis, functional status, the treatment
plan, symptoms, prognosis and progress to date.
D. Except as provided in this policy, IPPI will obtain an individual’s
authorization prior to use or disclosure of psychotherapy notes.
E. IPPI may use or disclose psychotherapy notes in the following instances
without obtaining authorization of the Person Served:
1. to carry out treatment, payment or healthcare operations including:
a) use of psychotherapy notes by the originator for treatment;
b) use or disclosure by IPPI in training programs in which
students, trainees, or practitioners in mental health learn under
supervision to practice or improve their skills in group, joint,
family or individual counseling; and
c) use or disclosure by IPPI to defend itself in a legal action or
other proceeding brought by the individual.
2. use or disclosure that is required by compliance investigations;
3. use or disclosure permitted or required by law;
4. use or disclosure permitted by health oversight with respect to the
oversight of the originator of the psychotherapy notes;
5. use or disclosure permitted to the decedents; or
6. use or disclosure required if there is a threat to public safety.
F. IPPI will not condition treatment, enrollment or eligibility for benefits of
an individual on a requirement that the individual provide a specific
authorization for the disclosure of psychotherapy notes.
G. The authorization will be written in plain language and may only be
combined with another authorization for a use or disclosure of
psychotherapy notes.
H. The authorizations will contain the core elements and the notice
requirements as set forth in section XXVIII above and XL, of this Part A
of the Manual below.
XXX. AUTHORIZATION/SPECIAL CASE/MARKETING
Policy: The HIPAA Privacy Rule gives individuals important controls over
whether and how their PHI is used and disclosed for marketing purposes. With
limited exceptions, the Rule requires an individual’s written authorization before
a use or disclosure of his or her PHI can be made for marketing. So as not to
interfere with core health care functions, the Rule distinguishes marketing
communications from those communications about goods and services that are
essential for quality health care.
Procedures:
A. This section of the policy addresses the use and disclosure of PHI for
marketing purposes by:
Defining what is “marketing” under the Rule;
Excepting from that definition certain treatment or health care
operations activities;
Requiring individual authorization for all uses or disclosures of PHI
for marketing purposes with limited exceptions.
NOTE: If IPPI receives financial remuneration from a third party whose
products or services are being marketed, authorization is required.
B. The Privacy Rule defines “marketing” as making “a communication about
a product or service that encourages recipients of the communication to
purchase or use the product or service.” Generally, if the communication
is “marketing,” then the communication can occur only if IPPI first obtains
an individual’s “authorization.” This definition of marketing has certain
exceptions, as discussed below.
An example of a “marketing” communication requiring prior authorization
is a communication from a hospital informing former patients about a
cardiac facility that is not part of the hospital and that can provide a baseline
EKG for $39, when the communication is not for the purpose of providing
treatment advice.
Marketing also means “an arrangement between a covered entity and any
other entity whereby the covered entity discloses PHI to the other entity,
in exchange for direct or indirect remuneration, for the other entity or its
affiliate to make a communication about its own product or service that
encourages recipients of the communication to purchase or use that
product or service.” This part of the definition of marketing has no
exceptions. The individual must authorize these marketing
communications before they can occur.
C. A covered entity may not sell PHI to a Business Associate or any other
third party for that party’s own purposes. Moreover, covered entities may
not sell lists of patients or enrollees to third parties without obtaining
consent from each person on the list. For example, it is “marketing” when
a drug manufacturer receives a list of patients from a covered health care
provider and provides remuneration, then uses that list to send discount
coupons for a new anti-depressant medication directly to the patients.
D. The Privacy Rule carves out exceptions to the definition of marketing
under the following three categories:
1. A communication is not “marketing” if it is made to describe a health-
related product or service (or payment for such product or service) that
is provided by, or included in a plan of benefits of, the covered entity
making the communication, including communications about health-
related products or services available only to a health plan enrollee that
add value to, but are not part of, a plan of benefits.
This exception to the marketing definition permits communications by
a covered entity about its own products or services. For example,
under this exception, it is not “marketing” when a hospital uses its
patient list to announce the arrival of a new specialty group (e.g.,
orthopedic) or the acquisition of new equipment (e.g., x-ray machine
or magnetic resonance image machine) through a general mailing or
publication.
2. A communication is not “marketing” if it is made for treatment of the
individual and without financial remuneration from a third party
whose products or services are being marketed.
For example, under this exception, it is not “marketing” when:
A pharmacy or other health care provider mails prescription refill
reminders to patients, or contracts with a mail house to do so.
A primary care physician refers an individual to a specialist for a
follow-up test or provides free samples of a prescription drug to a
patient.
3. A communication is not “marketing” if it is made for case
management or care coordination for the individual, or to direct or
recommend alternative treatments, therapies, health care providers, or
settings of care to the individual and without financial remuneration
from a third party whose products or services are being marketed.
For example, under this exception, it is not “marketing” when:
An endocrinologist shares a patient’s medical record with several
behavior management programs to determine which program best
suits the ongoing needs of the individual patient.
A hospital social worker shares medical record information with
various nursing homes in the course of recommending that the
patient be transferred from a hospital bed to a nursing home.
For any of the three exceptions to the definition of marketing, the
activity must otherwise be permissible under the Privacy Rule, and a
covered entity may use a Business Associate to make the
communication.
E. Marketing Authorizations and When Authorizations are Not Necessary:
Except as discussed below, any communication that meets the definition
of marketing is not permitted, unless the covered entity obtains an
individual’s authorization in accordance with this policy. To determine
what constitutes an acceptable “authorization,” see 45 CFR 164.508. If the
marketing involves direct or indirect remuneration to the covered entity
from a third party, the authorization must state that such remuneration is
involved. A communication does not require an authorization, even if it is
marketing, if it is in the form of a face-to-face communication made by a
covered entity to an individual; or a promotional gift of nominal value
provided by the covered entity. For example, no prior authorization is
necessary when a hospital provides a free package of formula and other
baby products to new mothers as they leave the maternity ward.
XXXI. AUTHORIZATION/ REVOCATION, RESTRICTION OF USES
Policy: Persons Served and/or their personal representatives generally may
revoke an authorization at any time, or restrict the uses of the authorization, by
delivering a written request for the revocation or restriction.
Procedures:
A. This policy is subject to two exceptions:
1. IPPI has taken action in reliance upon the authorization; or
2. The authorization was obtained as a condition of obtaining insurance
coverage.
B. The original authorization must contain clear instructions on how to
revoke/restrict the authorization, or, if such instructions are contained in the Notice of
Privacy, then the authorization may refer to that document.
C. The revocation/restriction renders the authorization invalid once IPPI
knows the authorization has been revoked/restricted. Knowledge is
inferred by receipt of the revocation/restriction, but not before.
D. IPPI must permit Persons Served and/or their personal representatives to
request that IPPI restrict uses and disclosures of PHI:
1. to carry out Treatment, Payment, and Operations; and
2. for permitted disclosures to family members and to others
who are involved in the individual’s care.
E. While IPPI is not required to agree to a restriction, if it does agree, it must
not use or disclose the PHI in violation of the restriction, subject to certain
exceptions as specified in this policy, e.g., emergency care for the purpose
of treatment.
F. In no event shall IPPI agree to a restriction that limits the use or disclosure
of PHI for permitted uses including treatment by another provider, law
enforcement, public health, etc., as described in this section.
G. If IPPI has agreed to restrict the disclosure of PHI, then it cannot
terminate that agreement unless:
1. the individual agrees to, or requests, the termination in writing;
2. the request is oral and the oral request is documented; or
3. IPPI informs the individual that it is terminating its restriction
agreement, except that such termination will be effective only with
respect to PHI created or received by the covered entity after the
termination of the restriction.
H. The determination of whether to grant a restriction or to terminate it
shall be made by the State Privacy Officer.
I. Forms used in the administration of this policy.
1. Request for Restrictions on Use or Disclosure of Protected
Information (See 11, Part C (Forms) of the Manual).
2. Response to Request for Restrictions on Use or Disclosure of
Protected Health Information (See 12, Part C, (Forms) of the
Manual).
XXXII. RIGHT OF ACCESS/NOTIFICATION
Policy: HIPAA gives individuals the right to access and obtain copies of their
protected health information that IPPI (or its business associates) maintains in
designated record sets. HIPAA also provides that individuals may request to have
their PHI amended, and that they are entitled to an accounting of certain types of
disclosures.
Procedures:
A. “Designated Record Set” Defined. “Designated Record Set” is a group
of records maintained by or for IPPI that includes other protected health
information used, in whole or in part, by or for IPPI to make coverage
decisions about an individual.
B. Procedures. Request from Individual, Parent of Minor Child, or Personal
Representative. Upon receiving a written request from an individual (or
from a minor’s parent or an individual’s personal representative) for
disclosure of an individual’s PHI, IPPI staff must take the following steps:
1. Follow the procedures for verifying the identity of the individual
(or parent or personal representative).
2. Review the disclosure request to determine whether the PHI
requested is held in the individual’s designated record set. See the
State Privacy Officer, if it appears that the requested information is
not held in the individual’s designated record set. No request for
access may be denied without approval from the State Privacy
Officer.
3. Review the disclosure request to determine whether an exception
to the disclosure requirement might exist; for example, disclosure
may be denied for requests to access psychotherapy notes,
documents compiled for a legal proceeding, certain requests by
Persons Served, information compiled during research when the
individual has agreed to denial of access, information obtained
under a promise of confidentiality and other disclosures that are
determined by a health professional to be likely to cause harm. If
there is any question about whether one of these exceptions
applies, the State Privacy Officer should be contacted. No request
for access may be denied without approval from the State Privacy
Officer.
4. Respond to the request by providing the information or denying the
request within 30 days. If the requested PHI cannot be accessed
within the 30-day period, the deadline may be extended for 30
days by providing written notice to the individual within the
original 30-day period of the reasons for the extension and the date
by which IPPI will respond.
5. A Denial Notice must contain (1) the basis for the denial; (2) a
statement of the individual’s right to request a review of the denial,
if applicable; and (3) a statement of how the individual may file a
complaint concerning the denial. All notices of denial must be
prepared or approved by the State Privacy Officer. Note: All
denials must be approved by the State Privacy Officer.
6. Provide the information requested in the form or format requested
by the individual, if readily producible in such form. Otherwise,
provide the information in a readable hard copy or such other form
as is agreed to by the individual.
7. If the individual has requested a summary and explanation of the
requested information in lieu of, or in addition to, the full
information, prepare such summary and explanation of the
information requested and make it available to the individual in the
form or format requested by the individual.
8. IPPI may charge a reasonable cost-based fee for copying, postage,
and preparing a summary (but the fee for a summary must be
agreed to in advance by the individual).
9. Disclosures must be documented in accordance with Section
XXXIX “Documentation and Recordkeeping Accounting for
Disclosures.”
C. Forms used in the Administration of this Policy:
1. Request to Inspect or Copy Protected Health Information (See 16, Part
C (Forms) of the Manual).
2. Response to Request to Inspect Protected Health Information (See 17,
Part C (Forms) of the Manual).
3. Privacy Disclosure Log (See 15, Part C (Forms) of the Manual).
XXXIII. RIGHT OF ACCESS/ SPECIAL RULES FOR ACCESS TO
TREATMENT NOTES
Policy: As noted in Section XXIX above, psychotherapy notes shall be
treated differently than other PHI.
Procedures:
A. Special treatment includes limitations on access as well as on authorization.
The special conditions applicable to access to psychotherapy notes by
Persons Served and their personal representatives are set forth at Section
XLIV of this Part A of the Manual.
B. The description of the rights to these notes shall be written clearly and
shall be included in the notification provided under Section XL, of this
Part A of the Manual, below.
XXXIV. RIGHT OF ACCESS/RIGHT TO CORRECT, MODIFY AND
AMEND PHI
Policy: Persons Served and/or their legal representatives have the right to correct,
modify and amend PHI.
Procedures:
A. Request from Individual, Parent of Minor Child, or Personal
Representative. Upon receiving a request from an individual (or a minor’s
parent or an individual’s personal representative) for amendment of an
individual’s PHI held in a designated record set, the employee must take
the following steps:
1. Follow the procedures for verifying the identity of the individual
(or parent or personal representative) set forth in verification of
identity of those requesting protected health information.
2. Review the disclosure request to determine whether the PHI at
issue is held in the individual’s designated record set. See the
State Privacy Officer if it appears that the requested information is
not held in the individual’s designated record set. No request for
amendment may be denied without approval from the State
Privacy Officer.
3. Review the request for amendment to determine whether the
information would be accessible under HIPAA’s right to access
(see the access procedures above). See the State Privacy Officer if
there is any question about whether one of these exceptions
applies. No request for amendment may be denied without
approval from the State Privacy Officer.
4. Review the request for amendment to determine whether the
amendment is appropriate, that is, determine whether the
information in the designated record set is accurate and complete
without the amendment.
5. Respond to the request within 60 days by informing the individual
in writing that the amendment will be made or that the request is
denied. If the determination cannot be made within the 60-day
period, the deadline may be extended for 30 days by providing
written notice to the individual within the original 60-day period of
the reasons for the extension and the date by which IPPI will
respond.
6. When an amendment is accepted, make the change in the
designated record set, and provide appropriate notice to the
individual and all persons or entities listed on the individual’s
amendment request form, if any, and also provide notice of the
amendment to any persons/entities who are known to have the
particular record and who may rely on the uncorrected information
to the detriment of the individual.
B. When an amendment request is denied, the following procedures apply:
1. All notices of denial must be prepared or approved by the State
Privacy Officer. A Denial Notice must contain (1) the basis for the
denial; (2) information about the individual’s right to submit a
written statement disagreeing with the denial and how to file such
a statement; (3) an explanation that the individual may (if he or she
does not file a statement of disagreement) request that the request
for amendment and its denial be included in future disclosures of
the information; and (4) a statement of how the individual may file
a complaint concerning the denial. Note: Denial of amendment
requests in inappropriate circumstances could lead to liability. For
this reason, IPPI requires all denials to be approved by the State
Privacy Officer.
2. If, following the denial, the individual files a statement of
disagreement, include the individual’s request for an amendment,
the denial notice of the request, the individual’s statement of
disagreement, if any, and IPPI’s rebuttal/response to such
statement of disagreement, if any, with any subsequent disclosure
of the record to which the request for amendment relates. If the
individual has not submitted a written statement of disagreement,
include the individual’s request for amendment and its denial with
any subsequent disclosure of the protected health information only
if the individual has requested such action.
C. Forms used in the Administration of this Policy:
1. Request to Amend or Correct Protected Health Information
(See 9, Part C (Forms) of the Manual).
2. Response to Request to Amend or Correct Protected Health
Information (See 10, Part C (Forms) of the Manual).
XXXV. RIGHT OF ACCESS/RIGHT OF PERSONS SERVED TO RELEASE PHI
Policy: Persons Served and/or their legal representatives shall have a right to send
their own PHI to whomever they wish.
Procedures:
A. Proper authorization is required for such PHI to be released as set forth in
Section XXVII of this Part A of the Manual;
B. The release of PHI to a Person Served shall be subject to exceptions set
forth in Section XXXIII; e.g., treatment notes.
C. The rights of the Person Served and the exceptions to those rights are
described in the Notice of Privacy, Section XL of this Part A of the
Manual.
XXXVI. REQUESTS FOR ALTERNATE CONFIDENTIAL COMMUNICATIONS
Policy: An individual shall have the right to designate a specific means and a
specific location, if reasonable, for IPPI’s communications of PHI to the
Person Served.
Procedures:
A. Individual’s Right to Request Confidential Communications. A
Person Served or the personal representative of a Person Served shall
have the right to request that IPPI communicate PHI to that individual
by a specified means and/or to a specified location. Such request may
cover all PHI or, if specifically identified, only a class of PHI (e.g.,
PHI relating to a certain disease).
B. IPPI’s Consideration of a Request for Confidential Communications.
1. The State Privacy Officer or his/her designee shall be
responsible for receiving and processing the request of a
Person Served for confidential communications. The Privacy
Officer shall have ultimate authority regarding the disposition
of such requests. Upon receipt by IPPI of a request for
confidential communications on the appropriate form, IPPI
shall suspend any communications of the individual’s PHI that
are subject to the request.
2. IPPI may deny a request for confidential communications only
for one or more of the following reasons:
i. the request is not in writing;
ii. the request does not specify an alternative method (e.g., e-
mail or fax) or alternative location (e.g., business address or
post office box) for Disclosure of PHI;
iii. the State Privacy Officer determines that the administrative
difficulty that would result from granting the individual’s
request would be unreasonable and would result in a more
than modest additional cost.
C. Granting a Request. If IPPI grants an individual’s request, IPPI shall
notify the individual through the alternative means specified for
communications of PHI. See 5, Part C (Forms) of the Manual,
Response to Request for Alternate Communications. Upon granting
an individual’s request for confidential communications, IPPI shall
conduct all communications of the individual’s PHI to the individual
in accordance with the alternative means specified. A communication
that contains both unrestricted PHI and restricted PHI shall be divided,
with the restricted portion being sent in accordance with the granted
request. The granted request shall be filed with the individual’s
Designated Record Set in accordance with this Manual.
D. Denying a Request.
1. If IPPI denies an individual’s request for confidential
communications, IPPI shall notify the individual of such
denial. Such notification shall be given in accordance with the
alternative means specified in the request unless (i) the request
does not specify an alternative means or location, or (ii) a
reason for the request’s denial is an unreasonable
administrative difficulty and notifying the individual of such
denial in the manner requested would, considered alone, result
in an unreasonable additional cost. If the notification of denial
is not sent in accordance with the specified alternative means
and/or location, such notification shall be given directly to the
individual (e.g., in person or by phone) or, if direct
communication fails or is not feasible, shall be in writing, shall
be addressed to the individual, and shall identify neither the
affected PHI nor any specified alternative means and/or
location.
2. A notification of denial shall set forth the reasons for denial
and shall include a blank form Request for Confidential
Communications of Medical Information.
E. Documentation of Requests for Confidential Communications. IPPI
shall document (i) all requests for confidential communications; (ii)
IPPI’s notifications of granted or denied requests; and (iii) the method
of delivery of such notifications. Such documentation shall be
retained in accordance with this Manual.
XXXVII. CONFLICT RESOLUTION
Policy: IPPI shall have in place a process for conflict resolution concerning all
aspects of use and disclosure, including authorization, “permitted” use,
revocation, and restriction, access, correction, modification, amendment, and all
other rights and restrictions concerning PHI which may arise from time to time.
Procedures:
A. The Person Served and/or his/her legal representative shall be notified of
these procedures through the Notice of Privacy.
B. Should the Person Served or their personal representative not be satisfied at
the end of the internal appeals process, he/she may file a formal complaint
with the Federal Office for Civil Rights.
C. That right to appeal to the Federal Office of Civil Rights shall be
described in the IPPI Notice of Privacy Policy provided to each Person
Served or their personal representative.
D. Forms used in the Administration of this Policy:
1. Complaint Form (See 18, Part C (Forms) of the Manual).
XXXVIII. MITIGATION OF INADVERTENT DISCLOSURES OF PHI
Policy: IPPI shall mitigate, to the extent possible, any harmful effects that
become known to it from a use or disclosure of an individual’s PHI in violation of
HIPAA or the policies and procedures set forth in this Manual.
Procedures:
A. If an employee or Business Associate becomes aware of an unauthorized
use or disclosure of PHI, either by an employee or a Business Associate,
the employee or Business Associate must immediately contact the State
Privacy Officer so that appropriate steps to mitigate harm to the Person
Served can be taken.
XXXIX. DOCUMENTATION AND RECORDKEEPING ACCOUNTING
FOR DISCLOSURES
Policy: An individual has the right to obtain an accounting of certain disclosures
of his or her own PHI.
Procedures:
A. This right to an accounting extends to disclosures made in the last six
years, other than disclosures:
1. to carry out treatment, payment or health care operations, or to
individuals about their own PHI;
2. incident to an otherwise permitted use or disclosure;
3. pursuant to an authorization;
4. to persons involved in the individual’s care or payment for the
individual’s care or for certain other notification purposes;
5. to correctional institutions or law enforcement when the disclosure
was permitted without authorization;
6. as part of a Limited Data Set, as defined herein;
7. for specific national security or law enforcement purposes; or
8. disclosure that occurred prior to the compliance date.
B. IPPI shall respond to an accounting request within 60 days. If IPPI is
unable to provide the accounting within 60 days, it may extend the period
by 30 days, provided that it gives the participant notice (including the
reason for the delay and the date the information will be provided) within
the original 60-day period.
C. The accounting must include the date of the disclosure, the name of the
receiving party, a brief description of the information disclosed, and a
brief statement of the purpose of the disclosure that reasonably informs the
individual of the basis for the disclosure (or a copy of the written request
for disclosure, if any). If a brief purpose statement is included in the
accounting, it must be sufficient to reasonably inform the individual of the
basis of the disclosure.
D. The first accounting in any 12-month period shall be provided free of
charge. The State Privacy Officer may impose reasonable production and
mailing costs for subsequent accountings.
E. IPPI shall have a formal mechanism for documenting and maintaining an
accounting of when the PHI of persons served has been used or disclosed.
For some uses and disclosures, forms will be necessary. Examples include
but are not limited to:
1. Authorization forms for release of PHI by persons served
and/or their legal representatives;
2. Revocation/Restriction of Authorizations;
3. Request for Review of Record;
4. Request for Amendment of Record; and
5. Disclosure logs.
F. Signed copies of the above documents shall be kept in the files of the
persons served and a signed copy will be given to the persons served or
their legal representatives.
G. Upon request, persons served and/or their legal representatives shall be
informed of any disclosures of PHI, other than those for permitted uses.
H. Limited Data Set Defined: See the Definitions section.
I. Forms used in the Administration of this Policy:
1. Request for Accounting of Disclosures of Protected Health
Information (See 7, Part C (Forms) of the Manual).
2. Response to Request for Accounting of Disclosures of Protected
Health Information (See 8, Part C (Forms) of the Manual).
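As an added illustration (not IPPI's own code, forms or records), the accounting rules in A through D of this section expressed as a filter over a disclosure log: the six-year lookback, the excluded disclosure types, the four required elements of each entry, the 60-day response deadline with one 30-day extension, and the free first accounting in any 12-month period. The purpose codes, the sample log entries and the compliance date are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Constructed labels for the Section XXXIX.A exclusions 1-7 (disclosures that
# need not appear in an accounting). Exclusion 8, disclosures made before the
# compliance date, is handled by a date comparison instead of a code.
EXCLUDED_PURPOSES = {
    "tpo",                # 1. treatment, payment or health care operations
    "to_individual",      # 1. to the individual about his or her own PHI
    "incidental",         # 2. incident to an otherwise permitted use or disclosure
    "authorization",      # 3. pursuant to an authorization
    "involved_in_care",   # 4. persons involved in care, or notification purposes
    "correctional_le",    # 5. correctional institution or law enforcement, permitted without authorization
    "limited_data_set",   # 6. part of a Limited Data Set
    "national_security",  # 7. national security or law enforcement purposes
}


@dataclass(frozen=True)
class Disclosure:
    disclosed_on: date
    recipient: str                          # name of the receiving party (Section C)
    description: str                        # brief description of the PHI disclosed (Section C)
    purpose_code: str                       # an EXCLUDED_PURPOSES code or any other constructed label
    purpose_statement: str = ""             # brief statement of purpose (Section C)
    written_request: Optional[str] = None   # copy of the written request, if any (Section C)


def years_before(d: date, n: int) -> date:
    """Same calendar day n years earlier (29 February falls back to 28 February)."""
    try:
        return d.replace(year=d.year - n)
    except ValueError:
        return d.replace(year=d.year - n, day=28)


def is_accountable(d: Disclosure, request_date: date, compliance_date: date) -> bool:
    """Section A: made within the six years before the request, on or after the
    compliance date, and not one of the excluded disclosure types."""
    if d.disclosed_on < compliance_date:                      # exclusion 8
        return False
    if not years_before(request_date, 6) <= d.disclosed_on <= request_date:
        return False
    return d.purpose_code not in EXCLUDED_PURPOSES


def build_accounting(log: List[Disclosure], request_date: date, compliance_date: date) -> List[dict]:
    """Section C: one entry per accountable disclosure, in date order, carrying the
    date, recipient, description and purpose (or the copy of the written request).
    A disclosure with neither a purpose statement nor a written request cannot be
    accounted for correctly, so it is reported as an error rather than skipped."""
    entries = []
    for d in sorted(log, key=lambda x: x.disclosed_on):
        if not is_accountable(d, request_date, compliance_date):
            continue
        if not d.purpose_statement and d.written_request is None:
            raise ValueError(f"disclosure on {d.disclosed_on} to {d.recipient} lacks a purpose statement")
        entries.append({
            "date": d.disclosed_on.isoformat(),
            "recipient": d.recipient,
            "description": d.description,
            "purpose": d.written_request if d.written_request is not None else d.purpose_statement,
        })
    return entries


def response_deadline(request_date: date, extended: bool = False) -> date:
    """Section B: respond within 60 days; one 30-day extension is allowed when
    notice of the reason and new date is given within the original 60 days."""
    return request_date + timedelta(days=90 if extended else 60)


def fee_may_apply(prior_request_dates: List[date], request_date: date) -> bool:
    """Section D: the first accounting in any 12-month period is free; production
    and mailing costs may be imposed only if another accounting was provided
    within the preceding 12 months."""
    window_start = years_before(request_date, 1)
    return any(window_start < p <= request_date for p in prior_request_dates)


# Constructed sample log. Names, dates and the compliance date are made up for
# this illustration; they are not IPPI records.
SAMPLE_COMPLIANCE_DATE = date(2003, 4, 14)   # assumed compliance date
SAMPLE_LOG = [
    Disclosure(date(2006, 1, 20), "State court", "Records under subpoena", "legal",
               written_request="Subpoena (reference number omitted)"),
    Disclosure(date(2009, 11, 30), "Health plan", "Claims summary", "authorization",
               "Pursuant to signed authorization"),
    Disclosure(date(2012, 3, 5), "County public health department", "Immunization record",
               "public_health", "Public health reporting required by law"),
    Disclosure(date(2010, 8, 2), "State health oversight agency", "Audit sample of service records",
               "health_oversight", "Health oversight audit required by the agency"),
    Disclosure(date(2013, 6, 12), "Treating physician", "Progress notes", "tpo", "Treatment"),
]

if __name__ == "__main__":
    req = date(2013, 10, 1)
    for entry in build_accounting(SAMPLE_LOG, req, SAMPLE_COMPLIANCE_DATE):
        print(entry)
    print("respond by", response_deadline(req), "or, if extended,", response_deadline(req, True))
```

Running the block lists only the 2010 oversight and 2012 public health disclosures: the 2006 subpoena falls outside the six-year window, and the authorization and treatment disclosures are excluded types.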
XL. NOTICE OF PRIVACY POLICY
Policy: IPPI shall send a notice of the Privacy Policy to all persons served and/or
their legal representatives.
Procedures:
A. In this notice, IPPI shall explain the rights of the persons served in
regard to:
1. Access to the record;
2. Right, upon request, to an accounting of all uses and disclosures except
permitted uses;
3. Right of the Person Served to restrict uses and disclosures of PHI;
4. Right of the Person Served to correct or amend the record according
to procedures;
5. Notice of any exceptions or limitations to the above, e.g., as with
therapy notes;
6. Complaint Resolution procedures including name and
telephone number of the contact person for further information;
7. The uses and disclosures that may be made by IPPI;
8. IPPI’s legal duties with respect to PHI; and
9. Other information as required by the HIPAA Privacy Rules.
B. If requested, a representative of IPPI will explain the policy in detail to
the Persons Served and/or their legal representatives.
C. Upon receipt of IPPI’s Notice of Privacy Policy, Persons Served and/or
their legal representatives will sign a form acknowledging they have
received such notice.
D. The Notice of Privacy Practices shall be placed on IPPI’s website. The
Notice will be individually delivered:
1. At the time the individual becomes a Person Served; and
2. To a person requesting the notice.
Updates will be posted on the website and posted at service delivery sites.
They also will be enclosed in an annual mailing to Persons Served after a
material change in the Notice.
E. Forms used in the Administration of this Policy:
1. Notice of Availability of Privacy Practices (See 14, Part C (Forms)
of the Manual).
2. Notice of Privacy Practices (See 15, Part C (Forms) of the
Manual).
XLI. WRITTEN POLICIES/POSTING
Policy:
All policies and procedures related to the Privacy of PHI shall be in writing.
Procedures:
A. An easily read and understood statement summarizing the rights of
Persons Served with respect to PHI shall be developed and shall include
all the information contained in the Notice of Privacy Policy.
B. Such summary shall then be posted in highly visible areas in IPPI’s
facilities, including administrative offices, day programs and places of
congregate living and on the IPPI website.
XLII. SUBSTANTIVE CHANGES IN POLICY AND PROCEDURES/
NOTIFICATION/TIMELINESS
Policy: All Persons Served and/or their legal representatives, and all Business
Associates shall be notified within a reasonable period of time of any substantive
changes in the policies or procedures which affect PHI and shall be notified of
their right to receive a full copy of the Privacy and Security policies should they
so request.
Procedures:
A. Such notifications shall be initiated by the Privacy Officer in coordination
with the State Privacy Officer and posted on the IPPI website.
XLIII. TRAINING
Policy: IPPI’s policy is to conduct training in privacy of PHI for all employees
and the Board of Directors.
Procedures:
A. The training requirements for complying with the privacy and security
requirements of the Manual are set forth in Section XXII of Part B
(Security) of the Manual.
XLIV. RETENTION OF PRIVACY DOCUMENTATION
Policy: IPPI shall engage in document retention efforts. The primary purpose
of these efforts is to demonstrate past compliance and to facilitate continued
compliance with the HIPAA Privacy Standards.
Procedures:
A. Overview of Privacy Documentation.
IPPI shall maintain records, either in written or electronic form, of its
activities that are conducted in accordance with this Manual. The
content, organization, and duration of such records are described in
this Section XLIV.
B. Designated Record Set to Be Maintained for Each Covered Individual.
A Designated Record Set of all PHI held by IPPI shall be separately
maintained for each Person Served. Any Psychotherapy Notes
attributable to a Person Served shall be maintained separately from the
rest of such individual’s medical record.
C. Contents of a Designated Record Set.
In addition to any PHI held by IPPI on behalf of a Person Served, the
following documents shall be attached to the Designated Record Set:
1. Authorizations: Any valid Authorization signed by the covered
individual, in the event that IPPI may presently use or disclose the
PHI of the Person Served in reliance on such authorization. An
authorization that has expired, been revoked, or otherwise been
determined to be invalid shall be removed from the individual’s
designated record set.
2. Determination to Treat a Person as a Personal Representative:
documentation of any determination by the State Privacy Officer,
or his/her designee, to treat a person as the covered individual’s
personal representative in accordance with this policy. Such
documentation shall be removed from the individual’s Designated
Record Set in the event that the State Privacy Officer determines
that such person is no longer the covered individual’s personal
representative.
3. Restrictions on Uses and Disclosures: Any restriction on IPPI’s use
or disclosure of PHI of a Person Served in accordance with this
policy to which IPPI has agreed. Such restriction shall be removed
from the individual’s designated record set in the event that it
ceases to be effective.
4. Confidential Communications: Any request for confidential
communications applicable to disclosures of PHI to the covered
individual in accordance with this policy to which IPPI has agreed,
along with any other applicable documentation required by that
section. Such description of alternate communications shall be
removed from the Designated Record Set of the Person Served in
the event that it ceases to be effective.
5. Data Use Agreements: Any data use agreement to which IPPI has
agreed in order to receive a Limited Data Set, in accordance
with this Manual. Such data use agreement shall be removed from
the Designated Record Set of the Person Served in the event that
IPPI no longer maintains the applicable Limited Data Set.
D. Compliance Records: Maintained for Each Person Served.
For each Person Served, IPPI shall maintain the following applicable
documents:
1. Accounted Disclosures of PHI: Listed disclosures of the
individual’s PHI with descriptions, in accordance with this
Manual. Documentation of a disclosure shall be retained at least
until the date that is 10 years after the date on which the Disclosure
occurred.
2. Suspension or Disclosure Inclusion in Accounting: Any request by
a health oversight agency or law enforcement official that results in
the suspension or inclusion in an accounting of disclosures shall be
retained at least until the date that is 10 years after the expiration of
the time period during which the applicable disclosures would be
excluded from any accountings requested.
3. Requests for Entire Medical Record: In accordance with this
policy, the justification for any IPPI request of the individual’s
entire medical record. Such documentation shall be retained at
least until the date that is 10 years after the date of the request.
4. Uses or Disclosures of Entire Medical Record: In accordance with
this Manual, the justification for a use or disclosure of the
individual’s entire medical record. Such documentation shall be
retained at least until the date that is 10 years after the date of the
use or disclosure.
5. Determinations of Personal Representatives: In accordance with
this Manual, any determination regarding whether a person is the
individual’s personal representative. Such documentation shall be
retained at least until the date that is 10 years after the later of the
determination date or, if the State Privacy Officer determines the
person is the personal representative, the date on which such
determination ceases to be effective.
6. Authorizations: In accordance with this policy, any Authorization
received for IPPI’s use or disclosure of the individual’s PHI. Such
documentation shall be retained at least until the date that is 10
years after the date on which the Authorization expires or is
revoked.
7. Notification Disclosures: If the State Privacy Officer approves a
notification disclosure concerning the individual (in accordance
with this policy), the reasons for the determination that such
notification disclosure is permissible. Such documentation shall be
retained at least until the date that is 10 years after the date of
disclosure.
8. Dates of Provision of a Notice: In accordance with this policy, a
log of the dates on which the individual requests a copy of the
notice of privacy practices and the dates on which he receives a
copy. Documentation of each date shall be retained at least until
the date that is 10 years after the date documented.
9. Requests for Access: The documents described in this Manual
relating to the individual’s request for access. All such documents
shall be retained at least until the date that is 10 years after the date
on which the last document attributable to the applicable request
for access was created.
10. Requests for Amendment: The documents described in this policy
relating to the individual’s request for amendment. All such
documents shall be retained at least until the date that is 10 years
after the date on which the last document attributable to the
applicable request for amendment was created.
11. Requests for Accounting: The documents described in this policy
relating to the individual’s request for accounting. All such
documents shall be retained at least until the date that is 10 years
after the date the applicable accounting is provided.
12. Requests for Restriction on Use or Disclosure of PHI: The
documents described in this policy relating to the individual’s
request for restriction. All such documents, if attributable to a
granted request, shall be retained at least until the date that is 6
years after the date on which the respective restriction is no longer
effective. All such documents, if attributable to a denied request,
shall be retained at least until the date that is 10 years after the date
of denial.
13. Requests for Confidential Communications: The documents
described in this policy relating to the individual’s request for
confidential communications. All such documents, if attributable
to a granted request, shall be retained at least until the date that is
10 years after the date on which the alternate communications are
no longer in effect. All such documents, if attributable to a denied
request, shall be retained at least until the date that is 10 years after
the notification of denial.
14. Notification of Complaint Disposition: In accordance with this
policy, any notification that is sent to the individual regarding the
disposition of his complaint. Such notification shall be retained at
least until the date that is 10 years after the date on which it is
given.
F. Compliance Records:
IPPI shall maintain the following general privacy files and shall
maintain them for the periods described below except as otherwise
provided by law:
1. Policies and Procedures: The current written policies and
procedures set forth in this Manual and, in accordance with this
policy, any written policies and procedures that are no longer in
effect. A superseded Section of the policies and procedures shall
be retained at least until the date that is 10 years after the date it
becomes superseded.
2. Notices of Privacy Practices: IPPI’s current version of the notice of
privacy practices and, in accordance with this policy, any former
version that is no longer in effect. A former version shall be
retained at least until the date that is 10 years after the date it was
revised.
3. Business Associate Contract Provisions: The provisions of contracts
with a Business Associate that are intended to comply with this
policy. Documentation of such contractual provisions shall be
retained at least until the date that is 10 years after the date on
which the provisions cease to be effective.
4. Data Use Agreements: Data use agreements that are intended to
comply with this policy. Any such agreement shall be retained at
least until the date that is 10 years after the date on which it ceases
to be effective.
5. Designation of Contact Person: Documents identifying IPPI’s
State Privacy Officer, in accordance with this policy. Such
documentation shall be retained at least until the date that is 10
years after the date on which the identified person or office ceases
to be the Contact Person.
6. Disposition of Complaints: In accordance with this Manual,
documentation of a complaint received and its disposition. Such
documentation shall be retained at least until the date that is 10
years after the date on which it is created.
7. Secretary Investigations: In accordance with this policy, any
written communications with the Secretary regarding IPPI’s
privacy policies and procedures. Each such document shall be
retained at least until the date that is 10 years after the date on
which it was created.
8. Mitigation Efforts: In accordance with this policy, documentation
of IPPI’s efforts to mitigate the harmful effects of a privacy
violation. Such documentation shall be retained at least until the
date that is 10 years after the date on which it is created.
G. Records Relating to Personnel.
1. Privacy Training: In accordance with this policy, documentation of
privacy training received by all employees and any signed PHI
Employee Acknowledgement. Such documentation shall be
retained at least until the date that is 10 years after the person’s
date of termination of employment.
2. Sanctions: Description of any sanctions considered against the
employee in accordance with this policy, whether or not imposed.
Information that identifies the individual whose privacy rights
were violated shall be removed to the extent practicable. All such
documents shall be retained at least until the date that is 10 years
after the date on which they were created.
XLV. SANCTIONS
Policy: It is the policy of IPPI to appropriately sanction employees for violations
of the privacy and security procedures of the Manual and to communicate the
system of sanctions to all employees.
Procedures:
A. The sanction procedures for violation of the privacy and security
parts of this Manual are set forth at Section XXIII of Part B of the
Manual.
B. Training shall also emphasize that certain breaches of HIPAA policy may
require notification to other regulatory and licensing agencies, as well as
local, state and federal law enforcement agencies, and may result in civil
and/or criminal penalties.
XLVI. PRIVACY OFFICER
Policy: Each state shall have a Privacy Officer.
Procedures:
A. Each State Director shall designate a State Privacy Officer for the state
and be responsible for developing a formal job description for that Officer.
B. In Vermont the Executive President shall designate a Corporate Privacy
Officer for Vermont and for general oversight of Privacy issues for the
Corporation, and be responsible for developing a job description for the
duties of that person(s) both as State Privacy Officer of Vermont and as
Corporate Privacy Officer.
XLVII. PRIVACY BREACH NOTIFICATION
Policy: IPPI adopts the policies and procedures set forth in this Manual as the
provisions required by HIPAA for disclosure to affected individuals and the
Department of Health and Human Services of privacy breaches.
Procedures:
A. Breach Defined.
Breach means the acquisition, access, use, or disclosure of protected
health information in a manner not permitted under 45 C.F.R. Part
164, Subpart E, which compromises the security or privacy of
protected health information.
1. Except as provided in paragraph 2 below, an acquisition,
access, use, or disclosure of PHI in a manner not permitted by
Subpart E is presumed to be a breach unless IPPI or the
business associate demonstrates that there is a low probability
that the PHI has been compromised based on a risk assessment
of at least the following factors:
(i) The nature and extent of the PHI involved, including the
types of identifiers and the likelihood of re-identification;
(ii) The unauthorized person who used the PHI or to whom the
disclosure was made;
(iii) Whether the PHI was actually acquired or viewed; and
(iv) The extent to which the risk to the PHI has been mitigated.
2. A Breach excludes:
(i) Any unintentional acquisition, access, or use of protected
health information by a workforce member or person
acting under the authority of IPPI or a Business Associate,
if such acquisition, access, or use was made in good faith
and within the scope of authority and does not result in
further use or disclosure in a manner not permitted under
45 C.F.R. Part 164, Subpart E.
(ii) Any inadvertent disclosure by a person who is authorized to
access protected health information at IPPI or a Business
Associate to another person authorized to access protected
health information at the same covered entity or business
associate, or organized health care arrangement in which
IPPI participates, and the information received as a result of
such disclosure is not further used or disclosed in a manner
not permitted under Subpart E of this part.
(iii) A disclosure of protected health information where IPPI or
Business Associate has a good faith belief that an
unauthorized person to whom the disclosure was made
would not reasonably have been able to retain such
information.
B. Unsecured Protected Health Information.
Unsecured protected health information means protected health
information that is not rendered unusable, unreadable, or
indecipherable to unauthorized individuals through the use of
technology or methodology specified by the Secretary in the guidance
issued under section 13402(h)(2) of Public Law 111-5 on the HHS
Web Site.
C. Notification to Individuals.
1. Standard.
(i) General rule. Following the discovery of a breach of
unsecured protected health information, the State Privacy
Officer shall notify each individual whose unsecured protected
health information has been, or is reasonably believed by IPPI
to have been, accessed, acquired, used, or disclosed as a result
of such breach.
(ii) Breaches treated as discovered. A breach shall be treated
as discovered as of the first day on which such breach is known
to IPPI or, by exercising reasonable diligence, would have been
known to IPPI.
2. Implementation specification: Timeliness of notification.
Except as provided in 45 C.F.R. §164.412, the State Privacy
Officer shall provide the notification required by paragraph (a)
of this section without unreasonable delay and in no case later
than 60 calendar days after discovery of a breach.
3. Content of notification. The notification required by this
section shall include, to the extent possible:
(a) A brief description of what happened, including the date of
the breach and the date of the discovery of the breach, if
known;
(b) A description of the types of unsecured protected health
information that were involved in the breach (such as
whether full name, social security number, date of birth,
home address, account number, diagnosis, disability code,
or other types of information were involved);
(c) Any steps individuals should take to protect themselves
from potential harm resulting from the breach;
(d) A brief description of what IPPI is doing to investigate the
breach, to mitigate harm to individuals, and to protect
against any further breaches; and
(e) Contact procedures for individuals to ask questions or learn
additional information, which shall include a toll-free
telephone number, an e-mail address, Web site, or postal
address.
(f) Plain language requirement. The notification shall be
written in plain language.
4. Methods of individual notification. The notification required by
this section shall be provided in the following form:
(a) Written notice.
(i) Written notification by first-class mail to the individual
at the last known address of the individual or, if the
individual agrees to electronic notice and such
agreement has not been withdrawn, by electronic mail.
The notification may be provided in one or more
mailings as information is available.
(ii) If IPPI knows the individual is deceased and has the
address of the next of kin or personal representative of
the individual (as specified under 45 C.F.R.
§164.502(g)(4)), written notification by first-class mail
to either the next of kin or personal representative of
the individual. The notification may be provided in
one or more mailings as information is available.
(b) Substitute notice. In the case in which there is insufficient
or out-of-date contact information that precludes written
notification to the individual as described above, a
substitute form of notice reasonably calculated to reach the
individual shall be provided. Substitute notice need not be
provided in the case in which there is insufficient or out-
of-date contact information that precludes written
notification to the next of kin or personal representative of
the individual.
(i) In the case in which there is insufficient or out-of-date
contact information for fewer than 10 individuals, then
such substitute notice may be provided by an alternative
form of written notice, telephone, or other means.
(ii) In the case in which there is insufficient or out-of-date
contact information for 10 or more individuals, then
such substitute notice shall:
(A) Be in the form of either a conspicuous posting for
a period of 90 days on the home page of the Web
site of the covered entity involved, or conspicuous
notice in major print or broadcast media in
geographic areas where the individuals affected
by the breach likely reside; and
(B) Include a toll-free phone number that remains
active for at least 90 days where an individual can
learn whether the individual’s unsecured protected
health information may be included in the breach.
(c) Additional notice in urgent situations. In any case deemed
by the State Privacy Officer to require urgency because of
possible imminent misuse of unsecured protected health
information, IPPI may provide information to individuals
by telephone or other means, as appropriate, in addition to
written notice.
D. Notification to Media.
1. Standard. For a breach of unsecured protected health
information involving more than 500 residents of a State or
jurisdiction, the State Privacy Officer shall, following the
discovery of the breach, notify prominent media outlets serving
the State or jurisdiction.
2. Implementation specification. Timeliness of notification.
Except as provided in 45 C.F.R. §164.412, IPPI shall provide
the notification required by this section without unreasonable
delay and in no case later than 60 calendar days after discovery
of a breach.
3. Content of notification. The notification required by paragraph
(a) of this section shall meet the requirements of 45 C.F.R.
§164.404(c).
E. Notification to the Secretary.
1. The State Privacy Officer shall, following the discovery of a
breach of unsecured protected health information as provided
in 45 C.F.R. §164.404(a)(2), notify the Secretary of the
Department of Health and Human Services of the breach.
2. Breaches involving 500 or more individuals. For breaches of
unsecured protected health information involving 500 or more
individuals, a covered entity shall, except as provided in 45
C.F.R. §164.412, provide the notification required by
paragraph (a) of this section contemporaneously with the notice
required by 45 C.F.R. §164.404(a) and in the manner specified
on the HHS Web site.
3. Breaches involving fewer than 500 individuals. For breaches
of unsecured protected health information involving fewer than
500 individuals, the State Privacy Officer shall maintain a log
and other documentation of such breaches and, not later than
60 days after the end of each calendar year, provide the
notification required by this section for breaches discovered
during the preceding calendar year, in the manner specified on
the HHS Web site.
F. Notification by a Business Associate.
1. Standard.
(a) A Business Associate shall, following the discovery of a
breach of unsecured protected health information, notify
the State Privacy Officer of such breach.
(b) Breaches treated as discovered. A breach shall be treated
as discovered by a Business Associate as of the first day
on which such breach is known to the Business Associate
or, by exercising reasonable diligence, the breach would
have been known to the Business Associate. A Business
Associate shall be deemed to have knowledge of a breach
if the breach is known, or by exercising reasonable
diligence, would have been known to any person, other
than the person committing the breach, who is an
employee, officer, or other agent of the Business Associate
(determined in accordance with the federal common law
of agency).
(i) Timeliness of notification. Except as provided in
45 C.F.R. §164.412, a Business Associate shall provide
the notification required by paragraph (a) of this
section without unreasonable delay and in no case
later than 60 calendar days after discovery of a
breach.
(ii) Content of notification. The notification required by
this section shall include, to the extent possible, the
identification of each individual whose unsecured
protected health information has been or is reasonably
believed by the Business Associate to have been
accessed, acquired, used, or disclosed during the
breach.
(c) A Business Associate shall provide IPPI with any other
available information that IPPI is required to include in
notification to the individual under 45 C.F.R. §164.404(c) at
the time of the notification required by this section or
promptly thereafter as information becomes available.
(d) Law enforcement delay. If a law enforcement official
states to IPPI or a Business Associate that a notification,
notice, or posting required under this subpart would
impede a criminal investigation or cause damage to
national security, IPPI or Business Associate shall:
(i) If the statement is in writing and specifies the time for
which a delay is required, delay such notification,
notice, or posting for the time period specified by the
official; or
(ii) If the statement is made orally, document the statement,
including the identity of the official making the
statement, and delay the notification, notice, or posting
temporarily and no longer than 30 days from the date of
the original statement, unless a written statement as
described in this section is submitted during that time.
XLVIII. PRIVACY OFFICER/JOB DESCRIPTION
The State Privacy Officers for each state and for Vermont, and the Corporate
Privacy Officer shall be responsible for developing a job description of the duties
and functions of that position. The Corporate Privacy Officer shall be responsible
for the development and implementation of policies and procedures relating to the
privacy of PHI. The State Privacy Officer will serve as the contact person for
Persons Served who have questions, concerns or complaints about the privacy of
their PHI. The Corporate Privacy Officer is responsible for ensuring that IPPI
complies with the provisions of HIPAA privacy rules regarding Business
Associates, including the requirement that a covered entity have a HIPAA
compliant Business Associate Agreement in place with all Business Associates.
The State Privacy Officer shall also be responsible for monitoring compliance by
all Business Associates with the HIPAA privacy rules and this policy. IPPI will
comply with the requirements of the HITECH Act and its implementing
regulations to provide notification to affected individuals, HHS, and the media
(when required) if IPPI or one of its Business Associates discovers a breach of
unsecured PHI.
IN ORDER TO IMPLEMENT IPPI’S GENERAL
STATEMENT, IPPI HAS DEVELOPED THE FOLLOWING
PROCEDURES RELATED TO SECURITY
PART B. SECURITY PROCEDURES
I. GENERAL REQUIREMENTS OF THE SECURITY STANDARDS
Policy:
IPPI intends to comply with four general HIPAA Security compliance
requirements that apply to all covered entities and which are designed to:
A. Ensure the confidentiality, integrity and availability of all protected health
information which it creates, receives, maintains or transmits;
B. Protect against any reasonably anticipated threat or hazard to the
confidentiality, availability and integrity of such information;
C. Protect against any reasonably anticipated uses or disclosures of such
information that are not permitted or required under the Privacy policies
and procedures; and
D. Enforce workforce compliance to ensure the security of PHI.
Procedures: The procedures implementing this policy follow.
II. ELECTRONIC PHI
Policy: It is IPPI’s policy to comply fully with the requirements of
HIPAA/HITECH security regulations. HIPAA, the Health Information
Technology For Economic and Clinical Health Act (“HITECH Act”) and their
implementing regulations and guidance require IPPI to implement various
security measures with respect to electronic protected health information
(electronic PHI). Whenever reference is made to PHI in its electronic form, it
shall refer to electronic PHI as defined in this Section B II.
Procedures:
Electronic PHI is protected health information that is transmitted by or
maintained in electronic media. Electronic Media means:
1. Electronic storage media including memory devices in computers
(hard drives) and any removable/transportable digital memory
medium, such as magnetic tape or disk, optical disk, or digital memory
card;
2. Transmission media used to exchange information already in
electronic storage media. Transmission media include, for example,
the Internet (wide-open), extranet (using Internet technology to link a
business with information accessible only to collaborating parties),
leased lines, dial-up lines, private networks, and the physical
movement of removable/transportable electronic storage media; or
3. Certain transmissions via electronic media, although the information
being exchanged did not exist in electronic form before the
transmission.
III. PHI ADMINISTRATIVE PROCEDURES
Policy: Administrative procedures shall be in place which shall guard the data
integrity, privacy and permitted availability of PHI.
Procedures: The procedures are those described in Part A (Privacy).
IV. SYSTEM INVENTORY
Policy: A systems inventory shall be kept.
Procedures:
A. The IPPI Security Officer shall keep a systems inventory of all
hardware, software, applications, servers, etc., so that security
measures are kept up to date and new hardware, software, etc. do not
compromise the security system.
B. Security hardware and software shall be periodically updated and
incorporated into the system by the IPPI Security Officer, as more
efficient security systems are developed.
C. Each State shall keep its own system inventory with a copy sent to the
Network Administrator.
V. SYSTEMIC RISK ANALYSIS
Policy: IPPI shall conduct a corporate-wide risk analysis using the standard
Federal HIPAA Risk Analysis format initially and every three years thereafter. If
major system or business changes occur, or there is a major change in HIPAA
policies or procedures prior to the end of the three-year period, IPPI will conduct a
risk analysis within a reasonable time after the changes occur.
Procedures:
A. IPPI manages risks to its electronic PHI by limiting vulnerabilities, based
on its risk analyses, to a reasonable and appropriate level, taking into
account the following:
1. The size, complexity, and capabilities of IPPI;
2. IPPI’s technical infrastructure, hardware, software, and security
capabilities;
3. The costs of security measures; and
4. The criticality of the electronic PHI potentially affected.
B. Based on risk analysis discussed in Section V, IPPI has made a reasoned,
well-informed and good-faith determination on the implementation of the
HIPAA security regulations that it need not take any additional security
measures, other than the measures set forth herein and the measures of the
Business Associates, to reduce risks to the confidentiality, integrity and
availability of electronic PHI.
VI. RISK MANAGEMENT PROGRAM
Policy: The HIPAA Implementation Committee shall address solutions to the
risks identified in the risk analysis, and shall provide the oversight to see that
corrections are implemented in a timely fashion.
Procedures:
A. The HIPAA Implementation Committee shall be composed of all State
Security and Privacy Officers, IT Coordinators, the corporate HR Officer
and such other positions or individuals as determined by the Executive
President.
B. The members of the HIPAA Implementation Committee are appointed by
the Executive President.
C. The HIPAA Implementation Committee shall meet at least annually and as
often as is necessary to carry out its responsibilities.
D. Minutes of the HIPAA Implementation Committee meetings shall be kept
and maintained in the office of the Corporate Privacy Officer.
VII. LOW LEVEL RISK INFRASTRUCTURE
Policy: The IPPI Security Officer shall have the overall authority and ultimate
responsibility to develop and maintain the electronic infrastructure that will
systemically reduce the risk of an electronic breach to PHI.
Procedures:
A. The IPPI Security Officer’s position shall be located in the IPPI Network
Administrator’s office and shall be a member of and report to the HIPAA
Implementation Committee.
B. The Committee shall meet as is necessary to fulfill these responsibilities.
VIII. ACCESS/AUTHORIZATION
Policy: Only authorized employees shall have access to the PHI of Persons
Served.
Procedures:
A. Access shall be determined in accordance with Section V of Part A
(Privacy) of the Manual.
IX. REVIEW OF AUTHORIZATION AND OTHER INFRASTRUCTURE
REQUIREMENTS
Policy: It is the policy of IPPI to review authorizations of access to PHI.
Procedures:
A. Members of the HIPAA Implementation Committee are empowered to
question the authorization of any staff with respect to records or parts of
records that contain PHI or any other infrastructure requirement.
B. If a member believes the State Director, or his/her designee, has
incorrectly authorized any person to access PHI, or an infrastructure
requirement is inappropriate for his/her state to implement, s/he may
respectfully challenge the decision directly to the State Director.
C. If the State Director disagrees, the Committee member may bring the issue
before the Committee.
D. If the Committee agrees with the Committee member, then the Executive
President of IPPI shall order the previously authorized person to no longer
be authorized or to make changes in the infrastructure requirement.
E. If the State Director still disagrees, s/he may appeal the Executive
President’s decision to the Senior Management Committee and the
decision of that committee shall be final.
X. CRIMINAL BACKGROUND CHECKS/PHI
Policy: Criminal background checks shall be done on all applicants for
employment and employees.
Procedures:
A. The State Human Resources Director shall be responsible for authorizing
criminal and background checks on IPPI applicants and staff.
B. If a background or reference check evidences a prior breach of
confidentiality of PHI or confidential information, the applicant shall not
be hired without a full understanding of the circumstances and final
approval by the State Director.
C. Employees who falsify information in the application process, or who fail
to divulge a breach of confidentiality of PHI that has resulted in
disciplinary action against the employee may be disciplined up to and
including immediate termination.
XI. AUTHENTICATION/PASSWORD MANAGEMENT SYSTEM
Policy: A password management system shall be developed and implemented as
described below that will allow access to PHI only to employees who have been
approved.
Procedures:
A. Only authorized persons, as determined by IPPI alone, may have access to
the PHI of Persons Served.
B. The State Director or approved designee(s) shall determine what position
shall have access to the file of a person served within each state and to
what part of the file that staff member shall have access. Those decisions
shall be made on the basis of a need to know for the provision of
appropriate services and communicated to the Vermont Network
Administrator and the State’s Security and Privacy Officers.
C. For electronic files, the State Director shall inform the Network
Administrator or his/her designee(s) of the positions which have been
given access to a file and to what part of that file access has been allowed,
by position.
D. The Network Administrator, or the State Security Officer, or approved
designee(s), shall then assign a user name and the authorized staff member
who has been given access shall then choose a password. The Network
Administrator, or the state Security Officer, or approved designee(s) shall
then provide appropriate access to the authorized positions.
E. Each time an employee in an authorized position wishes to access a
computer, s/he must enter his/her user name and password.
F. Passwords shall be changed periodically in accordance with best practices.
G. To further support computer security, when employees are
not at their computer terminal, screen savers shall be launched after no
more than twenty (20) minutes of inactivity. The screen saver shall also be
password protected to prevent unauthorized access to a computer and its
stored information.
H. Staff who are no longer employed by IPPI shall have their user ID(s)
disabled. The State Director, or his/her designee(s) shall notify the
Network Administrator and the State Security Officer that a staff member
is no longer employed. When appropriate, the Network Administrator or
approved designee shall immediately disable the staff member’s access to
the network. Locally, the State Security Officer or approved designee(s)
shall also remove the staff member and his/her access.
XII. INTERNAL BREACHES/ ATTEMPTS NOTED
Policy: Breaches and suspected breaches of PHI shall be reported to the Network
Administrator.
Procedures:
A. When there have been five invalid attempts to log on to the system, access
will be denied.
B. The Network Administrator or State Security Officer shall note the breach
attempt.
C. A recognized utility will be used to stop breaches where access to
information is gained through signatures. (Currently IPPI uses Citrix
Secure Gateway.)
D. Should it be possible to trace the breach attempts to a particular staff
member(s), corrective action shall be taken immediately by the State
Security Officer in conjunction with the State Director, and notice of the
breach and of the corrective action shall be given to the Network Administrator.
E. All staff shall be trained to report any suspected incidents of breaches in
Security to the respective program manager and directly to the State
Security Officer.
F. All such reports shall be documented and filed appropriately in a secure
file or location in each state and shall include a description of the incident,
findings, recommendations, corrective action and follow up. A copy of
any sanctions which have been given to any staff member(s) shall be
placed in the staff member(s)’ personnel file.
G. The Network Administrator shall also be notified of all documented
breaches of electronic files.
XIII. SECURING PHI WHEN AUTHORIZED STAFF LEAVE
Policy: PHI shall be secured when employment is terminated.
Procedures:
A. In the event that an employee is terminated without notice, or suddenly
leaves the agency, the State Security Officer, or designee, and the
Vermont Network Administrator, or designee, shall be notified
immediately, and any access to PHI authorized to that staff shall be denied
at once to prevent any Security breaches. The employee’s account shall be
disabled immediately, and all authorization to any files shall be removed.
If the State Security Officer, has the ability and authority to disable an
employee’s account, s/he or his/her designee shall be charged with
disabling the account. If the State Security Officer does not have the
ability or authority to disable an account, the Vermont Administrator, or
designee, shall be notified by the State Security Officer and shall disable
the account. If the employee is from VT, the Network Administrator (who
is also the VT State Security Officer), or designee, shall disable the
account.
B. Should an employee be discharged with notice, or resign with notice, any
decisions regarding the restriction of the employee to authorized files shall
be at the discretion of the State Director, or the Executive President in
Vermont if the employee is in the Vermont office. Whatever the decision,
it shall be immediately communicated to the State Security Officer. If the
State Security Officer has the ability and authority to disable an
employee’s account, the State Security Officer, or designee, shall disable
the account based on the State Director’s decision, e.g. either immediately
or after the employee’s last day of employment. If the State Security
Officer does not have the authority or the ability, s/he will notify the
Vermont Network Administrator, or designee, who will disable the
account as per instructions of the State Director. Should the employee be
from Vermont the Executive President will make the decision about when
the account shall be disabled and the Vermont Network Administrator
(who is also the State Security Officer), or designee, shall disable the
account as per instructions.
Network Administrator refers to the person who is responsible for
managing the IPPI IT system across all states. The term also refers to any
staff from the Network Administrator’s office who has been authorized to
provide technical assistance etc. to the Network Administrator and the
States.
State IT Coordinator is the person in each state, appointed by the State
Director to manage and administrate the IT System in that State. It also
refers to any person the State Coordinator designates to do a particular
function at a particular time, and the “backup” persons listed by the State
who are to be called in case the State Coordinator is not available.
XIV. CORRECTIONS OF ELECTRONIC RECORDS
Policy: Electronic records shall be corrected in accordance with HIPAA
standards.
Procedures:
A. No material shall be deleted from an electronic record.
B. Material which is to be corrected shall be highlighted using various
methods chosen by the State Privacy Officer, e.g. putting corrected
material in bold, or underlining it, or putting it in italics, or putting
parentheses around it.
C. The corrected information or information to be substituted for the
incorrect material, shall be highlighted using a different method than the
method used to highlight the material which is corrected.
D. The substituted material shall then be dated and signed (if possible) by the
person making the correction. If signing is not possible the person making
the correction shall type in his/her name.
E. Each state shall choose one method for identifying incorrect information
and a different method for identifying the substitute material, for example
bold for corrected material, italics for substituted material.
XV. SECURE TRANSMISSION OF ELECTRONIC DATA
Policy: Electronic data which is transmitted between the central office and state
offices shall be protected by a security system that is secure in accordance with
industry best practices.
Procedures:
A. The security system shall include, but not be limited to,
firewalls and a secured access site which uses an https protocol.
B. Logon attempts shall be monitored on the servers using the Event Viewer,
so that repeated invalid attempts (see Section XII of this Part B) are
recorded and can be reviewed.
C. An SSL (Secure Sockets Layer) certificate shall be used for secured
access. (The SSL protocol versions themselves have since been superseded by
TLS; the current TLS version supported by the system shall be used.)
D. Encryption of at least 128 bits shall be used for secured access.
E. Firewall security shall be in place.
F. States shall have direct access linkage to the Vermont corporate office
using the intranet secured site.
G. Any other features as may be determined, from time to time, appropriate
for protecting electronic PHI.
XVI. PHI PROTECTION WHEN SHARED
Policy: To assure proper service, IPPI may share service delivery with other
organizations, receive consultation, combine programs with other agencies,
contribute data, undergo reviews etc.
Procedures:
A. Where IPPI makes available and/or transfers PHI to another individual
provider, or another legal entity, in conjunction with goods or services, or
for other purposes not related to treatment, the two parties shall sign a
Business Associates Agreement, a sample copy of which is appended to
this document.
B. Details concerning business associate agreements are set forth at
Section VIII of this Part A of the Manual.
XVII. STORING ELECTRONIC DATA SECURELY.
Policy: Electronic data shall be stored securely.
Procedures:
A. Electronic data stored on the servers in VT and all States shall be
encrypted, and access to this data may only be achieved through the
process of Authentication. (See Section XI, of this Part B of the Manual,
above)
B. Back-up data shall be taken off site and secured.
C. Laptops shall be encrypted and files made available off line when needed.
D. No PHI shall be stored on non-encrypted laptops or workstation PCs for any
length of time. Such files shall instead be stored on USB devices, which
shall be encrypted.
XVIII. DISPOSING OF ELECTRONIC DATA SECURELY
Policy: Electronic data shall be disposed of securely.
Procedures:
A. When any of the following are to be disposed of, their hard drives shall be
wiped clean first; they shall then be destroyed by a secure disposal
company whose business it is to destroy such hardware. In some instances
the hardware may be disposed of by the Network Administrator, or by the
state consultant with approval from the Network Administrator.
B. The above procedure refers to data storage devices, including, but not
limited to:
1. Workstation PCs and non-encrypted Laptops (note that these should
not have PHI stored on them for any length of time);
2. Servers;
3. USB drives;
4. Tape drives;
5. Floppy disks, CDs and DVDs (Note: none of these should be used to
store PHI);
6. External, encrypted hard drives;
7. Copiers, including leased copiers, which shall be scrubbed before being
taken out of use.
XIX. PHI BACKUP
Policy: Electronic PHI shall be backed up in a manner that protects such data.
Procedures:
A. All PHI gathered on personal computers in offices or in the field shall be
backed up on a regular basis and within a reasonable period of time, but
no later than within seven days of its collection.
B. Such data must be backed up on an encrypted USB drive or a server. No
data may be backed up on a floppy disk, CD, or DVD.
C. All backed up data from Servers which contains PHI must be stored in
a secure location that does not have public access, is relatively secure from
disasters, and whose temperature and humidity levels are such that the
data will not be damaged.
D. IPPI shall work toward developing a system whereby there is a virtual
back-up mechanism in place. (See Emergency plans referred to under
Section XXI of this Part B of the Manual)
XX. PREVENTION OF VIRAL/ MALICIOUS SOFTWARE
Policy: All IPPI computers shall have IPPI approved antivirus protection
software.
Procedures:
A. The central office Network Administrator and the State Security Officer(s)
or approved designee(s) shall work together to routinely ensure that
updates to the latest virus software protection are available to protect PHI.
B. All staff shall scan their computers (including all drives) as a preventive
measure. The State Security Officer or his/her designee shall oversee this
procedure.
C. Staff shall refrain from loading software onto their computers unless it has
been approved by the central office Network Administrator.
D. Approved software shall be installed on individual workstations only by
the central office Network Administrator or his/her designee, or by the
State IT Consultant with the approval of the Network Administrator.
E. Once installed, staff shall not change settings (configurations) that are in
place.
F. Staff may not download anything from the Internet unless it is work
related.
G. The Network Administrator/Corporate Security Officer shall be
responsible for detecting and halting the spread of viruses and other
malicious software programs. His/her functions shall include infection
prevention, detection of malicious software and protection of systems
and data from damage/and/or corruption from the introduction of
malicious software.
XXI. CONTINGENCY PLANS: BACKUP, DISASTER RECOVERY,
EMERGENCY OPERATIONS.
Policy: Contingency planning, including data backup, disaster recovery and
emergency operations shall be in place.
Procedures:
A. Oversight, policy, and procedures for these activities shall be the
responsibility of the IT Department at IPPI and its Emergency
Subcommittee.
B. Such policies, procedures shall be subject to approval of the
Senior Management Team.
C. For specifics concerning contingency plans see Sections x-l of the IPPI IT
Policies and Procedures, attached hereto as Exhibit A.
XXII. SECURITY AND PRIVACY TRAINING
Policy: All staff shall be trained in HIPAA Privacy and Security Procedures.
Procedures:
A. When these Policies and Procedures were first promulgated, staff and
Board Members were trained in both Privacy and Security matters prior to
April 15th, 2003. Subsequent to this, Privacy and Security training have
been part of each employee’s and Board Member’s orientation.
B. Documentation of a particular employee’s training shall be maintained.
C. Subsequent to orientation, Privacy and Security training shall occur every
three years for all employees or as frequently as is necessary to acquaint
employees with significant changes in the Manual. Attendance shall be
documented and placed in the employee’s personnel file.
D. Training shall also emphasize that certain breaches of HIPAA policy may
require notification of other regulatory and licensing agencies, as well as
local, State and Federal law enforcement agencies, and may result in civil
and/or criminal penalties.
E. All employees shall acknowledge they have read and understood the
Manual using the Employee Acknowledgment Form (See 1, at Part C
(Forms) of the Manual.).
XXIV. SANCTIONS POLICY
Policy: Sanctions shall be imposed by the State Director in each state, or in
Vermont, by the Executive President, which policy shall be
communicated to all employees.
Procedures:
A. Sanctions within IPPI may include disciplinary action, up to and including
termination.
B. The sanction policy which includes notice of HIPAA penalties as well as
state and civil penalties and possible penalties based on the professional
ethics of the employee’s particular discipline shall be included in the IPPI
Personnel Manual.
C. All initial training and subsequent orientation training shall include
information on HIPAA as well as the possibility of employee sanctions for
violation of any HIPAA policies and procedures, up to and including
immediate discharge.
XXV. FAIR ADMINISTRATION OF SANCTIONS POLICY
Policy: It is understood that if the sanction policy is administered in an
inconsistent fashion it may be considered invalid when applied in subsequent
violations. Consequently the HIPAA sanction policy shall be administered fairly
and consistently in all cases, once the HIPAA policies and procedures have gone
into effect.
XXVI. WRITTEN SECURITY POLICIES AND PROCEDURES
Policy: All Security Policies and Procedures relating to PHI and strategies for
implementing them shall be in writing and available for inspection by Persons
Served.
Procedures:
A. These policies, procedures and implementation strategies shall be
reviewed with all staff at orientation and with all staff already employed at
the time of their official approval by IPPI.
B. Any subsequent employee trainings will also be grounded in the written
Policies and Procedures contained in the Manual as the Manual, from time
to time, is amended.
XXVII. REVIEW OF SECURITY POLICIES AND PROCEDURES
Policy: The HIPAA Implementation Committee is responsible for the
development of Security Policies and Procedures.
Procedures:
A. The Committee shall review the Policies and Procedures periodically.
B. The Committee shall revise Policies and Procedures as necessary, for
changes in federal and/or state laws, statutes and regulations, and given
changes in the nature of IT Systems, the increase or decrease of risks, and
the status of the Persons Served.
XXVII. SECURITY OFFICER
Policy: Each state shall have a Security Officer.
Procedures:
A. Each State Director shall designate a State Security Officer for the State
and be responsible for developing a formal job description for that Officer.
B. In Vermont the Executive President shall designate a Corporate Security
Officer for Vermont and for general oversight of Security issues for the
Corporation, and be responsible for developing a job description for the
duties of that person(s) both as Security Officer of Vermont and as
Corporate Security Officer.
XXVIII. EXCEPTIONS
Policy: IPPI intends the rules on these policies will be followed. However, IPPI
recognizes that there may be circumstances where it is not prudent or practical to
follow them and where an exception to the policies is warranted.
Procedures:
A. Exemptions from these policies must first be approved by the State
Director in consultation with the State Security and State Privacy Officers,
and must also be approved by the Network Administrator.
B. Even though an exemption is approved, it shall be reviewed and
considered at the next scheduled meeting of the HIPAA Implementation
Committee. If the committee does not approve the exemption, it shall no
longer be in effect.
C. No exception from the policies shall be approved if it would violate the
requirements of any applicable federal or state law.
XXIX. DISCLOSURES OF ELECTRONIC PHI TO BUSINESS ASSOCIATES
Policy: It is the policy of IPPI to identify all service providers who are Business
Associates.
Procedures:
A. A Business Associate is an entity as defined in the Manual.
B. IPPI may retain the Business Associate to create, receive, maintain, or
transmit electronic PHI on its behalf. IPPI has obtained or will obtain
satisfactory assurances from all business associates that they will
appropriately safeguard the information. Such satisfactory assurances
shall be documented through a written contract containing all of the
requirements of the HIPAA security regulations and specifically providing
that the business associate will:
1. Implement administrative, physical, and technical safeguards and
documentation requirements that reasonably and appropriately protect
the confidentiality, integrity, and availability of the electronic PHI that
the Business Associate creates, receives, maintains, or transmits on
behalf of IPPI (the Contract Electronic PHI);
2. Ensure that any agents or subcontractors to whom the Business
Associate provides electronic PHI agree to implement reasonable and
appropriate security measures to protect the Contract Electronic PHI;
3. Report to IPPI any security incident of which the Business Associate
becomes aware;
4. Take required steps with respect to breach notification requirements;
and
5. Authorize termination of the contract by IPPI if IPPI determines that
the Business Associate has violated a material term of the contract.
PART C. FORMS
1. HIPAA EMPLOYEE ACKNOWLEDGEMENT
2. BUSINESS ASSOCIATE AGREEMENT (Revised)
3. BUSINESS ASSOCIATE TRACKING WORKSHEET
4. AUTHORIZATION FOR RELEASE OF INFORMATION
5. REQUEST FOR ALTERNATE COMMUNICATIONS
6. RESPONSE TO REQUEST FOR ALTERNATE
COMMUNICATIONS
7. REQUEST FOR ACCOUNTING OF DISCLOSURES OF
PROTECTED HEALTH INFORMATION
8. RESPONSE TO REQUEST FOR ACCOUNTING OF
DISCLOSURES OF PROTECTED HEALTH INFORMATION
9. REQUEST TO AMEND OR CORRECT PROTECTED HEALTH
INFORMATION
10. RESPONSE TO REQUEST TO AMEND OR CORRECT
PROTECTED HEALTH INFORMATION
11. REQUEST FOR RESTRICTIONS ON USE OR DISCLOSURE OF
PROTECTED HEALTH INFORMATION
12. RESPONSE TO REQUEST FOR RESTRICTIONS ON USE OR
DISCLOSURE OF PROTECTED HEALTH INFORMATION
13. NOTICE OF AVAILABILITY OF PRIVACY PRACTICES
14. NOTICE OF PRIVACY PRACTICES (Revised)
15. PRIVACY DISCLOSURE LOG
16. REQUEST TO INSPECT OR COPY PROTECTED HEALTH
INFORMATION (Revised)
17. RESPONSE TO REQUEST TO INSPECT OR COPY PROTECTED
HEALTH INFORMATION
18. COMPLAINT FORM
i 45 C.F.R. § 160.103.
ii Id.
iii Id. § 164.504(f)(2)(ii).
iv Id. § 160.103.
v Id. § 164.51(a).
vi Id. § 164.514(b).
vii Id. § 164.501.
viii Id.
ix Id.
x Id.
xi Id. § 164.514(e)(2).
xii Id. § 164.510(b)(1).
xiii Id.
xiv Id. §§ 160.103, 164.501.
xv Id. § 164.501.
xvi Id. § 164.504(f).
xvii Id. § 160.103.
xviii Id. § 164.504(a).
xix Id. § 164.501.
xx Id.